Hardening Your Macintosh
os x security, auditing, hardening, pen-testing, privacy & more...
updated 4.19.05

advisories & vulnerabilities:
Securiteam
    SecuriTeam Mac OS X Search
OSVDB - Open Source Vulnerability Data Base - Apple Search
    www.osvdb.org/searchdb.php?action=search_title&vuln_title=apple
Secunia's Apple Macintosh OS X Advisories
    secunia.com/product/96/
@stake 2004 Advisories
    http://www.atstake.com/research/advisories/2004/
Security Tracker - Mac OS X
    www.securitytracker.com/archives/target/884.html

auditing / permissions:
FindWrite by JawnDoh! - A shorter, more precise script to check for write access.
    FindWrite 1.1
CheckWrite by JawnDoh! - Run this script (via ssh) to check for write access to startup items and other interesting files.
    CheckWrite 1.1

auditing / passwords:
John The Ripper by Solar Designer - Can be used to crack OSX MD5 DES hashes and Samba hashes. Its primary purpose is to detect weak Unix passwords.
    www.openwall.com/john/ - gui version - OS X binaries from DeepQuest.
Erik Winkler has compiled some G4 & G5 optimized binaries of John the Ripper for MacOSX. - download
    This time the builds are optimized for Altivec and have numerous other patches from Solar Designer's site. Some benchmarks from the new patches:
    Altivec Benchmarking: Traditional DES [32/32 BS]... DONE
    Many salts: 663680 c/s real, 712103 c/s virtual
    Only one salt: 526668 c/s real, 544079 c/s virtual
    For comparison, the MMX version on a 3 GHz P4 is:
    Benchmarking: Traditional DES [64/64 BS MMX]... DONE
    Many salts: 758314 c/s
    Only one salt: 643683 c/s
OS X Password Analysis by DimBulb using John the Ripper - Like you really needed this ;)
    osxpass_analysis.txt
Crack by Alec Muffett - Can be used to crack osx MD5 DES hashes
    ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack/ - compiling crack for osx - crack faq
Lepton's Crack - Can be used to crack osx MD5 DES & Samba hashes
    freshmeat.net/projects/lcrack/
MacKrack by Braden - MacKrack is a freeware password hash brute forcer for Mac OS X, supporting the Crypt, MD5 and SHA-1 algorithms. It has two modes: dictionary and keyspace brute force. It also features Mac OS X password extraction for 10.2 and 10.3 passwords. Version 1.3 supports dictionary/brute force attacks against .dmg image files, dictionary appending, customizable character set bruteforcing, and Estimated Time Remaining.
    macKrack.dmg
MHW - Mac Hacker's Workshop by Grungie - A suite of open source security tools designed to test the resistance of your password. It uses several modules: a word list cleaner (make a dictionary from a text file), a dictionary maker (AA11->zz99 etc.), a Gecos reader and the cracker. You can either bruteforce or dictionary attack. The cracker tests around 38000 passwords/sec on a PowerBook G4 500MHz.
    grungie.code511.com/MHW_1.1_Release.sit.bin
RainbowCrack - A password hash cracker. While a traditional brute force cracker tries all possible plaintexts one by one at cracking time, RainbowCrack works in another way. It precomputes all possible plaintext-ciphertext pairs in advance and stores them in a file, the so-called "rainbow table".
    www.antsight.com/zsl/rainbowcrack - patched (chroot.ath.cx/bgt/rainbowcrack_mac.html) to compile and run on OS X.
    Binaries of RainbowCrack for G3/G4 and G5 are also available, thanks to Erik Winkler.
L0phtCrack - L0phtCrack 1.5 is a tool for turning Microsoft LANMAN and NT password hashes back into the original clear text passwords. The program does this using dictionary cracking and also brute force. L0phtCrack returns not just the LANMAN password but the NT password up to 14 characters in length.
    www.atstake.com/products/lc/ - lc 1.5 via darwinports
wordlistgen by Andres Roldan - Generates wordlists from a given keyword, useful for a security assessment's brute force tests.
    wordlistgen.c
ExtractHash by JawnDoh! - Script to extract osx password hashes.
    ExtractHash
BruteDMG - Runs a dictionary attack against OS X FileVault & normal encrypted disk images
    brutedmg.sh

auditing / network:
Nessus - An easy to use remote security scanner.
    www.nessus.org - Nessus FAQ on Mac OS X
MacNessus 0.1 - K9 Productions has released a Mac OS X gui for the Nessus security scanner.
    source
THC-hydra - Rapid dictionary attacks against network login systems, including FTP, POP3, IMAP, Netbios, Telnet, HTTP Auth, LDAP, NNTP, VNC, ICQ, Socks5, PCNFS, and more. It includes SSL support.
    www.thc.org/thc-hydra
Nikto - A web server scanner which performs comprehensive tests against web servers for multiple items, including over 2600 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers.
    www.cirt.net/code/nikto.shtml
sara - Security Auditor's Research Assistant - a third generation Unix-based security analysis tool.
    http://www-arc.com/sara/
ftp_crack by B-r00t - An FTP Protocol Hacker - Attempts to use brute force guesses to gain access to an ftp account on the target host.
    ftp_crack.pl
ssh-brute by Jawn Doh! - AppleScript to run a dictionary attack against ssh servers.
    ssh-brute

auditing / router:
CrackAirport by Nico - A tool which mounts a dictionary attack on a WEP protected wireless network.
    www.kist.nl/Nico/
RouterBruteForce - Java based router brute force program
    www.RouterBruteForce.com

auditing / wireless:
New version of AirCrack 2.1 for OS X released - Aircrack is an 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered.
    os x binaries - aircrack home
Johnny Cache has also released a distributed WEP cracker. It supports cracking arbitrary sized keys, saving its state, and has a pretty ncurses interface. If you have only one machine it will still run. Screenshots 1 & 2
    jc-wepcrack.tar.gz - packetstorm mirror
Using Mac OS X to audit wireless security - dwepcrack port source
KisMac - Wireless auditing, sniffing, passive attacks and more.
    www.binaervarianz.de/projekte/programmieren/kismac/
Kismet - wireless packet sniffer.
    www.kismetwireless.net - os x installation info in the documentation page - available via fink
