Mac OS X Lion stores salted SHA512 hashes of user accounts passwords.
NOTE: if a memory image of a target computer is available, Mac OS X login passwords could be recovered instantly.
Password hashes are stored in
These files can be copied for further analysis:
Each file contains a ShadowHashData key that stores 4 bytes of a salt (
95 A9 0B 45) and 64 bytes of a SHA512 password hash (
F9 32 ... F1 56) for this particular sample file:
To crack passwords for Mac OS X user accounts, run Passware Kit Forensic, click “Recover File Password” (or press Ctrl+O) and select the .plist file:
Click Advanced to customize password recovery settings or select Use Predefined Settings to use default attacks.
Let’s use Predefined Settings for this sample file.
The software will start searching for the password and will find it approximately in 5 minutes:
We can now verify that this password (being salted) has the very same SHA512 hash (
F9 32 ... F1 56):
We have now successfully recovered Max OS X Lion user password from SHA512 hash.
Software used: Passware Kit Forenisc version 11.7 Build 5256
Sample file: johndoe.plist