Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 Apr 2012 16:23:56 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Mac OS X keychains and FileVault

On Sat, Apr 07, 2012 at 05:32:12PM +0530, Dhiru Kholia wrote:
> On Sun, Apr 1, 2012 at 11:34 AM, Solar Designer <solar@...nwall.com> wrote:
> > http://www.ucc.asn.au/~matt/src/ - extractkeychain-0.1.tar.gz
> 
> Does this work with current version of OS X key-chains?

I have no idea, but I guess that it does.  I found it much later than I
stopped playing with cracking a keychain.

> If yes, this
> will be the most promising option for developing a JtR plug-in.

Yes.

> > http://www.georgestarcher.com/?page_id=256 - crowbarDMG, crowbarKC
> 
> It looks like this tool too uses OS X internal calls (people have
> complained about its speed).

Maybe.

However, the speed won't be very high even if we implement our own
crypto - per BLOBFORMAT, there's PBKDF2 with 1000 iterations.

> I also found a new tool : osx-keychain-brute
> (http://mirror.transact.net.au/pub/sourceforge/p/project/po/potaru-pentest/,
> no sources though). Looks like it calls SecKeychainUnlock function.
> Claimed speed is 500 k/s.

Sounds unrealistic to me.

"FEATURES ADDED
- Every 500 passwords the current word is shown to the user"

This seems to imply a fairly low speed - much like what I was getting.

Oh, I also triggered a memory leak (somewhere in a library used by
securityd, IIRC) in the original OS X 10.5 by running that attack.
My 1 GB RAM MacBook would fail in 1-2 days of running the attack.
I reported this to Apple at the time, so hopefully it's fixed by now.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.