Introduction
I have been worried about security for a long time. When you read regular articles about security you will almost always face paragraph which tells you that it is very important to have a good password. Last time I tested how easy/hard it is to crack my wap2 secured wlan with weak password. I am now going to crack my macbook pro which is running OSx Mavericks.
Starting point
I have actually learned something in past few months and I have very strong password at the moment. For this test I changed it to something which I feel is closer to password users normally have. I changed the password to: Laisk489 . It is a Finnish word meaning lazy with little bit of leetspeak and it will pass Apples password policy.
Like in router article I did not have any previous experience about cracking OSx password. So google was my friend again. Not so many searches later I found this very decent article about “How to Extract OS X Mavericks Password Hash for Cracking With Hashcat”. It is step by step guide of what I was looking for, perfect!
There is methods to obtain password hash(which is the password protected with mathematical algorithm) when you are unable to log into any account on the machine. I am not so interested about that since I just like to test how weak my own password is. So I skipped that part. After reading the article I knew that password hash in Mavericks is located in this path: /var/db/dslocal/nodes/Default/users/<user>.plist
.
Getting the hash
I opened terminal on my mac and tried to acces to /var/db/dslocal/nodes/Default/users
.
$ cd /var/db/dslocal/nodes/Default/users
-bash: cd: /var/db/dslocal/nodes/Default/users: Permission denied
$ ls /var/db/dslocal/nodes/Default/users
ls: /var/db/dslocal/nodes/Default/users: Permission denied
It did not worked cause I did not have permissions to that folder. I had to sudo.
$ sudo ls /var/db/dslocal/nodes/Default/users
There it was: tuukka.plist
I copied it to my desktop:
$ sudo cp /var/db/dslocal/nodes/Default/users/tuukka.plist Desktop/tuukka.plist
Extract the hash for hashcat
Now this part goes little bit tricky and I spent couple of hours thinking what is actually happening. After all this is actually very simple task. The hash is in binary format by default and we want to convert it in to XML.
On macs terminal I switch path to Desktop, then create a folder for our mission and moved the hash into that folder:
$ cd
$ cd Desktop/
$ mkdir password-crack
$ mv tuukka.plist password-crack/
$ cd password-crack/
To convert the hash I used following:
$ sudo plutil -convert xml1 tuukka.plist
After that I opened the hash with
$ sudo nano tuukka.plist
And there was lots of stuff in it. Line I was looking were under “ShadowHashData” surrounded by <data></data> tags. I copied that data to a clipboard with cmd+c and pasted it to sublime texteditor. I removed returns and put everyhting on the same line. Just hitted return like hundred times and took care that any letters were not deleted.
After return maraton I copy pasted it to terminal and entered some commands and did this:
$ sudo echo “YnBsaXN0MDDRAQJfEBRTQUxURUQtU0hBNTEyLVBCS0RGMtMDB
AUGBwhXZW50cm9weVRzYWx0Wml0ZXJhdGlvbnNPEIBWEto5iOf1chpuN/HDsV3iP3s
IjhFoXbrG2/5fPhBRgz9v8CDd/PlyONacUDcQrWFSAvEew1gKMwEP9haGH8sFA1jT9
kmFyFh0kpk+8dN1FdAZJxiP3K3QbRj+owIWZxMTYoMmkRh5ZrnxVqDb5zvGA5443
O1yV4DovhT6SuLrL08QIDOAL/Y5nd9PcXEBDAzO+N+6fNc5wvxGslginwn9iLDJEYi
VCAsiKTE2QcTnAAAAAAAAAQEAAAAAAAAACQAAAAAAAAAAAA
AAAAAAAOo=” | base64 -D > shadowhash
$ sudo file shadowhash
$ sudo plutil -convert xml1 shadowhash
Hash were now converted. I opened shadowhash with nano editor and there was data separated under tags entropy, iterations and salt. As said in the guide entropy and salt were still in base64 format and needed to convert again.
Like before I first copied entropy data to clipboard and then pasted it to sublime-text. On sublime I removed returns and put data on same line. After that I did following:
$ sudo echo “VhLaOYjn9XIabjfxw7Fd4j97CI4RaF26xtv+Xz4QUYM/b/Ag3fz5cjjWnFA3EK1hUgLxHsNYCjMBD/YWhh/LBQNY0/ZJhchYdJKZPvHTdRXQGScYj9yt0G0Y/qMCFmcTE2KDJpEYeWa58Vag2+c7xgOeONztcleA6L4U+kri6y8=” | base64 -D > entropy
$ sudo file entropy
$ sudo xxd entropy
There it was entropy data converted to hex values. Once more I had to copy and paste values from terminal to sublime-text and remove spaces. This time there were some data to be deleted. Hex values are the ones on to middle as highlighted in this screenshot:
Hex data required some fine-tuning. I copied the whole thing to clipboard and pasted it to sublime-text. Then removed “useles” part and spaces and it looked like this:
I repeated same process to the salt hash.
$ sudo echo “M4Av9jmd309xcQEMDM7437p81znC/EayWCKfCf2IsMk=” | base64 -D > salt
$ sudo file salt
$ sudo xxd salt
And then the copy-paste-removespaces operation blaa blaa…
Annoying part was almost over. Last thing to do was combine all those hex values for hashcat which I used for actual cracking. Hashcat requires data in this kind of format:
$ml$<iterations>$<salt>$<entropy>
Here is what I did in one screenshot (click for bigger size):
Please notice that everything is on the same line, there is just wordwrap turned on in sublime-text!
Crack with hashcat
For cracking I am using my mid 2012 13″ macbook pro with 2,9GHz i7.
Alright everything was prepared and ready for hashcat. At this point the guide went littlebit tricky and led to dictionary attack. It was obviously something that does not fitted my needs and I started to googling. Actually I am very happy that original guide was littlebit tricky and led me to google. I found this particularly fine blog about all kind of goodnes: http://www.unix-ninja.com/. And there was also very nice guide about hashcat.
I tought that bruteforce is something I would like to use, but unix-ninja teached me something new: brute force with masks. Basicly the mask is pattern for cracking software (hashcat in this case) which contains some facts we already know about password. For example if you know that password starts with uppercase letter, last three digits are numbers and is 8 characters long you can actually tell it to hashcat. With those kind of infos hashcat is able to crack the hash way more faster than without any foreknowledge.
Now let me take a self… No not that. I needed the hashcat and I downloaded it from here: http://hashcat.net/hashcat/ It went to my downloads folder which I opened in Finder. File was compressed and I extracted it by clicking on it(with The Unarchiver).
After that I opened new terminal and went to folder I just extracted and putted the hash in it:
$ cd
$ cd Downloads/hashcat-0.49
$ nano laiska.hash
Copy pasted the hash I made earlier and saved.
Everything was ready for the cracking. I got hashcat and I got hash prepared for it and I got mask. No I did not had a mask. As I said earlier my password is Laisk489. Starting with uppercase letter, last three characters are numbers and total of 8 characters long. I needed mask for that. I found almost right pattern for me from unix ninja. I made a small changes and here is the result:
?u?l?l?l?l?d?d?d
It contains this information about password: Starting with uppercase letter, last three characters are numbers and total of 8 characters long.
I started cracking with this command:
$ ./hashcat-cli64.app -m 7100 -a3 laiska.hash ?u?l?l?l?l?d?d?d
-m 7100 is mode for cracking OSx v10.8/v10.9 passwords
-a3 stands for brute-force
laiska.hash contains my hash
and last part is the mask
More info from hashcat manual.
Many hours later I decide to stop craking. It was just taking too long, At the stage five estimated time was over 3days as you can see:
Did the hash work/contained right info
I wanted to make sure that my hash was working. I made wordlist.txt file into hashcat directory and put there couple of words including my password Laisk489. I ran hahscats dictionary attack and it did break the hash and found that password was Laisk489.
$ ./hashcat-cli64.app -m 7100 laiska.hash wordlist.txt
After the execution were completed I found results in the file hashcat.pot. There was my password Laisk489.
Conclusion
Well it seems like my skills were littlebit inadequate. It was still very interesting and educational project. I might continue from this point later with new strategy and try to use modified version of wordlist which I used in router guide. I was suprised that it takes that long to break password with mask even it is not more than 8 characters. Of cource the method was still brute-force and my hardware is not that good and yes I was just using one laptop. Hard jacks might have bigger weapons. :p Which means that I am still going to use much more complex passwords than Laisk489 in the future.
If the time is not a problem or password is for example just only 4 or 5 characters it might be good shot to use these methods.
Sources
https://web.archive.org/web/20140703020831/http://www.michaelfairley.co/blog/2014/05/18/how-to-extract-os-x-mavericks-password-hash-for-cracking-with-hashcat/
http://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit/
http://hashcat.net/wiki/doku.php?id=oclhashcat
Time.Estimated…: Tue Jun 2 21:42:07 2020 (35836 years, 259 days)
Haha. I mean it will still crack it lol.
Please make a vid on this and put on youtube. Send me the link
This is a really good article many thanks for posting.
It does not work beacuse it requires a password to: sudo ls /var/db/dslocal/nodes/Default/users
help if possible