diff --git a/home/lucifer/.local/share/nautilus/scripts/05b-macOS/03-E01-autologon-credentials b/home/lucifer/.local/share/nautilus/scripts/05b-macOS/03-E01-autologon-credentials
new file mode 100755
index 0000000..d438935
--- /dev/null
+++ b/home/lucifer/.local/share/nautilus/scripts/05b-macOS/03-E01-autologon-credentials
@@ -0,0 +1,218 @@
+#!/bin/bash
+#===============================================================================
+#
+# DIRECTORY:
+# /home/*/.local/share/nautilus/scripts/05b_macOS/
+# OR
+# /home/*/.gnome2/nautilus-sctipts/05b_macOS/ (deprecated)
+#
+# FILE:
+# 03_credentials
+#
+# USAGE:
+# Right klick on an EWF image (.E01) and
+# choose this nautilus script from the context menu.
+#
+# OPTIONS:
+# none
+#
+# DESCRIPTION:
+# Shows password hints, configured autoLoginUser and
+# recalculated kcpassword (if present).
+#
+# REQUIREMENTS:
+# bash, zenity, sleuthkit, awk, grep, libplist-util, print_plist_entry.py,
+# kcpass.py, vim and coreutils
+#
+# BUGS:
+# ---
+#
+# NOTES:
+# Tested on
+# - Debian 8+
+# - Arch Linux
+#
+# AUTHOR:
+# Patrick Neumann, patrick@neumannsland.de
+#
+# COMPANY:
+# (privately)
+#
+# VERSION:
+# 0.9 (beta)
+#
+# LINK TO THE MOST CURRENT VERSIONS:
+# https://
+#
+# CREATED:
+# 23.03.2016
+#
+# COPYRIGHT (C):
+# 2015-2020 - Patrick Neumann
+#
+# LICENSE:
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# WARRANTY:
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+# TODO:
+# ---
+#
+# HISTORY:
+# 0.9 - Patrick Neumann - Initial (public) release
+#===============================================================================
+
+#-------------------------------------------------------------------------------
+# Additional supported Distribution(s) (add before Library!).
+#-------------------------------------------------------------------------------
+SUPPORTED_OSR="arch"
+
+#-------------------------------------------------------------------------------
+# Check for library (casualscripter_nautilus-scripts_functions.sh).
+#-------------------------------------------------------------------------------
+readonly LIBRARY="${0%/*/*}/.casualscripter_nautilus-scripts_functions.sh"
+if [ ! -f "${LIBRARY}" ] ; then
+ zenity --error \
+ --text \
+ "ERROR: casualscripter_nautilus-scripts_functions.sh MISSING!"
+ exit 1
+fi
+
+source "${LIBRARY}"
+
+#-------------------------------------------------------------------------------
+# Checks (see library "casualscripter_nautilus-scripts_functions.sh").
+#-------------------------------------------------------------------------------
+check_dep "${AWK_BIN}" "awk"
+check_dep "${FLS_BIN}" "sleuthkit"
+check_dep "${FSSTAT_BIN}" "sleuthkit"
+check_dep "${GREP_BIN}" "grep"
+check_dep "${ICAT_BIN}" "sleuthkit"
+check_dep "${IFIND_BIN}" "sleuthkit"
+check_dep "${MMLS_BIN}" "sleuthkit"
+check_dep "${PLUTIL_BIN}" "libplist-utils"
+check_dep "${RM_BIN}" "coreutils"
+check_dep "${XXD_BIN}" "vim-common"
+
+# https://github.com/casualscripter/mac-osx-forensics
+# (forked from https://github.com/moxilo/mac-osx-forensics)
+check_dep "${KCPPY_BIN}" "kcpass.py"
+
+# https://raw.githubusercontent.com/casualscripter/debian-stuff
+check_dep "${PPEPY_BIN}" "print_plist_entry.py"
+
+# actually only working correct with EWF images!
+check_ext "${SOURCE}" "[eE]01"
+
+check_tmp
+
+#-------------------------------------------------------------------------------
+# A little bit of configuration before the magic.
+#-------------------------------------------------------------------------------
+readonly OFFSET="$( choose_partition "${SOURCE}" | ${AWK_BIN} -F "_" '{ print $3; }' )"
+
+readonly CREDENTIALS="${TMP}/${OFFSET}_credentials.txt"
+
+#-------------------------------------------------------------------------------
+# The wonder...
+#-------------------------------------------------------------------------------
+if ${FSSTAT_BIN} -o "${OFFSET}" "${SOURCE}" > /dev/null 2>&1 ; then
+ (
+ echo -e -n "Partition (mmls line):\n " >> "${CREDENTIALS}"
+ ${MMLS_BIN} -aM "${SOURCE}" \
+ | ${AWK_BIN} '$3=="'"${OFFSET}"'" { print $0; }' \
+ >> "${CREDENTIALS}"
+
+ users="$( ${IFIND_BIN} -o "${OFFSET}" \
+ -n "/private/var/db/dslocal/nodes/Default/users" \
+ "${SOURCE}" )"
+ if [ "${users}" != "File not found" ] ; then
+ echo -e "\n Some contents from the OpenDirectory (users):\n" \
+ >> "${CREDENTIALS}"
+ users_ls="$( ${FLS_BIN} -o "${OFFSET}" "${SOURCE}" "${users}" \
+ | ${GREP_BIN} --extended-regexp \
+ --invert-match \
+ ".*[[:space:]](Guest|_.*|daemon|nobody|root)\.plist" \
+ | ${AWK_BIN} '{ sub( /:/, "", $2 ); print $2; }' )"
+ for user in ${users_ls} ; do
+ if [ ! -f "${user}.plist" ] ; then
+ if ! ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${user}" > "/tmp/${user}.plist" ; then
+ echo " During the execution of icat an error occurred." >> "${CREDENTIALS}"
+ fi
+ ${PLUTIL_BIN} -i "/tmp/${user}.plist" -o "${DIRNAME}/${user}.plist"
+ ${RM_BIN} "/tmp/${user}.plist"
+ fi
+ echo -e -n " " >> "${CREDENTIALS}"
+ ${PPEPY_BIN} "${DIRNAME}/${user}.plist" "name" >> "${CREDENTIALS}"
+ echo -e -n " " >> "${CREDENTIALS}"
+ ${PPEPY_BIN} "${DIRNAME}/${user}.plist" "hint" >> "${CREDENTIALS}"
+ echo >> "${CREDENTIALS}"
+ done
+ else
+ echo -e " Directory \"/private/var/db/dslocal/nodes/Default/users\" not found.\n" \
+ >> "${CREDENTIALS}"
+ fi
+
+ calp="$( ${IFIND_BIN} -o "${OFFSET}" \
+ -n "/Library/Preferences/com.apple.loginwindow.plist" \
+ "${SOURCE}" )"
+ if [ "${calp}" != "File not found" ] ; then
+ if [ ! -f "${calp}.plist" ] ; then
+ if ! ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${calp}" > "/tmp/${calp}.plist" ; then
+ echo " During the execution of icat an error occurred." \
+ >> "${CREDENTIALS}"
+ fi
+ ${PLUTIL_BIN} -i "/tmp/${calp}.plist" -o "${DIRNAME}/${calp}.plist"
+ ${RM_BIN} "/tmp/${calp}.plist"
+ fi
+ echo -e -n " Some content from com.apple.loginwindow.plist:\n " \
+ >> "${CREDENTIALS}"
+ ${PPEPY_BIN} "${DIRNAME}/${calp}.plist" "lastUserName" \
+ >> "${CREDENTIALS}"
+ echo -e -n " " >> "${CREDENTIALS}"
+ ${PPEPY_BIN} "${DIRNAME}/${calp}.plist" "autoLoginUser" \
+ >> "${CREDENTIALS}"
+ echo >> "${CREDENTIALS}"
+ else
+ echo -e " File \"/Library/Preferences/com.apple.loginwindow.plist\" not found.\n" \
+ >> "${CREDENTIALS}"
+ fi
+
+ kcpw="$( ${IFIND_BIN} -o "${OFFSET}" -n "/private/etc/kcpassword" "${SOURCE}" )"
+ if [ "${kcpw}" != "File not found" ] ; then
+ echo -e "\nPassword (kcpass.py CREDENTIALS):" >> "${CREDENTIALS}"
+ if ! ${KCPPY_BIN} "$( ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${kcpw}" \
+ | ${XXD_BIN} -p )" \
+ >> "${CREDENTIALS}" ; then
+ echo "During the execution of kcpass.py an error occurred."  \
+ >> "${CREDENTIALS}"
+ fi
+ else
+ echo -e " File \"/private/etc/kcpassword\" not found.\n" \
+ >> "${CREDENTIALS}"
+ fi
+ ) | ${ZENITY_BIN} --progress \
+ --title="credentials" \
+ --text="Please wait..." \
+ --pulsate
+else
+ echo -e " ? (The Sleuth Kit does not support the filesystem!)\n" \
+ >> "${CREDENTIALS}"
+fi
+
+#-------------------------------------------------------------------------------
+# Display content of the resultfile "credentials.txt".
+#-------------------------------------------------------------------------------
+display_resultfile "${CREDENTIALS}"
+
+exit 0
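Review bot: Both icat extractions redirect into fixed paths under `/tmp` (`/tmp/${user}.plist` in the users loop, `/tmp/${calp}.plist` in the loginwindow block) whose name is only an inode number. On a shared analysis host that path can already exist or be a symlink owned by someone else, and depending on umask the extracted account plist is readable by other local users until it is removed. A private file avoids both, e.g. `tmp_plist="$(mktemp)" || exit 1` and then `${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${user}" > "${tmp_plist}"`, or the directory behind `${TMP}` if `check_tmp` (defined in the library, not visible here) already guarantees a private one. In the same two places the cache test `[ ! -f "${user}.plist" ]` looks in the current directory while the converted file is written to `${DIRNAME}/`, and the name carries neither image nor offset, so a plist left over from another image or partition could be reported for this one; `[ ! -f "${DIRNAME}/${OFFSET}_${user}.plist" ]` with a matching output name would tie the cache to the partition. `${PLUTIL_BIN}` also still runs after icat has failed, so the error branch should skip the conversion (`continue` in the loop) instead of only logging.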