Thursday, February 14, 2008

Hacking MacOS X For Password Retrival

I had to resort to this trick as I have inherited an old Mac machine from a friend of mine, who in turn had inherited it from her children. The annoying thing is that the machine's password is lost, and I can't get access to updates or make configuration changes. Since I've gotten the 'green-light' to break into it, it's going to be a 'no-holds-barred'. Sorry Mac, but you're going down!

Mac Zealots are going to kill me for saying this, but breaking access to the Mac OS is incredibly trivial. In this case, I do not require and external medium for the exploit, but just the magic keystroke of '<Apple-s>', in order to get into it's 'single-user mode'. Do this by rebooting your machine and holding down your 'Apple' and 's' key simultaneously. You should get to a screen below:
standard timeslicing quantum is 10000 us
vm_page_bootstrap: 124982 free pages
mig_table_max_displ = 70
92 prelinked modules
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.

using 1310 buffer headers and 1310 cluster IO buffer headers
ADB present:84
FireWire (OHCI) Apple ID 31 built-in now active, GUID 001451ff fe32b0e0; max speed s400.
CSRHIDTransitionDriver::probe: -s
CSRHIDTransitionDriver::probe booting in single user .. do not match
Security auditing service present
BSM auditing present
rooting via boot-uuid from /chosen: A827D24C-C773-3C25-8D8F-E027C540A4B8
Waiting on IOProviderClassIOResourcesIOResourceMatchboot-uuid-media
Got boot device = IOService:/MacRISC2PE/pci@f4000000/AppleMacRiscPCI/ata-6@D/AppleKauaiATA/ATADeviceNub@0/IOAT
ABlockStorageDriver/IOATABlockStorageDevice/IOBlockStorageDriver/TOSHIBA MK4025GAS Media/IOApplePartitionSchem
BSD root: disk0s3, major 14, minor 2

If you want to make modifications to files:
/sbin/fsck -fy
/sbin/mount -uw /

If you wish to boot the system, but stay in single user mode
sh /etc/rc

You might as well call this the 'super user mode', given that it gives out 'root privileges' on the Mac. While it may not be immediately apparent in Mac OS, its UNIX heritage is still apparent. (See the 'The Regents of University of California' copyright message above.)

The message shown above is not reproduced from fidelity given that there's no way to intercept stdout during startup, but rather roughly constituted from the output from 'dmesg', so don't panic if you don't see exactly the same messages.

And if you noticed the instructions given, the nice thing about the Mac's user friendliness is that it even tells you what to do on the command prompt on how to start all the Mac services required!

There's really no need to follow the instructions verbatim, given that we didn't boot into a single user because the harddisk has crashed, there no need to run 'fsck', which is just a fairly time-consuming process that checks your disk for errors. Just mount your root file system in write mode and start the Mac services:

% /sbin/mount -uw /
% sh /etc/rc
Checking disk
fsck_hfs: Volume is journaled. No checking performed.
fsck_hfs: Use the -f option to force checking.
Mounting local filesystems
kern.sysv.shmmax: -1 -> 4194304
kern.sysv.shmmin: -1 -> 1
kern.sysv.shmmni: -1 -> 32
kern.sysv.shmseg: -1 -> 8
kern.sysv.shmall: -1 -> 1024
Resetting files and devices
Starting virtual memory
Removing /mach.sym /var/tmp/folders.501 /etc/nologin /private/_tmp_ /var/_run_ /
Configuring kernel extensions

[... Other messages truncated ...]
There are more messages to that screen, but because I didn't trap the output from stderr, some of them are missing here. But they are not essential for our purpose.

And if you haven't realised it, at this moment you're in 'God Mode'. You have now full file, and system access to all accounts on the Mac OS system, just without the facade of the GUI.

If you have lost your 'Administrator' password, changing it is just a breeze, because you are 'root', you can just change the password of any account you want. However your 'Administrator' account is not actually called 'Administrator', and it does have it's own login name, so you'll need to find that out by checking your '/Users/' directory. For purposes of illustration, I'll assume that your Administrator's username is 'vincent'
% passwd vincent
Enter your new UNIX password: it's-a-secret!
Re-type your new UNIX password: it's-a-secret!
As expected, it doesn't even asks you what your old password is for the change! Well if really wanted to be nasty and insidious, you can create a 'backdoor' account, by changing the password just for the 'root' user, and you'll actually be able to access the computer even without the actual user knowing it!

Once you're done with the fiddling, type 'exit' to get out of the command line and back into the fancy GUI mode. Get into your 'System Preferences' and click on 'Accounts' icon. You'll probably see the screen like this:

As you see, the 'root' account is invisible to Mac OS, i.e. you won't see it as a valid user on your account panel. As typical Mac users, you won't be able to detect the intrusion, given that it doesn't show up as an additional user, normally a tell-tale sign that your machine is compromised.

Of course, you wouldn't have this problem if there is a way to disable the '<Apple-S>' keystroke. Well I don't for now, so it still poses a security risk for my home machine, which is why it remains for casual use as a really expensive music player.


Post a Comment