Building the HacBook 🍎

After winning the U.S. Department of Defense Chief Digital and Artificial Intelligence Office AI Bias Bounty program (gosh - that’s a mouthful 😅), I used some of the winnings to treat myself to a brand-new, fully-loaded MacBook Air M3. I’ve always enjoyed using light-weight laptops 😊 and this model felt like it had enough RAM (24 GB) and CPU to handle the “closed box” testing I perform as a bug bounty hunter who primarily looks at web applications.

Likewise, at the beginning of the year I also signed-up to take Offensive Security’s WEB-200 course in order to sharpen some of my client-side testing skills; I really should have listened to Jason Haddix all those years ago when he said to spend time learning JavaScript 😅 

Anyway - when I bought the new MacBook, I thought to myself: “wouldn’t it be cool if I could successfully navigate the WEB-200 course and the OSWA exam without a Kali VM or dual-boot setup?” - and so far, it certainly feels like the answer is “yes - and you can!”. Below is a list of the software - along with install instructions and the occasional commentary - which I’ve installed on my new “HacBook” as I’ve completed the WEB-200 chapter exercises.

I will eventually write a series of blog posts explaining how I use (and get the most out of) these various tools - but for now this post should serve as a starting point of “what’s in the toolbelt” for the various hacking adventures you might go on.

Oh and let’s not forget - it’s important to hack in style, so I needed to find some artwork for the custom ToastMade wooden cover I usually decorate my laptops with. Here’s what I landed on:

Disclaimer: this is by no-means an exhaustive list. In fact, I welcome additional suggestions via my handle andMYhacks on Discord, or via an email to keith [at] securing [dot] dev; Happy hacking!

---

Core applications

• Homebrew ← must have command line tool for MacOS
• Make sudo use TouchID
  • sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
  • sudo vim /etc/pam.d/sudo_local
  • Uncomment auth sufficient pam_tid.so
• Caido proxy ← My preferred proxy, upstreaming to Burp to cover some gaps (thank you, Justin Gardner 😄)
• Burp Suite Pro from PortSwigger - because you still need it for some Ajax things in the OSWA course
• OrbStack for container management (thank you, Natalie Somersall ❤️)
• Viscosity VPN for connecting to Offensive Security’s lab network (thanks to the GitHub #homelab crew)
• Google Chrome (strictly for web app testing)

---

brew install applications

• brew install git
• brew install semgrep
• brew install codeql
• brew install screen
• brew install nuclei
• brew install go
• brew install notify
• brew install nmap ← My preferred port scanning tool
• brew install pipx
• brew install feroxbuster
• brew install ffuf ← My preferred web fuzzing tool
• brew install ruby
• brew tap owasp-amass/amass
  • Then brew install amass

---

burp and caido extensions

• Burp extensions
  • 403 Bypasser
  • Active Scan++
  • Autorize
  • Backslash Powered Scanner
  • Collaborator Everywhere
  • Copy as Python-Requests
  • Distribute Damage
  • Hackvertor ← always on
  • Hunt Scanner ← always on
  • InQL - GraphQL Scanner
  • JS Link Finder ← always on
  • JS Miner
  • JSON Web Tokens
  • JWT Editor
  • Param Miner ← always on
  • Piper
  • Retire.js
  • Request Minimizer ← always on
• Caido extensions
  • AI Replay Rename ← An absolute gem of an extension
  • EvenBetterExtensions ← a “must have” extension
  • Replay Header Refresher

---

go install applications

• go install -v github.com/g0ldencybersec/gungnir@latest
  • Alternative to cert-sub-go
• go install -v github.com/tomnomnom/anew@latest
• go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
• go install -v github.com/xssdoctor/graphqlMaker@latest
• go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
• go install -v github.com/OJ/gobuster/v3@latest

---

📢 This content was thoughtfully written by a human being; If you find it useful, enjoyable, or influential you can support my work via Patreon.️ I think we all know the AI training “data scrapers” aren’t going to support people like me 😅 Anyway…

---

git clone applications

• git clone git@github.com:swisskyrepo/PayloadsAllTheThings.git
  • I usually end up referencing the GitHub page, but having it locally is nice 👌
• git clone git@github.com@:danielmiessler/SecLists.git
  • I really wish directories were lowercased and didn’t include spaces 😢
• git clone git@github.com:trufflesecurity/trufflehog.git
• git clone git@github.com:projectdiscovery/katana.git

---

docker pull

• docker pull httpd ← useful for running an Apache web server during the course
  • I spun this up with docker run -dit --network host -v ${PWD}:/var/www/html --name apache-server httpd:latest from inside of a “web server” folder where I keep web shells, system binaries, etc.
  • The terminal session entrypoint is /usr/local/apache2
  • The config is located in /usr/local/apache2/conf/httpd.conf, you’ll need to modify this in order to have it load the site from /var/www/html
  • Restart the service with httpd -k restart
  • After this you can docker [start|stop] apache-server to get it running. I usually spin-up a terminal session within the container via the OrbStack UI if I need to.
• docker pull kalilinux/kali-rolling ← some apps were just a pain to install, and this was my last resort
  • I spun this up with docker run -it --network host -v ${PWD}:/tmp --name kali-oswa kalilinux/kali-rolling:latest from inside my OSWA directory
    • After this you can docker [start|stop] kali-oswa to get it running or shut it down
  • Then ,when you are in a terminal session inside of the container, run: apt update && apt -y install kali-linux-headless to get all the tools, scripts, etc. you might need for the course
  • You’ll probably also want to run apt install seclists 👀

And before my friend Natalie sends me a message on Signal - I know, I know… “livestock, not pets” - but what can you do 🤷  There are some tools (like cewl, gobuster, msfvenom, and wfuzz ) which are used throughout the WEB-200 course that are just not easily installed on MacOS. You could probably go get the specific container for each of these tools - but for the limited use cases I have, these two containers made everything easier 👍

---

Chrome extensions

• FoxyProxy Basic
• postMessage-tracker ← requires being in “developer mode”
• Simply Code Beautify
• Wappalyzer
• Xnl Reveal ← requires being in “developer mode”
• Bulk URL Opener
• Resources Saver
• Google Translate

---

Tools I’m still looking into:

• Nuclei AI extension
• REcollapse
• SignSaboteaur
• JSWZL
• GetAllURLs
• assetnote/nowafpls
• AutoGPT
• Vortimo

---

FIN

Oof - okay, I know that was a lot 😅 but I hope this will make other hacker’s lives easier if you get a sweet new MacBook of your own to hack with in the future 😊 Also, if any of these tools/links break (or go stale) I will do my best to update this content - but please do me a favor: if you find something broken just email me at keith [at] securing [dot] dev to let me know 👍

Finally, I just want to give a special shout-out to my friends jhaddix, xnl_h4ck3r, xssdoctor, un1tycyb3r, Roll4Combat, and G0LD3N for their all of their feedback, suggestions, and crazy ideas ❤️ I love you guys!

Oh, and about that ToastMade cover: I think it came out pretty great - what do you think?

---

Thank you for stopping by 😊 While taking some time to prepare my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper.

And until next time, remember to git commit && stay classy!

Cheers,

Keith // securingdev

---

If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thank you once again for reading this content!