John the Ripper

I am trying to run John the Ripper, but every time I do, it comes up and says that there are no password hashes loaded. How do I load them, and also is it possible to test my machine over ssh. I work on a network on campus and want to make sure that no one can access my machine, and a friend recommended testing with this. Any help on John the Ripper in general is appreciated. Any help sites or forums, too.

12" iBook G4, Mac OS X (10.4.7), 512Mb RAM upgrade

Posted on Jul 20, 2006 1:18 PM


Jul 21, 2006 6:26 PM in response to never_more

Hi never_more,
I waited to see if anyone answered before telling you that I don't know how to do what you want. However, maybe I can enumerate some of the issues. From the tutorials I've read, John the Ripper expects the password hashes to be in a file that is in the format of the /etc/passwd file. I don't know if the password hashes can be consumed by John the Ripper in any other format.

Before Panther, passwords for MacOS X users were stored in NetInfo but they were hashed via the ancient classic UNIX crypt algorithm, the same algorithm that is used in classic UNIX passwd files. In fact, there is a command line utility that will create a classic passwd file with the command:

nidump passwd / > passwd.nidump

It was a simple matter to run John the Ripper on that file.

Since Panther, passwords are stored in a "shadow hash". The hashes are stored in the /var/db/shadow/hash directory in one file per user. The name of a user's file is the value of the "generateduid" property found in the user's directory in NetInfo (or Open Directory). There is actually another file for each user with the same name but with a .state filename suffix. That's just a property list with some related information. I'm afraid that I have no idea what algorithm is used to hash these shadow passwords but the contents of the file containing the hash are mostly zeroes, so the hashes are also padded in some way.

I'm afraid that's all I know. I don't know how to extract the hashes in a way that John the Ripper can use or what algorithm to tell it to use.
--
Gary
~~~~
"What if" is a trademark of Hewlett Packard, so stop
using it in your sentences without permission, or risk
being sued.

Jul 23, 2006 10:53 PM in response to never_more

Hi never_more,

> I tried what you said and it worked fine.

If by that you mean the nidump command, that produces a result that Jack the Ripper can understand but if you have shadow passwords, the hashes are all asterisks, carrying no information. The real hashes are where I told you but you need root access to even see some of the directories. This is how it should be. No one should be able to do what you're trying to do to a working machine. There's no way that testing passwords is worth removing that protection, to say nothing of using a weaker hashing algorithm.

If you want to test a known password, just use the Perl crypt command, like so:

perl -e 'print(crypt("password","Fc")."\n");'

Replace the word, password, in the above command, with the password you want to test. Then get a line from one of your many password files, put it in its own file and replace the password hash with the output of the above command. Running John the Ripper on such files produced by a variety of passwords should give you some idea of the relative strengths of the different passwords without requiring you to compromise the security of your machine to do so.

Oh, "Fc" above is just a two-letter seed. You probably want to try a variety of your own.
--
Gary
~~~~
My parents went to Niagara Falls and all I got was this
crummy life.
