Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
c
CptOfEvilMinions
03/20/2020, 4:42 PMTo get the system proxy on macOS here a query:
SELECT subkey, value FROM plist WHERE path='/Library/Preferences/SystemConfiguration/preferences.plist' AND key='NetworkServices' AND subkey like '%HTTP%P%' AND value != '';+---------------------------------------------------------+---------+
| subkey | value |
+---------------------------------------------------------+---------+
| Proxies/HTTPPort | 5555 |
| Proxies/HTTPSProxy | 1.1.1.1 |
| Proxies/HTTPSPort | 5555 |
| Proxies/HTTPProxy | 1.1.1.1 |
+---------------------------------------------------------+---------+SELECT DISTINCT p.pid, x.name, x.cmdline, p.local_port FROM process_open_sockets as p JOIN plist as l ON p.local_port=l.value JOIN processes as x ON p.pid=x.pid WHERE l.path='/Library/Preferences/SystemConfiguration/preferences.plist' AND l.key='NetworkServices' AND l.subkey like '%HTTP%Port' AND l.value != '';+-------+------+------------+------------+
| pid | name | cmdline | local_port |
+-------+------+------------+------------+
| 19821 | nc | nc -l 5555 | 5555 |
+-------+------+------------+------------+s
seph
03/21/2020, 1:35 AMI found working with
plistkolide_plistkolide_plist will let you losslessly retrieve the data, which means you can then run it through an EAV style pivot.