tinyapps.org / blog

Crack Mac user password #

Environment

• Target and attack Macs both running macOS Mojave 10.14.6
• FileVault not enabled on target (see Cracking FileVault 2 (HFS+ or APFS) for cracking FileVault-encrypted volumes)
• Target Mac connected to attack Mac via Target Disk Mode

Extract hash

sudo ./plist2hashcat.py /Volumes/Target/var/db/dslocal/nodes/Default/users/username.plist

user:$ml$28328$7215a1faa91e6196fb53884c4320970d9705ae6f19e5b50e0a24243708629a9b$8e0588decbdb347e0b909a7a1b1bc9470fe7dd37e09a64f9d02b82cfba91116b13d7c172b5a65683ac8d2c873324b8d82255a51ced0792656e766fa1a9c23994

Save the output without the leading "user:" (otherwise you'll need to specify --username when running hashcat) to hash.txt

Start cracking

hashcat -a 0 -m 7100 --status -o found.txt hash.txt wordlist.txt

More

Additional scripts and a program that accomplish the same goal as plist2hashcat.py (i.e., extracting hashcat-compatible hashes from binary plist shadow files generated by OS X 10.8 and up (SALTED-SHA512-PBKDF2)):

• mac2john.py (formerly "ml2john.py")
• Empire/lib/modules/python/collection/osx/hashdump.py
• osx_hashdump.py
• macOS-HashExtractor
• DaveGrohl

The process can also be done manually:

• Detailed walkthru by klanomath
• How to Extract OS X Mavericks Password Hash for Cracking With Hashcat

See also Recovering saved macOS user passwords.

/mac | Oct 30, 2019

Run Aperture, iPhoto, or iTunes on macOS Catalina #

Retroactive "is an app that lets you run Aperture, iPhoto, and iTunes on macOS Catalina." The author's exhaustive Technical Deep Dive: How does Retroactive work? answers the question in full, but also highlights a number of limitations:

• Importing new videos will fail in both iPhoto and Aperture.
• Playing an already-imported video in Aperture will silently fail.
• Playing an already-imported video in iPhoto will cause iPhoto to crash.
• Exporting slideshows will fail in both iPhoto and Aperture.

The list differs somewhat in the readme:

• All Aperture features should be available except for playing videos and exporting slideshows.
• All iPhoto features should be available except for playing videos and exporting slideshows. (iPhoto may automatically quit when playing video.)
• All features should work for iTunes 12.9.5 and iTunes 12.6.5. If you use iTunes 12.6.5 to download iOS apps, thumbnails may appear distorted.
• iTunes 10.7 may prompt “A required iTunes component is not installed. Please reinstall iTunes (-42401).” There is no need to reinstall iTunes.

/mac | Oct 30, 2019

Dedupe massive wordlists without changing order #

"The duplicut tool finds and removes duplicate entries from a wordlist, without changing the order, and without getting OOM on huge wordlists whose size exceeds available memory. ... [W]ritten in C, and optimized to be as fast and memory frugal as possible."

Refreshingly simple installation and syntax:

make release
./duplicut <WORDLIST_WITH_DUPLICATES> -o <NEW_CLEAN_WORDLIST>

UPDATE: Royce Williams kindly alerted me to possible issues around longer line lengths and non-ASCII characters, and the author of duplicut, nil0x42, was kind enough to set me straight: just needed to specify --line-max-size 254 to avoid truncation under that threshold.

/nix | Oct 30, 2019

Cracking hashes in the cloud with hashcat #

posted to the docs section.

/nix | Oct 29, 2019

Firefox: Enable Night Mode for desktop OSes #

Firefox for iOS offers an "Enable Night Mode" toggle which not only darkens the Firefox interface, but websites as well.

While not available for desktop OSes yet, you can achieve a similar result with ShadowFox (macOS users can install via Homebrew or MacPorts) and Dark Reader. ShadowFox correctly darkens every UI element, including ones that other themes can have trouble with, like the address bar, context menu, and history page.

/misc | Oct 23, 2019

Download webpage to .webarchive in Terminal #

Webarchiver "allows you to create Safari .webarchive files from the command line":

webarchiver -url https://tinyapps.org -output tinyapps.webarchive

With a bash function, we can automate creating the filename from the page's title tag and include the URL in the "Where from" metadata:

function dl() {
  ADDRESS="$1"
  TITLE=`curl -s "$ADDRESS" | grep -o "<title>[^<]*" -m 1 | tail -c+8`
  /Applications/network/webarchiver -url "$ADDRESS" -output "$TITLE.webarchive"
  xattr -w "com.apple.metadata:kMDItemWhereFroms" "$ADDRESS" "$TITLE.webarchive"
}

Add the above to your .bash_profile, reload with source ~/.bash_profile, and use like so:

$ dl https://tinyapps.org/docs/nvme-sanitize.html

Title tags can be tricky to parse correctly, here are some other approaches:

• How do I get a websites title using command line?
• Wget page title
• How can I download a page of reddit and extract the titles?

as well as another version wherein you manually supply the title/filename:

function dl() {
  ADDRESS="$1"
  FILENAME="$2"
  /Applications/network/webarchiver -url "$ADDRESS" -output "$FILENAME.webarchive"
  xattr -w "com.apple.metadata:kMDItemWhereFroms" "$ADDRESS" "$FILENAME.webarchive"
}

calling like so:

$ dl https://tinyapps.org/docs/nvme-sanitize.html "NVMe Sanitize"

Acquire webarchiver 0.9 via homebrew (brew install webarchiver) or MacPorts (sudo port install webarchiver), or build easily from source with Xcode.

Thanks to kenorb for his simple title regex; I only had to add -m 1 after running across a page containing multiple title tags (which apparently isn't that rare, in spite of the spec).

/mac | Oct 21, 2019

Catalina: Restore Classic Layout in Mail #

If you have the misfortune to be stuck on Catalina, you can restore Mail.app's classic layout via View > "Use Column Layout" and View > uncheck "Show Side Preview"; the previous option (Mail > Preferences > Viewing > Use classic layout) is gone.

/mac | Oct 21, 2019

Decrypt EFS-encytped files without a cert backup #

posted to the docs section.

/windows | Oct 18, 2019

Site design changes #

• Replaced retina-searing white background and black text with Mine Shaft (#222222) (updated to the yet sabler #121416, Woodsmoke) background and Silver Chalice (#AAAAAA) text (discover your own fancy hex color names with Chirag Mehta's open source Name that Color). There is some more work to be done cleaning up code blocks and the like, but please let me know if you find any glaring problems.
• Replaced the download, screenshot, website, and Green Award GIF icons with similar Unicode emoji characters. SSL changes have blocked ancient browsers anyway and I've always wanted to provide users an easy way to search pages for locally-cached downloads, Green Award recipients, etc.

UDPATE: Now rocking Ebony Clay (#222B39) and Westar (#E1DFDC).

/misc | Oct 09, 2019

Google Drive File Stream cache bug fills up drive #

Despite the sunny promise of version 26.1's July 24, 2018 release note ("Drive File Stream now guarantees that it won't use more than 20% of the free local disk space when caching files."), Google Drive File Stream cache continues to fill up virtually all available space on many drives.

Heinzelmann's solution of setting ContentCacheMaxKbytes to 100MB is excellent but incomplete; these are the steps I needed to follow in order to resolve the issue:

1. Uninstall:
   1. Sign out and quit Google Drive File Stream
   2. Uninstall Google Drive File Stream
   3. Delete %LOCALAPPDATA%\Google\DriveFS (which generally corresponds to \Users\username\AppData\Local\Google\DriveFS)
   4. Reboot
2. Apply the registry patch:
   Windows Registry Editor Version 5.00
   [HKEY_LOCAL_MACHINE\SOFTWARE\Google\DriveFS]
   "ContentCacheMaxKbytes"=hex(b):a0,86,01,00,00,00,00,00
3. Reinstall Google Drive File Stream and sign in

/misc | Sep 29, 2019

Subscribe or visit the archives.