On cracking Mac OS X Lion accounts passwords

Mac OS X Lion stores salted SHA512 hashes of user accounts passwords.

NOTE: if a memory image of a target computer is available, Mac OS X login passwords could be recovered instantly.

Password hashes are stored in
/private/var/db/dslocal/nodes/Default/users/<username>.plist files.

These files can be copied for further analysis:

Each file contains a ShadowHashData key that stores 4 bytes of a salt (95 A9 0B 45) and 64 bytes of a SHA512 password hash (F9 32 ... F1 56) for this particular sample file:

To crack passwords for Mac OS X user accounts, run Passware Kit Forensic, click “Recover File Password” (or press Ctrl+O) and select the .plist file:

Click Advanced to customize password recovery settings or select Use Predefined Settings to use default attacks.

Let’s use Predefined Settings for this sample file.

The software will start searching for the password and will find it approximately in 5 minutes:

We can now verify that this password (being salted) has the very same SHA512 hash (F9 32 ... F1 56):

We have now successfully recovered Max OS X Lion user password from SHA512 hash.

Software used: Passware Kit Forenisc version 11.7 Build 5256

Sample file: johndoe.plist

This entry was posted in How To, Passware, Tips and tagged , , , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.

5 Comments

  1. Gabriele Savigni
    Posted July 10, 2012 at 9:01 am | Permalink

    What will understand a typical MAC user about this?

    • Posted July 16, 2012 at 4:06 am | Permalink

      Hello Gabriele,

      >What will understand a typical MAC user about this?
      Just copy the .plist file and launch Passware Kit Forensic software to recover a password!

      D.

  2. Posted December 12, 2012 at 12:45 pm | Permalink

    I see “SALTED-SHA512-PBKDF2″ not “SALTED-SHA512″. PBKDF2 should make cracking/recovery much much harder.

    Is it possible that your user, johndoe, was created under a much older version of OS X and hasn’t logged in under more recent versions?

    Or is there something unusual about my system?

    Cheers,

    -j

    –-
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

    • Posted December 13, 2012 at 1:44 am | Permalink

      As you can see from the post the sample was created with OS X Lion. Mountain Lion uses PBKDF2 and is supported by Passware Kit 12.1 as well.

      Regards,
      Dmitry Sumin

One Trackback

  • By Homepage on August 14, 2012 at 1:20 pm

    … [Trackback]…

    [...] There you will find 81012 more Infos: blog.lostpassword.com/2012/07/cracking-mac-os-x-lion-accounts-passwords/ [...]…

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>