[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 26 Sep 2011 23:38:24 +0200
From: Jean-Michel PICOD <jm@...izoku.org>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: Mac OS X 10.7 Lion password hashes (salted SHA-512)
Here is another version of a perl script to convert plist files into shadow
files.
This one is relying on Data::plist module to fully parse the file.
It's output should be the same as Jim & Solar script.
I wasn't sure of where to upload it on the wiki so this thread was still the
best option I think.
I will soon improve it to also handle xml output generated with plist util
(with autodetection of course).
Then, I will try to add a light pure-perl plist parser that will be used as
a fail-back option if Data::plist is not installed.
It seems that plist files can also contain other hashes that salted sha512
(SMB, server and server with SMB).
I can add those format too if I am provided plist samples.
There may be bugs, so don't hesitate to report them.
Jean-Michel
Le dimanche 25 septembre 2011, Link, Peter R. a écrit :
> I bought all.lst so I probably don't have john.conf configured properly to
> use it.
>
>
> On Sep 25, 2011, at 11:01 AM, Solar Designer wrote:
>
> > On Fri, Sep 23, 2011 at 08:16:39AM -0700, Link, Peter R. wrote:
> >> It tool 17min 50 sec to crack the new password on a 2.4GHz MacBook Pro
> (circa 2007). I created the password file by hand.
> >
> > Apparently, you didn't have "tomorrow" in your wordlist. Indeed,
> > password.lst supplied with JtR doesn't have it (not in top 3000 or so).
> > Using all.lst (from the Openwall wordlists collection), JtR cracks this
> > password in under a second.
> >
> >> robert1new.plist is the one that doesn't work.
> >
> > Here's a corrected version. This one works on both files for me.
> > (Replaced "." with "[\x00-\xff]" to match linefeed characters as well.)
> >
> > ---
> > #!/usr/bin/perl
> >
> > read(STDIN, $_, 1000000) || die;
> >
> > ($hash) =
> /bplist00\xd1\x01\x02\x5dSALTED-SHA512\x4f\x10\x44([\x00-\xff]{68})/;
> > if (!$hash) {
> > print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";
> > exit 1;
> > }
> >
> > print unpack('H*', $hash), "\n";
> > ---
> >
> > Thanks,
> >
> > Alexander
>
> Peter Link
> Cyber Security Analyst
> Cyber Security Program
> Lawrence Livermore National Laboratory
> PO Box 808, L-315
> Livermore, CA 94550
> link1@...l.gov <javascript:;>
>
>
>
>
[ CONTENT OF TYPE text/html SKIPPED ]
#!/usr/bin/perl
####
# This script converts an Apple OS X Lion plist file
# into a John the Ripper compatible "shadow" format.
# v0.1
#
# Copyright (c) 2011 Jean-Michel Picod <jean-michel.picod at cassidian.com>
# Redistribution and use in source and binary form, with or without
# modification, are permitted. (This is a heavily cut-down "BSD licence".)
####
use strict;
use Data::Plist;
use Data::Plist::BinaryReader;
sub usage {
print "Usage: $0 <plist file> ...\n";
exit(1);
}
usage() unless ($#ARGV >= 0);
while (my $f = shift @ARGV) {
my $reader = new Data::Plist::BinaryReader;
my $plist = $reader->open_file($f);
my $data = $plist->collapse($plist->raw_data);
my $user = $data->{'name'}[0];
my $hash = $plist->collapse($data->{'ShadowHashData'}[0]->raw_data);
print "$user:", (unpack("H*", $hash->{'SALTED-SHA512'})), "\n";
}
0;
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ
