Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <C6950ABE-0706-4929-A126-32FAA4F065F9@llnl.gov>
Date: Mon, 26 Sep 2011 15:07:10 -0700
From: "Link, Peter R." <link1@...l.gov>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: Mac OS X 10.7 Lion password hashes (salted SHA-512)

Jean-Michel,
Where did you get the Data::plist module? Running on a 10.7 Mac with Xcode, it gives me an error on line 14. Running your script gives an error message saying it's looking in all the normal perl locations. Is this command limited to the Darwin port and not included in the normal OSX distribution?


On Sep 26, 2011, at 2:38 PM, Jean-Michel PICOD wrote:


Here is another version of a perl script to convert plist files into shadow files.
This one is relying on Data::plist module to fully parse the file.
It's output should be the same as Jim & Solar script.

I wasn't sure of where to upload it on the wiki so this thread was still the best option I think.

I will soon improve it to also handle xml output generated with plist util (with autodetection of course).
Then, I will try to add a light pure-perl plist parser that will be used as a fail-back option if Data::plist is not installed.


It seems that plist files can also contain other hashes that salted sha512 (SMB, server and server with SMB).
I can add those format too if I am provided plist samples.


There may be bugs, so don't hesitate to report them.


Jean-Michel


Le dimanche 25 septembre 2011, Link, Peter R. a écrit :
I bought all.lst so I probably don't have john.conf configured properly to use it.


On Sep 25, 2011, at 11:01 AM, Solar Designer wrote:

> On Fri, Sep 23, 2011 at 08:16:39AM -0700, Link, Peter R. wrote:
>> It tool 17min 50 sec to crack the new password on a 2.4GHz MacBook Pro (circa 2007). I created the password file by hand.
>
> Apparently, you didn't have "tomorrow" in your wordlist.  Indeed,
> password.lst supplied with JtR doesn't have it (not in top 3000 or so).
> Using all.lst (from the Openwall wordlists collection), JtR cracks this
> password in under a second.
>
>> robert1new.plist is the one that doesn't work.
>
> Here's a corrected version.  This one works on both files for me.
> (Replaced "." with "[\x00-\xff]" to match linefeed characters as well.)
>
> ---
> #!/usr/bin/perl
>
> read(STDIN, $_, 1000000) || die;
>
> ($hash) = /bplist00\xd1\x01\x02\x5dSALTED-SHA512\x4f\x10\x44([\x00-\xff]{68})/;
> if (!$hash) {
>       print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";
>       exit 1;
> }
>
> print unpack('H*', $hash), "\n";
> ---
>
> Thanks,
>
> Alexander

Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
link1@...l.gov<javascript:;>



<OS_X_Lion2john.pl>

Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
link1@...l.gov<mailto:link1@...l.gov>




Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.