sudo ./plist2hashcat.py /Volumes/Target/var/db/dslocal/nodes/Default/users/username.plistuser:$ml$28328$7215a1faa91e6196fb53884c4320970d9705ae6f19e5b50e0a24243708629a9b$8e0588decbdb347e0b909a7a1b1bc9470fe7dd37e09a64f9d02b82cfba91116b13d7c172b5a65683ac8d2c873324b8d82255a51ced0792656e766fa1a9c23994
Save the output without the leading "user:" (otherwise you'll need to specify
--username when running hashcat) to hash.txt
hashcat -a 0 -m 7100 --status -o found.txt hash.txt wordlist.txt
Additional scripts and a program that accomplish the same goal as plist2hashcat.py (i.e., extracting hashcat-compatible hashes from binary plist shadow files generated by OS X 10.8 and up (SALTED-SHA512-PBKDF2)):
The process can also be done manually:
See also Recovering saved macOS user passwords and Cracking FileVault 2 (HFS+ or APFS).
/mac | Oct 30, 2019
Subscribe or visit the archives.