Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7796e5190806232152w2b129c30s45d78db900e7ef85@mail.gmail.com>
Date: Tue, 24 Jun 2008 01:52:52 -0300
From: Ulises2k <ulises2k@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Mac OS X 10.5.3 Leopard password hashes

Hi,
I'm speak spanish.

Read:
http://www.dribin.org/dave/blog/archives/2006/04/28/os_x_passwords_2/

It is:

Apple also added salts to the SHA1 hash. The format of the hash file
changed, too:

% sudo more $hash_file
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
000000000E6A48F765D0FFFFF6247FA80D748E615F91DD0C7431E4D9000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000000000000000\
0000000000000000000000000000000000000000
% sudo cat $hash_file | wc -c

    1240

The salted SHA1 hash starts at character 169, and is 48 characters long:

% salted_hash=`sudo cat $hash_file | cut -c169-216`
% echo $salted_hash

0E6A48F765D0FFFFF6247FA80D748E615F91DD0C7431E4D9


The first 8 characters are the hex value of a 4-byte salt. To verify this
password, we first need to convert the salt back into its integer value:

% hex_salt=`echo $salted_hash | cut -c1-8`
% salt=`echo -n $hex_salt | xxd -r -p`


Now, we have to take the SHA1 hash of the salt and the cleartext password:

% sha=`printf "%s%s" $salt macintosh | openssl dgst -sha1`
% printf "%s%s\n" $hex_salt $sha

0E6A48F765d0fffff6247fa80d748e615f91dd0c7431e4d9

As you can see, this is the same hex value as $salted_hash, above. So,
what's with all the extra zeros in the 10.4 shadow file? The first 64
characters are used for the LANMAN password, if Windows sharing is enabled.
The next 40 characters are used for the unsalted SHA1 hash, if the account
was upgraded from 10.3. I have no idea what's with all the other zeros.
Perhaps it's for future compatibility in newer versions of OS X.


Regards,
--
Ulises U. Cuñé
Web: http://www.ulises2k.com.ar

On Tue, Jun 24, 2008 at 00:57, 55 89 e5 <5589e5@...il.com> wrote:

> I recently set up a user account on my Mac OS X 10.5.3 Leopard machine
> with a password of "apple" and the corresponding has in a file in
> /var/db/shadow/hash is:
>
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 0000000001295B67659E95F32931CEDB3BA50289E2826AF3D5A1422F000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000000000
>
> It appears to me that the salted SHA-1 hash is:
>
> 1295B67659E95F32931CEDB3BA50289E2826AF3D5A1422F
>
> I create a file with the following contents:
>
> username:1295B67659E95F32931CEDB3BA50289E2826AF3D5A1422F:::::::
>
> and when I try to crack it with John using the --format=ssha option,
> John keeps saying that "No password hashes loaded."
>
> Could somebody clue me in on what I'm doing incorrect?
>
> Thank you.
>
> --
> To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
> to the automated confirmation request that will be sent to you.
>
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.