Windows Domain Login Script

I don’t think I ever posted this before.  If you need a login script to map drives and network printers based on Windows domain group membership for users try the below.  Put it in a vbs file like login.vbs.  Edit “domainname” to be your Windows domain name, and edit the permission group names appropriately.  It also has example of removing existing drive mounts before trying to mount by group.

Continue reading “Windows Domain Login Script”


OSX Lion Filevault v2 – Dictionary Attack

I was curious if I could script a dictionary attack against one of the OSX Lion File Vault v2 encrypted external drives. If you haven’t done it. You need to be on Lion. Grab a spare USB storage stick. Make sure to backup any data from the device first. Encrypting the device by the book will erase and destroy the existing contents.

  1. Go into “Disk Utility”
  2. Plug in the desired USB storage stick
  3. Click on the device in the list
  4. Click on the Erase tab
  5. Pull down the Format box and choose one of the Encrypted options like: Mac OS Extended (Journaled, Encrypted)
  6. Click Erase
  7. When prompted provide a desired password.

Now that you have setup an encrypted device you can use that to test this process.

  1. First eject the usb device
  2. Unplug it
  3. Plug it back in
  4. Click cancel and do not enter the passphrase

Now onto the rest of the process.

Continue reading “OSX Lion Filevault v2 – Dictionary Attack”


Need to open a password protected zip on Mac OSX?

Recently we were sent a password protected zip file at work. If you have ever tried to double click open a protected zip file you know that you will get an error not a password prompt.

If we ignore third party applications to open these files we are left with running the unzip command from terminal. You can use the option “-P password” where you replace the word password with actual password used to protect the file. An example command might look like:

This may have been good enough for me. But we have less technically inclined folks in our group who needed access to the provided files. So I made an Automator that everyone in the group could reuse for even future files. The Automator needed several features.

  1. Provide a GUI browser selection box to choose the protected zip file.
  2. Prompt for the password needed to unzip the file.
  3. Send the content to the user’s desktop regardless of whom ran it.

Here is how we build the Automator. The key components are the use of variables within Automator and a shell script object that takes the file and password as arguments that were provided by the user.

Continue reading “Need to open a password protected zip on Mac OSX?”


Rough Draft OSX Automator – Password Extraction

I have had various discussions with other forensics folks about password dictionaries and their use with my crowbar tools.  So I am doing some experimentation using Automator plus shell script and perl script.  I really think a lot of forensics folks who use Mac OSX forget or underestimate Automator.  In my case I am using it to draft some password extraction tests.

You can download the automator app with a sample text file to run it on.  You can get it from here:PasswordExtractor Automator

Of course it is easy for you to edit the automator app in Automator and see/edit my scripts.  Here is a summary of what it does.  And it becomes more clear if you run it on the included text file.

It has you select a file and runs it through strings.  It sorts it and drops out duplicate strings.  Then it runs that base dictionary file through a perl script several times each time is a slightly different variant.  It is looking for certain flag strings then grabs all the remaining text on the line after that flag text and makes it into a stack of passwords.

It looks for all case insensitive occurrences of pw, pwd, pass and password and they can be followed by any of the three symbols. = – or :

It then takes the text following those text strings and starts at the first letter and dumps that to a line as a password and increments one letter at a time till it hits the full length.

So in essence if the password you really need is embedded in say a URL with pass=supersecretpassword then you will actually get a file where ONLY supersecretpassword occurs on a line in a dictionary.  Perfect for your dictionary attack tools.


Scripting Acrobat Reader Updates – nmap and psexec

The latest round of adobe patches are a pain for IT staff to implement.   If you allow automatic updates then many machines updating the full reader installer from Adobe is likely to knock out your wan or Internet links.  Too much traffic.

Manually running around and installing the update is also a pain for IT and consumes a lot of man hours.  So I love to make script packs for them to automate things.

To use these scripts you need to do several prep things.

  1. Download and put nmap binaries for windows in the folder you will run the scripts from.
  2. You will need to install the winpcap driver for the nmap scans to work.
  3. Download psexec from the Microsoft Sysinternals site and put it in the script folder too.
  4. Download the adobe reader installer and put it on a network share.
  5. Create a toss off domain user account that simply can map to the network share of the acrobat. I put it in a subfolder of that share called acro93 for the version I am installing.  Because if you have your domain setup reasonably well you want only authenticated users to connect to shares etc.  You will delete this account once done.

Next come the scripts.  We have the master script we call acrobat.bat.  This script pushes a second bat file into each target host.  You need to put your target hosts into a text file in a format that would be accepted by nmap.  A subnet, indvidiual ips, hostnames your pc can resolve.

Continue reading “Scripting Acrobat Reader Updates – nmap and psexec”


Mac Shell Script – Crack PGP WDE

While I am working on a crowbar version for PGP whole disk encryption.  I took a few minutes to modify the previous script for PGP virtual disk files to hit wde drives in case you need something right away.  Keep in mind you need to determine the drive number with something like df, diskutil etc.

When running the script you will see output like

Operation failed! (errno = -12000)
cannot recognize user record at index 1536:
reached end of user record list
ERROR, wrong passphrase.
Operation failed! (errno = -12000)
Password found!

Operation failed! (errno = -12000)
cannot recognize user record at index 1536:
reached end of user record list
ERROR, wrong passphrase.
Operation failed! (errno = -12000)
Password found!

Here is the script.  Obviously you will need to change the path to your dictionary and the number after the –disk to match the drive you are attacking.  If  you are clever the command for pgpwde is the same under windows with pgp installed.  You could build a similar script there.


for word in $(cat /Volumes/ExternalDrive/Dictionaries/test.txt | grep -v “#”)


echo -n $word | pgpwde –auth-disk –passphrase $word –disk 0

if [[ $? = 0 ]]


echo “Password found!”

echo $word

exit 0



echo “password not found :(“

exit 1


Mac Forensics – Did he roll the clock back?

A week ago I was contacted by a gentleman on a mac forensics issue.   Here is the scenario.  His son is a college student in a liberal arts degree.  The student is not particularly tech savy.  He had an A average in class participation and a B average for work to date in the class.  The student had a paper to turn in, wrote it, attached it and emailed it to his professor.  The grade that came back was an F for an incomplete paper.  He had accidently attached a previous version to the email for turn in.  Upon telling the instructor the accusation was made that he rolled back the clock on his laptop to make the finished paper.  The father wants to prove his son did not roll back the clock.  The school is supposedly open to review of the grade if proof can be presented.

Here is what I put together for the father.  It is a pair of automator actions.  Read on to see what I did.

Continue reading “Mac Forensics – Did he roll the clock back?”


Listing running processes

I have written a lot of command line scripts to automate certain tasks over the years.  What is cool is the new blog Command Line Kung Fu.  I made a comment about a post from it on twitter and mentioned I did a bat file once to dump a list of all running processes on the windows pcs on your network.  Several folks asked I post my script.  

I use nmap to do the ping sweep and feed the list of ips to a loop for pslist to work on.  Obviously you have to run this under an account that has admin credentials on all the target systems.  Worst case is that it just fails to run, wont run at all against non windows hosts and leaves a lot of noise in properly configured logs across your hosts.  None of which are really bad things.  Here is the bat file contents I use.

You could further limit the hosts by first using something like an nmap port scan for one of the microsoft netbios ports or use something like nbtscan to make a list.  Use that for an input file for your nmap ping sweep to help ensure you try and spend time on hosts only currently responding.  It is also fun to substitute things like psloggedon or psexec for more interesting loops.

delete pslists.txt
nmap -sP -iL %1 -oG pingsweep.txt
find “Status: Up” pingsweep.txt > pingtemp.txt
for /F “eol=- tokens=2” %%i in (pingtemp.txt) do pslist \\%%i >> pslists.txt