📄️ Introduction
Credential access involves retrieving password hashes, stored secrets, or other authentication material from a macOS system. Modern macOS systems employ strong protections, such as secure token encryption and FileVault, making direct password or hash retrieval challenging without elevated privileges or the proper decryption keys.
📄️ User Credentials
macOS User Database (Plist Files)
📄️ Password Cracking
Once you have obtained the user's .plist file from /var/db/dslocal/nodes/Default/users/, you can extract the hash and format an entry that Hashcat will understand. Modern macOS systems use a PBKDF2-SHA512 hash.
📄️ Password Spraying
A password spraying attack involves attempting a single password across multiple user accounts to avoid account lockouts. This attack can target local accounts on a macOS system.
📄️ Physical Access
As mentioned at the beginning of this section, elevated privileges are required for the majority of credential access methods. There is one method to access credential files if there is physical access, plus the ability to boot from an external drive that is also running macOS, even if all you have is a standard user account.