160 lines
5.2 KiB
Bash
Executable File
160 lines
5.2 KiB
Bash
Executable File
#!/bin/bash
|
|
#===============================================================================
|
|
#
|
|
# DIRECTORY:
|
|
# /home/*/.local/share/nautilus/scripts/05b-macOS/
|
|
# OR
|
|
# /home/*/.gnome2/nautilus-sctipts/05b-macOS/ (deprecated)
|
|
#
|
|
# FILE:
|
|
# 05b-E01-dump-SALTED-SHA1-v10.7
|
|
#
|
|
# USAGE:
|
|
# Right klick on an EWF image (.E01) and
|
|
# choose this nautilus script from the context menu.
|
|
#
|
|
# OPTIONS:
|
|
# none
|
|
#
|
|
# DESCRIPTION:
|
|
# Extracts the Hashes out of the last Mac OS X (10.7)
|
|
#
|
|
# REQUIREMENTS:
|
|
# bash, zenity, sleuthkit, awk, findutils, libplist-utils, sed, grep,
|
|
# coreutils and xxd
|
|
#
|
|
# BUGS:
|
|
# ---
|
|
#
|
|
# NOTES:
|
|
# Tested on
|
|
# - Debian 8+
|
|
# - Arch Linux
|
|
#
|
|
# AUTHOR:
|
|
# Patrick Neumann, patrick@neumannsland.de
|
|
#
|
|
# COMPANY:
|
|
# (privately)
|
|
#
|
|
# VERSION:
|
|
# 0.9 (beta)
|
|
#
|
|
# LINK TO THE MOST CURRENT VERSIONS:
|
|
# https://...
|
|
#
|
|
# CREATED:
|
|
# 21.06.2020
|
|
#
|
|
# COPYRIGHT (C):
|
|
# 2015-2020 - Patrick Neumann
|
|
#
|
|
# LICENSE:
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# WARRANTY:
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
# TODO:
|
|
# ----
|
|
#
|
|
# HISTORY:
|
|
# 0.9 - Patrick Neumann - Initial (public) release
|
|
#
|
|
#===============================================================================
|
|
|
|
#-------------------------------------------------------------------------------
|
|
# Additional supported Distribution(s) (add before Library!).
|
|
#-------------------------------------------------------------------------------
|
|
# fred-report-templates have to be copied manually to!
|
|
SUPPORTED_OSR="arch"
|
|
|
|
#-------------------------------------------------------------------------------
|
|
# Check for library (casualscripter_nautilus-scripts_functions.sh).
|
|
#-------------------------------------------------------------------------------
|
|
readonly LIBRARY="${0%/*/*}/.casualscripter_nautilus-scripts_functions.sh"
|
|
if [ ! -f "${LIBRARY}" ] ; then
|
|
zenity --error \
|
|
--text \
|
|
"ERROR: casualscripter_nautilus-scripts_functions.sh MISSING!"
|
|
exit 1
|
|
fi
|
|
|
|
source "${LIBRARY}"
|
|
|
|
#-------------------------------------------------------------------------------
|
|
# Checks (see library "casualscripter_nautilus-scripts_functions.sh").
|
|
#-------------------------------------------------------------------------------
|
|
check_dep "${IFIND_BIN}" "sleuthkit"
|
|
check_dep "${FLS_BIN}" "sleuthkit"
|
|
check_dep "${AWK_BIN}" "awk"
|
|
check_dep "${ICAT_BIN}" "sleuthkit"
|
|
check_dep "${FIND_BIN}" "findutils"
|
|
check_dep "${PLUTIL_BIN}" "libplist-utils"
|
|
check_dep "${SED_BIN}" "sed"
|
|
check_dep "${GREP_BIN}" "grep"
|
|
check_dep "${TR_BIN}" "coreutils"
|
|
check_dep "${BASE64_BIN}" "coreutils"
|
|
check_dep "${XXD_BIN}" "xxd"
|
|
|
|
check_ext "${SOURCE}" "[eE]01"
|
|
|
|
check_tmp
|
|
|
|
#-------------------------------------------------------------------------------
|
|
# A little bit of configuration before the magic.
|
|
#-------------------------------------------------------------------------------
|
|
readonly OFFSET="$( choose_partition "${SOURCE}" | ${AWK_BIN} -F "_" '{ print $3; }' )"
|
|
|
|
readonly HASHES="${TMP}/${OFFSET}-hashes.txt"
|
|
|
|
#-------------------------------------------------------------------------------
|
|
# Extract user plists and get the password with a little bit of command line
|
|
# kung fu.
|
|
# Only HFS+ support is needed.
|
|
#-------------------------------------------------------------------------------
|
|
if ! [ -f "${HASHES}" ] ; then
|
|
USERS="$( ${IFIND_BIN} -o "${OFFSET}" -n "/private/var/db/dslocal/nodes/Default/users" "${SOURCE}" )"
|
|
for line in $( ${FLS_BIN} -o "${OFFSET}" "${SOURCE}" "${USERS}" | ${AWK_BIN} '$NF !~ /^_/ { print $(NF-1) $NF; }' ) ; do
|
|
${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${line%:*}" > "${TMP}/user-${line#*:}"
|
|
done
|
|
|
|
for plist in $( ${FIND_BIN} "${TMP}" -type f -iname "user-*.plist" -size +1k ) ; do
|
|
user="${plist#*user-}"
|
|
user="${user%.plist}"
|
|
|
|
${PLUTIL_BIN} --infile "${plist}" \
|
|
| ${SED_BIN} --silent '/ShadowHashData/,/<\/array>/ p' \
|
|
| ${GREP_BIN} --extended-regexp --invert-match "<.*>" \
|
|
| ${SED_BIN} --regexp-extended 's/[[:space:]]//g' \
|
|
| ${TR_BIN} --delete '\n' \
|
|
| ${BASE64_BIN} --decode \
|
|
> "${TMP}/shadowhashdata-${user}.plist"
|
|
|
|
${PLUTIL_BIN} --infile "${TMP}/shadowhashdata-${user}.plist" \
|
|
| ${SED_BIN} --silent '/SALTED-SHA512/,/<\/data>/ p' \
|
|
| ${GREP_BIN} --extended-regexp --invert-match "<.*>" \
|
|
| ${SED_BIN} --regexp-extended 's/[[:space:]]//g' \
|
|
| ${BASE64_BIN} --decode \
|
|
| ${XXD_BIN} -bits -plain \
|
|
| ${TR_BIN} --delete '\n' \
|
|
>> "${HASHES}"
|
|
done
|
|
fi
|
|
|
|
#-------------------------------------------------------------------------------
|
|
# Display content of the resultfile "hashes.txt".
|
|
#-------------------------------------------------------------------------------
|
|
display_resultfile "${HASHES}"
|
|
|
|
exit 0
|