Trying passwords (d...
 
Notifications
Clear all

Trying passwords (dictonary attack) on locked macbook

7 Posts
5 Users
0 Likes
276 Views
Dredd74
(@dredd74)
Posts: 2
New Member
Topic starter
 

The goal is to get a forensic image and get information of the device.
If you have a macbook powered on in a locked state. (I am not sure wheter encryption is in place so I don't want to turn it off)
I only see the password input screen and the username. What are the possibilities to try a lot of different passwords not inlcuding the typing of every password. I have some passwords so I have a prettty good idea what the password looks like. But still every possibility is a lot of typing.
I was thinking in the direction of an emulated keyboard, maybe like a rubberducky or something and then fire the keystrokes to the login screen. But I am just thinking out loud.

Anybody an idea to get my information out of the device?

Cheers!

 
Posted : 28/06/2016 4:53 pm
Dredd74
(@dredd74)
Posts: 2
New Member
Topic starter
 

Thanks for replying!

Good point in talking to suspect. I just jumped into nerd options.
RAM and HDD imaging not possible due to the machine being a Macbook Air.
After asking i am going for the nono option and note everything I do.

Any other ideas anyone?

Cheers

 
Posted : 01/07/2016 8:21 pm
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

Failure to answer these questions or to provide false information would hugely hinder their defence.

Or simply be an assertion of the suspect's rights, and actually improve the defence, of course this depends on the local Law applicable.

@Dredd74
Something like this you mean?
http//www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

Cannot say if you can actually connect/install a HID on a Mac while in "locked state".

jaclaz

 
Posted : 01/07/2016 8:58 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

We had exactly this case with a MacBook Air, we made a dictionary attack using a USB rubber ducky HID.

The dictionary was built based on the most common passwords, owner related names, dates, street and address strings and numbers, with a final opening result of the owner children's name and birthday year.

Kudos to the engineer building the dictionary!

 
Posted : 03/07/2016 6:16 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Cannot say if you can actually connect/install a HID on a Mac while in "locked state".

jaclaz

We tried it first by simply attaching an USB keyboard and it worked. I'm not sure, but I think OS X is set by default like that, allowing login of people with disabilities using different USB or BT devices.

 
Posted : 03/07/2016 6:28 pm
gorvq7222
(@gorvq7222)
Posts: 225
Estimable Member
 

To get my information out of the device, all you need to do is to take advantage of "Target Disk Mode" method. You could use a forensic duplicator to acquire physical image from that Mac in Target Disk Mode. What to do with that physical image? Use EnCase or FTK or X-Ways Forensics any forensic tools you like.

What if FileVault is enabled? You could use Passware Kit to acquire a memory dump from that Mac, and the password is no longer a problem. Start to attack with that memory dump and Passware Kit will let you know what the password is.

 
Posted : 15/07/2016 6:02 am
mark_adp
(@mark_adp)
Posts: 63
Trusted Member
 

Check out this recent forum thread. May help.

http//www.forensicfocus.com/Forums/viewtopic/t=14364/

 
Posted : 15/07/2016 2:13 pm
Share:
Share to...