octomagon / davegrohl

A Password Cracker for macOS
http://www.davegrohl.org
GNU General Public License v2.0

Memory Usage Buildup #22

Closed JoinTheHippies closed 7 years ago

JoinTheHippies commented 7 years ago

When I run this on my new MacBook Air, I get about 20 guesses per second, but my old MacBook Pro gets 91,000/second. In about 10 minutes, I have maxed out my RAM, as it just keeps building infinitely. Is there something that I configured incorrectly?

octomagon commented 7 years ago

20 guesses per second sounds about right for newer versions of macOS. Can you paste in the output from Dave on your older MBP? Does it say -- Loaded PBKDF2 (Salted SHA512)? What version of macOS is it running?

JoinTheHippies commented 7 years ago

Thank you for the quick reply. It is running El Capitan. I did find the issue. I was running it in verbose mode because I like to see the progress; turns out that was a bad idea. What I was confused about, though, is why my old MacBook Pro processes so much faster than my Air. I get the Loaded PBKDF2 (Salted SHA512) message on both and they're both running El Capitan. Currently my MacBook Pro is running a copy of my friend's computer while I crack an old password of his, so it could be a setting he has on his computer. I'm not really sure. Long story short, verbose mode chews CPU when the computer is getting 100k+ guesses per second.

octomagon commented 7 years ago

Hmmm... Interesting. The fastest I've seen Dave crack a PBKDF2 hash is like 60 gps, so 90k implies it's using a different hashing function or the function's not working correctly. Dave will go much faster if you have SMB file sharing enabled or maybe if your friend hasn't changed his password since Snow Leopard. I'll try to reproduce it tomorrow. If you're familiar with C++ debuggers and feeling especially randy, you can recompile Dave and dig thru the call stack.

Just curious, but are you specifically trying to figure out your friend's password? Cuz there's much easier ways to break into an account (non-FileVault).

JoinTheHippies commented 7 years ago

I am not nearly familiar enough with C++ to recompile Dave or to debug anything. And I did replace the built-in wordlist, so that might have messed something up, but as of 2 hours of run time it has guessed 661 billion passwords. And no, I'm not trying to crack his password, but our school uses the same root password on all of the computers and we are trying to crack that.

JoinTheHippies commented 7 years ago

Hmm... I just started a crack on his user account and it is going at 14 guesses per second.

JoinTheHippies commented 7 years ago

Also, I don't remember where I downloaded the version I'm using from, but I downloaded the new one off of GitHub and tried it, and within seconds it would give me this:

Student-Zach-Rohovit:davegrohl-master zachrohovit$ sudo ./dave -u root -v

-- Loaded PBKDF2 (Salted SHA512)

-- Starting attack

-- Found password : ''

7e

m1

ui

-

--- --F oFFuoonuudnn ddp appsaassswssowwroodrr dd: ::' '[[[222;223;;133m117mmemui[[[222;220;;m00'mm

''

-- (incremental attack)

Finished in 0.000 seconds / 4 total guesses...

15503.88 guesses per second.

JoinTheHippies commented 7 years ago

However, neither of these things happens on his user account "zachrohovit"; they only happen on root. The root account on my MacBook Air cracks just as it should as well. I thought at first maybe the root password on his machine was just the return key and that was why I was getting all these problems, but I tried it and it was not. Either way, it all seems to be related to the root account, because everything goes as planned when I crack his user account.

octomagon commented 7 years ago

You can look at root's password hash by typing sudo plutil -p /var/db/dslocal/nodes/Default/users/root.plist in the terminal. By default, root shouldn't have a password. My root.plist looks like:

{
  "passwd" => [
    0 => "*"
  ]
  "uid" => [
    0 => "0"
  ]
  "smb_sid" => [
    0 => "S-1-5-18"
  ]
  "shell" => [
    0 => "/bin/sh"
  ]
  "home" => [
    0 => "/var/root"
  ]
  "realname" => [
    0 => "System Administrator"
  ]
  "generateduid" => [
    0 => "FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000"
  ]
  "gid" => [
    0 => "0"
  ]
  "name" => [
    0 => "root"
    1 => "BUILTIN\Local System"
  ]
}

If root's hash is wonky, Dave may be choking on it. What does your root hash look like? (Remember to munge out any sensitive data!)

JoinTheHippies commented 7 years ago

It is very possible that the root account has no password. I had not tried logging in through the GUI, only using "login root" in terminal. The only difference between your root hash and mine is that I have a section called "accountPolicyData" which consists of a bunch of random eight-character combinations. Is that something important?

octomagon commented 7 years ago

I think accountPolicyData is stuff like the last login time and number of failed login attempts. The random eight-character combinations are binary data represented in hexadecimal. If the root user had a password it would look like the accountPolicyData section, but would be called ShadowHashData instead.

It sounds like root has no password which is the default on Macs.
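The two comments above describe how to tell from a dslocal user record whether an account actually has a password: a ShadowHashData entry means a hash is present, while passwd "*" with no ShadowHashData is the no-password default, and accountPolicyData is binary bookkeeping rather than a credential. The following is an added audit example (not davegrohl's code) that applies that rule to constructed sample records; the record layout mirrors the `plutil -p` output in the thread, and the data blobs are made up.

```python
"""Audit macOS local-directory (dslocal) user records for password state.

Added example, not code from davegrohl. It reads the same kind of record
the thread inspects with
`sudo plutil -p /var/db/dslocal/nodes/Default/users/root.plist`
and tells a hash (ShadowHashData) apart from accountPolicyData, which is
binary too but is not a password hash. Sample records are constructed.
"""
import plistlib

# Constructed: root as described in the thread, passwd "*" and no hash,
# plus accountPolicyData (login bookkeeping, not a credential).
ROOT_NO_PASSWORD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>name</key><array><string>root</string></array>
  <key>passwd</key><array><string>*</string></array>
  <key>accountPolicyData</key><array><data>AAECAwQFBgc=</data></array>
</dict></plist>"""

# Constructed: an account that does carry a hash blob (contents are dummy).
USER_WITH_HASH = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>name</key><array><string>alice</string></array>
  <key>passwd</key><array><string>********</string></array>
  <key>ShadowHashData</key><array><data>AAECAwQFBgc=</data></array>
</dict></plist>"""

def hash_state(plist_bytes: bytes) -> str:
    """Return 'hashed', 'no-password' or 'unknown' for one dslocal record.

    Works on the XML above and on the binary plists actually stored under
    /var/db/dslocal, since plistlib reads both formats.
    """
    record = plistlib.loads(plist_bytes)
    shadow = record.get("ShadowHashData") or []
    if any(len(blob) > 0 for blob in shadow):
        return "hashed"                    # real credential material present
    passwd = record.get("passwd") or []
    if passwd and all(p == "*" for p in passwd):
        return "no-password"               # the macOS default for root
    return "unknown"                       # neither marker: inspect by hand

def audit(records: dict) -> dict:
    """Map account name -> state, so root's state shows up at a glance."""
    return {name: hash_state(data) for name, data in records.items()}

if __name__ == "__main__":
    for name, state in audit({"root": ROOT_NO_PASSWORD,
                              "alice": USER_WITH_HASH}).items():
        print(f"{name:8s} {state}")
```

On a real machine the bytes would come from reading the per-user plist as root; a "no-password" result for root is the default state the thread describes, not an error in the cracker.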

JoinTheHippies commented 7 years ago

OK, thanks. By the way, I'm not using this for any prank purposes or stupid things. My school asked me to find security vulnerabilities.

nk1902 commented 7 years ago

Sureeee

octomagon commented 7 years ago

Yeah, I've used that one before too :)