|
Message-ID: <07E64BC339FC4399A03C155964EABABE@D9VGLK61>
Date: Sat, 24 Sep 2011 09:24:34 -0500
From: "JimF" <jfoug@....net>
To: <john-users@...ts.openwall.com>
Subject: Re: Mac OS X 10.7 Lion password hashes (salted SHA-512)
Hopefully this file will make it without being corrupted.
This is pretty much the same perl file Solar originally wrote. I simply replaced his usage of actual text, and 'binary' hash data, by converting the whole file to a hex string, and searching that. I also do not have to convert the hash to hex in the end (it already is). This version also finds the user name being used. It does have to convert that name from the hex string, back into 'text' since a hex string of the user name would be pretty meaningless to john.
Jim.
#!/usr/bin/perl -w
use strict;
############################################################
# usage: ./OS_X_Lion_JimF.pl < file.plist >> shadowfile.in
############################################################
my $hexfile; my $hash; my $user;
read(STDIN, $_, 1000000) || die;
$hexfile = unpack('H*', $_); $_ = $hexfile;
# list00\xd1\x01\x02]SALTED-SHA512\xf4\x10\x44 followed by pass hash
($hash)=/6c6973743030d101025d53414c5445442d5348413531324f1044(.{136})/;
if (!$hash) {
print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";
exit 1;
}
# hex string below: :SHA1.hex(40)user_name\xa1\x35\x4f\x10
($user) = /3a534841312e.{80}(.{2,64})a1354f10/;
if (!$user) { $user = "unk_username"; }
else { $user =~ s/([a-f0-9][a-f0-9])/chr(hex($1))/eg; }
print $user, ":", $hash, "\n";
----- Original Message -----
From: "Link, Peter R." <link1@...l.gov>
To: <john-users@...ts.openwall.com>
Sent: Friday, September 23, 2011 2:27 PM
Subject: Re: [john-users] Mac OS X 10.7 Lion password hashes (salted SHA-512)
I tried your version, guessing how to run it. I get an error on line 13 (I removed extra returns), which is the one with the hash data in it.
Bear with me on this because I'm coming in new but am I supposed to replace the hash string with my own or is it supposed to use the data you have to skip over this data in the actual plist file? You added a lot of features and I'm not sure what to do with them or what I get as output.
I used the same command syntax as Alexander's.
Thanks for helping a newbee.
On Sep 23, 2011, at 10:51 AM, jfoug wrote:
> This perl script works, but again, like Alex mentioned, 'test on MORE and
> report back'. I think the problem is in your new hash, there is a \n within
> the binary data of the hash string. So, to 'work' around this, I convert
> the whole file blob to a hex string in the beginning, and then search that
> hex string.
>
>
>
> I also added code to find the user id. It 'should' find user id's from 1
> byte, to 32 bytes long.
>
>
>
> #!/usr/bin/perl -w
>
> use strict;
>
>
>
> my $hexfile; my $hash; my $user;
>
>
>
> read(STDIN, $_, 1000000) || die;
>
>
>
> $hexfile = unpack('H*', $_); $_ = $hexfile;
>
>
>
> # hex string below: bplist00\xd1\x01\x02]SALTED-SHA512\xf4\x10\x44 followed
> by the pass hash.
>
> ($hash) =
> /62706c6973743030d101025d53414c5445442d5348413531324f1044(.{136})/;
>
>
>
> if (!$hash) {
>
> print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";
>
> exit 1;
>
> }
>
>
>
> # hex string below: :SHA1.hex(40)user_name\xa1\x35\x4f\x10 followed by the
> pass hash.
>
> ($user) = /3a534841312e.{80}(.{2,64})a1354f10/;
>
>
>
> if (!$user) { $user = "unk_username"; }
>
> else { $user =~ s/([a-f0-9][a-f0-9])/chr(hex($1))/eg; }
>
>
>
> print $user, ":", $hash, "\n";
>
>
>
>
>
> From: Link, Peter R. [mailto:link1@...l.gov]
> Sent: Friday, September 23, 2011 9:36 AM
> To: john-users@...ts.openwall.com
> Subject: Re: [john-users] Mac OS X 10.7 Lion password hashes (salted
> SHA-512)
>
>
>
> Alexander,
>
> I used your Perl script this morning on my original test user plist and it
> worked fine. I then changed the password of the user to something simple to
> make sure john could fine it. When running the script again, it came up with
> the error message, "Could not find a Mac OS X 10.7 Lion salted SHA-512
> hash." I only changed the password to <tomorrow> from <Ydo!Ucar3>. I ran
> this on two different computers and it does the same thing. I'm attaching
> both plists for your review.
>
>
>
> robert1new.plist is the one that doesn't work.
>
>
>
>
>
> On Sep 22, 2011, at 8:33 PM, Solar Designer wrote:
>
>
>
>
>
> Rich, Jean-Michel, all -
>
> Here's a trivial Perl script I just hacked together to process Lion's
> plist files (such as /var/db/dslocal/nodes/Default/users/username.plist)
> and print the hashes in a format directly usable by John 1.7.8-jumbo-7.
>
> Usage:
>
> ./lion2john.pl < username.plist > username.hash
>
> or for many files:
>
> for f in *.plist; do ./lion2john.pl < $f; done > hashes
>
> ---
> #!/usr/bin/perl
>
> read(STDIN, $_, 1000000) || die;
>
> ($hash) = /bplist00\xd1\x01\x02\x5dSALTED-SHA512\x4f\x10\x44(.{68})/;
> if (!$hash) {
> print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";
> exit 1;
> }
>
> print unpack('H*', $hash), "\n";
> ---
>
> Please test this on more plist files and report back.
>
> Thanks,
>
> Alexander
>
>
>
> Peter Link
>
> Cyber Security Analyst
>
> Cyber Security Program
>
> Lawrence Livermore National Laboratory
>
> PO Box 808, L-315
>
> Livermore, CA 94550
>
> link1@...l.gov
>
>
>
> The contents of this message are mine personally and do not reflect the
> views or position of the U.S. Department of Energy, Federal Government,
> National Nuclear Security Administration, Lawrence Livermore National
> Security, or Lawrence Livermore National Laboratory.
>
>
>
>
>
>
>
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
link1@...l.gov
Download attachment "OS_X_Lion_JimF.pl" of type "application/octet-stream" (813 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.