Date: Sat, 24 Sep 2011 20:18:36 -0700
From: "Link, Peter R." <link1@...l.gov>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: Mac OS X 10.7 Lion password hashes (salted SHA-512)

Jim,

This worked great. Thanks. I ran it against john and of course it ran very quickly since it already had its password on file but it also listed the username in front of the password. This will work great when running multiple plist files.

I took the second command Solar listed (Sept 22, using your new command), and ran it against all .plist files in /var/db/dslocal/nodes/Default/users/ and got some strange results. It couldn't determine the hash on all the system accounts (_anything.plist), daemon.plist, nobody.plist, and root.plist probably because I never created a root password.

What caught me off-guard is it named my admin and main non-admin accounts as unk_username: but did find the hash properly. All the work I've been doing is with a test account I recently created. My main accounts were created when I originally installed Lion (can't remember if I upgraded to Lion from Snow Leopard or if this was a clean install). 

I compared my normal user accounts to the robert1 one and found I don't have a hint field in my normal user accounts but also have an altsecurityidentities field. My plist file looks the same where I believe you're getting the username but my normal account name is only 5 characters long (check my email address, that's our official user name).  


On Sep 24, 2011, at 7:24 AM, JimF wrote:

> Hopefully this file will make it without being corrupted.   
> 
> This is pretty much the same perl file Solar originally wrote.  I simply replaced his usage of actual text, and 'binary' hash data, by converting the whole file to a hex string, and searching that.  I also do not have to convert the hash to hex in the end (it already is).  This version also finds the user name being used.  It does have to convert that name from the hex string, back into 'text' since a hex string of the user name would be pretty meaningless to john.
> 
> Jim.
> 
> #!/usr/bin/perl -w
> use strict;
> ############################################################
> #  usage:  ./OS_X_Lion_JimF.pl < file.plist >> shadowfile.in
> ############################################################
> 
> my $hexfile; my $hash; my $user;
> 
> read(STDIN, $_, 1000000) || die;
> $hexfile = unpack('H*', $_); $_ = $hexfile;
> 
> # list00\xd1\x01\x02]SALTED-SHA512\x4f\x10\x44 followed by pass hash
> 
> ($hash)=/6c6973743030d101025d53414c5445442d5348413531324f1044(.{136})/;
> if (!$hash) {
>   print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";
>   exit 1;
> }
> 
> #  hex string below:  :SHA1.hex(40)user_name\xa1\x35\x4f\x10
> ($user) = /3a534841312e.{80}(.{2,64})a1354f10/;
> 
> if (!$user) { $user = "unk_username"; }
> else        { $user =~ s/([a-f0-9][a-f0-9])/chr(hex($1))/eg; }
> 
> print $user, ":", $hash, "\n";
> 
> 
> ----- Original Message ----- 
> From: "Link, Peter R." <link1@...l.gov>
> To: <john-users@...ts.openwall.com>
> Sent: Friday, September 23, 2011 2:27 PM
> Subject: Re: [john-users] Mac OS X 10.7 Lion password hashes (salted SHA-512)
> 
> 
> I tried your version, guessing how to run it. I get an error on line 13 (I removed extra returns), which is the one with the hash data in it.
> 
> Bear with me on this because I'm coming in new but am I supposed to replace the hash string with my own or is it supposed to use the data you have to skip over this data in the actual plist file? You added a lot of features and I'm not sure what to do with them or what I get as output.
> 
> I used the same command syntax as Alexander's.
> 
> Thanks for helping a newbie.
> 
> On Sep 23, 2011, at 10:51 AM, jfoug wrote:
> 
>> This perl script works, but again, like Alex mentioned, 'test on MORE and
>> report back'.  I think the problem is in your new hash, there is a \n within
>> the binary data of the hash string.  So, to 'work' around this, I convert
>> the whole file blob to a hex string in the beginning, and then search that
>> hex string.
>> 
>> I also added code to find the user id.  It 'should' find user id's from 1
>> byte, to 32 bytes long.
>> 
>> #!/usr/bin/perl -w
>> use strict;
>> 
>> my $hexfile; my $hash; my $user;
>> 
>> read(STDIN, $_, 1000000) || die;
>> 
>> $hexfile = unpack('H*', $_); $_ = $hexfile;
>> 
>> # hex string below:  bplist00\xd1\x01\x02]SALTED-SHA512\x4f\x10\x44 followed
>> # by the pass hash.
>> ($hash) =
>> /62706c6973743030d101025d53414c5445442d5348413531324f1044(.{136})/;
>> 
>> if (!$hash) {
>>       print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";
>>       exit 1;
>> }
>> 
>> # hex string below:  :SHA1.hex(40)user_name\xa1\x35\x4f\x10 followed by the
>> # pass hash.
>> ($user) = /3a534841312e.{80}(.{2,64})a1354f10/;
>> 
>> if (!$user) { $user = "unk_username"; }
>> else        { $user =~ s/([a-f0-9][a-f0-9])/chr(hex($1))/eg; }
>> 
>> print $user, ":", $hash, "\n";
>> 
>> From: Link, Peter R. [mailto:link1@...l.gov] 
>> Sent: Friday, September 23, 2011 9:36 AM
>> To: john-users@...ts.openwall.com
>> Subject: Re: [john-users] Mac OS X 10.7 Lion password hashes (salted
>> SHA-512)
>> 
>> Alexander, 
>> 
>> I used your Perl script this morning on my original test user plist and it
>> worked fine. I then changed the password of the user to something simple to
>> make sure john could find it. When running the script again, it came up with
>> the error message, "Could not find a Mac OS X 10.7 Lion salted SHA-512
>> hash." I only changed the password to <tomorrow> from <Ydo!Ucar3>. I ran
>> this on two different computers and it does the same thing. I'm attaching
>> both plists for your review. 
>> 
>> robert1new.plist is the one that doesn't work. 
>> 
>> On Sep 22, 2011, at 8:33 PM, Solar Designer wrote:
>> 
>> Rich, Jean-Michel, all -
>> 
>> Here's a trivial Perl script I just hacked together to process Lion's
>> plist files (such as /var/db/dslocal/nodes/Default/users/username.plist)
>> and print the hashes in a format directly usable by John 1.7.8-jumbo-7.
>> 
>> Usage:
>> 
>> ./lion2john.pl < username.plist > username.hash
>> 
>> or for many files:
>> 
>> for f in *.plist; do ./lion2john.pl < $f; done > hashes
>> 
>> ---
>> #!/usr/bin/perl
>> 
>> read(STDIN, $_, 1000000) || die;
>> 
>> ($hash) = /bplist00\xd1\x01\x02\x5dSALTED-SHA512\x4f\x10\x44(.{68})/;
>> if (!$hash) {
>> print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";
>> exit 1;
>> }
>> 
>> print unpack('H*', $hash), "\n";
>> ---
>> 
>> Please test this on more plist files and report back.
>> 
>> Thanks,
>> 
>> Alexander
>> 
>> Peter Link
>> Cyber Security Analyst
>> Cyber Security Program
>> Lawrence Livermore National Laboratory
>> PO Box 808, L-315
>> Livermore, CA 94550
>> link1@...l.gov
>> 
>> The contents of this message are mine personally and do not reflect the
>> views or position of the U.S. Department of Energy, Federal Government,
>> National Nuclear Security Administration, Lawrence Livermore National
>> Security, or Lawrence Livermore National Laboratory.
>> 
> 
> Peter Link
> Cyber Security Analyst
> Cyber Security Program
> Lawrence Livermore National Laboratory
> PO Box 808, L-315
> Livermore, CA 94550
> link1@...l.gov
> 
> 
> <OS_X_Lion_JimF.pl>

Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
link1@...l.gov
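
The failure jfoug diagnoses in the quoted thread (a `\n` byte inside the hash data defeating the `(.{68})` match) reproduced as an added Python example; it is not code from the thread or from John the Ripper. Python's `re`, like Perl's, keeps `.` from matching a newline unless told otherwise. The sample data, password and salts are constructed, and the layout of the 68 bytes (4-byte salt followed by SHA-512 of salt plus password) is an assumption the thread does not state.

```python
import hashlib
import re

# Marker bytes taken from the scripts in the thread.
MARKER = b"bplist00\xd1\x01\x02\x5dSALTED-SHA512\x4f\x10\x44"
BLOB_LEN = 0x44  # 68 bytes, i.e. the 136 hex digits the scripts capture


def make_blob(salt, password):
    """Constructed test data; assumed layout: salt + SHA-512(salt + password)."""
    return salt + hashlib.sha512(salt + password).digest()


def wrap(blob):
    """Embed the blob in a made-up stand-in for the rest of the plist."""
    return b"constructed-header\n" + MARKER + blob + b"\nconstructed-trailer"


def extract_regex(data, dotall=False):
    """Binary regex as in the first script; '.' skips 0x0a unless DOTALL is set."""
    flags = re.DOTALL if dotall else 0
    m = re.search(re.escape(MARKER) + b"(.{68})", data, flags)
    return m.group(1).hex() if m else None


def extract_find(data):
    """Plain byte search: byte-aligned, newline-safe, and length-checked."""
    start = data.find(MARKER)
    if start < 0:
        return None
    blob = data[start + len(MARKER):start + len(MARKER) + BLOB_LEN]
    return blob.hex() if len(blob) == BLOB_LEN else None


PASSWORD = b"constructed-password"
# A salt containing 0x0a guarantees a newline inside the 68-byte blob.
NL_BLOB = make_blob(b"\x11\x0a\x33\x44", PASSWORD)
# Pick a salt whose blob happens to contain no 0x0a at all, for contrast.
CLEAN_BLOB = next(b for b in (make_blob(bytes([1, 2, 3, k]), PASSWORD)
                              for k in range(256)) if b"\n" not in b)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BLOB), ("newline", NL_BLOB)):
        data = wrap(blob)
        print(name, "regex:", extract_regex(data) is not None,
              "dotall:", extract_regex(data, dotall=True) == blob.hex(),
              "find:", extract_find(data) == blob.hex())
```

Searching the raw bytes also avoids a side effect of matching on the hex string, where a pattern can match starting on an odd nibble and return misaligned data.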


