This post is not for Mac Noobs. This is a very technical EDU with a lengthy intro. How you can use it to get a Mac's passwords is at the end. How you can prevent this (my hack) is also at the end.

So I got bored the other day and wanted to find out how the new Mac USB police password cracker works. Essentially, it is a USB dongle that reads all keychain passwords without root or admin access. I programmed a USB FPGA capture device from NI to trace all USB activity from and to the USB device. What I found is that when you log in, your password is automatically loaded into RAM as a recent entry. I tried to flush the password out by using all the RAM and then swapping out, but it stays in there. I guess the Mac likes having your password in memory.

So what you do is plug this USB device in and the first thing it does is copy /var/vm/sleepimage 16MB at a time and then searches using Terminal on the USB side (embedded Unix controller) to search for shel/bin/basusername and shel/bin/basshouldunmoun. If it isn't found (the sleepimage is the size of the amount of RAM you have), the next 16MB are copied until it is found. This reference has your password in hex before it. Unix converts it on the fly. Bingo, there's your password. All the dongle has to do at this point is type that into your keychain through Unix USB push commands and then it can grab the rest of your passwords.

You can do this yourself in Terminal quite easily, but you'll need another Mac to host if you don't have admin access on the machine you're trying to crack.

1. Open Terminal
2. Boot unknown password machine into firewire target mode
3. Plug FWtarget machine into your Mac with known admin password.
4. Use Blind (application) to reveal all files on Mac
5. Go to var/vm/ on both your machine and the slave machine
6. Move the sleepimage from the known password machine to any other folder
7. Copy the sleepimage from the unknown machine to the known machine in the var/vm directory
8. In Terminal, type: sudo strings -n 8 /var/vm/sleepimage | grep shel/bin/basusername
9. The unknown password is returned in a few seconds. It will ask for your password. Enter your known password on the host machine.

Ok, so that sucks. How do you disable it? Well, I tried to use secure virtual memory, but the password in RAM is excluded from the secure virtual memory (otherwise, the Mac would not be able to verify any password you entered without entering that password first, which would make an infinite circle... Essentially the password has to remain unencrypted since it is how the machine verifies any password entry).

So how do you change this? Well, I just disabled the sleepimage. This is easy:

1. In Terminal, sudo pmset -a hibernatemode 0; sudo nvram "use-nvramrc?"=false
2. Restart
3. rm /var/vm/sleepimage
4. Then go to security in system preferences and enable secure virtual memory.
5. Go back to terminal and type: pmset -g | grep hibernatemode
6. If all went well, the response is hibernate mode 0. If it is instead hibernate mode 3, you messed something up.

One warning here: Since we just disabled RAM -> HD indexing, if your machine loses power completely, it will not hibernate (deep sleep). It will just turn off (we removed the HD saved RAM state). This is how all Apples behaved prior to 2005.

One added benefit: since you are no longer writing RAM data to HD on sleep and restart/shutdown, the machine sleeps, restarts, and shuts down much faster. Real fast. I love it!

This advice is offered as is. If you do everything right, there is no risk. If you suck at typing or fuck anything up, bad things can happen. Proceed at your own risk!
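As an added example (not from the original post), here is a small shell check for the mitigation described above: it pulls the hibernatemode value out of pmset -g style output and reports whether a sleepimage file is still sitting on disk. The sample pmset output, the status labels and the check_machine helper are my assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example: verify the "hibernatemode 0 + no /var/vm/sleepimage" state
# that the post above recommends. Not part of the original post.

# Read pmset -g style output on stdin and print the hibernatemode value,
# or "unknown" if no such line is present.
hibernate_mode_from_pmset() {
    awk '$1 == "hibernatemode" { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# Classify the machine from a mode value and an image path:
#   ok                  - mode is 0 and the image file is gone
#   image-present       - mode is 0 but the old image was never removed
#   hibernation-enabled - any other mode (RAM is still written to disk)
sleepimage_status() {
    mode="$1"
    image="$2"
    if [ "$mode" = "0" ]; then
        if [ -e "$image" ]; then
            echo "image-present"
        else
            echo "ok"
        fi
    else
        echo "hibernation-enabled"
    fi
}

# Constructed sample of pmset -g output (values invented for this example).
SAMPLE_PMSET_OUTPUT=' hibernatemode        3
 sleep                10
 disksleep            10'

# Run the live check on this machine (assumes pmset is available; on a
# non-Mac host the mode reads as "unknown" and the result is
# "hibernation-enabled", i.e. not verified as safe).
check_machine() {
    mode=$(pmset -g 2>/dev/null | hibernate_mode_from_pmset)
    sleepimage_status "$mode" /var/vm/sleepimage
}
```

Run check_machine after the six mitigation steps; anything other than "ok" means the hibernation image can still be pulled off the disk as described above.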