{
	"id": "a7c87411-3ff3-4d2e-b154-a6a14906ac80",
	"created_at": "2026-04-06T01:31:33.481581Z",
	"updated_at": "2026-04-10T03:20:24.715037Z",
	"deleted_at": null,
	"sha1_hash": "d2ff3aeed08b6f421c9b835262046d60b35f939d",
	"title": "MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1063958,
	"plain_text": "MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol)\r\nBy Action Dan\r\nArchived: 2026-04-06 01:13:27 UTC\r\nOne of the things people always ask about when they are exploring MacOS pentesting is \"what are the available\r\nlateral movement options?\". Today we are going to explore one of the most popular methods of remote access for\r\nmacOS, ARD or Apple Remote Desktop or Remote Management. There are several native ways to remotely\r\naccess a macOS machine, specifically under the Sharing option in the System Preferences. The most interesting\r\nmethods are Screen Sharing (tcp:5900), Remote Login (tcp:22), Remote Management (tcp:3283, tcp:5900), and\r\nRemote Apple Events (tcp:3031). Remote Login is essentially SSH access on port 22, which has been covered\r\nheavily from a security perspective many times before. I plan on covering Remote Apple Events on port 3031 in a\r\nlater post, but this post will focus on Remote Management which is ARD and Screen Sharing which is just VNC.\r\nSo today we are drilling down on ARD, which is essentially a bastardized VNC with some extra macOS specific\r\nfeatures. Hosting an ARD server is native macOS functionality but the client costs $70 from the App Store. ARD\r\nis old software, and like a lot of Apple software it has evolved over the years into a mix of proprietary and open\r\nsource software. It has largely merged with the VNC protocol to send the screen and control buffers, as well as for\r\nbackwards compatibility with VNC clients. However, full ARD will also use protocols such as SSH for secure file\r\ntransfer when you copy a file over. All VNC-like communications are encrypted with a minimum of 128bit AES.\r\nThe Screen Sharing option is just a basic VNC server. There is also an advanced ARD or Remote Management\r\noption to set a control screen password which will make ARD backwards compatible for VNC clients. 
However\r\nthere is a weakness to this authentication method that limits this password to an 8-character auth buffer, making it\r\nvery easy to brute force with a tool like Hydra or GoRedShell (there are also no rate limits by default). You can\r\nidentify vulnerable instances of Screen Sharing or Remote Management with nmap, using the script \"vnc-info\",\r\nand if the service supports \"VNC Authentication (2)\" then they are likely vulnerable to brute force. The service\r\nwill truncate all passwords sent on the wire down to 8 characters, such that if you set the VNC auth to \"password\",\r\nboth \"passwords\" and \"password123\" will authenticate.\r\nhttp://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html\r\nPage 1 of 3\n\nWhen you use the ARD client to connect to a Mac machine, there are methods to lock down the permissions based\r\non groups; however, many admins will take the simpler route of using a shared local account across multiple\r\nmachines. In fact, the ARD admin wizard prompts the administrator to create such a user on their first connect,\r\nwhich was a historical weakness in Windows as it allowed for lateral movement once that user's password was\r\ncompromised. There are some LAPS-like solutions for macOS, but nothing official. You can use the kickstart\r\ncommand to launch and configure ARD in server mode from the command line. This can be useful for persistence\r\nor if you need to escalate from an SSH session, to say accept some TCC prompts. The following is a good\r\nkickstart command to launch ARD for all users:\r\nsudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes\r\nIf you do get credentials to a machine with the ARD service running, it is an extremely rich service with many\r\nfeatures that lend themselves to pentesting. 
For example, you can switch between observation mode, shared control, and\r\nfull control, going from spying on a user to taking over their desktop at the click of a button. You can even lock a\r\nuser out of their desktop while you make edits, although this is less advised. If you do get access to an ARD\r\nsession, that session will remain open until the session is terminated, even if the user's password is changed during\r\nthe session. You can also send unix commands directly over ARD and you can specify the root user to execute\r\nthings as root if you're an administrative user. You can even use this unix command method to schedule remote\r\ntasks to run at a specific time; however, this occurs as a network connection at the specified time (vs being stored\r\nand executing on the target server). Finally, remote Spotlight is one of my favorite features. It's really neat because\r\nyou can run a low impact, indexed search quickly and remotely. This is gold for searching for sensitive files\r\nbecause it's quick, lets you run searches concurrently across multiple machines, and won't spike the CPU.\r\nHowever, this won't get directories which aren't indexed by Spotlight, such as ~/.ssh/ by default:\n\nThese events obviously leave logs. Spotlight searches will show up in logs, specifically the \"Mac Analytic Data\",\r\nhowever the contents of the search will not appear here. VNC logon and screen sharing events also appear here.\r\nAnother good way to view these logs is using the new macOS \"log\" command, like so:\r\nlog show --last 3d --predicate 'processImagePath CONTAINS \"screensharingd\" AND eventMessage CONTAINS \"Authentication\"'\r\nFinally, you can also use an ARD feature called Advanced System Reporting to show things like recently touched\r\nfiles and memory usage. 
Here is an example of catching the VNC brute forcing and regular ARD authentication in\r\nthe logs:\r\nSource: http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html"
	],
	"report_names": [
		"macos-red-teaming-206-ard-apple-remote.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439093,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2ff3aeed08b6f421c9b835262046d60b35f939d.pdf",
		"text": "https://archive.orkl.eu/d2ff3aeed08b6f421c9b835262046d60b35f939d.txt",
		"img": "https://archive.orkl.eu/d2ff3aeed08b6f421c9b835262046d60b35f939d.jpg"
	}
}