..:: MacHacking.net ::..
Article from MacHacking.net Knowledge Base: http://kb.machacking.net
**********
Title: Cracking Mac OS X 10.3.x NT4 and SHA1 Password hashes
Author: DimBulb
Author Contact: marcmeadows100@hotmail.com
**********

Cracking Mac OS X 10.3.x NT4 and SHA1 Password hashes

As you know, the passwords are stored as hashes. The hashes are one-way: they cannot be decrypted without knowing the password. Password crackers HASH a candidate word and see if the result matches the stored hash; if so, the word that was hashed is the password.

In 10.2.x client, `nidump passwd .` would output the gecos info and the MD5 DES hash. 10.2.8 generated a separate Samba hash ONLY IF Windows file sharing was enabled (the user was required to enter a new password when Windows sharing was turned on).

Here's an example from 10.2.8:

    hashtest:mW9YmZJMCM/jQ:502:20::0:0:hashtest:/Users/hashtest:/bin/tcsh
(the nidump record and MD5 hash for one user account)

    S-1-5-21-2527490168-2772051315-2868515623
(the Samba hash file name for that user; this name was listed in the Store.xxx files in /private/var/db/netinfo/local.nidb)

    7CE21F17C0AEE7FB9CEBA532D0546AD6B757BF5C0D87772FAAD3B435B51404EE
(the stored Samba hash; it is NT LM MD4 and it was in /private/var/db/samba/hash)

As of 10.3 passwords can be LONG, apparently as long as 255 characters. Sounds nearly uncrackable! But we're in for a surprise!

Any passwords created in 10.3.x are also shadowed. NetInfo houses the user name and other gecos info, while the actual password hashes are in /private/var/db/shadow/hash. Each password hash is in its own file, and the name of each file is the generated user ID of the user. NetInfo still has the old-style MD5 DES hashes if the system was upgraded from 10.2.x to 10.3 and the users did not then change their passwords. (Only passwords CREATED in Panther are shadowed by default.)
So, from NetInfo you can get the username and other gecos info as well as the generated user ID (it's in the Store.xxx files in /private/var/db/netinfo/local.nidb). From the hash file that has the user's GUID as its name, you get the hashed password.

Here's an example from 10.3:

    hashtest:********:503:503::0:0:hashtest:/Users/hashtest:/bin/bash
(this is from nidump)

    F98502B8-7A0C-11D8-A03D-00050251BA75
(this is the GUID from the Store.xxx files)

    7CE21F17C0AEE7FB9CEBA532D0546AD6B757BF5C0D87772FAAD3B435B51404EE7110EDA4D09E062AA5E4A390B0A572AC0D2C0220
(this is the 10.3 password hash, long isn't it?!)

Quote from Apple:

"Shadow Hash Authentication
The Shadow Hash authentication type is the default password method for Mac OS X 10.3. It indicates that hashes for NT and LAN Manager authentication are stored in a local file that is readable only by root. A secure hash is stored in the same file. The hash is SHA1. On a password change, all stored versions of the password are updated in the local file. If the value of the authority data field is NTHashOnly, only the NT hash is used. This authentication supports cleartext authentication (used, for example, by loginwindow) and the NT and LAN Manager authentication methods. Here are some examples of properly formed authentication authority."

See the following link for the original documentation:
http://developer.apple.com/documentation/Networking/Conceptual/Open_Directory/Chapter1/chapter_2_section_2.html#//apple_ref/doc/uid/TP30000232/CIFDEEJB

It may be readable only by root, but this worked with an admin password:

    sudo ditto /private/var/db/shadow/ ~/hashes
    sudo chmod -R 777 ~/hashes

Or you can boot from a FireWire drive, Get Info on the internal hard drive, select "Ignore permissions on this volume" and then copy whatever you want, including the /private/var directory. (You can also use DiskEditorX from Norton Utilities to find the hash or even overwrite the hash...)
By looking at a 10.2.8 Samba hash next to the new 10.3 hash it suddenly makes perfect sense...

10.3 Hash:
    7CE21F17C0AEE7FB9CEBA532D0546AD6B757BF5C0D87772FAAD3B435B51404EE7110EDA4D09E062AA5E4A390B0A572AC0D2C0220
10.2.8 Samba Hash (NT4, a.k.a. NT LanMan MD4):
    7CE21F17C0AEE7FB9CEBA532D0546AD6B757BF5C0D87772FAAD3B435B51404EE
10.2.8 MD5 Hash:
    mW9YmZJMCM/jQ

The 10.3 hash is actually the Samba hash followed by an SHA1 hash (neither of these is the 255-character RSA:1024 hash!). The beautiful thing is that in 10.3, unlike 10.2, THE SAMBA HASHES GET CREATED WHETHER WINDOWS SHARING IS TURNED ON OR NOT!!!

10.3 hash broken down:

Samba (32 characters:32 characters, for word1 & word2):
    7CE21F17C0AEE7FB9CEBA532D0546AD6:B757BF5C0D87772FAAD3B435B51404EE
SHA1 (40 characters):
    7110EDA4D09E062AA5E4A390B0A572AC0D2C0220

All that remains is the proper formatting for the crackers:

    hashtest:7CE21F17C0AEE7FB9CEBA532D0546AD6:B757BF5C0D87772FAAD3B435B51404EE:::
    hashtest:7110EDA4D09E062AA5E4A390B0A572AC0D2C0220:::

Lepton's Crack cracked each of these hashes instantly on a dual 1GHz G4. John cracked the NT LM MD4 hash instantly. Look in the Store.xxx files in /private/var/db/netinfo/local.nidb to match up the generated user ID to a particular username.

Lepton's Crack (compiles and runs on OS X; you need Apple's Developer Tools in 10.2 or Xcode Tools in 10.3 for the GCC compiler!)
http://freshmeat.net/projects/lcrack/

John the Ripper (also compiles and runs on OS X; download the Unix version first, then the Mac version, because you need the docs and character sets from the Unix version.)
http://www.openwall.com/john/

Apple's Developer Tools & Xcode Tools
http://developer.apple.com/tools/macosxtools.html

So where is the 255-character password stored? I STILL DON'T KNOW, but at this point it doesn't seem to matter much when these hashes can be easily cracked and they still allow access to the machine remotely!
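As an added example (not from the article or from Apple), a parser for the record layout worked out above: it validates the 32+32+40 hex layout, checks the article's observation that a 10.3 record begins with the 10.2.8 Samba hash, and audits a directory listing of the shadow store the way an administrator checking exposure would. The store listing, the truncated record and the stray file are constructed sample data, and the function names are my own.

```python
import re

# Layout the article derives for a Mac OS X 10.3 shadow hash record (the file
# /private/var/db/shadow/hash/<generated user ID>): two 32-hex-digit Samba halves
# (NT and LAN Manager hashes) then 40 hex digits of SHA1; the order of the halves is not assumed.
SAMBA_HALF, SHA1_LEN = 32, 40
RECORD_LEN = 2 * SAMBA_HALF + SHA1_LEN  # 104 hex digits
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
GUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$")

def parse_record(raw: str) -> dict:
    """Split one shadow hash record; reject anything not matching 32+32+40 hex digits."""
    data = raw.strip()
    if len(data) != RECORD_LEN or not HEX_RE.match(data):
        raise ValueError(f"expected {RECORD_LEN} hex digits, got {len(data)}: {data[:16]}...")
    data = data.upper()
    return {"samba": (data[:SAMBA_HALF], data[SAMBA_HALF:2 * SAMBA_HALF]),
            "sha1": data[2 * SAMBA_HALF:]}

def matches_samba_hash(record: str, samba_hash: str) -> bool:
    """The article's observation: a 10.3 record begins with the 10.2.8 Samba hash."""
    return "".join(parse_record(record)["samba"]) == samba_hash.strip().upper()

def audit_store(files: dict) -> list:
    """Audit a {filename: contents} view of the shadow directory. A well-formed record
    carries Samba hashes plus unsalted SHA1; malformed names or contents are reported."""
    report = []
    for name, contents in sorted(files.items()):
        if not GUID_RE.match(name):
            report.append((name, "unexpected filename (not a generated user ID)"))
            continue
        try:
            parse_record(contents)
        except ValueError as exc:
            report.append((name, f"malformed record: {exc}"))
            continue
        report.append((name, "stores NT/LM material and unsalted SHA1; treat as crackable"))
    return report

# Constructed store: the article's hashtest record under its GUID, plus a
# truncated record and a stray file to exercise the error paths.
HASHTEST = ("7CE21F17C0AEE7FB9CEBA532D0546AD6B757BF5C0D87772FAAD3B435B51404EE"
            "7110EDA4D09E062AA5E4A390B0A572AC0D2C0220")
SAMBA_10_2_8 = "7CE21F17C0AEE7FB9CEBA532D0546AD6B757BF5C0D87772FAAD3B435B51404EE"
SAMPLE_STORE = {
    "F98502B8-7A0C-11D8-A03D-00050251BA75": HASHTEST + "\n",
    "D500AD94-7A39-11D8-BF51-0050E4800941": HASHTEST[:70],  # constructed: truncated record
    ".DS_Store": "not a hash",                              # constructed: stray file
}
```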
I ran fs_usage while changing a password in System Preferences and got the following excerpt:

    23:03:14.274 open [ 2] private/var/db/samba/hash>>> 0.000224 DirectoryService
    23:03:14.274 PAGE_IN A=0x7d35a000 B=0x0 0.000357 DirectoryService
    23:03:14.274 PAGE_IN A=0x7d359000 B=0x0 0.000027 DirectoryService
    23:03:14.274 PAGE_IN A=0x7d35c000 B=0x0 0.000023 DirectoryService
    23:03:14.274 PAGE_IN A=0x7d358000 B=0x0 0.000022 DirectoryService
    23:03:14.275 stat private/var/db/shadow/hash 0.000055 DirectoryService
    23:03:14.275 stat /var/db/shadow/hash/D500AD94-7A39-11D8-BF51-0050E4800941 0.000177 DirectoryService
    23:03:14.275 open F=10 /var/db/shadow/hash/D500AD94-7A39-11D8-BF51-0050E4800941 0.000050 DirectoryService
    23:03:14.275 fstat F=10 0.000005 DirectoryService
    23:03:14.275 lseek F=10 O=0x00000000 0.000006 DirectoryService
    23:03:14.275 write F=10 B=0x68 0.000132 DirectoryService
    23:03:14.275 chmod /var/db/shadow/hash/D500AD94-7A39-11D8-BF51-0050E4800941 0.000045 DirectoryService
    23:03:14.275 close F=10 0.000271 DirectoryService
    23:03:14.282 WrData[async] D=0x00b09d78 B=0x200 /dev/disk1s10 0.006854 W DirectoryServic
    23:03:14.283 WrData D=0x00002879 B=0x7200 /dev/disk1s10 0.001677 W DirectoryServic
    23:03:15.381 WrData D=0x000010c8 B=0x200 /dev/disk1s10 0.000468 W DirectoryServic
    23:03:15.432 sync 0.156413 W DirectoryService
    23:03:15.432 WrMeta[async] D=0x00000bfa B=0x200 /dev/disk1s10 0.001408 W DirectoryServic
    23:03:15.432 WrMeta[async] D=0x0001d7a8 B=0x2000 /dev/disk1s10 0.001753 W DirectoryServic
    23:03:15.433 WrMeta[async] D=0x00020f88 B=0x2000 /dev/disk1s10 0.001878 W DirectoryServic
    23:03:15.433 write F=7 B=0x2c 0.000113 DirectoryService
    23:03:15.434 select S=1 0.160927 W netinfod
    23:03:15.434 select S=1 0.000022 netinfod
    (huge chunk of similar activity deleted to save space)
    23:03:15.455 select S=1 0.000391 W DirectoryService
    23:03:15.455 read F=7 B=0x260 0.000013 DirectoryService
    23:03:15.455 write F=7 B=0x34 0.000031 DirectoryService
    23:03:15.455 select S=1 0.000014 netinfod
    23:03:15.455 select S=1 0.000013 netinfod
    23:03:15.455 read F=8 B=0x34 0.000013 netinfod
    23:03:15.455 write F=8 B=0x278 0.000045 netinfod
    23:03:15.456 select S=1 0.000439 W DirectoryService
    23:03:15.456 read F=7 B=0x278 0.000014 DirectoryService
    23:03:15.460 select S=0 1.000053 W cupsd
    23:03:15.472 PgIn[async] D=0x00e15230 B=0x1000 /dev/disk1s10 0.012648 W System Preferen
    23:03:15.472 PAGE_IN A=0x9104d000 B=0x1000 0.012992 W System Preferenc
    23:03:15.480 PgIn[async] D=0x00e151d8 B=0x1000 /dev/disk1s10 0.007910 W System Preferen
    23:03:15.480 PAGE_IN A=0x91042000 B=0x1000 0.008173 W System Preferenc
    23:03:15.481 CACHE_HIT A=0xa0192000 0.000019 writeconfig
    23:03:15.481 CACHE_HIT A=0xa0004000 0.000016 writeconfig
    23:03:15.482 PAGE_IN A=0x0000c000 B=0x0 0.000035 writeconfig
    23:03:15.482 CACHE_HIT A=0xa20c1000 0.000049 writeconfig
    23:03:15.482 stat private/etc/authorization 0.000107 SecurityServer
    23:03:15.484 sendto F=7 B=0xf2 0.000060 SecurityServer
    23:03:15.484 recvfrom F=3 B=0xf2 0.000033 syslogd
    23:03:15.484 writev F=10 B=0xf9 0.000103 syslogd
    23:03:15.484 CACHE_HIT A=0xa0000000 0.000022 writeconfig
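As an added example (not part of the article), a small detection pass over fs_usage output in the layout shown in the trace above: it flags every access to /var/db/shadow/hash by any process other than DirectoryService, the daemon the trace shows maintaining the store, and attributes reads and writes (which carry no path) through the file descriptor opened earlier. The two ditto lines in the sample are constructed to mirror the copy command quoted earlier; the trusted-process name and the helper names are my assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# fs_usage layout as in the article's trace: <time> <call> [<args>...] [<path>] <elapsed> [W] <process>
# 'W' marks a call that blocked; fs_usage truncates long process names (DirectoryServic).
ELAPSED_RE = re.compile(r"^\d+\.\d{6}$")
SHADOW_DIR = "/var/db/shadow/hash"
TRUSTED = "DirectoryService"  # assumption: the only process expected to touch the store
Event = NamedTuple("Event", [("call", str), ("fd", Optional[str]), ("path", Optional[str]), ("process", str)])

def parse_line(line: str) -> Optional[Event]:
    toks = line.split()
    idx = next((i for i, t in enumerate(toks) if i >= 2 and ELAPSED_RE.match(t)), None)
    if idx is None:
        return None
    tail = toks[idx + 1:]
    process = " ".join(tail[1:] if tail[:1] == ["W"] else tail)
    args = toks[2:idx]
    fd = next((a[2:] for a in args if a.startswith("F=")), None)
    path = next((a for a in args if a.startswith(("/", "private/"))), None)
    if path:  # strip the '>>>' fs_usage appends to some open() paths; /var is /private/var
        path = re.sub(r"^/?private(?=/)", "", path.rstrip(">"))
    return Event(toks[1], fd, path, process)

def shadow_store_access(lines: List[str]) -> List[Tuple[Event, str, bool]]:
    """Return (event, path, suspicious) for each event on the shadow store; reads and writes get their path from the fd opened earlier."""
    open_fds: Dict[Tuple[str, str], str] = {}
    out = []
    for ev in filter(None, map(parse_line, lines)):
        path = ev.path
        if ev.call == "open" and ev.fd and path:
            open_fds[(ev.process, ev.fd)] = path
        elif ev.fd and not path:
            path = open_fds.get((ev.process, ev.fd))
        if not path or not path.startswith(SHADOW_DIR):
            continue
        trusted = bool(ev.process) and TRUSTED.startswith(ev.process)
        out.append((ev, path, not trusted))
    return out

# Constructed sample: four lines from the article's trace plus two constructed lines
# showing the store being copied with ditto, as the article does.
SAMPLE = """\
23:03:14.275 stat private/var/db/shadow/hash 0.000055 DirectoryService
23:03:14.275 open F=10 /var/db/shadow/hash/D500AD94-7A39-11D8-BF51-0050E4800941 0.000050 DirectoryService
23:03:14.275 write F=10 B=0x68 0.000132 DirectoryService
23:03:14.282 WrData[async] D=0x00b09d78 B=0x200 /dev/disk1s10 0.006854 W DirectoryServic
23:10:02.118 open F=4 /private/var/db/shadow/hash/D500AD94-7A39-11D8-BF51-0050E4800941 0.000061 ditto
23:10:02.118 read F=4 B=0x68 0.000012 ditto
""".splitlines()
```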