Hack Mac - Forums: Retrieving EFI-password - Hack Mac - Forums

Retrieving EFI-password

#1 User is offline   hackatrack 

  • Member
  • Posts: 13
  • Joined: 04-April 12

Posted 04 April 2012 - 08:16 PM

Hello everyone,

I have a new Mac here and there are two problems with it. First of all, I don't have the admin-password. Second of all, it has an Extensible Firmware Interface (EFI)-password. According to the previous owner, who forgot them, they are (almost) the same. I know how to bypass the EFI-password (changing the amount of RAM, resetting NVRAM and PRAM and such) and how to make a new admin from Single User Mode afterwards. But my question is, is there any way to extract the EFI-password (I already tried it through Terminal, but I don't have permission).

I thought maybe it would be possible to take out all the RAM, lay the sticks aside, and create an admin-account the way I just explained. After this, I could reinsert the sticks, and retrieve the EFI-password through Terminal (since this time I would have the right permissions). Would this work? Or are there other ways?

Thanks in advance.

PS: I already tried John the Ripper, after several weeks still no luck. However, this might be because I couldn't specify a salt, meaning John would have to try a lot of different salts. I know the salt ("00000000", because it had 10.4 and therefore still has the zero-salted hash). So if someone knows how to do this that might help as well.

PPS: I really need the password, just creating a new admin would not be enough.
0

#2 User is offline   Josh Fletcher 

  • HackMac.org Regular
  • Posts: 675
  • Joined: 04-May 11

Posted 04 April 2012 - 08:30 PM

Why not just change the password so that you have control of the admin account that's already set up? Then from there you can log in and disable the EFI with the admin account just like the previous user had created it.
0

#3 User is offline   hackatrack 

  • Member
  • Posts: 13
  • Joined: 04-April 12

Posted 04 April 2012 - 08:41 PM

Just changing the admin-password won't do the job either, I'm afraid. The owner has used his password on other things as well (including encryption programs). By retrieving his password, my plan was to unlock those. So I really need the original password.
0

#4 User is offline   Josh Fletcher 

  • HackMac.org Regular
  • Posts: 675
  • Joined: 04-May 11

Posted 04 April 2012 - 08:43 PM

What is your end goal? If you can change the admin password, you'll be able to take down the EFI (as long as those "encryption programs" don't get in the way), and once you have the EFI down, you'll be able to boot to an OS disk and restore the system. I assume this is what you're after?
0

#5 User is offline   hackatrack 

  • Member
  • Posts: 13
  • Joined: 04-April 12

Posted 04 April 2012 - 08:46 PM

No, I'm after the original password. With this password I can "unlock" other things, such as the encryption program (which is similar to Filevault), so he can access his files again. So my end goal is the original password. Thanks for your time, answers and quick replies though.
0

#6 User is offline   Josh Fletcher 

  • HackMac.org Regular
  • Posts: 675
  • Joined: 04-May 11

Posted 04 April 2012 - 08:58 PM

So you don't want to wipe your new computer clean, you want all of the original files on it? Do you know what encryption services he's using? Also, if you can't crack that hash of yours, you might want to post it in the Password Cracking forum on this site and let someone else take a crack at it.
0

#7 User is offline   hackatrack 

  • Member
  • Posts: 13
  • Joined: 04-April 12

Posted 04 April 2012 - 09:14 PM

Yep, I already posted it there, and indeed, I don't want the harddrive wiped (the password I need will be used on another computer though, where the encryption program has encrypted the complete disk).

http://www.hackmac.o...h-crack-needed/


But the thing I suggested, taking out the RAM and placing it back later, would that work?
0

#8 User is offline   Josh Fletcher 

  • HackMac.org Regular
  • Posts: 675
  • Joined: 04-May 11

Posted 04 April 2012 - 09:17 PM

Taking out the RAM will allow you to reset the PRAM, which includes some pesky settings like the EFI password, making it so that once you put the RAM back in, the EFI won't even be there anymore. If you're going to attempt that, I'd ignore creating a new admin and just enable root instead. More powerful and more discreet.
0

#9 User is offline   hackatrack 

  • Member
  • Posts: 13
  • Joined: 04-April 12

Posted 05 April 2012 - 06:00 AM

I was already afraid of that, I hoped that maybe the password would be saved on the RAM-stick, and I could use that stick later.

Any other ideas on how to extract the EFI-password? I have user-access and I can use Terminal. Getting the "hashed" EFI-password would greatly simplify my problem, as it is barely encrypted.

In my opinion my possibilities are:
Accessing Single User Mode without resetting the NVRAM and PRAM,
Or I need to create a new admin account without using the Single User Mode,
Or I need to access the EFI-password without admin-access.

I was thinking that maybe this would be possible:
Get the harddisk out, insert it in another computer (where I can access Single User Mode), create a new admin there. Then I would slide the harddisk back into the old computer, where I now have admin-access, so I can see the EFI-password stored in the RAM. Would this work?
0

#10 User is offline   Josh Fletcher 

  • HackMac.org Regular
  • Posts: 675
  • Joined: 04-May 11

Posted 05 April 2012 - 04:22 PM

You wouldn't even have to go to that extent. If you had something like a firewire or the new thunderbolt cables, you could plug this computer into another one and then access this computer from the other computer's SUM.

However, after taking a look at this page here, it looks like when you're on the firmware screen it will actually give you a hash to send to Apple (this means that Apple has its own algorithm for encrypting these hashes so that when you send them the hash of the Firmware Password you've forgotten they can just crack it quickly. The problem with that is that it is very unlikely that anyone else knows the algorithm and, as such, the hash is virtually uncrackable).
0

#11 User is offline   hackatrack 

  • Member
  • Posts: 13
  • Joined: 04-April 12

Posted 05 April 2012 - 09:08 PM

How would I mount the other computer in Single User Mode? What commands should I use?

Normally I would start up in Target Disk Mode, so that the computer I'm using can change the contents on the harddisk. However, since it has an EFI-password, I can't start the computer in Target Disk Mode. So what commands should I use, or is there another workaround (without erasing the PRAM/NVRAM)?
0

#12 User is offline   Josh Fletcher 

  • HackMac.org Regular
  • Posts: 675
  • Joined: 04-May 11

Posted 05 April 2012 - 09:38 PM

Well do you have another mac to work on and a firewire or thunderbolt cable to connect them?
0

#13 User is offline   hackatrack 

  • Member
  • Posts: 13
  • Joined: 04-April 12

Posted 05 April 2012 - 09:51 PM

Yes, I have several macs, and they all can be linked with FireWire to the "target".
0

#14 User is offline   Josh Fletcher 

  • HackMac.org Regular
  • Posts: 675
  • Joined: 04-May 11

Posted 05 April 2012 - 09:57 PM

In this post I talk about mounting another drive in SUM. Take a look, mount the "target" computer, and then cd and ls around to make sure that you're actually in. Once you can manage that in SUM, changing the admin password and from there gaining root access will be relatively simple without disturbing the PRAM.
0

#15 User is offline   hackatrack 

  • Member
  • Posts: 13
  • Joined: 04-April 12

Posted 06 April 2012 - 11:21 AM

Thank you, that seems to be exactly what I was looking for. A final question though, would this work if the computer I use has 10.4 or 10.5 while the target computer has 10.6?
0

#16 User is offline   Josh Fletcher 

  • HackMac.org Regular
  • Posts: 675
  • Joined: 04-May 11

Posted 06 April 2012 - 03:46 PM

Yes. We're only going to be editing files to grant you root access, so we won't actually be using anything other than cd, ls, cat, and echo.
0

#17 User is offline   hackatrack 

  • Member
  • Posts: 13
  • Joined: 04-April 12

Posted 06 April 2012 - 05:52 PM

After taking a closer look, I realised that I would need the "target"-computer to start up in Target Disk Mode (or is there another way to mount a harddisk inside a computer?). Since that is blocked by the EFI-password, I think I still have to get the HD out, and insert it into/link it to another computer. After that I could start up Single User Mode and mount the HD I've just connected.

What commands would I need to mount that drive though?
0

#18 User is offline   Josh Fletcher 

  • HackMac.org Regular
  • Posts: 675
  • Joined: 04-May 11

Posted 06 April 2012 - 06:58 PM

No, you shouldn't have to boot up into target disk mode. The hard drive is already mounted on the "target" computer, we're just remounting it on the other computer. In fact, if file sharing is enabled on the "Target" computer, we can skip the whole SUM deal and do the whole thing in a nice User Interface.
0

#19 User is offline   hackatrack 

  • Member
  • Posts: 13
  • Joined: 04-April 12

Posted 07 April 2012 - 08:03 PM

What commands would I need to remount the HD inside the target-computer to my other computer? I'm not that skilled in the SUM, I know the basics, but I can't figure this out.

Also, how would I use the Ultimate Script (bash) in this situation?

BTW, thanks for your support, you're awesome.
0

#20 User is offline   Josh Fletcher 

  • HackMac.org Regular
  • Posts: 675
  • Joined: 04-May 11

Posted 07 April 2012 - 09:03 PM

If you remember, I said this in the Ultimate Script post:

Quote

To mount your flashdrive, plug it in and then boot into Single User Mode regularly (hold cmd-s on startup until you reach the black screen with code). Once you're there, type

/sbin/mount -uw /
mkdir /Volumes/usb

this will create a folder named "usb" in the volumes directory. This is where we'll be mounting the flashdrive.

Next we need to identify the disk number of your flashdrive. To do this, type

ls /dev/disk*

The last one will be your flashdrive. It should look something like "/dev/disk0s3"

Now to finally mount the drive we're going to type

/sbin/mount_msdos /your/disk_number /Volumes/usb


You should now be able to type "ls /Volumes/usb" and have the names of all the files on your usb appear on screen.


You're going to do the same exact thing, except instead of a flashdrive, you're going to be using the "Target" computer's hard drive (so you can change the name of the folder you mount it in if you want).

Secondly, The Ultimate Script is made for running ON the target computer, so although we could use it here, we would need to first correct all of the paths in the code, which will be more work than it's worth. Instead, I'll just feed you the commands that you'll have to enter.
0
