https://blog.csdn.net/taoyanqi8932/article/details/51945122 "Advanced Programming in the UNIX Environment", Chapter 6: System Data Files and Information
https://unix.stackexchange.com/questions/373309/mac-os-command-to-resolve-hostnames-like-getent-on-linux
https://superuser.com/questions/592921/mac-osx-users-vs-dscl-command-to-list-user

dscl . -list /Users
dscl . -readall /Users
dscl . -read /Users/wurui AuthenticationAuthority

sudo plutil -extract ShadowHashData xml1 /var/db/dslocal/nodes/Default/users/wurui.plist -o test.plist

sudo defaults read /var/db/dslocal/nodes/Default/users/wurui.plist ShadowHashData
sudo defaults read /var/db/dslocal/nodes/Default/users/wurui.plist authentication_authority

pwpolicy -a diradmin -u username -setpassword
PasswordService
mkpassdb(8) launchctl(8) pwpolicy(8)

sysadminctl

https://www.freesion.com/article/41491259374/

https://github.com/apple-oss-distributions/libcppabi
https://github.com/apple-oss-distributions/Libc
https://github.com/apple-oss-distributions/libcpp

https://www.itdaan.com/blog/2015/09/13/f8e0f3eb4ed48292a167ee1cc57ec3b7.html

https://man7.org/linux/man-pages/man3/shadow.3.html
Use of shadow is no longer encouraged; PAM is recommended instead.

https://github.com/apple-oss-distributions/DSTools

https://github.com/octomagon/davegrohl password brute-force cracking
http://www.defenceindepth.net/2009/12/cracking-os-x-passwords.html

Goals:
1. Check password / login
2. Check whether the password has expired; on macOS passwords apparently do not expire: user->pw_expire = 0
3. checksamepass

https://cryptobook.nakov.com/mac-and-key-derivation/pbkdf2
https://wiki.elvis.science/index.php?title=Acquisition_and_Cracking_of_macOS_User_Passwords
https://www.jianshu.com/p/06d7182e71ec
PBKDF2-HMAC-SHA512

https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2

git clone https://github.com/apple-oss-distributions/Libc.git
git clone https://github.com/apple-oss-distributions/OpenDirectory.git
git clone https://github.com/apple-oss-distributions/DirectoryService.git
git clone https://github.com/apple-oss-distributions/CommonCrypto.git

case kAuthChangePasswd:

https://zhuanlan.zhihu.com/p/33560946
Why can an empty password obtain root privileges on your machine?

https://developer.apple.com/security/
corecrypto
https://github.com/darlinghq/darling-corecrypto

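https://www.cnpython.com/qa/697714 Is CCKeyDerivationPBKDF thread-safe?
https://zhuanlan.zhihu.com/p/164482769 A theoretical study of cracking Windows, Linux and Mac operating system passwords
macOS password authentication mechanism
In Mac OS, the location where user login password information is stored is not fixed. In Mac OS X 10.4 through Mac OS X 10.6, the shadow files are stored under /var/db/shadow/hash/ [https://blog.csdn.net/libin_1/article/details/8190516]; in Mac OS X 10.7 and later, the user password hashes are stored in plist files under /var/db/dslocal/nodes/Default/users/. Unlike Linux, each user in Mac OS has a separate shadow file, and each file is identified by the user's GUID. As for the algorithm, macOS mainly uses SHA-1 (or SHA-512) together with a 4-byte salt to produce the stored value.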

int
CCKeyDerivationPBKDF(CCPBKDFAlgorithm algorithm, const char *password, size_t passwordLen,
                     const uint8_t *salt, size_t saltLen,
                     CCPseudoRandomAlgorithm prf, unsigned rounds,
                     uint8_t *derivedKey, size_t derivedKeyLen)
    API_AVAILABLE(macos(10.7), ios(5.0));
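
Added example (not part of the original notes and not Apple's code): goals 1 and 3 above written as a PBKDF2-HMAC-SHA512 check, with Python's hashlib standing in for CCKeyDerivationPBKDF. The record is constructed inside the script; the SALTED-SHA512-PBKDF2 key names, the 32-byte salt and the 128-byte derived key are assumptions not stated in these notes.

```python
import hashlib
import hmac
import os
import plistlib

# Assumed layout (not stated in these notes): ShadowHashData is a binary plist
# whose "SALTED-SHA512-PBKDF2" dict holds "entropy" (the derived key),
# "salt" and "iterations".
SCHEME = "SALTED-SHA512-PBKDF2"


def make_shadow_hash_data(password, iterations=20000, salt_len=32, key_len=128):
    """Build a constructed ShadowHashData blob for testing (not a real record)."""
    salt = os.urandom(salt_len)
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, key_len)
    record = {SCHEME: {"entropy": entropy, "salt": salt, "iterations": iterations}}
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


def parse_shadow_hash_data(blob):
    """Return (salt, rounds, entropy), rejecting malformed records."""
    try:
        entry = plistlib.loads(blob)[SCHEME]
        salt, rounds, entropy = entry["salt"], entry["iterations"], entry["entropy"]
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("no usable %s entry" % SCHEME) from exc
    if not (isinstance(salt, bytes) and isinstance(entropy, bytes)
            and isinstance(rounds, int) and rounds > 0 and entropy):
        raise ValueError("malformed %s entry" % SCHEME)
    return salt, rounds, entropy


def verify_password(blob, candidate):
    """Goal 1: re-derive with the stored salt and rounds, compare in constant time."""
    salt, rounds, entropy = parse_shadow_hash_data(blob)
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode(), salt, rounds, len(entropy))
    return hmac.compare_digest(derived, entropy)


def check_same_pass(blob, new_password):
    """Goal 3 (checksamepass): True if the new password equals the current one."""
    return verify_password(blob, new_password)


if __name__ == "__main__":
    blob = make_shadow_hash_data("correct horse", iterations=1000)
    print(verify_password(blob, "correct horse"), check_same_pass(blob, "new-pass"))
```
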

Username/password combinations can be checked in two ways:

  1. PAM(3): with the “checkpw” service.
  2. OpenDirectory: ODRecordVerifyPassword() - if you are
    currently using OpenDirectory.

OpenDirectory -> CFOpenDirectory(DirectoryService) -> Auth(like shadowhash)

pam(checkpw) -> pam_opendirectory.m[OpenDirectory(ODRecordVerifyPassword)]
When a user (or an attacker) attempts to authenticate to such an account, on macOS this process is handled by the OpenDirectory daemon (opendirectoryd).

https://developer.apple.com/documentation/kernel?language=objc