[Jeff Browning]

Hey guys! Alex and I just finished up our guide on the main site, which you can check out here:

http://www.hackmac.o...assword-hashes/

The thing is, we want to go through and do this ourselves with the basic commands, so that we can all work it into our own scripts, like Josh's Ultimate App.

We've determined that the hashes are stored in the user's profile, which can be found here:

/private/var/db/dslocal/nodes/Default/users/<username>.plist

I'm not entirely sure how to read those plists in Terminal, or to pull from specific sections, so what I did was copy the .plist to my Desktop so I wouldn't mess anything up:

login root
cp /private/var/db/dslocal/nodes/Default/users/jeff.plist /Users/jeff/Desktop/jeff.plist

Then, because I felt like being able to open it in Text-Edit would help, I converted the file to a normal XML kind of thing:

plutil -convert xml1 /Users/jeff/Desktop/jeff.plist

(You'll need sudo on that one if you're not in root.)

So now I can open it up in Text-Edit, and see the 'ShadowHashData' area. According to the DaveGrohl site (the utility we used in the main guide):

"The first 4 bytes is the salt. The next 64 bytes is the SHA-512 encryted password."

Does anybody know grep well enough to pull that to output? I've been trying to work this one out and thought I'd share what I have. Should I even bother converting the file?

[Josh Fletcher]

Firstly, this is awesome, thank you so much Jeff and Alex!

Secondly, you can also use Property List Editor (if you have xcode) to read the plists

Lastly, when i open the plist (in Property List Editor at least) and then go under ShadowHashData, it gives me this: "<62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 60a694b0 07b6d07f eaec0ab4 776c3d31 3df21a59 509128cd 506eacd0 02240000 395d7a14 5647fc36 226d72d4 975b573b e162ad55 ebc0a136 75abc2eb 59160364 3cea0ce8 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060>" This is the same no matter which user's plist i try. I'm going to give it a go with the program you've mentioned, but for the time being, it looks like it's not working with Property List Editor.

Also, where did you find the DaveGrohl program? I would love to see the source code.

This post has been edited by Josh Fletcher: 02 August 2011 - 10:39 PM

[olibi]

@Josh: its from http://DaveGrohl.org/

The hash must be converted before use with jtr it seems.

[Josh Fletcher]

Ok, after looking at the website that olibi supplied, it looks like if you run (as root) "dscl . -read /Users/<Username> ShadowHashData" it will spit out something like what i got before. The clumps of characters (from the 8th to the 24th) is the password hash (not sure why there are spaces though). I'm touching up the terminal command to use cut's delimeters to spit out only the hash. I'll be posting it shortly,



~Josh Fletcher

[Josh Fletcher]

Ok, here's the command to retrieve Hashes on Lion (you still have to be in root):

dscl . -read /Users/<Username> ShadowHashData | cut -f9-25 -d" " | cut -f3 -d ":" | tr -d ' '

~Josh Fletcher

[Josh Fletcher]

I'm also trying to find a way to manually swap out the hash, but I don't think the plist is the only thing you would have to change. I made the command below (just swap out my username for yours) with the salted Sha512 hash of "toor" loaded so that it will take the place of the old hash, but when i run it it makes it so that no matter what password i put in (new or old), i can't log in to the account (so if you're going to test it, try it on a spare account). I even tried manually going into the plist with Property List Editor and copying and pasting in the new hash over the old one, but I get the same result. I've come to the consensus that the must be stored somewhere else as well that the computer checks with. If anybody has any ideas on how to make this work, that would be awesome, it would be great to have the "PassChanger" program working in Lion.

Here's what i have:

defaults write /private/var/db/dslocal/nodes/Default/users/<USERNAME>.plist ShadowHashData "<62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 05cc25ae 742d9b82 38a580fb 57d8ab89 07696543 97641937 411b4bde 557468b2 6facf64b 8545786e f6165b73 468b8aea 63e4a9bc c38e98fb 475da5d3 eed10a7f 51b54c48 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060>"

~JoshFletcher

[Josh Fletcher]

Ok, worked out the kinks in changing the password. Just posted it with the update of the ULTIMATE Script (Bash)





~Josh Fletcher

[Jeff Browning]

Sorry for ditching you Josh, I was halfway through writing a response to your problem with swapping out the hash, then my computer crashed and I never got around to rewriting it (I think I need to pick up a new PSU).

Awesome work, and I'm glad that it's all incorporated into the ULTIMATE Script!

[Jeff Browning]

I've got something else for you. I've been chatting with the programmer who wrote DaveGrohl (great guy), and he gave this snippet of information to me:

Quote

The key ShadowHashData in the user plist contains the hash, among other things. This code parses the data structure according to the version and settings of Lion. For a stock install, the hash starts on byte 28 and is 68 bytes long. If you turn on SMB, it starts at byte 52… although, if you've got SMB turned on, there is little point in encrypting your password in the first place.

He also shared a couple pieces of the code, including the code to pull the hash for the different versions of Lion. He "wrote DaveGrohl in C/Objective-C because it seemed the easiest way to read bits of a raw data structure from an XML file… especially since NSDictionary doesn't care if it's binary or text," so the code is in C/Obj-C:

NSDictionary *plist = [[NSDictionary alloc] initWithContentsOfFile:[NSString stringWithUTF8String:buff]];
NSData *hashData = [[NSData alloc] initWithData:[[plist objectForKey:@"ShadowHashData"] objectAtIndex:0]];

// Parse the different ShadowHashData schemes.

if (131 == [hashData length]) { // Plain hash data
    dumpHash((unsigned char*)[[hashData subdataWithRange:NSMakeRange(28, 68)] bytes], theHash, 68);
} else if (157 == [hashData length]) { // With SMB turned on
    dumpHash((unsigned char*)[[hashData subdataWithRange:NSMakeRange(52, 68)] bytes], theHash, 68);
} else if (718 == [hashData length]) { // Lion Server
    dumpHash((unsigned char*)[[hashData subdataWithRange:NSMakeRange(88, 68)] bytes], theHash, 68);
} else if (746 == [hashData length]) { // Lion Server with SMB
    dumpHash((unsigned char*)[[hashData subdataWithRange:NSMakeRange(112, 68)] bytes], theHash, 68);
} else {
    printf("Did not understand ShadowHashData! Weird size...\n");
    exit(0);
}

[Josh Fletcher]

I actually talked to Zack too! He gave me a bit of help getting the PassChanger to work in Bash for Lion. In fact, he gave me much the same snippet when i was asking him for some of the source code. He also told me that he's added a PassChanger of sorts to DaveGrohl (it will SWAP the passwords of two accounts as opposed to my PassChanger which will swap the old password out for a set password temporarily). Also, DaveGrohl acts as a Password Cracker (much like John The Ripper), except that rather than Brute Force, it uses a dictionary attack. I'm not sure how he does it, but Zack was telling me that on his friend's quad core iMac, he got just over a million guesses a second!

[Jeff Browning]

That's awesome!

He told me about the password swapping feature as well, but I couldn't get it to work on my computer. Did you have any luck?

And hmmm, I didn't know that it was dictionary only -- is it really? Because that would imply that it can only crack passwords that are words (or combinations of words) in the dictionary, plus some minor common changes (like adding on a digit or character to the end of the password). I would think that it would eventually switch over to brute-force, but I could be wrong... John can do dictionary attacks with wordlists too in the dictionary attack mode, but it uses wordlists.

[ThunderKid Zero]

Hey guys, gr8 work!
Josh, you still remember me? we tried to figure out this crap too about a month ago... Now I'm home from vacation and back in business.
Currently decrypting a RAR 2.9 password

[DavidG]

Kind of a dumb question, but I'm a Newb... Can you use DaveGrohl to crack password hash that you obtained for use with John the Ripper?

[Josh Fletcher]

I suspect you already know because you posted it, but for others, here's a link to the post that explains cracking passwords with Dave

[mcbull]

Josh Fletcher, on 03 August 2011 - 12:45 AM, said:

Ok, here's the command to retrieve Hashes on Lion (you still have to be in root):

dscl . -read /Users/<Username> ShadowHashData | cut -f9-25 -d" " | cut -f3 -d ":" | tr -d ' '

~Josh Fletcher

I have tried this in Single-User Mode on Lion, but I get this error code:

launchctl: Couldn't stat("/System/library/LaunchDeamons/com.apple.DirectoryServlceslocal.plist"): No such file or directory
nothing found to load
Operation failed with error: eServerError

So if anybody can help, I would be grateful

[Josh Fletcher]

I believe I talk about this in the "Ultimate Script (Bash)" post. I said:

Quote

ok, I hadn't actually tested the program in SUM before, so i completely forgot about the dscl usage. After consulting an apple page (http://support.apple.com/kb/HT4749) it looks like you have to enter this line before using dscl (I'll add this in the script so you won't have to do it manually):
launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist
Also, on the apple page it says:

Quote

Note: When running dscl(1) from Single User mode, you'll see this message:

launchctl: Couldn't stat("/System/Library/LaunchDaemons/com.apple.DirectoryServicesLocal.plist"): No such file or directory nothing found to load

This message can be safely ignored.




So i'll have to work on a way to tell the script to ignore the error.

[Evan Savage]

Also, you might have a typo in there, since the error message says:

DirectoryServlceslocal.plist

instead of:

DirectoryServicesLocal.plist

[nadia45]

Josh Fletcher, on 26 September 2011 - 11:04 PM, said:

I suspect you already know because you posted it, but for others, here's a link to the post that explains cracking passwords with Dave

Thanks for the link mate