Difference between revisions of "Mac OS X Commands"

From SkullSecurity
Jump to navigation Jump to search
(Obtaining the password hashes on OS X 10.3, 10.4 and 10.5)
 
(→‎Obtaining the hashes: added pasword hash info for 10.0, 10.1 and 10.2)
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Passwords==
==Passwords==
===Obtaining the hashes===
===Obtaining the hashes===
====OS X 10.0 (Cheetah)====
The same as in 10.2 (Jaguar). See below.
====OS X 10.1 (Puma)====
The same as in 10.2 (Jaguar). See below.
====OS X 10.2 (Jaguar)====
Dump the hash
<pre>
nidump passwd . | grep username | cut -d':' -f2
</pre>
This hash is created using the [http://en.wikipedia.org/wiki/Crypt_(Unix) Unix DES Crypt(3)] function, where the password is first truncated to 8 characters.
====OS X 10.3 (Panther)====
====OS X 10.3 (Panther)====
First find out the users' GUID:
First find out a users' GUID:
<pre>
<pre>
niutil -readprop . /users/username generateduid
niutil -readprop . /users/username generateduid
</pre>
</pre>


Next take that GUID and cat the hash file
Next take that GUID and dump the hash file
<pre>
<pre>
cat /var/db/shadow/hash/GUID
cat /var/db/shadow/hash/GUID
</pre>
</pre>


The hashes in Panther are stored very plainly. The first 64 characters are the NTLM hash (first 32 NT, next 32 LM) and the last 40 characters are the SHA1 hash.
The first 64 characters are the NTLM hash (first 32 NT, next 32 LM) and the last 40 characters are the SHA1 hash.
 
====OS X 10.4 (Tiger)====
====OS X 10.4 (Tiger)====
The process for Tiger is very similar to Leopard. The only difference is that you need to use a utility called niutil instead of dscl to find out the GeneratedUID. It uses is as follows:
You can obtain the GUID just as in 10.3 (Panther). See above.


To obtain the GUID of a user in Tiger/Panther:
After obtaining the GUID, you can dump the passwords just as in 10.5 (Leopard). See below.
<pre>
niutil -readprop . /users/username generateduid
</pre>


After obtaining the GUID, see below for how to get the password hashes.
====OS X 10.5 (Leopard)====
====OS X 10.5 (Leopard)====
To obtain the password hashes for a user in leopard, you need to first find out thier GeneratedUID. This can be accomplished with the following command (as any user):
First find a users' GUID:
<pre>
<pre>
dscl localhost -read /Search/Users/username | grep GeneratedUID | cut -c15-
dscl localhost -read /Search/Users/username | grep GeneratedUID | cut -c15-
</pre>
</pre>
What this does is read out all the user information using the Directory Service Command Line utility. In previous versions of OS X, this functionality was provided by the niutil program. Then we grep for just the GeneratedUID and cut the line from the 15th character until the end.


Now that we have the GUID we can find the hashes. They are located in a file at /var/db/shadow/hash/GUID. Note that the /var/db/shadow directory is only readable by the root user. This file can contain up to three different hashes of the users' password. It will always contain the salted SHA1 hash, which is used by OS X to authenticate during login, etc. If the user has previously turned on SMB file sharing, this file will also contain the easily crackable NTLM hash of the password as well. Also if the user has upgraded their OS X to 10.5 (Leopard) from 10.4 (Tiger) from 10.3 (Panther), this file will also contain a zero-salted SHA1 for Panther compatibility purposes, which is vulnerable to a SHA1 look-up/dictionary attack. Regardless, you can view all these simply by cat-ing the file. Here are the commands to just cut out certain hashes:
After getting the GUID you can dump various hashes. By default the only hash stored is the salted SHA1. If the user has turned on SMB file sharing then the NTLM hash will also be stored. If you upgraded from 10.3->10.4->10.5 then the zero salted SHA1 is also stored.


Salted SHA1 (first 8 characters are the salt)
Salted SHA1 (first 8 characters are the salt)

Latest revision as of 21:42, 30 September 2008

Passwords

Obtaining the hashes

OS X 10.0 (Cheetah)

The same as in 10.2 (Jaguar). See below.

OS X 10.1 (Puma)

The same as in 10.2 (Jaguar). See below.

OS X 10.2 (Jaguar)

Dump the hash

nidump passwd . | grep username | cut -d':' -f2

This hash is created using the Unix DES Crypt(3) function, where the password is first truncated to 8 characters.

OS X 10.3 (Panther)

First find out a users' GUID:

niutil -readprop . /users/username generateduid

Next take that GUID and dump the hash file

cat /var/db/shadow/hash/GUID

The first 64 characters are the NTLM hash (first 32 NT, next 32 LM) and the last 40 characters are the SHA1 hash.

OS X 10.4 (Tiger)

You can obtain the GUID just as in 10.3 (Panther). See above.

After obtaining the GUID, you can dump the passwords just as in 10.5 (Leopard). See below.

OS X 10.5 (Leopard)

First find a users' GUID:

dscl localhost -read /Search/Users/username | grep GeneratedUID | cut -c15-

After getting the GUID you can dump various hashes. By default the only hash stored is the salted SHA1. If the user has turned on SMB file sharing then the NTLM hash will also be stored. If you upgraded from 10.3->10.4->10.5 then the zero salted SHA1 is also stored.

Salted SHA1 (first 8 characters are the salt)

cat /var/db/shadow/hash/GUID | cut -c105-152

Zero-Salted SHA1 (first 8 characters are the salt and will always be all zeros)

cat /var/db/shadow/hash/GUID | cut -c169-216

NTLM (first 32 characters are NT, next 32 are LM)

cat /var/db/shadow/hash/GUID | cut -c-64