I have had various discussions with other forensics folks about password dictionaries and their use with my crowbar tools, so I am doing some experimentation using Automator plus a shell script and a Perl script. I really think a lot of forensics folks who use Mac OS X forget or underestimate Automator. In my case I am using it to draft some password extraction tests.
You can download the Automator app with a sample text file to run it on. You can get it from here: PasswordExtractor Automator
Of course it is easy for you to edit the Automator app in Automator and see/edit my scripts. Here is a summary of what it does; it becomes clearer if you run it on the included text file.
It has you select a file and runs it through strings. It sorts the output and drops duplicate strings. Then it runs that base dictionary file through a Perl script several times, each time with a slightly different variant. The script looks for certain flag strings, then grabs all the remaining text on the line after that flag text and makes it into a stack of passwords.
It looks for all case-insensitive occurrences of pw, pwd, pass and password, which can be followed by any of three symbols: =, - or :
It then takes the text following those flag strings, starts at the first letter and dumps that to a line as a password, then increments one letter at a time until it hits the full length.
So in essence, if the password you really need is embedded in, say, a URL with pass=supersecretpassword, you will get a file where ONLY supersecretpassword occurs on a line in the dictionary. Perfect for your dictionary attack tools.
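The strings / sort / uniq / flag-and-prefix pipeline described above, written out as an added Python example (not the Automator workflow or Perl script from the post). The sample bytes, the function names and the choice to start prefixes at one character are my own assumptions; the flag words and the three separators are the ones the post lists.

```python
import re

# Flag words from the post, case-insensitive, each followed by =, - or :.
# Note that "pass" inside "supersecretpassword" does not fire because no
# separator follows it.
FLAG_RE = re.compile(r"(?i)(?:password|pass|pwd|pw)\s*[=:-]\s*")


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Rough stand-in for the `strings` step: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def base_dictionary(data: bytes) -> list[str]:
    """Equivalent of strings | sort | uniq."""
    return sorted(set(printable_strings(data)))


def password_candidates(lines, min_len: int = 1) -> list[str]:
    """For every flag hit take the rest of the line and emit each prefix,
    growing one character at a time, so the real secret lands on its own line."""
    seen, out = set(), []
    for line in lines:
        for m in FLAG_RE.finditer(line):
            rest = line[m.end():]
            for n in range(min_len, len(rest) + 1):
                cand = rest[:n]
                if cand not in seen:
                    seen.add(cand)
                    out.append(cand)
    return out


def extract(data: bytes) -> list[str]:
    """Whole pipeline: raw file bytes in, dictionary lines out."""
    return password_candidates(base_dictionary(data))


# Constructed sample "file": a URL with an embedded credential, a config-style
# line, and some junk that strings should discard.
SAMPLE = (b"\x00\x01GET /login?user=bob&pass=supersecretpassword HTTP/1.1\x00"
          b"\xff\xfePWD: hunter2\x00ab\x00no flag here\x00")

if __name__ == "__main__":
    for cand in extract(SAMPLE):
        print(cand)
```

Because the remainder of the line is kept whole, trailing text such as " HTTP/1.1" also ends up in longer candidates; the exact password still appears on its own line, which is what the dictionary tools need.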
Perhaps you have made yourself a logging VM, or even a logging machine out of an old laptop, using my PDF instructions. At home I actually turned a really old IBM ThinkPad A22m into an Ubuntu logging machine. Just like my directions, only no VMware.
I send all my network hardware logs via syslog to the machine. BUT I also made one simple change to the syslog.conf on every Mac in my house. Now all my Mac logs collect on that machine for searching in Splunk.
- Just open Terminal on your Mac.
- sudo vi /etc/syslog.conf
- Edit the file and add the following line, substituting your own logging machine IP address.
- Make sure to use an actual IP address in place of loggingmachineipaddress. I tried using the Bonjour or mDNS name like logger.local and my Macs never consistently sent logs. After changing to the IP address it worked.
- Next, if you are on Leopard you can run the following two Terminal commands to restart syslogd and pick up the config change. Otherwise you could also just reboot your Mac.
- sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
- sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
I have begun to be really pleased with the Mac mini. It was the one I put a new drive and RAM in. Then I loaded Snow Leopard.
Between iTunes and Hulu it has been great hooked up to my TV. I do use my small Apple Bluetooth keyboard with it, but instead of trying to use a mouse I have been using an iPhone/iPod app I have had for a while. It is called ipad. Basically it makes my device a wireless touchpad similar to the one on my laptop.
I find the automation features in Mac OS X to be a lot of help, especially when whipping up a solution for someone else. If you want to know more about how to work with Automator and Services, check out these links.
Automation in Snow Leopard
Automation in Snow Leopard Part 2
Automation in Snow Leopard Part 3
Automation in Snow Leopard Part 4
And the mother site of Mac automation
I really, really love Automator on the Mac. It just makes it so easy to set up scripts you can run again later. More importantly, it lets you write a script solution that is point and click for someone else when they need help.
I had an email from a Detective who does forensics work on child exploitation cases. He wanted a simple way to build a dictionary from a selection of folders and files. He wanted to use that dictionary with my crowbar tools to go after a FileVault volume from a Mac.
Here is what I did.
While I am working on a crowbar version for PGP whole disk encryption, I took a few minutes to modify the previous script for PGP virtual disk files to hit WDE drives in case you need something right away. Keep in mind you need to determine the drive number with something like df, diskutil, etc.
When running the script you will see output like:
Operation failed! (errno = -12000)
cannot recognize user record at index 1536:
reached end of user record list
ERROR, wrong passphrase.
Operation failed! (errno = -12000)
Here is the script. Obviously you will need to change the path to your dictionary and the number after --disk to match the drive you are attacking. If you are clever, the pgpwde command is the same under Windows with PGP installed, so you could build a similar script there.
    for word in $(cat /Volumes/ExternalDrive/Dictionaries/test.txt | grep -v "#")
    do
        echo -n $word | pgpwde --auth-disk --passphrase $word --disk 0
        if [[ $? = 0 ]]; then
            echo "Password found!"
            break
        else
            echo "password not found :("
        fi
    done
One of the things I built into my crowbar dictionary attack tools for DMG and keychain files from the start was Growl. Growl is a free add-on notification framework for your Mac. MANY popular Mac programs support Growl, so this is not just some odd plug-in. I recommend making the crowbar apps pop up the notifications for password found and not found at least on your screen. Password found is even better when set to sticky, which means the alert stays on the screen until you click on it.
Now if you have an iPhone you can get the alert notifications right on your iPhone. There is a great iPhone application called Prowl (App Store Link). The developer's site lets you create a login, which you set in the Prowl program. You download and install a Growl plugin for Prowl. The Prowl iPhone app is $2.99; the service and plugin are free. Last, all you do is customize the alert settings for the crowbar apps to send to Prowl using the Growl preference pane.
Now when you leave those really large dictionaries running you can leave them minimized and even leave the office or home, knowing you will get the status when the job finishes.
You can find out everything at the Prowl developer’s site: http://prowl.weks.net/
I gave myself a crash course this weekend. I mainly wanted to be able to make plugins for fun in Pixelmator, but it turns out you can use them live in iChat and Photo Booth too. It was a bit of a fun uphill battle to actually figure out a repeatable process, so I wrote one up. You can download my Image Units Tutorial as a PDF.
I cover prototyping in Quartz Composer, moving it to an Image Unit and compiling it in Xcode. I toss in how to add a user input and even found a blog post on the Internet on how to ensure your IU puts out an image with defined dimensions.