Building the HacBook 🍎

After winning the U.S. Department of Defense Chief Digital and Artificial Intelligence Office AI Bias Bounty program (gosh - that’s a mouthful 😅), I used some of the winnings to treat myself to a brand-new, fully-loaded MacBook Air M3. I’ve always enjoyed using light-weight laptops 😊 and this model felt like it had enough RAM (24 GB) and CPU to handle the “closed box” testing I perform as a bug bounty hunter who primarily looks at web applications.

Likewise, at the beginning of the year I also signed-up to take Offensive Security’s WEB-200 course in order to sharpen some of my client-side testing skills; I really should have listened to Jason Haddix all those years ago when he said to spend time learning JavaScript 😅 

Anyway - when I bought the new MacBook, I thought to myself: “wouldn’t it be cool if I could successfully navigate the WEB-200 course and the OSWA exam without a Kali VM or dual-boot setup?” - and so far, it certainly feels like the answer is “yes - and you can!”. Below is a list of the software - along with install instructions and the occasional commentary - which I’ve installed on my new “HacBook” as I’ve completed the WEB-200 chapter exercises.

I will eventually write a series of blog posts explaining how I use (and get the most out of) these various tools - but for now this post should serve as a starting point of “what’s in the toolbelt” for the various hacking adventures you might go on.

Oh and let’s not forget - it’s important to hack in style, so I needed to find some artwork for the custom ToastMade wooden cover I usually decorate my laptops with. Here’s what I landed on:

A wanted poster from Trigun: Stampede of Vash the Stampede, wanted Alive

Disclaimer: this is by no-means an exhaustive list. In fact, I welcome additional suggestions via my handle andMYhacks on Discord, or via an email to keith [at] securing [dot] dev; Happy hacking!

Core applications

  • Homebrew ← must have command line tool for MacOS
  • Make sudo use TouchID
    • sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
    • sudo vim /etc/pam.d/sudo_local
    • Uncomment auth sufficient
  • Caido proxy ← My preferred proxy, upstreaming to Burp to cover some gaps (thank you, Justin Gardner 😄)
  • Burp Suite Pro from PortSwigger - because you still need it for some Ajax things in the OSWA course
  • OrbStack for container management (thank you, Natalie Somersall ❤️)
  • Viscosity VPN for connecting to Offensive Security’s lab network (thanks to the GitHub #homelab crew)
  • Google Chrome (strictly for web app testing)

brew install applications

  • brew install git
  • brew install semgrep
  • brew install codeql
  • brew install screen
  • brew install nuclei
  • brew install go
  • brew install notify
  • brew install nmap ← My preferred port scanning tool
  • brew install pipx
  • brew install feroxbuster
  • brew install ffuf ← My preferred web fuzzing tool
  • brew install ruby
  • brew tap owasp-amass/amass
    • Then brew install amass

burp and caido extensions

  • Burp extensions
    • 403 Bypasser
    • Active Scan++
    • Autorize
    • Backslash Powered Scanner
    • Collaborator Everywhere
    • Copy as Python-Requests
    • Distribute Damage
    • Hackvertor ← always on
    • Hunt Scanner ← always on
    • InQL - GraphQL Scanner
    • JS Link Finder ← always on
    • JS Miner
    • JSON Web Tokens
    • JWT Editor
    • Param Miner ← always on
    • Piper
    • Retire.js
    • Request Minimizer ← always on
  • Caido extensions

go install applications

📢 This content was thoughtfully written by a human being; If you find it useful, enjoyable, or influential you can support my work via Patreon.️ I think we all know the AI training “data scrapers” aren’t going to support people like me 😅 Anyway…

git clone applications

  • git clone
    • I usually end up referencing the GitHub page, but having it locally is nice 👌
  • git clone
    • I really wish directories were lowercased and didn’t include spaces 😢
  • git clone
  • git clone

docker pull

  • docker pull httpd ← useful for running an Apache web server during the course
    • I spun this up with docker run -dit --network host -v ${PWD}:/var/www/html --name apache-server httpd:latest from inside of a “web server” folder where I keep web shells, system binaries, etc.
    • The terminal session entrypoint is /usr/local/apache2
    • The config is located in /usr/local/apache2/conf/httpd.conf, you’ll need to modify this in order to have it load the site from /var/www/html
    • Restart the service with httpd -k restart
    • After this you can docker [start|stop] apache-server to get it running. I usually spin-up a terminal session within the container via the OrbStack UI if I need to.
  • docker pull kalilinux/kali-rolling ← some apps were just a pain to install, and this was my last resort
    • I spun this up with docker run -it --network host -v ${PWD}:/tmp --name kali-oswa kalilinux/kali-rolling:latest from inside my OSWA directory
      • After this you can docker [start|stop] kali-oswa to get it running or shut it down
    • Then ,when you are in a terminal session inside of the container, run: apt update && apt -y install kali-linux-headless to get all the tools, scripts, etc. you might need for the course
    • You’ll probably also want to run apt install seclists 👀

And before my friend Natalie sends me a message on Signal - I know, I know… “livestock, not pets” - but what can you do 🤷  There are some tools (like cewl, gobuster, msfvenom, and wfuzz ) which are used throughout the WEB-200 course that are just not easily installed on MacOS. You could probably go get the specific container for each of these tools - but for the limited use cases I have, these two containers made everything easier 👍

Chrome extensions

Tools I’m still looking into:


Oof - okay, I know that was a lot 😅 but I hope this will make other hacker’s lives easier if you get a sweet new MacBook of your own to hack with in the future 😊 Also, if any of these tools/links break (or go stale) I will do my best to update this content - but please do me a favor: if you find something broken just email me at keith [at] securing [dot] dev to let me know 👍

Finally, I just want to give a special shout-out to my friends jhaddix, xnl_h4ck3r, xssdoctor, un1tycyb3r, Roll4Combat, and G0LD3N for their all of their feedback, suggestions, and crazy ideas ❤️ I love you guys!

Oh, and about that ToastMade cover: I think it came out pretty great - what do you think?

A picture of the wooden MacBook Air M3 skin made by Toastmade of the smiling Vash the Stampede character from the wanted

Thank you for stopping by 😊 While taking some time to prepare my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper.

And until next time, remember to git commit && stay classy!


Keith // securingdev

If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thank you once again for reading this content!

This post is licensed under CC BY 4.0 by the author.