Tuesday 20 May 2008

How do you tell if an account password is set in Mac OSX ?

A colleague asked me "How do you tell if an account password is set in Mac OSX ?". A bit like buses two mac problems have turned up at once.

A simple question? - well after looking at this for a while I thought -give me one on sport!

When you google this problem you find tons of stuff on cracking/ hacking/ replacing/ passwords and a few relevant sites that I will reference at the end of this post.

I am going to focus on Mac OSX 10.4 and 10.5. Password hashes for each user are contained in files at the path private\var\db\shadow\hash. The file names comprise of the generated user Id for each user and these can be reconciled (on Tiger boxes) to the user name by looking at the store.xxxx files in var\db\netinfo\local.nidb.

When you look at the hash files in the text pane within Encase it will look something like


NTLMNTLMNTLMNTLMNTLMNTLMNTLMNTLMNTLMNTLMNTLMNTLMNTLMNTLMNTLMNTLM000000000000
000000000000000000000000000000000000SHA1SHA1SHA1SHA1SHA1SHA1SHA1SHA1SHA1SHA1
0000000000000000SaSHA1SaSHA1SaSHA1SaSHA1SaSHA1SaSHA1SaSHA1SaSHA1000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000


NTLM represents a 64 character NTLM hash.
SHA1 represents a 40 character SHA1 Panther compatibility hash.
SaSHA1 represents a 48 character salted SHA1 hash used by Tiger and Leopard.

The NTLM hash comprises a 32 character NT hash and a 32 character LM hash and will only exist if Windows File Sharing is enabled for this user (or in Tiger boxes has been in the past). I have seen only a 32 character NT hash on Leopard boxes (i.e. the first 32 characters). The SHA1 hash will only exist if the box has been upgraded from Panther and may also be salted with four zeroes preceding the 40 characters. The SaSHA1 hash comprising of 48 characters will exist in all cases from FO169.

If an account is enabled for Windows File Sharing it is easy to establish whether a password is set. This is because the NTLM hash for a blank password is known and is in all cases:

31D6CFE0D16AE931B73C59D7E0C089C0AAD3B435B51404EEAAD3B435B51404EE

therefore any other NTLM hash must represent a password of some kind. In Leopard it appears that only an NT password hash is stored and therefore only the first 32 characters of the blank password hash will be stored.

I have created a few test accounts and the hash files are as follows:

1) apple pw test\0\1 Customer\Macintosh_HD\private\var\db\shadow\hash\49BE7F58-7656-4FF3-A77B-21CC32E774CB

This is a hash file from a Leopard box - note the 32 character NT hash which represents a blank password.

31D6CFE0D16AE931B73C59D7E0C089C0000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000003894ED462BFB59E9E750F719DD326D62685D51BE63F0823E000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000
00000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000



2) apple pw test\1\1 Apple_HFS_Untitled_1\Bootable Backup\private\var\db\shadow\hash\322CD0AA-AE6D-4100-A94C-E27A7D64EA5B

This is a hash file from a Tiger box - note the 64 character NTLM hash which represents a blank password.


31D6CFE0D16AE931B73C59D7E0C089C0AAD3B435B51404EEAAD3B435B51404EE0000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000AE9FF34A30316C6A3ED60E16E01DACE0CB2EC125F4535523000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000


3) apple pw test\1\1 Apple_HFS_Untitled_1\Bootable Backup\private\var\db\shadow\hash\F796D172-5974-4BD6-AF20-A389C45137AC

This is also hash file from a Tiger box for another account- note the 64 character NTLM hash which represents a blank password and also that the salted SHA1 hash is different to the previous entry.


31D6CFE0D16AE931B73C59D7E0C089C0AAD3B435B51404EEAAD3B435B51404EE0000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000030A5A46EEC7D0CA83AB340F593DC98B9DC9C3A7984807428000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000

The last two files illuminate the problem - because of the salt in the absence of a NTLM hash how do you determine if a null/blank password has been set. I understand that the salt that prefixes the hashed password in tiger/leopard has 2^32 potential values which is a big number. I have tried to use a password cracking program MacKrack but it does not seem to like blank passwords however the pre-patched version of John The Ripper which includes support for OSX salted SHA1 hashes does cope with them.

To use JTR download a pre-compiled version from here and unzip. Then create a text file containing an entry in the form user:saltedSHA1hash (i.e. for the hash in the example above user:30A5A46EEC7D0CA83AB340F593DC98B9DC9C3A7984807428). Next launch Terminal and drag into it the file John from the unzipped JTR download and then drag in your text file and press return.

Last login: Mon May 26 00:03:32 on console
test-machine-imac:~ test$ /Users/test/Downloads/john-1.7.2-macosx-universal/run/john /Users/test/Desktop/jtr.txt
Loaded 1 password hash (Salt SHA1 [salt-sha1])
(test)
guesses: 1 time: 0:00:00:00 100% (2) c/s: 12950 trying:
test-machine-imac:~ test$


The process is complete once you see the command prompt. The output of the password is in the form
Password (user name)
In this example the user name I used was test and because the password is blank nothing precedes (test).
The result will also be recorded in John.pot. If the password is not blank JTR will keep trying to guess what the password is -blank passwords will be identified almost instantly. The example I have shown above utilises a Mac OSX version of JTR - there is also a Windows version which is equally as good and runs from the command line - just a pity you can't drag files to the windows command prompt.

Another issue to consider if the ability to configure a Mac to login automatically to a nominated account without inputting a password. Luckily the com.apple.loginwindow.plist clearly indicates whether the autologin facility has been used and additionally the log at private\var\log\secure.log also contains reference to this facility when it has been used.

References
http://www.dribin.org/dave/blog/archives/2006/04/07/os_x_passwords/
http://www.machacking.net/kb/files/crackingosxhashes.txt
http://www.macshadows.com/forums/index.php?s=&showtopic=8516&view=findpost&p=62916
http://www.macos.utah.edu/documentation/system_deployment/radmind/faqs/manage_local_users.html
http://www.macshadows.com/kb/index.php?title=Mac_OS_X_password_hashes#Mac_OS_10.4_.27Tiger.27
http://freaky.staticusers.net/ugboard/viewtopic.php?t=17175

No comments: