*** Disable System Extensions by holding down the Shift-key during start-up.
This is one of the easiest techniques but you would be surprised how often
it works! On Classics, try booting up off the ROM disk by holding down
Command-Option-x-o during boot-up.
*** Find the Finder. On some "secured" systems, you can gain access to locked
folders if you now the name of an unlocked file within. For example, here is
a FoolProof hack:
1) Search for the word 'finder'(a file we know is in the locked system
folder).
2) The locked file opens to display the Finder file. From here, you can
now move the FoolProof Preferences and Extensions out of the system
folder.
3) Reboot.
*** Break into the debugger by hitting the programmer's switch or the Command
Power key combo. Then type 'G FINDER', or 'G F'. You can also get to the
debugger by holding down the control-command-power key combo and restarting.
*** Crash the system! In some older security programs, you can get to the finder
by repeatedly opening applications until all the RAM is consumed.
Older versions of At Ease will open a dialogue box that asks if you would
like to quit At Ease to free up RAM. Click yes!
*** Boot from a floppy. Even if your sysadmin has floppy startup disabled, you
should be able to force it by holding down the command-option-shift-delete
key combo to boot the floppy. This key combo won't let the internal hard
drive mount
*** Plug an external hard drive into the SCSI port. Even if your sysadmin has
disabled floppy access and starting up without extensions you can copy any
programs on the drive if you know any of the passwords.
*** Social engineering is almost too obvious (and cliche) to mention,
but it seems to work. Remember to act computer stupid and/or get really
pissy.
B. WHAT DO I DO AFTER I GET TO THE FINDER? ==========================================
So you have finally found the finder...now what? Now you can run any programs you want, but why not make things easier on yourself for your next trip to the finder. If you know that your sysadmin keeps logs:
1) Copy the system folder to the hard drive.
2) Rename the original system
folder.
3) Reboot without At Ease.
4) When you are done, put the real system folder back and delete the second
one.
If you aren't concerned about logs, just move the At Ease Preferences out of the System Folder: Extensions folder and reboot. Remember to put them back when you are done. The logs have been bypassed but you really don't care to be rebooting over and over while the lab monitor glares at you. It would be much better to have the system supervisor's password so you can switch back and forth between At Ease and the finder at will. The easiest way is to install a key grabber, which is a system extension that logs and captures all the keystrokes on the computer. Oasis is a good key grabber for the mac that can be found on the internet or alt.2600. Unfortunately, it has no documentation. To use it:
1) Get into the Finder and copy Oasis into the folder: System Folder:
Extensions
2) Wait a few days.
3) Look for the log files in: System Folder:Preferences: ~Temporary Folder.
Another key grabber that is easier to find is MacLifeInsurance. You will have to weed through several hundred pages of inane poetry, reports and e-mail to Grandma but eventually one will have the password. If there are large number of users, you may be able to add your own account and password with the supervisor's password. Use your discretion. Look for those key grabbers on local boards and FTP sites.
E. MISCELLANEOUS HACKS AND INFO
===============================
Q: HOW DO I COPY A READ-ONLY FILE?
A: Many utilities allow you to copy read-only files, including StuffIt, Compact
Pro, etc.
Q: HOW DO I ACCESS THE CHOOSER WHEN IT IS PROTECTED ON FOOLPROOF?
A: First try the default password 'foolproof'; Yes, some sysadmins are that
dumb. If it doesn't work, try this:
1) Make a copy of the chooser.
2) Use ResEdit or another resource editor to change the creator code from
'dfil chzr' 'dfil keyc'.
3) The default password is reset to 'foolproof'.
4) Swap the original chooser with the modified copy. Remember to cover your
tracks and replace the original chooser when you are done. NOTE: Make sure
you work on copies when using ResEdit, especially when you are using
someone else's computer.
Q: HOW DO I DEFEAT FILEGUARD'S ENCRYPTION?
A: 1) Use FileGuard to encrypt or copyguard a file with the password 'test', for
example.
2) Use ResEdit to copy the resource 'high' from that file.
3) Paste it into the file that contains the unknown password.
4) Save changes and quit.
5) Decrypt the modified file with FileGuard using the password 'test'.
Q: WHERE CAN I GET THE LATEST VERSION OF MACPGP AND THE SOURCE CODE?
A: Telnet to net-dist.mit.edu and login as 'getpgp'. You will have to answer
four short questions to get the name of the file it is in(the name changes
every half hour). Then FTP there and go to the specified directory. The
current version is MACPGP2.6.2. You should also get the README files as the
interface barely follows the Macintosh Interface Guidelines.
Q: HOW DO I SET A NULL PASSWORD FOR AT EASE (not all versions)?
A: 1) Open the file System Folder:At Ease:At Ease Preferences with MSWord or any
other text editor.
2) Look for the string "MFDR\ ]".
3) Delete everything between "\" and "]".
4) Save the changes and you have a null password. Now you can go to At Ease
Setup and change the password to whatever you want!
Q: WHAT DO I DO IF I FORGET THE ADMINISTRATOR'S PASSWORD[in At Ease]?
A: <excerpt from the At Ease for Workgroups 2.0.1 update help files>
-> "IF YOU FORGET THE ADMINISTRATOR'S PASSWORD
->
-> If you forget the At Ease administrator's password, follow the directions -> below instead of those in the manual. If your startup disk is locked,
-> you'll first need to run the Unlock application on the AT Ease 2.0
-> Utilities disk to unlock the start-up disk. Consult the manual for
-> information about the Unlock application.
->
-> 1. Start up your computer from another startup disk. [...BS...]
-> 2. Open the System Folder of your usual startup disk.
-> 3. Open the At Ease Items folder inside your System Folder.
-> 4. Drag the At Ease Preferences file into the trash.
-> 5. Hold down the Option key while you choose Empty Trash from the
-> Special menu.
-> 6. Restart from your usual startup disk.
-> 7. Open the At Ease Setup for Workgroups application.
->
-> Note: If you are using an AppleShare server volume as the At Ease disk, -> your setups may not appear until you reset the At Ease disk to
-> this
-> server volume.
->
-> 8. Reconnect to the server volume and use the At Ease Disk command to
-> reselect the volume.
->
-> Note: Make sure you use the information on the server instead of
-> replacing it with the information on the startup disk.
->
-> 9. Add a new password and clue.
-> 10. Make sure the following options set correctly:
-> * Allow Remote Administration checkbox
-> * Lock Startup Volume checkbox
-> 11. Turn At Ease back on.
-> 12. Quit At Ease Setup for Workgroups."
>>Where do you get the Unlock application? Beats the hell out of me.
C. Tools for cracking Macintoshes.
==================================
The most basic tool for cracking Macintoshes is a BOOT DISK. For those of you who have had experience with PC-DOS/MS WINDOWS machines. these disks can be made just by going into the File Manager in Windows and clicking on Make System Disk in the Format dialog box or using the format a: /s command in PC-DOS.
Unfortunately, on Macs this process is a little bit harder for two reasons:
1) Macs can have different system software versions (7.0, 7.0.1, etc.)
2) Macs running System 7 can have different enablers on each machine, making one
boot disk a non-entity. On System 7.5, enablers are a thing of the past, but
the new version has its own pitfalls.
3) Obtaining a working boot disk for a particular job is a pain, because of
1) and 2). Plus, Apple Computer is being stringent about who they mail
working boot disks to.
How to build a boot disk
1. Use a backup copy of the disk tools disk that is provided with each
Macintosh. Be sure to check that the version number, listed on the rear edge
of the label, matches the version number of the machine that you are going to
hit.
2. Load it with some or all of the following software
Oasis
Softlock
Disease
Another issue is disk space. The amount of usable space on a High Density floppy disk is about 1.2 MB. A Boot Disk has a usable capacity after loading of about 50K. This presents a problem. Anything that you want to use to attack a machine must be on that one disk. If you have a copy of Oasis, it will fit and you will have no problem installing it on the target system/network. After the install, come back with an empty disk to pick up the password files.
D. How to stage a hit
=====================
A hit is a successful attempt to crack a Macintosh. The following are guidelines for a successful hit.
A. Build trust with the lab monitors/system administrators/etc. They may tip you
off to holes in the system/network.
B. Be prepared. The Scout motto pays off here. Have boot disks, guides, friends
to divert lab monitors, and minor disasters set up beforehand.
C. Know the layout of the room where the hit will take place. Know where the
computers are, how to bypass lab monitors, etc.
D. Know where the garbage barrels are in the room where the hit will take place
and directly outside of that room. You don't want to have boot disks,
password printouts, on you when you are caught, so throw them away. Usually,
one person will be chasing after you and will have all of their attention
focused on you, and not on obtaining proof that you obtained the passwords,
so you will get away.
E. Case the place beforehand. read magazines, check out books, make copies. Get
a feel of how things work
E. This is a list of every Mac HACK/PHREAK currently kn0wn of. It is taken from
