Hacking Mac OS X For Password Retrieval
I had to resort to this trick as I have inherited an old Mac machine from a friend of mine, who in turn had inherited it from her children. The annoying thing is that the machine’s password is lost, and I can’t get access to updates or make configuration changes. Since I’ve gotten the ‘green-light’ to break into it, it’s going to be a ‘no-holds-barred’. Sorry Mac, but you’re going down!
Mac Zealots are going to kill me for saying this, but breaking into the Mac OS is incredibly trivial. In this case, I do not require an external medium for the exploit, just the magic keystroke of '<Apple-s>', in order to get into its ‘single-user mode’. Do this by rebooting your machine and holding down the Apple and S keys simultaneously. You should see a screen like the one below:
standard timeslicing quantum is 10000 us
vm_page_bootstrap: 124982 free pages
mig_table_max_displ = 70
92 prelinked modules
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
using 1310 buffer headers and 1310 cluster IO buffer headers
ADB present:84
FireWire (OHCI) Apple ID 31 built-in now active, GUID 001451ff fe32b0e0; max speed s400.
CSRHIDTransitionDriver::probe: -s
CSRHIDTransitionDriver::probe booting in single user .. do not match
Security auditing service present
BSM auditing present
disabled
rooting via boot-uuid from /chosen: A827D24C-C773-3C25-8D8F-E027C540A4B8
Waiting on IOProviderClassIOResourcesIOResourceMatchboot-uuid-media
Got boot device = IOService:/MacRISC2PE/[email protected]/AppleMacRiscPCI/[email protected]/AppleKauaiATA/[email protected]/IOATABlockStorageDriver/IOATABlockStorageDevice/IOBlockStorageDriver/TOSHIBA MK4025GAS Media/IOApplePartitionScheme/[email protected]
BSD root: disk0s3, major 14, minor 2
If you want to make modifications to files:
    /sbin/fsck -fy
    /sbin/mount -uw /
If you wish to boot the system, but stay in single user mode
    sh /etc/rc
%
You might as well call this the ‘super user mode’, given that it gives you ‘root privileges’ on the Mac. While it may not be immediately apparent from the Mac OS GUI, its UNIX heritage is still there. (See the ‘The Regents of the University of California’ copyright message above.)
The messages shown above are not reproduced with full fidelity, given that there’s no way to intercept stdout during startup; they are instead roughly reconstituted from the output of 'dmesg', so don’t panic if you don’t see exactly the same messages.
And if you noticed the instructions given, the nice thing about the Mac’s user friendliness is that it even tells you at the command prompt how to start all the Mac services required!
There’s really no need to follow the instructions verbatim. Given that we didn’t boot into single-user mode because the hard disk has crashed, there is no need to run 'fsck', which is just a fairly time-consuming process that checks your disk for errors. Just mount your root file system in write mode and start the Mac services:
% /sbin/mount -uw /
% sh /etc/rc
Checking disk
fsck_hfs: Volume is journaled. No checking performed.
fsck_hfs: Use the -f option to force checking.
Mounting local filesystems
kern.sysv.shmmax: -1 -> 4194304
kern.sysv.shmmin: -1 -> 1
kern.sysv.shmmni: -1 -> 32
kern.sysv.shmseg: -1 -> 8
kern.sysv.shmall: -1 -> 1024
Resetting files and devices
Starting virtual memory
Removing /mach.sym /var/tmp/folders.501 /etc/nologin /private/tmp/ /var/run/ /private/var/vm/swapfile0
Configuring kernel extensions
[... Other messages truncated ...]
%
There are more messages on that screen, but because I didn’t trap stderr, some of them are missing here. They are not essential for our purpose.
And if you haven’t realised it, at this moment you’re in ‘God Mode’. You now have full file and system access to all accounts on the Mac OS system, just without the facade of the GUI.
If you have lost your ‘Administrator’ password, changing it is a breeze: because you are ‘root’, you can change the password of any account you want. However, your ‘Administrator’ account is not actually called ‘Administrator’; it has its own login name, so you’ll need to find that out by checking your '/Users/' directory. For purposes of illustration, I’ll assume that your Administrator’s username is 'vincent':
% passwd vincent
Enter your new UNIX password: it's-a-secret!
Re-type your new UNIX password: it's-a-secret!
As expected, it doesn’t even ask you for your old password before the change! Well, if you really wanted to be nasty and insidious, you could create a ‘backdoor’ account by changing the password just for the ‘root’ user, and you’d be able to access the computer without the actual user knowing it!
Once you’re done with the fiddling, type 'exit' to get out of the command line and back into the fancy GUI mode. Get into your ‘System Preferences’ and click on the ‘Accounts’ icon. You’ll probably see a screen like this:
As you can see, the ‘root’ account is invisible to Mac OS, i.e. you won’t see it as a valid user in your Accounts panel. As a typical Mac user, you won’t be able to detect the intrusion, given that it doesn’t show up as an additional user, which is normally a tell-tale sign that your machine has been compromised.
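Since the point above is that an enabled root account leaves no trace in the Accounts pane, here is an added check (my own example, not part of the original post) that decides from the root user's directory record whether root has been enabled. It assumes the output format of 'dscl . -read /Users/root AuthenticationAuthority Password' on Mac OS X 10.5 and later, where a disabled root carries the ';DisabledUser;' token and a Password value of '*'; the NetInfo-era machine this post describes prints different fields, and the sample records below are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the original post. Decide from a root user record
# (as printed by `dscl . -read /Users/root AuthenticationAuthority Password`)
# whether the built-in root account has been enabled. Assumption: a disabled
# root carries ";DisabledUser;" in AuthenticationAuthority and "Password: *";
# enabling root drops the token and stores a shadow hash ("********").

# Return 0 (true) when the record looks like an enabled root account.
root_enabled_from_record() {
    record="$1"
    # An explicit DisabledUser marker anywhere in the record wins.
    case "$record" in
        *';DisabledUser;'*) return 1 ;;
    esac
    # No marker: look at the Password field. "*" means no password is set;
    # anything else (the "********" placeholder for a hash) means enabled.
    pw=$(printf '%s\n' "$record" | sed -n 's/^Password: //p' | head -n 1)
    [ -n "$pw" ] && [ "$pw" != "*" ]
}

# Human-readable verdict, handy for a cron job or a login-time audit script.
root_verdict() {
    if root_enabled_from_record "$1"; then
        echo ENABLED
    else
        echo DISABLED
    fi
}

# Live check; only meaningful on a Mac where dscl exists. Returns 2 elsewhere.
audit_root_live() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found"; return 2; }
    root_verdict "$(dscl . -read /Users/root AuthenticationAuthority Password 2>/dev/null)"
}

# Constructed sample records (not captured from a real machine).
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
Password: *'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
Password: ********'

# Stand-alone run: show the verdict for both samples.
echo "sample disabled record -> $(root_verdict "$SAMPLE_DISABLED")"
echo "sample enabled record  -> $(root_verdict "$SAMPLE_ENABLED")"
```

An ENABLED verdict on a machine where nobody intentionally turned root on is exactly the silent backdoor the paragraph above describes, and is worth investigating.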
Of course, you wouldn’t have this problem if there were a way to disable the '<Apple-S>' keystroke. Well, I don’t know of one for now, so it still poses a security risk for my home machine, which is why it remains in casual use as a really expensive music player.