Hacktricks-skills macos-network-security

macOS network security assessment and hardening. Use this skill whenever the user mentions macOS security, network services, remote access (VNC, SSH, ARD, Screen Sharing), Bonjour, mDNS, service enumeration, privilege escalation, or security vulnerabilities. Trigger for any macOS security assessment, hardening recommendations, or network protocol analysis tasks.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/macos-hardening/macos-security-and-privilege-escalation/macos-protocols/SKILL.MD
source content

macOS Network Security Assessment & Hardening

This skill helps you assess, understand, and harden macOS network services and protocols. It covers remote access services, service discovery protocols, known vulnerabilities, and security best practices.

Quick Reference

Remote Access Services

| Service | Port | System Name | Check Command |
|---|---|---|---|
| VNC/Screen Sharing | 5900/tcp | Screen Sharing | netstat -na |
| SSH | 22/tcp | Remote Login | netstat -na |
| Apple Remote Desktop (ARD) | 3283/tcp | Remote Management | netstat -na |
| AppleEvent | 3031/tcp | Remote Apple Event | netstat -na |
| File Sharing | 88, 445, 548/tcp | File Sharing | netstat -na |
| Back to My Mac | 4488/tcp | Back to My Mac | netstat -na |

Service Discovery Protocols

| Protocol | Port | Purpose |
|---|---|---|
| mDNS (Multicast DNS) | 5353/UDP | Name resolution without a DNS server |
| DNS-SD (DNS Service Discovery) | 5353/UDP | Service discovery on the local network |
| Bonjour | 5353/UDP | Apple's Zero Configuration Networking |

Service Enumeration

Check All Remote Services Status

Run this script to check which remote services are enabled:

# Check remote services status: count TCP sockets in LISTEN state bound to all
# interfaces ("*.<port>"). The trailing space anchors the port so that, for
# example, *.2222 is not counted as SSH on port 22.
rmMgmt=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep '\*\.3283 ' | wc -l)
scrShrng=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep '\*\.5900 ' | wc -l)
flShrng=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | egrep '\*\.88 |\*\.445 |\*\.548 ' | wc -l)
rLgn=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep '\*\.22 ' | wc -l)
rAE=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep '\*\.3031 ' | wc -l)
bmM=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep '\*\.4488 ' | wc -l)
printf "\nService Status (0=OFF, >0=ON):\n"
printf "Screen Sharing: %s\n" "$scrShrng"
printf "File Sharing: %s\n" "$flShrng"
printf "Remote Login (SSH): %s\n" "$rLgn"
printf "Remote Management (ARD): %s\n" "$rmMgmt"
printf "Remote Apple Events: %s\n" "$rAE"
printf "Back to My Mac: %s\n\n" "$bmM"
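The shell script above only counts grep hits, so it cannot tell a service bound to loopback from one exposed on every interface. As an added Python example (not from HackTricks or this skill), the audit below parses `netstat -na` output with exact port matching and reports each service from the table as OFF, LOCAL-ONLY or EXPOSED; the sample netstat output is constructed, not captured from a real host.

```python
import re

# Port -> service name, mirroring the Remote Access Services table above.
REMOTE_SERVICES = {
    5900: "Screen Sharing (VNC)", 22: "Remote Login (SSH)",
    3283: "Remote Management (ARD)", 3031: "Remote Apple Events",
    88: "File Sharing (Kerberos)", 445: "File Sharing (SMB)",
    548: "File Sharing (AFP)", 4488: "Back to My Mac",
}

# macOS netstat -na prints the local socket as "addr.port", where addr is
# "*", an IPv4 or an IPv6 address, so the port is split off at the LAST dot.
LISTEN_RE = re.compile(r"^(tcp46|tcp4|tcp6)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")

def parse_listeners(netstat_output):
    """Return {port: set(bound_addresses)} for every TCP LISTEN line."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, _, port = m.group(2).rpartition(".")
        if port.isdigit():  # exact port match, so *.2222 never counts as port 22
            listeners.setdefault(int(port), set()).add(addr)
    return listeners

def classify_remote_services(netstat_output):
    """Map each known remote service to OFF, LOCAL-ONLY or EXPOSED."""
    listeners = parse_listeners(netstat_output)
    report = {}
    for port, name in REMOTE_SERVICES.items():
        addrs = listeners.get(port, set())
        if not addrs:
            report[name] = "OFF"
        elif addrs <= {"127.0.0.1", "::1"}:  # bound to loopback only
            report[name] = "LOCAL-ONLY"
        else:  # "*" (all interfaces) or a routable interface address
            report[name] = "EXPOSED"
    return report

# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp46      0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.3283         *.*                    LISTEN
tcp6       0      0  ::1.3283               *.*                    LISTEN
tcp4       0      0  *.2222                 *.*                    LISTEN
tcp4       0      0  192.168.1.10.445       *.*                    LISTEN
"""
```

On a live host, feed it `subprocess.check_output(["netstat", "-na"], text=True)` instead of the sample.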

Browse Bonjour Services

# Browse SSH services
dns-sd -B _ssh._tcp

# Browse HTTP services
dns-sd -B _http._tcp

# Browse all services
dns-sd -B _services._dns-sd._udp.local
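What `dns-sd -B _services._dns-sd._udp.local` exchanges with the network, as an added Python example (not the page's, HackTricks' or Apple's code): it builds the RFC 6762 multicast PTR query and parses a response into the advertised service types, following DNS name compression pointers. The response packet is constructed here rather than captured; `_rfb._tcp` is the service type Screen Sharing advertises.

```python
import struct

# RFC 6763 service-type enumeration name, and the DNS PTR type / IN class codes.
SERVICE_ENUM, TYPE_PTR, CLASS_IN = "_services._dns-sd._udp.local", 12, 1

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a root byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(name=SERVICE_ENUM):
    """The multicast query dns-sd -B sends to 224.0.0.251:5353: ID 0, flags 0, one PTR/IN question."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_PTR, CLASS_IN)

def decode_name(pkt, off):
    """Decode the name at pkt[off], following RFC 1035 compression pointers; returns (name, end)."""
    labels, end = [], None
    while pkt[off] != 0:
        if (pkt[off] & 0xC0) == 0xC0:            # 11xxxxxx: pointer back to an earlier name
            end = end or off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(pkt[off + 1:off + 1 + pkt[off]].decode())
            off += 1 + pkt[off]
    return ".".join(labels), (end or off + 1)

def parse_ptr_answers(pkt):
    """Return [(owner, target, ttl)] for every PTR record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):                    # skip questions (mDNS responses rarely carry any)
        off = decode_name(pkt, off)[1] + 4
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10                               # rclass bit 15 is the mDNS cache-flush flag
        if rtype == TYPE_PTR and (rclass & 0x7FFF) == CLASS_IN:
            answers.append((owner, decode_name(pkt, off)[0], ttl))
        off += rdlen
    return answers

def build_sample_response():
    """Constructed (not captured) response advertising the SSH and Screen Sharing (_rfb) service types."""
    hdr = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)        # response + authoritative, 2 answers
    owner = encode_name(SERVICE_ENUM)                            # occupies offsets 12..41, "local" label at 35
    local = b"\xc0\x23"                                          # compression pointer to offset 35
    rr1 = struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, 12) + b"\x04_ssh\x04_tcp" + local
    rr2 = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, 12) + b"\x04_rfb\x04_tcp" + local
    return hdr + owner + rr1 + rr2
```

Each `(owner, target, ttl)` tuple is one service type a host on the link is advertising; a target such as `_rfb._tcp.local` or `_ssh._tcp.local` is the kind of exposure the hardening section below is about.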

Network Scanning

# Nmap - discover mDNS services on a host
nmap -sU -p 5353 --script=dns-service-discovery <target>

# mdns_recon - scan subnet for misconfigured mDNS responders
python3 mdns_recon.py -r 192.168.1.0/24 -s _ssh._tcp.local

Security Vulnerabilities

Recent Screen Sharing / ARD Vulnerabilities

| Year | CVE | Impact | Fixed In |
|---|---|---|---|
| 2023 | CVE-2023-42940 | Session rendering leak - wrong desktop transmitted | macOS Sonoma 14.2.1 |
| 2024 | CVE-2024-23296 | Kernel memory bypass after remote login | macOS Ventura 13.6.4 / Sonoma 14.4 |

Recent Bonjour/mDNS Vulnerabilities

| Year | CVE | Severity | Impact | Fixed In |
|---|---|---|---|---|
| 2024 | CVE-2024-44183 | Medium | DoS via crafted mDNS packet | Ventura 13.7 / Sonoma 14.7 / Sequoia 15.0 |
| 2025 | CVE-2025-31222 | High | Local privilege escalation | Ventura 13.7.6 / Sonoma 14.7.6 / Sequoia 15.5 |

ARD Security Concerns

Critical: ARD uses only the first 8 characters of the VNC password for authentication, making it vulnerable to brute force attacks with no default rate limiting.

Detection: Use nmap's vnc-info script to identify vulnerable instances:

nmap --script vnc-info -p 5900 <target>

Services supporting "VNC Authentication (2)" are especially susceptible.

Hardening Recommendations

1. Disable Unnecessary Remote Services

# Deactivate the Remote Management (ARD) agent; Screen Sharing is a separate
# service and must be turned off on its own
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate

# Disable Remote Login (SSH)
sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist

# Disable Bonjour (if not needed). Caution: mDNSResponder is also the system's
# unicast DNS resolver, so unloading it breaks name resolution on the host;
# prefer the network-level protections in section 3 where DNS is still needed.
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

2. Firewall Rules for ARD

If ARD must be enabled, restrict it to local subnet:

# Add ARDAgent to the Application Firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# Block inbound connections to ARDAgent (this blocks all inbound connections to
# the agent; per-subnet filtering has to be done on the network firewall)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

3. Network-Level Protections

  • Restrict UDP 5353 to link-local scope on routers and firewalls
  • Block or rate-limit mDNS traffic on wireless controllers
  • Use mDNS proxy to prevent cross-subnet service discovery
  • Put remote services behind VPN instead of exposing to Internet

4. System Hardening

  • Enable System Integrity Protection (SIP) - critical for full vulnerability protection
  • Keep macOS fully patched - Apple supports last 3 major releases
  • Use strong passwords - especially for VNC/ARD (8+ chars minimum)
  • Disable "VNC viewers may control screen with password" when possible

5. MDM Restrictions (Enterprise)

For environments requiring Bonjour internally but not across boundaries:

  • Use AirPlay Receiver profile restrictions via MDM
  • Deploy mDNS proxy solutions
  • Configure network segmentation to isolate service discovery

Assessment Workflow

Step 1: Enumerate Services

  1. Check local listening ports
  2. Browse local Bonjour services
  3. Scan network for exposed services

Step 2: Identify Vulnerabilities

  1. Check macOS version against CVE table
  2. Test ARD for weak authentication
  3. Verify mDNS responder configuration

Step 3: Apply Hardening

  1. Disable unnecessary services
  2. Configure firewall rules
  3. Update system and verify patches
  4. Document remaining services and justification

Tools Reference

| Tool | Purpose | Command |
|---|---|---|
| netstat | Port enumeration | netstat -na |
| dns-sd | Bonjour service discovery | dns-sd -B _service._tcp |
| nmap | Network scanning | nmap -sU -p 5353 --script=dns-service-discovery |
| mdns_recon | mDNS reconnaissance | python3 mdns_recon.py -r <range> |
| socketfilterfw | Application Firewall | sudo /usr/libexec/ApplicationFirewall/socketfilterfw |

When to Use This Skill

Use this skill when you need to:

  • Assess macOS network security posture
  • Enumerate remote access services on macOS
  • Understand Bonjour/mDNS protocol behavior
  • Identify and remediate macOS network vulnerabilities
  • Harden macOS systems against network-based attacks
  • Investigate privilege escalation via network services
  • Configure secure remote access on macOS
  • Audit macOS systems for compliance
