Breaking into my MacBookPro10,2
I recently found my old 2012 Macbook Pro, but I forgot the password. I decided to try to get in without it. Here's what happened…
Accessing the filesystem
You can boot in single user mode to get into the filesystem (just hold ⌘-S at boot1). I thought it would be more fun to actually log in, so I decided to keep trying…
Resetting the password
To reset a user's password, you can create a new administrator account from which any password can be overwritten2. An easy way is to boot in single-user mode and run:
$ rm /var/db/.AppleSetupDone
which triggers the setup process at the next boot, allowing you to create a new admin account. But at this point, I decided it would be more fun to recover my actual password…
Cracking the password
First, we need to find the hash stored by the OS. I found a nice guide3 on cracking mac passwords: apparently, a user's password hash resides at /Volumes/<hard drive name>/var/db/dslocal/nodes/Default/users/<username>.plist. I grabbed the relevant plist and attempted to extract the hash:
$ sudo defaults read tanner.plist ShadowHashData | tr -dc 0-9a-f | xxd -r -p | plutil -convert xml1 - -o - 2> /dev/null Property List error: Unexpected character è at line 1 / JSON error: JSON text did not start with array or object and option to allow fragments not set.
No luck. I'm not sure why. I tried another method4 which happened to work:
$ dscl . read tanner.plist dsAttrTypeNative:ShadowHashData | xxd -r -p | plutil -convert xml1 - <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>SALTED-SHA512-PBKDF2</key> <dict> <key>entropy</key> <data> 96kq3nobm2G/jFtdoIsfgzP8m3SCYbGhnI1OdO0rv/ag+8UJOUDUZtTIaH4G MsBLMM8HFtqpH5jAKpJiQhDwmYNWZ64ZAYpV1hUt7UlswDK8HtnTOeZ1x5hI CHFkd0ZbGUziMPRGRuNUv64aOC2ihxFODsAkbuZnrvjsfWTCBZ0= </data> <key>iterations</key> <integer>36900</integer> <key>salt</key> <data> BQn1fkxpi15tLrI6sVCfZs8rVxxE+0q8W94cwIxj3wA= </data> </dict> <key>SRP-RFC5054-4096-SHA512-PBKDF2</key> <dict> <key>iterations</key> <integer>36900</integer> <key>salt</key> <data> YzJlukj/KbexF5fHhQzv8IViPl2/qtsVDJLjNeAUdo0= </data> <key>verifier</key> <data> UfW9fmB6SDEtcJHCd3jOewcOtqc3sg87U2KGKsd1znQh8DULayr4AZCoPJfv JOw+uzQulSIe/utd7g+Toogso6GW1BtfxUuY4wAkJoEAqMO1rsKzVE9BoGJa W18glTHgrbygkjMZEBoVrKXqBHeoWAVFsr2UzQDOfj4XmjHSLUbxfsVkgQSD ehm058nCkq7Sat3CqM1U0k2Lv9cmE+eg0QoOHaBG2PdcV11c0UAyuDOZkQrL rAKcTb51ylGWT8GH2DO0OgCYmMZnjqCgfqPL06omgs/BPxnbEL63epztC01y FriNbRyuOBgawzo9YW+/Z4I9XEYS7rK3d8zVaI+ZiC8WFDYRJFQxbuAVlcUt QIGnMy+DEUFmFIoZmjv+YLA6dngClbQ84MkOa9x3ApfopVNVhaA/20CDsB7s X+y/Z5YJ+MusJd264Yjx1ijR8qrrHSlrpcXo6tKZQsCL0yWDu3UQT8lK6Yst 8Evmx2KmIM9Oxm0DhvHB+djoQO7e6vnK582mh4uMSWsm/SAng+Evs7M0CQtN PhG0qi5MsLiDufjsgluPcksVCtgxev1n2+hzF0TMhb82d8FrRM7ixOIzFPy6 NdCSqIV2Rnxc3HY5DCoTkQvVzA44jGxtBzBkqZz6e6fNggXwn1cehtq4LLa1 evmkn++fUmbk+QzialJqMVg= </data> </dict> </dict> </plist>
Great! Now that we have the hash, we'll use hashcat to crack it. Hashcat expects input in base 16, so we'll need to convert the above hash/salt values which are in base 64. You can perform this conversion any way you want, so I just rewrote a popular script 5:
#!/usr/bin/python2.7 import base64 import sys entropy64 = '96kq3nobm2G/jFtdoIsfgzP8m3SCYbGhnI1OdO0rv/ag+8UJOUDUZtTIaH4GMsBLMM8HFtqpH5jAKpJiQhDwmYNWZ64ZAYpV1hUt7UlswDK8HtnTOeZ1x5hICHFkd0ZbGUziMPRGRuNUv64aOC2ihxFODsAkbuZnrvjsfWTCBZ0=' iterations = '36900' salt64 = 'BQn1fkxpi15tLrI6sVCfZs8rVxxE+0q8W94cwIxj3wA=' entropyRaw = base64.b64decode(entropy64) entropyHex = entropyRaw.encode("hex") saltRaw = base64.b64decode(salt64) saltHex = saltRaw.encode("hex") print("$ml$%s$%s$%s" %(iterations, saltHex, entropyHex))
I ran the script, and:
$ml$36900$0509f57e4c698b5e6d2eb23ab1509f66cf2b571c44fb4abc5bde1cc08c63df00$f7a92ade7a1b9b61bf8c5b5da08b1f8333fc9b748261b1a19c8d4e74ed2bbff6a0fbc5093940d466d4c8687e0632c04b30cf0716daa91f98c02a92624210f099835667ae19018a55d6152ded496cc032bc1ed9d339e675c7984808716477465b194ce230f44646e354bfae1a382da287114e0ec0246ee667aef8ec7d64c2059d
Now we're ready for hashcat. I decided to use a dictionary attack with 14 million of the most common passwords:
$ hashcat -a 0 -m 7100 hash.txt rockyou.txt -w 4 --potfile-path hash.pot
hashcat (v5.1.0) starting...
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: NVIDIA GeForce GTX 960, 499/1998 MB allocatable, 8MCU
Hashfile 'hash.txt' on line 1 ($ml$36...114e0ec0246ee667aef8ec7d64c2059d): Token length exception
No hashes loaded.
Started: Wed Dec 15 05:03:01 2021
Stopped: Wed Dec 15 05:03:01 2021
We got a "token length exception." It turns out that hashcat expects a 64-byte hash, but we gave it a 128-byte one6. We'll just remove 64 bytes from the hash and try again. Since each byte of the hash is represented in hash.txt in hexadecimal as two ASCII characters, each of which occupies one byte, we need to remove 64*2 bytes from hash.txt:
$ truncate -s=-64 hash.txt > hash-truncated.txt
$ hashcat -a 0 -m 7100 hash-truncated.txt rockyou.txt --encoding-from=utf8 --encoding-to=ascii -w 4 --potfile-path ~/hash-truncated.pot
hashcat (v5.1.0) starting...
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: NVIDIA GeForce GTX 960, 499/1998 MB allocatable, 8MCU
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
* Uses-64-Bit
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Watchdog: Temperature abort trigger set to 90c
* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=1 -D VENDOR_ID=32 -D CUDA_ARCH=502 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=32 -D KERN_TYPE=7100 -D _unroll'
Dictionary cache built:
* Filename..: ./rockyou.txt
* Passwords.: 14329857
* Bytes.....: 139921497
* Keyspace..: 14329850
* Runtime...: 7 secs
$ml$36900$0509f57e4c698b5e6d2eb23ab1509f66cf2b571c44fb4abc5bde1cc08c63df00$f7a92ade7a1b9b61bf8c5b5da08b1f8333fc9b748261b1a19c8d4e74ed2bbff6a0fbc5093940d466d4c8687e0632c04b30cf0716daa91f98c02a92624210f099:[REDACTED]
Session..........: hashcat
Status...........: Cracked
Hash.Type........: macOS v10.8+ (PBKDF2-SHA512)
Hash.Target......: $ml$36900$0509f57dbc698b5e6d2eb23ab150b066cf2b571c4...10f099
Time.Started.....: Wed Dec 15 23:37:35 2021 (1 min, 18 secs)
Time.Estimated...: Wed Dec 15 23:38:53 2021 (0 secs)
Guess.Base.......: File (./rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3385 H/s (268.08ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 262144/14329850 (1.83%)
Rejected.........: 0/262144 (0.00%)
Restore.Point....: 0/14329850 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:36864-36899
Candidates.#1....: 123456 -> rayburn1
Hardware.Mon.#1..: Temp: 69c Fan: 17% Util:100% Core:1430MHz Mem:3004MHz Bus:16
Started: Wed Dec 15 23:37:20 2021
Stopped: Wed Dec 15 23:38:55 2021
We recovered the password in just over a minute!
Notes
To prevent leaking the recovered password, I flipped bits in both the salt and the hash. However, I used a well-known password dictionary and provided full output from hashcat, which means that the recovered password lies somewhere in the dictionary between the shown candidates (unless I'm lying). If I'm not, then my password could be recovered by hashing the candidates until a hash is found with low edit distance from the above hash. Happy hunting!