#!/bin/bash
#===============================================================================
#
# DIRECTORY:
#   /home/*/.local/share/nautilus/scripts/05b-macOS/
#   OR
#   /home/*/.gnome2/nautilus-scripts/05b-macOS/ (deprecated)
#
# FILE:
#   05c-E01-dump-SALTED-SHA512-PBKDF2-v10.8-10.15
#
# USAGE:
#   Right click on an EWF image (.E01) and
#   choose this nautilus script from the context menu.
#
# OPTIONS:
#   none
#
# DESCRIPTION:
#   Extracts the hashes out of OS X and macOS (10.8+)
#
# REQUIREMENTS:
#   bash, zenity, sleuthkit, awk, findutils, libplist-utils, sed, grep,
#   coreutils and xxd
#
# BUGS:
#   ---
#
# NOTES:
#   Tested on
#   - Debian 8+
#   - Arch Linux
#
# AUTHOR:
#   Patrick Neumann, patrick@neumannsland.de
#
# COMPANY:
#   (privately)
#
# VERSION:
#   0.9 (beta)
#
# LINK TO THE MOST CURRENT VERSIONS:
#   https://...
#
# CREATED:
#   21.06.2020
#
# COPYRIGHT (C):
#   2015-2020 - Patrick Neumann
#
# LICENSE:
#   This program is free software: you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation, either version 3 of the License, or
#   (at your option) any later version.
#
# WARRANTY:
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# TODO:
#   ----
#
# HISTORY:
#   0.9 - Patrick Neumann - Initial (public) release
#
#===============================================================================

#-------------------------------------------------------------------------------
# Additional supported Distribution(s) (add before Library!).
#-------------------------------------------------------------------------------
# fred-report-templates have to be copied manually too!
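SUPPORTED_OSR="arch"

#-------------------------------------------------------------------------------
# Check for library (casualscripter_nautilus-scripts_functions.sh).
# Everything used below that is not defined in this file (check_dep,
# check_ext, check_tmp, choose_partition, display_resultfile, the *_BIN
# paths, TMP and SOURCE) is expected to come from that library.
#-------------------------------------------------------------------------------
readonly LIBRARY="${0%/*/*}/.casualscripter_nautilus-scripts_functions.sh"
if [[ ! -f "${LIBRARY}" ]] ; then
  zenity --error \
         --text \
         "ERROR: casualscripter_nautilus-scripts_functions.sh MISSING!"
  exit 1
fi
# shellcheck source=/dev/null
source "${LIBRARY}"

#-------------------------------------------------------------------------------
# Checks (see library "casualscripter_nautilus-scripts_functions.sh").
#-------------------------------------------------------------------------------
check_dep "${IFIND_BIN}" "sleuthkit"
check_dep "${FLS_BIN}" "sleuthkit"
check_dep "${AWK_BIN}" "awk"
check_dep "${ICAT_BIN}" "sleuthkit"
check_dep "${FIND_BIN}" "findutils"
check_dep "${PLUTIL_BIN}" "libplist-utils"
check_dep "${SED_BIN}" "sed"
check_dep "${GREP_BIN}" "grep"
check_dep "${TR_BIN}" "coreutils"
check_dep "${BASE64_BIN}" "coreutils"
check_dep "${TAIL_BIN}" "coreutils"
check_dep "${XXD_BIN}" "xxd"
check_dep "${CUT_BIN}" "coreutils"
check_ext "${SOURCE}" "[eE]01"
check_tmp

#-------------------------------------------------------------------------------
# A little bit of configuration before the magic.
# The third "_"-separated field of what choose_partition prints is used as
# the partition offset handed to the sleuthkit tools via -o. Assignment and
# readonly are separated so an empty result (e.g. the chooser was cancelled)
# is caught instead of silently turning into "-o ''".
#-------------------------------------------------------------------------------
OFFSET="$( choose_partition "${SOURCE}" | ${AWK_BIN} -F "_" '{ print $3; }' )"
if [[ -z "${OFFSET}" ]] ; then
  zenity --error --text "ERROR: no partition (offset) selected!"
  exit 1
fi
readonly OFFSET
readonly HASHES="${TMP}/${OFFSET}-hashes.txt"

#-------------------------------------------------------------------------------
# Extract the per-user plists from /private/var/db/dslocal/nodes/Default/users
# and pull the SALTED-SHA512-PBKDF2 parameters (iterations, salt, entropy)
# out of the base64 encoded binary plist stored under ShadowHashData.
# Every user yields one line "$ml$<iterations>$<salt hex>$<entropy hex>".
# We need HFS+ support for 10.8-10.12 and
# APFS support for 10.13 and later!
# The result is cached per offset: remove "${HASHES}" to force re-extraction.
#-------------------------------------------------------------------------------
if [[ ! -f "${HASHES}" ]] ; then
  USERS="$( ${IFIND_BIN} -o "${OFFSET}" -n "/private/var/db/dslocal/nodes/Default/users" "${SOURCE}" )"
  if [[ -z "${USERS}" ]] ; then
    zenity --error --text "ERROR: users directory not found in the selected partition!"
    exit 1
  fi

  # fls prints "<type> <inode>: <name>"; awk joins the last two fields into
  # "<inode>:<name>" and drops service accounts (names starting with "_").
  # A read loop instead of "for x in $(...)" keeps names with blanks intact.
  while IFS= read -r entry ; do
    [[ -n "${entry}" ]] || continue
    ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${entry%%:*}" > "${TMP}/user-${entry#*:}"
  done < <( ${FLS_BIN} -o "${OFFSET}" "${SOURCE}" "${USERS}" \
            | ${AWK_BIN} '$NF !~ /^_/ { print $(NF-1) $NF; }' )

  # -size +1k skips plists too small to carry a ShadowHashData blob;
  # NUL-delimited find output keeps unusual file names intact.
  while IFS= read -r -d '' plist ; do
    user="${plist##*/user-}"
    user="${user%.plist}"

    # ShadowHashData is a base64 encoded binary plist inside the XML plist:
    # cut out the <array>, strip the tags and whitespace, decode to a file.
    ${PLUTIL_BIN} --infile "${plist}" \
      | ${SED_BIN} --silent '/ShadowHashData/,/<\/array>/ p' \
      | ${GREP_BIN} --extended-regexp --invert-match "<.*>" \
      | ${SED_BIN} --regexp-extended 's/[[:space:]]//g' \
      | ${TR_BIN} --delete '\n' \
      | ${BASE64_BIN} --decode \
      > "${TMP}/shadowhashdata-${user}.plist"

    # Convert the inner plist to XML once and keep only the
    # SALTED-SHA512-PBKDF2 <dict>; the three values are taken from it.
    shadow_dict="$( ${PLUTIL_BIN} -i "${TMP}/shadowhashdata-${user}.plist" \
      | ${SED_BIN} -E -n '/SALTED-SHA512-PBKDF2/,/<\/dict>/ p' )"

    # iterations: the line following the "iterations" key, whitespace removed
    ITERATION="$( printf '%s\n' "${shadow_dict}" \
      | ${GREP_BIN} -F -A1 "iterations" \
      | ${TAIL_BIN} -n 1 \
      | ${SED_BIN} -E 's#[[:space:]]*##g' )"

    # salt: base64 <data> -> raw bytes -> hex, newlines removed
    SALT="$( printf '%s\n' "${shadow_dict}" \
      | ${SED_BIN} -n '/salt/,/<\/data>/ p' \
      | ${GREP_BIN} -E -v "<.*>" \
      | ${SED_BIN} -E 's/[[:space:]]//g' \
      | ${BASE64_BIN} -d \
      | ${XXD_BIN} -b -p \
      | ${TR_BIN} -d '\n' )"

    # entropy: as salt, truncated to the first 128 hex characters (64 bytes)
    ENTROPY="$( printf '%s\n' "${shadow_dict}" \
      | ${SED_BIN} -n '/entropy/,/<\/data>/ p' \
      | ${GREP_BIN} -E -v "<.*>" \
      | ${SED_BIN} -E 's/[[:space:]]//g' \
      | ${TR_BIN} -d '\n' \
      | ${BASE64_BIN} -d \
      | ${XXD_BIN} -b -p \
      | ${TR_BIN} -d '\n' \
      | ${CUT_BIN} -c 1-128 )"

    # Do not write a malformed "$ml$$$" line for plists without a complete
    # SALTED-SHA512-PBKDF2 entry; report and move on to the next user.
    if [[ -z "${ITERATION}" || -z "${SALT}" || -z "${ENTROPY}" ]] ; then
      printf 'WARNING: no complete SALTED-SHA512-PBKDF2 entry for "%s" - skipped\n' "${user}" >&2
      continue
    fi
    printf '$ml$%s$%s$%s\n' "${ITERATION}" "${SALT}" "${ENTROPY}" >> "${HASHES}"
  done < <( ${FIND_BIN} "${TMP}" -type f -iname "user-*.plist" -size +1k -print0 )
fi

#-------------------------------------------------------------------------------
# Display content of the resultfile "hashes.txt".
#-------------------------------------------------------------------------------
display_resultfile "${HASHES}"

exit 0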