tinyapps.org / blog

Recovering saved macOS user passwords #

Users who have (inadvisedly) enabled automatic login often forget the password. It is merely encoded with an XOR cipher and stored in /etc/kcpassword.

A number of sites suggest this Ruby one-liner to recover it:

sudo ruby -e'key=[125,137,82,35,210,188,221,234,163,185,31];IO.read("/etc/kcpassword").bytes.each_with_index{|b,i|break if key.include?(b);print [b^key[i%key.size]].pack("U*")}'

However, only the first four characters were returned in my limited testing.

Joaquin Moreno Garijo's Python script, kcpass.py, did the trick (see update below):

0. Copy /etc/kcpassword via target disk mode, single-user mode, etc.
1. curl -O https://raw.githubusercontent.com/jjarava/mac-osx-forensics/master/kcpass.py
2. chmod +x kcpass.py
3. # ./kcpass.py $(xxd -p /path/to/kcpassword)

       Kcpasswd: 0x09e03c5ab3ccad998dd66d1a89b165ae7e8912b851f8f0ff.
       Magic Xor: 0x7d895223d2bcddeaa3b91f.
       Used Magic Xor: 0x7d895223d2bcddeaa3b91f7d895223d2bcddeaa3b91f7d895223d2bcddeaa3b91f.
   
       The password is: "tinyapps.org".

See also:

• Gavin Brock's Encoding and Decoding OS-X Auto-Login Password (/etc/kcpassword) from 2007. Includes Perl script.
• Inside the Core's Decoding the KCPaswword [sic], which includes a detailed explanation of manually encoding and decoding.
• Recover passwords from current user's Login Keychain
• Crack Mac user password
• Cracking FileVault 2 (HFS+ or APFS)

kcpass.py:

Updates

1. Had to tweak kcpass.py slightly to make it compatible with Python 3, resolving "SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?", etc.:

   #!/usr/bin/env python3 # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """ KCPassword Xor """ # This code has been updated to work with Python 3 from the original version by: __author__ = 'Joaquin Moreno Garijo (bastionado@gmail.com)' # MSc Project in Royal Holloway, University of London. import sys magic_static = '7d895223d2bcddeaa3b91f' pwd = '' if len(sys.argv) != 2: print('Please write as a first argv the hexadecimal kcpassword value:') print('Example: python {} 1ceb3147d2172f1140ff63bf'.format(sys.argv[0])) exit(1) kcpasswd = sys.argv[1] print(f'\n\tKcpasswd: 0x{kcpasswd}.') print(f'\tMagic Xor: 0x{magic_static}.') tam_xor = len(magic_static) tam = len(kcpasswd) - tam_xor magic = magic_static while tam > 0: tam -= tam_xor magic += magic_static print(f'\tUsed Magic Xor: 0x{magic}.') i = 0 while i < len(kcpasswd): charkc = kcpasswd[i:i+2] charkch = int(charkc, 16) charm = magic[i:i+2] charmh = int(charm, 16) r = charkch ^ charmh pwd += chr(r) if r == 0: print(f'\n\tThe password is: "{pwd}".\n') break i += 2

2. Clément Caumes' decode-kcpassword offers another approach to decoding the stored macOS user auto-login password in Python 3:

   #!/usr/bin/python3 import struct import sys # Function to decrypt the kcpassword def decrypt_kcpassword(): key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31] length = len(key) f = open(sys.argv[1], "rb") byte = list(f.read()) f.close() end = False kcpassword = [] for i in range(len(byte)): if byte[i]^key[i%length] == 0 : end = True if end == False : kcpassword.append(str(chr(byte[i]^key[i%length]))) print(''.join(map(str,kcpassword))) # Function main def main(): if len(sys.argv) < 2 : print('usage : ./decode-kcpassword.py KCPASSWORD_PATH') exit() decrypt_kcpassword() # Call to main if __name__ == '__main__': main()

/mac | Sep 07, 2017

Subscribe or visit the archives.