Homebrew: How to install post-exploitation tools on macOS

Learn how to use the Homebrew package manager to install post-exploit security tools on macOS to further assess compromised system vulnerabilities found in your Apple equipment.


Illustration: Lisa Hornung, Getty Images/iStockPhoto

In this final article in the Homebrew series, we look at the availability of post-exploit tools you can use to further assess vulnerabilities in computing devices. You can use these to continue following the attack chain in an effort to establish permission escalation, persistence, and pivot from one compromised system to another, extending the attack throughout the network.

SEE: Apple Macbook Air 2020: Cheat sheet (Free PDF) (TechRepublic)

This part of the engagement is not about compromising the system initially: That is the exploit phase. But the post-exploit process deals with the initial level of access obtained on the compromised system and evolving it into something far more in order to obtain as much data on the underlying system and any hosts that might be communicating with it over the same network segment and beyond.

By using the proper tools, security admins and penetration testers can perform a deep dive on the system and continue the attack on subsequent systems encountered during the additional reconnaissance process that will enumerate more nodes to target. In addition to targets, the scope may change as well, as new access rights and expanded targets may bring with it applications and services that are used internally and externally.

The collection of tools listed here may be used as standalone tools or in conjunction with other tools and kits to provide a broad or granular landscape of a particular system or the entire network of hosts. And, of course, the more information that can be gathered on networked devices, the greater the ability security admins and pentesters will have in identifying lingering issues for remediation before a true security threat takes advantage of these vulnerabilities.


Babel Scripting Framework (SF) is not a standalone tool, but rather a collection of tools used to perform and automate a number of security-related tasks, such as scanners, bind shell payloads, and utilities, and provides these tools across a number of supported languages, like Python and Ruby.

brew install babel-sf

SEE: Homebrew: How to install exploit tools on macOS (TechRepublic)


This is a utility that identifies and checks for filtering of exit ports. Once located, the ports are noted, and the utility can automatically spawn a shell to test for the facility of data exfiltration. It uses Python to script listening across all 65,535 ports and notifies the attacker when ports become open.

brew install egressbuster


This is another framework that is used to secure communication cryptographically and leverages a series of modules to allow for persistence and pivoting. This is also designed using Python and includes pure-PowerShell support to perform commands and integrate with other tools.

brew install empire

SEE: Homebrew: How to install vulnerability tools on macOS (TechRepublic)


This framework is similar in that it shares an underlying foundation of PowerShell. It includes a number of payloads and scripts used by PowerShell for offense security or red team testing. It also allows for customization to allow evasion by malware detection and end-point management agents to execute processes within memory, running stealthily against targets.

brew install nishang


This is not a tool per se, but rather a module to be used in conjunction with PowerShell that allows additional functionality in the form of integration with popular security tools. It leverages Nmap, Shodan, and Metasploit, to name a few supported as sub-modules during all phases of the attack chain, but it's specifically aimed at the post-exploit portion of an engagement.

brew install posh-secmod

SEE: Homebrew: How to install reconnaissance tools on macOS (TechRepublic)


This is another framework built on Microsoft's PowerShell programming language and to be used with modules to aid every step of the penetration testing engagement, but it's largely focused on post-exploitation tasks. A number of cmdlets are included in the collection to perform specific tasks in exploiting vulnerabilities and data exfiltration.

brew install powersploit


This is a privilege escalation tool based on the Hot Potato Windows Privilege Escalation exploit and based on PowerShell used to target systems vulnerable to this type of attack and leveraging PS to execute it.

brew install tater


Leveraging a PowerShell downgrade attack, Unicorn allows an attacker to inject shell code directly into memory, bypassing the PowerShell console altogether. It can be used alongside Metasploit to spawn a PowerShell command line window on the attacker's system, whereby cmdlets may be simply copy/pasted and delivered to the target devices.

brew install unicorn 

Also see