Mac OS X Live Forensics 106

Welcome back :) We are going to have a lot of fun this week, talking about a portable forensics framework for OS X, cracking OS X user password hashes, and using the new Kon-Boot to bypass the login screen and access Macs that don't have full disk encryption enabled.

First, I've talked about Kon-Boot on my blog before, but recently I learned that there is a Kon-Boot for OS X! This new Kon-Boot costs $15 to download; you get a limited time to download it, but can flash the image to either USB or CD as much as you want. The OS X version of Kon-Boot supports 10.6, 10.7, 10.8, and 10.9, of which I've tested and confirmed it working with OS X 10.9.4. It works with Mac Intel 64-bit hardware by virtually modifying the EFI BIOS and then loading its own driver to interact with the OS X kernel. It has two modes of operation: one that allows you to select any user and log in as them using any password, and another that will add a new user for you with the default credentials of kon-boot:kon-boot. While it officially only works against OS X without full disk encryption, aka with FileVault disabled, there is an interesting scenario where you can add a user on a system that has full disk encryption. Simply find a discreet USB port, add your small Kon-Boot USB, boot it up, select the add-user module, and then leave it at the main login screen, waiting for the owner to return and decrypt their hard disk. Once the hard disk is decrypted, you will have a fairly hidden user added to the machine.

This leads us to our next forensics question: where are users typically stored on OS X? Generally, their home folders are under /Users/[user]/, but they aren't tracked in /etc/passwd like on a typical Linux system. Actually, in 10.9.x, the users are stored as Apple binary plists under /private/var/db/dslocal/nodes/Default/users/[user].plist. These plists are great, and will contain all of the domain information on that user as well as the user's hashed password! By default on 10.9.x, these passwords are stored as salted-sha512-pbkdf2, which means they will be hard to crack. However, there is a tool that will let you attempt to bruteforce these hashes, called davegrohl, and while the original site may be down, there is a copy of the latest version of the tool here. Luckily though, HashCat also supports salted-sha512-pbkdf2, and you can set up cudaHashCat pretty easily following my tutorial. On older versions of OS X, hashes are stored under /var/db/shadow/hash/ as SHA1, which will be a lot easier to crack with cudaHashCat. You're probably going to want the following script to help you extract the hashes and put them into a crackable format: ml2john
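To make the record layout concrete, here is an added Python example (mine, not code from this post, from ml2john, davegrohl or pac4mac) that parses a dslocal user plist, reports which hash scheme and iteration count it uses, and checks whether any local account still carries the kon-boot:kon-boot default credential that the Kon-Boot add-user module leaves behind, which is a quick way to spot that kind of tampering during triage. It assumes the 10.8/10.9 layout where the user plist holds a ShadowHashData array whose first element is itself a binary plist keyed by SALTED-SHA512-PBKDF2 with entropy, salt and iterations; the sample records below are constructed in memory with that layout (the 38000 iteration count is just a sample value), so it runs offline against nothing real.

```python
import hashlib
import hmac
import os
import plistlib

# Assumed layout of a local user record on OS X 10.8/10.9
# (/private/var/db/dslocal/nodes/Default/users/<user>.plist):
# the "ShadowHashData" array holds one binary plist keyed by hash scheme.
# Confirm this against a record from the system you are examining.
PBKDF2_KEY = "SALTED-SHA512-PBKDF2"


def build_sample_user_plist(username, password, iterations=38000, salt=None):
    """Construct a sample binary user plist in the assumed 10.9 layout (not a real record)."""
    salt = salt or os.urandom(32)
    # Real records store a 128-byte PBKDF2-HMAC-SHA512 output as "entropy".
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=128)
    inner = plistlib.dumps(
        {PBKDF2_KEY: {"entropy": entropy, "salt": salt, "iterations": iterations}},
        fmt=plistlib.FMT_BINARY,
    )
    outer = {"name": [username], "uid": ["501"], "ShadowHashData": [inner]}
    return plistlib.dumps(outer, fmt=plistlib.FMT_BINARY)


def parse_user_record(plist_bytes):
    """Return the username and password-hash parameters from a dslocal user plist."""
    record = plistlib.loads(plist_bytes)
    username = record["name"][0]
    shadow = plistlib.loads(record["ShadowHashData"][0])
    if PBKDF2_KEY not in shadow:
        # Some other scheme: report its name so the analyst knows what they are looking at.
        return {"name": username, "algorithm": next(iter(shadow)),
                "iterations": None, "salt": None, "entropy": None}
    params = shadow[PBKDF2_KEY]
    return {
        "name": username,
        "algorithm": PBKDF2_KEY,
        "iterations": params["iterations"],
        "salt": bytes(params["salt"]),
        "entropy": bytes(params["entropy"]),
    }


def password_matches(record, candidate):
    """Recompute PBKDF2-HMAC-SHA512 with the stored salt and iteration count and compare."""
    if record["algorithm"] != PBKDF2_KEY:
        return False
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode(), record["salt"],
                                  record["iterations"], dklen=len(record["entropy"]))
    return hmac.compare_digest(derived, record["entropy"])


def accounts_with_default_password(plists, default_password="kon-boot"):
    """Names of local accounts whose hash matches a known default, e.g. a Kon-Boot added user."""
    hits = []
    for blob in plists:
        record = parse_user_record(blob)
        if password_matches(record, default_password):
            hits.append(record["name"])
    return hits


# Constructed sample records: one ordinary user and one Kon-Boot style default account.
SAMPLE_RECORDS = [
    build_sample_user_plist("alice", "correct horse battery staple"),
    build_sample_user_plist("kon-boot", "kon-boot"),
]

if __name__ == "__main__":
    for blob in SAMPLE_RECORDS:
        r = parse_user_record(blob)
        print(r["name"], r["algorithm"], r["iterations"], "iterations")
    print("accounts using the Kon-Boot default password:",
          accounts_with_default_password(SAMPLE_RECORDS))
```

On a real image you would read each file under the users directory into the list instead of SAMPLE_RECORDS; the parser only needs the plist bytes, so it works the same on a mounted image as on a live system.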

I also stumbled across this excellent forensics framework for OS X, called pac4mac. The framework only requires Python to run and is pretty effective. It allows you to dump data from live access, single user mode, or a system image. From a live system you can also dump RAM and take an image of the system, and then the framework will allow you to analyze both of these later, offline. Using many of the techniques we've discussed in this series, the framework extracts tons of useful files from the system. Some of the useful data you can dump from system images or live systems includes browser history, cookies, downloads, Skype messages, calendar caches, emails, keychain files, iOS files, printed files, log files, and potential passwords.

Overall, these two tools together, Kon-Boot and pac4mac, can create a crazy effective USB for both penetrating and analyzing OS X systems. You can quickly access the system, dump RAM, take a system image, and if you have the time, analyze tons of useful files. We can then take our hashes and crack them for access to other systems, assuming password reuse.