Crack Mac user password #

Environment

Extract hash

sudo ./plist2hashcat.py /Volumes/Target/var/db/dslocal/nodes/Default/users/username.plist

user:$ml$28328$7215a1faa91e6196fb53884c4320970d9705ae6f19e5b50e0a24243708629a9b$8e0588decbdb347e0b909a7a1b1bc9470fe7dd37e09a64f9d02b82cfba91116b13d7c172b5a65683ac8d2c873324b8d82255a51ced0792656e766fa1a9c23994

Save the output without the leading "user:" (otherwise you'll need to specify --username when running hashcat) to hash.txt

Start cracking

hashcat -a 0 -m 7100 --status -o found.txt hash.txt wordlist.txt

More

Additional scripts and a program that accomplish the same goal as plist2hashcat.py (i.e., extracting hashcat-compatible hashes from binary plist shadow files generated by OS X 10.8 and up (SALTED-SHA512-PBKDF2)):

The process can also be done manually:

See also Recovering saved macOS user passwords.

/mac | Oct 30, 2019

Run Aperture, iPhoto, or iTunes on macOS Catalina #

Retroactive "is an app that lets you run Aperture, iPhoto, and iTunes on macOS Catalina." The author's exhaustive Technical Deep Dive: How does Retroactive work? answers the question in full, but also highlights a number of limitations:

The list differs somewhat in the readme:

/mac | Oct 30, 2019

Dedupe massive wordlists without changing order #

"The duplicut tool finds and removes duplicate entries from a wordlist, without changing the order, and without getting OOM on huge wordlists whose size exceeds available memory. ... [W]ritten in C, and optimized to be as fast and memory frugal as possible."

Refreshingly simple installation and syntax:

make release
./duplicut <WORDLIST_WITH_DUPLICATES> -o <NEW_CLEAN_WORDLIST>

UPDATE: Royce Williams kindly alerted me to possible issues around longer line lengths and non-ASCII characters, and the author of duplicut, nil0x42, was kind enough to set me straight: just needed to specify --line-max-size 254 to avoid truncation under that threshold.

/nix | Oct 30, 2019

Cracking hashes in the cloud with hashcat #

posted to the docs section.

/nix | Oct 29, 2019

Firefox: Enable Night Mode for desktop OSes #

Firefox for iOS offers an "Enable Night Mode" toggle which not only darkens the Firefox interface, but websites as well.

While not available for desktop OSes yet, you can achieve a similar result with ShadowFox (macOS users can install via Homebrew or MacPorts) and Dark Reader. ShadowFox correctly darkens every UI element, including ones that other themes can have trouble with, like the address bar, context menu, and history page.

/misc | Oct 23, 2019

Download webpage to .webarchive in Terminal #

Webarchiver "allows you to create Safari .webarchive files from the command line":

webarchiver -url https://tinyapps.org -output tinyapps.webarchive

With a bash function, we can automate creating the filename from the page's title tag and include the URL in the "Where from" metadata:

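function dl() {
  # Archive a page, naming the file after its first <title> tag
  local ADDRESS="$1"
  local TITLE
  TITLE=$(curl -s "$ADDRESS" | grep -o "<title>[^<]*" -m 1 | tail -c+8)
  # The title comes from the remote page; a "/" in it would change the output path
  TITLE=${TITLE//\//-}
  /Applications/network/webarchiver -url "$ADDRESS" -output "$TITLE.webarchive"
  # Record the source URL in the "Where from" metadata
  xattr -w "com.apple.metadata:kMDItemWhereFroms" "$ADDRESS" "$TITLE.webarchive"
}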

Add the above to your .bash_profile, reload with source ~/.bash_profile, and use like so:

$ dl https://tinyapps.org/docs/nvme-sanitize.html

Title tags can be tricky to parse correctly; here are some other approaches:

as well as another version wherein you manually supply the title/filename:

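function dl() {
  # Archive a page under a file name supplied by the caller
  local ADDRESS="$1"
  local FILENAME="$2"
  /Applications/network/webarchiver -url "$ADDRESS" -output "$FILENAME.webarchive"
  # Record the source URL in the "Where from" metadata
  xattr -w "com.apple.metadata:kMDItemWhereFroms" "$ADDRESS" "$FILENAME.webarchive"
}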

calling like so:

$ dl https://tinyapps.org/docs/nvme-sanitize.html "NVMe Sanitize"

Acquire webarchiver 0.9 via homebrew (brew install webarchiver) or MacPorts (sudo port install webarchiver), or build easily from source with Xcode.

Thanks to kenorb for his simple title regex; I only had to add -m 1 after running across a page containing multiple title tags (which apparently isn't that rare, in spite of the spec).
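The title is text chosen by the remote page and it ends up in a file path, so repeated, multi-line, attribute-carrying or hostile title tags all need handling. The following is an added example, not code from the original post or from webarchiver; the function name title_to_filename is hypothetical. It takes the first title tag case-insensitively and reduces it to a safe file name stem:

```sh
# Added example, not from the original post; title_to_filename is a
# hypothetical name. Reads HTML on stdin, prints a safe file name stem.
# LC_ALL=C keeps every stage byte-oriented, so malformed UTF-8 in the
# page does not trip locale-aware tools.
title_to_filename() {
  LC_ALL=C awk '
    { doc = doc $0 " " }                 # join lines: a title may span several
    END {
      low = tolower(doc)                 # lowercase copy for tag matching
      s = index(low, "<title"); if (!s) exit
      doc = substr(doc, s); low = substr(low, s)
      g = index(doc, ">"); if (!g) exit  # skip attributes such as lang="en"
      doc = substr(doc, g + 1); low = substr(low, g + 1)
      e = index(low, "</title")          # stop at the first closing tag
      if (e) doc = substr(doc, 1, e - 1)
      print doc
    }' |
  LC_ALL=C tr '\t\r' '  ' |                  # tabs and CRs become spaces
  LC_ALL=C tr -d '\000-\010\013-\037\177' |  # drop remaining control bytes
  # Replace "/" and ":" so the title cannot name another directory, collapse
  # runs of spaces, and strip leading spaces, dots and dashes so the result
  # is never hidden, relative, or mistaken for a command-line option.
  LC_ALL=C sed -e 's|[/:]|-|g' \
               -e 's/  */ /g' \
               -e 's/^[ .-]*//' \
               -e 's/ *$//' |
  # Fall back to a fixed name when the page has no usable title.
  LC_ALL=C awk 'NF { print; ok = 1 } END { if (!ok) print "untitled" }'
}
```

To use it in dl, pipe the output of curl -s for the page into title_to_filename in place of the grep and tail stages.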

/mac | Oct 21, 2019

Catalina: Restore Classic Layout in Mail #

If you have the misfortune to be stuck on Catalina, you can restore Mail.app's classic layout via View > "Use Column Layout" and View > uncheck "Show Side Preview"; the previous option (Mail > Preferences > Viewing > Use classic layout) is gone.

/mac | Oct 21, 2019

Decrypt EFS-encrypted files without a cert backup #

posted to the docs section.

/windows | Oct 18, 2019

Site design changes #

UPDATE: Now rocking Ebony Clay (#222B39) and Westar (#E1DFDC).

/misc | Oct 09, 2019

Google Drive File Stream cache bug fills up drive #

Despite the sunny promise of version 26.1's July 24, 2018 release note ("Drive File Stream now guarantees that it won't use more than 20% of the free local disk space when caching files."), Google Drive File Stream cache continues to fill up virtually all available space on many drives.

Heinzelmann's solution of setting ContentCacheMaxKbytes to 100MB is excellent but incomplete; these are the steps I needed to follow in order to resolve the issue:

  1. Uninstall:
    1. Sign out and quit Google Drive File Stream
    2. Uninstall Google Drive File Stream
    3. Delete %LOCALAPPDATA%\Google\DriveFS (which generally corresponds to \Users\username\AppData\Local\Google\DriveFS)
    4. Reboot
  2. Apply the registry patch:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Google\DriveFS]
    "ContentCacheMaxKbytes"=hex(b):a0,86,01,00,00,00,00,00
  3. Reinstall Google Drive File Stream and sign in

/misc | Sep 29, 2019

