Joel Bruner brunerd

@brunerd
brunerd / maclTackle.command
Last active February 23, 2024 11:28
A hacky example to clean the com.apple.macl attribute from a file using zip to sidestep SIP on Catalina
#!/bin/bash
#clean the com.apple.macl attribute from a file or folders using zip to sidestep SIP on Catalina
#WARNING: This will overwrite the original file/folders with the zipped version - DO NOT use on production data
#hold down command key at launch or touch /tmp/debug to enable xtrace command expansion
commandKeyDown=$(/usr/bin/python -c 'import Cocoa; print Cocoa.NSEvent.modifierFlags() & Cocoa.NSCommandKeyMask > 1')
[ "$commandKeyDown" = "True" -o -f /tmp/debug ] && set -x && xtraceFlag=1
#hacky example to clean the com.apple.macl attribute from a file using zip to sidestep SIP
: <<-EOL
# jamflog - Copyright (c) 2021 Joel Bruner, Licensed under the MIT License
# a way to log to stdout and /var/log/jamf.log (or elsewhere) and have it match Jamf's log style
function jamflog(){
[ -n "${-//[^x]/}" ] && { local xTrace=1; set +x; } &>/dev/null
local logFile="${2:-/var/log/jamf.log}"
#if it exists but we cannot write to the log or it does not exist, unset and tee simply echoes
[ -e "${logFile}" -a ! -w "${logFile}" ] && unset logFile
#this will tee to jamf.log in the jamf log format: <Day> <Month> DD HH:MM:SS <Computer Name> ProcessName[PID]: <Message>
builtin echo "$(/bin/date +'%a %b %d %H:%M:%S') ${jamflog_myComputerName:="$(/usr/sbin/scutil --get ComputerName)"} ${jamflog_myName:="$(/usr/bin/basename "${0%.*}")"}[${myPID:=$$}]: ${1}" | /usr/bin/tee -a "${logFile}" 2>/dev/null
@brunerd
brunerd / keyDown.sh
Last active September 10, 2023 19:28
Getting macOS Modifier Key Down Events in JXA and Python
#!/bin/bash
#https://gist.github.com/brunerd/d775ab7b362b72d9feb0c4035f922ede
function printState
{
echo commandKeyDown: $commandKeyDown
echo controlKeyDown: $controlKeyDown
echo optionKeyDown: $optionKeyDown
echo shiftKeyDown: $shiftKeyDown
echo functionKeyDown: $functionKeyDown
@brunerd
brunerd / inZoomMeeting.sh
Created February 15, 2022 04:14
Simple shell script function to determine if a Zoom meeting is in progress
#!/bin/sh
#inZoomMeeting (20220214) Copyright (c) 2021 Joel Bruner (https://github.com/brunerd)
#Licensed under the MIT License
function inZoomMeeting {
#if this process exists, there is a meeting, return 0 (success), otherwise 1 (fail)
pgrep "CptHost" &>/dev/null && return 0 || return 1
}
if inZoomMeeting; then
@brunerd
brunerd / macOSScreenLockDetection.sh
Created March 20, 2021 16:46
Detect the macOS CoreGraphics Screen Lock status of the console user via ioreg
#!/bin/sh
#Joel Bruner (https://github.com/brunerd)
function screenIsLocked { [ "$(/usr/libexec/PlistBuddy -c "print :IOConsoleUsers:0:CGSSessionScreenIsLocked" /dev/stdin 2>/dev/null <<< "$(ioreg -n Root -d1 -a)")" = "true" ] && return 0 || return 1; }
function screenIsUnlocked { [ "$(/usr/libexec/PlistBuddy -c "print :IOConsoleUsers:0:CGSSessionScreenIsLocked" /dev/stdin 2>/dev/null <<< "$(ioreg -n Root -d1 -a)")" != "true" ] && return 0 || return 1; }
if screenIsLocked; then
echo "Screen locked"
fi
@brunerd
brunerd / macHardwareIdentifiers.sh
Last active December 9, 2022 20:29
Shell one liners for getting Mac hardware Serial, UUID, and Board ID
#Serial Number - x86/ARM
mySerial=$(/usr/libexec/PlistBuddy -c "print :0:IOPlatformSerialNumber" /dev/stdin <<< "$(ioreg -ard1 -c IOPlatformExpertDevice)")
#UUID - x86/ARM
myUUID=$(/usr/libexec/PlistBuddy -c "print :0:IOPlatformUUID" /dev/stdin <<< "$(ioreg -ard1 -c IOPlatformExpertDevice)")
#Provisioning UDID - ARM only, Monterey+ only
myProvisioningUDID=$(system_profiler -xml SPHardwareDataType | sed -e $'s/^[ \t]*//g;s/[ \t]*$//g' -e "s/date>/string>/g; s/data>/string>/g;s/real>/string>/g" | sed -e :a -e N -e '$!ba' -e 's/\n//g' | plutil -extract "0._items.0.provisioning_UDID" raw -o - -)
#Model ID - Universal
@brunerd
brunerd / kcpasswordDecode.sh
Last active November 17, 2022 14:34
De-obfuscates macOS /etc/kcpassword file used for automatic login
#!/bin/bash
#kcpasswordDecode (20220729) Copyright (c) 2021 Joel Bruner (https://github.com/brunerd)
#Licensed under the MIT License
#specify file as input
#kcpasswordDecode.sh /etc/kcpassword
#given a filepath, XOR it back and truncate padding
function kcpasswordDecode() (
filepath="${1}"
@brunerd
brunerd / kcpasswordEncode.sh
Last active July 31, 2022 11:46
Encode a string for use in macOS /etc/kcpassword using shell, printf, sed, awk and xxd
#!/bin/bash
#kcpasswordEncode (20220610) Copyright (c) 2021 Joel Bruner (https://github.com/brunerd)
#Licensed under the MIT License
#given a string creates data for /etc/kcpassword
function kcpasswordEncode () (
#ascii string
thisString="${1}"
@brunerd
brunerd / maclTrack.command
Last active June 16, 2022 18:59
Examine all the com.apple.macl entries on files and folders
#!/bin/bash
: <<-EOL
MIT License
Copyright (c) 2020 Joel Bruner
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
@brunerd
brunerd / EAGrabber.sh
Last active January 29, 2022 16:20
Grab Jamf Extension Attributes (including recovery key) as they come down during recon
#!/bin/bash
# Joel Bruner - EA Grabber: Surreptitiously grabs Jamf Extension Attributes (EAs) during recon
#touch file for debug
[ -f /tmp/debug ] && set -x
#############
# VARIABLES #
#############