casualscripter/Masterthesis
1
0
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Masterthesis/home/lucifer/.local/share/nautilus/scripts/05b-macOS/03-E01-autologon-credentials

219 lines
7.6 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
#===============================================================================
#
# DIRECTORY:
# /home/*/.local/share/nautilus/scripts/05b_macOS/
# OR
# /home/*/.gnome2/nautilus-sctipts/05b_macOS/ (deprecated)
#
# FILE:
# 03_credentials
#
# USAGE:
# Right klick on an EWF image (.E01) and
# choose this nautilus script from the context menu.
#
# OPTIONS:
# none
#
# DESCRIPTION:
# Shows password hints, configured autoLoginUser and
# recalculated kcpassword (if present).
#
# REQUIREMENTS:
# bash, zenity, sleuthkit, awk, grep, libplist-util, print_plist_entry.py,
# kcpass.py, vim and coreutils
#
# BUGS:
# ---
#
# NOTES:
# Tested on
# - Debian 8+
# - Arch Linux
#
# AUTHOR:
# Patrick Neumann, patrick@neumannsland.de
#
# COMPANY:
# (privately)
#
# VERSION:
# 0.9 (beta)
#
# LINK TO THE MOST CURRENT VERSIONS:
# https://
#
# CREATED:
# 23.03.2016
#
# COPYRIGHT (C):
# 2015-2020 - Patrick Neumann
#
# LICENSE:
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# WARRANTY:
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# TODO:
# ---
#
# HISTORY:
# 0.9 - Patrick Neumann - Initial (public) release
#===============================================================================
#-------------------------------------------------------------------------------
# Additional supported Distribution(s) (add before Library!).
#-------------------------------------------------------------------------------
SUPPORTED_OSR="arch"
#-------------------------------------------------------------------------------
# Check for library (casualscripter_nautilus-scripts_functions.sh).
#-------------------------------------------------------------------------------
readonly LIBRARY="${0%/*/*}/.casualscripter_nautilus-scripts_functions.sh"
if [ ! -f "${LIBRARY}" ] ; then
zenity --error \
--text \
"ERROR: casualscripter_nautilus-scripts_functions.sh MISSING!"
exit 1
fi
source "${LIBRARY}"
#-------------------------------------------------------------------------------
# Checks (see library "casualscripter_nautilus-scripts_functions.sh").
#-------------------------------------------------------------------------------
check_dep "${AWK_BIN}" "awk"
check_dep "${FLS_BIN}" "sleuthkit"
check_dep "${FSSTAT_BIN}" "sleuthkit"
check_dep "${GREP_BIN}" "grep"
check_dep "${ICAT_BIN}" "sleuthkit"
check_dep "${IFIND_BIN}" "sleuthkit"
check_dep "${MMLS_BIN}" "sleuthkit"
check_dep "${PLUTIL_BIN}" "libplist-utils"
check_dep "${RM_BIN}" "coreutils"
check_dep "${XXD_BIN}" "vim-common"
# https://github.com/casualscripter/mac-osx-forensics
# (forked from https://github.com/moxilo/mac-osx-forensics)
check_dep "${KCPPY_BIN}" "kcpass.py"
# https://raw.githubusercontent.com/casualscripter/debian-stuff
check_dep "${PPEPY_BIN}" "print_plist_entry.py"
# actually only working correct with EWF images!
check_ext "${SOURCE}" "[eE]01"
check_tmp
#-------------------------------------------------------------------------------
# A little bit of configuration before the magic.
#-------------------------------------------------------------------------------
readonly OFFSET="$( choose_partition "${SOURCE}" | ${AWK_BIN} -F "_" '{ print $3; }' )"
readonly CREDENTIALS="${TMP}/${OFFSET}_credentials.txt"
#-------------------------------------------------------------------------------
# The wonder...
#-------------------------------------------------------------------------------
if ${FSSTAT_BIN} -o "${OFFSET}" "${SOURCE}" > /dev/null 2>&1 ; then
(
echo -e -n "Partition (mmls line):\n " >> "${CREDENTIALS}"
${MMLS_BIN} -aM "${SOURCE}" \
| ${AWK_BIN} '$3=="'"${OFFSET}"'" { print $0; }' \
>> "${CREDENTIALS}"
users="$( ${IFIND_BIN} -o "${OFFSET}" \
-n "/private/var/db/dslocal/nodes/Default/users" \
"${SOURCE}" )"
if [ "${users}" != "File not found" ] ; then
echo -e "\n Some contents from the OpenDirectory (users):\n" \
>> "${CREDENTIALS}"
users_ls="$( ${FLS_BIN} -o "${OFFSET}" "${SOURCE}" "${users}" \
| ${GREP_BIN} --extended-regexp \
--invert-match \
".*[[:space:]](Guest|_.*|daemon|nobody|root)\.plist" \
| ${AWK_BIN} '{ sub( /:/, "", $2 ); print $2; }' )"
for user in ${users_ls} ; do
if [ ! -f "${user}.plist" ] ; then
if ! ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${user}" > "/tmp/${user}.plist" ; then
echo " During the execution of icat an error occurred." >> "${CREDENTIALS}"
fi
${PLUTIL_BIN} -i "/tmp/${user}.plist" -o "${TMP}/${user}.plist"
${RM_BIN} "/tmp/${user}.plist"
fi
echo -e -n " " >> "${CREDENTIALS}"
${PPEPY_BIN} "${TMP}/${user}.plist" "name" >> "${CREDENTIALS}"
echo -e -n " " >> "${CREDENTIALS}"
${PPEPY_BIN} "${TMP}/${user}.plist" "hint" >> "${CREDENTIALS}"
echo >> "${CREDENTIALS}"
done
else
echo -e " Directory \"/private/var/db/dslocal/nodes/Default/users\" not found.\n" \
>> "${CREDENTIALS}"
fi
calp="$( ${IFIND_BIN} -o "${OFFSET}" \
-n "/Library/Preferences/com.apple.loginwindow.plist" \
"${SOURCE}" )"
if [ "${calp}" != "File not found" ] ; then
if [ ! -f "${calp}.plist" ] ; then
if ! ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${calp}" > "/tmp/${calp}.plist" ; then
echo " During the execution of icat an error occurred." \
>> "${CREDENTIALS}"
fi
${PLUTIL_BIN} -i "/tmp/${calp}.plist" -o "${TMP}/${calp}.plist"
${RM_BIN} "/tmp/${calp}.plist"
fi
echo -e -n " Some content from com.apple.loginwindow.plist:\n " \
>> "${CREDENTIALS}"
${PPEPY_BIN} "${TMP}/${calp}.plist" "lastUserName" \
>> "${CREDENTIALS}"
echo -e -n " " >> "${CREDENTIALS}"
${PPEPY_BIN} "${TMP}/${calp}.plist" "autoLoginUser" \
>> "${CREDENTIALS}"
echo >> "${CREDENTIALS}"
else
echo -e " File \"/Library/Preferences/com.apple.loginwindow.plist\" not found.\n" \
>> "${CREDENTIALS}"
fi
kcpw="$( ${IFIND_BIN} -o "${OFFSET}" -n "/private/etc/kcpassword" "${SOURCE}" )"
if [ "${kcpw}" != "File not found" ] ; then
echo -e "\nPassword (kcpass.py CREDENTIALS):" >> "${CREDENTIALS}"
if ! ${KCPPY_BIN} "$( ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${kcpw}" \
| ${XXD_BIN} -p )" \
>> "${CREDENTIALS}" ; then
echo "During the execution of kcpass.py an error occurred." \
>> "${CREDENTIALS}"
fi
else
echo -e " File \"/private/etc/kcpassword\" not found.\n" \
>> "${CREDENTIALS}"
fi
) | ${ZENITY_BIN} --progress \
--title="credentials" \
--text="Please wait..." \
--pulsate
else
echo -e " ? (The Sleuth Kit does not support the filesystem!)\n" \
>> "${CREDENTIALS}"
fi
#-------------------------------------------------------------------------------
# Display content of the resultfile "credentials.txt".
#-------------------------------------------------------------------------------
display_resultfile "${CREDENTIALS}"
exit 0
Reference in New Issue View Git Blame Copy Permalink