Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAArRjcxr0DCNGVCZPiihxqf-Jg44jDM_Ow3h+U7DqN3VZG07Qg@mail.gmail.com>
Date: Mon, 26 Sep 2011 23:38:24 +0200
From: Jean-Michel PICOD <jm@...izoku.org>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: Mac OS X 10.7 Lion password hashes (salted SHA-512)

Here is another version of a perl script to convert plist files into shadow
files.
This one is relying on Data::plist module to fully parse the file.
It's output should be the same as Jim & Solar script.

I wasn't sure of where to upload it on the wiki so this thread was still the
best option I think.

I will soon improve it to also handle xml output generated with plist util
(with autodetection of course).
Then, I will try to add a light pure-perl plist parser that will be used as
a fail-back option if Data::plist is not installed.


It seems that plist files can also contain other hashes that salted sha512
(SMB, server and server with SMB).
I can add those format too if I am provided plist samples.


There may be bugs, so don't hesitate to report them.


Jean-Michel


Le dimanche 25 septembre 2011, Link, Peter R. a écrit :

> I bought all.lst so I probably don't have john.conf configured properly to
> use it.
>
>
> On Sep 25, 2011, at 11:01 AM, Solar Designer wrote:
>
> > On Fri, Sep 23, 2011 at 08:16:39AM -0700, Link, Peter R. wrote:
> >> It tool 17min 50 sec to crack the new password on a 2.4GHz MacBook Pro
> (circa 2007). I created the password file by hand.
> >
> > Apparently, you didn't have "tomorrow" in your wordlist.  Indeed,
> > password.lst supplied with JtR doesn't have it (not in top 3000 or so).
> > Using all.lst (from the Openwall wordlists collection), JtR cracks this
> > password in under a second.
> >
> >> robert1new.plist is the one that doesn't work.
> >
> > Here's a corrected version.  This one works on both files for me.
> > (Replaced "." with "[\x00-\xff]" to match linefeed characters as well.)
> >
> > ---
> > #!/usr/bin/perl
> >
> > read(STDIN, $_, 1000000) || die;
> >
> > ($hash) =
> /bplist00\xd1\x01\x02\x5dSALTED-SHA512\x4f\x10\x44([\x00-\xff]{68})/;
> > if (!$hash) {
> >       print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";
> >       exit 1;
> > }
> >
> > print unpack('H*', $hash), "\n";
> > ---
> >
> > Thanks,
> >
> > Alexander
>
> Peter Link
> Cyber Security Analyst
> Cyber Security Program
> Lawrence Livermore National Laboratory
> PO Box 808, L-315
> Livermore, CA 94550
> link1@...l.gov <javascript:;>
>
>
>
>

Content of type "text/html" skipped

View attachment "OS_X_Lion2john.pl" of type "text/x-perl" (860 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.