Crack Mac Password Hashcat
A powered-off MacBook can be compromised in less than three minutes. With just a few commands, it's possible for a hacker to extract a target's password hash and crack it without their knowledge.The goal in this article is to acquire a target's.plist file which contains their hashed password. Then, using a Python script to convert the.plist file into a format can interpret, it's brute-forced it to reveal the password. The simplest method for performing this attack requires physical access to the target MacBook, recovery mode, a, another, and Hashcat.It's also possible to leave out the USB flash drive and attacker's MacBook by instead creating a temporary user on the target MacBook where the commands can be performed. The temporary user can then be deleted when done. For this guide, however, we will show the USB flash drive method.Shop USB Flash Drives on is one of supported by Mac devices. It includes a number of tools for reinstalling macOS, resetting account passwords, and configuring a firmware password.
While this feature was designed to aid users locked out of their account and wipe the internal hard drive, it's often abused by hackers attempting to gain unauthorized access to sensitive files.Since Mojave 10.14, macOS no longer allows users (not even root) to modify the.plist files containing hashed passwords while the operating system is running. This data can now only be acquired using recovery mode. Don't Miss:The USB flash drive is required to move the target's.plist file from their MacBook to the attacker's. The USB flash drive used in this tutorial is FAT32 formatted, but NTFS and APFS formats should work as well.There are a few macOS-specific commands in the featured Python script that make it easy to convert the.plist file into a format Hashcat can interpret.
This is why another MacBook (or at least another account on the target MacBook) is needed.To figure out the target's Mac password without changing it, the hash will need to be brute-forced and cracked. MacOS does an excellent job of securing the target's password. It's not possible to view user passwords in plain-text. CPU-based cracking solutions (like JohnTheRipper) will literally take decades to crack a single hash and are therefore not effective. Hashcat with a decent GPU is highly recommended. Don't Miss:Step 1: Enter Recovery ModeTo access recovery mode, first, make sure the target MacBook is fully powered off. Then, press the power button while holding Command + R on the keyboard.
After about 30 seconds, the Apple logo will appear and the Command + R keys can be released. If the below screen appears, recovery mode was enabled successfully and readers can proceed to the next step in this tutorial. Image viaIf the MacBook requests a password, it means the firmware is protected and configured to prevent recovery mode attacks. Unfortunately, this means the target MacBook isn't vulnerable to the attack shown in this article. Step 2: Disable SIP (Conditional)Apple's is a security feature designed to restrict parts of macOS from being modified. Since Mojave, the /var/db/dslocal/nodes/Default/ directory is within the scope of SIP's protection and will return an 'Operation not permitted' message if anyone attempts to view it. It even prevents root users from changing and accessing select directories.In one test, I found the Default/ directory couldn't be viewed or modified even in recovery mode.
This was a bit of an anomaly as other tests allowed access to Default/ without first disabling SIP. Don't Miss:To find out if SIP needs to be disabled, open a Terminal while in recovery mode. In the menu bar at the top of the screen, select 'Utilities,' then 'Terminal.' Then, use the below -R command.
Ls -R /Volumes//var/db/dslocal/nodes/Default/This command will attempt to recursively ( -R) list files in the Default/ directory. If the output returns many.plist files, don't disable SIP and proceed to the next step in this tutorial. If the output returns 'Operation not permitted,' disable SIP using the below command.
Csrutil disableSuccessfully disabled System Integrity Protection. Please restart the machine for the changes to take effect.After the restart prompt appears, shutdown and boot into recovery mode again. With SIP disabled, it's safe to proceed to the next step in this tutorial.
Step 3: Extract the Target PlistInsert the USB flash drive into the target MacBook. Wait a few seconds to allow it to auto-mount. Then, copy the desired.plist file to the USB drive using the below command. The target.plist will use the target's username (e.g., tokyoneon.plist). Cp /Volumes//var/db/dslocal/nodes/Default/users/.plist /Volumes//Be sure to change the in the above command.
This will likely be 'macOS,' but may be different if the target purchased the MacBook years ago and upgraded to Mojave or High Sierra. In that case, the hard drive name may appear as 'Macintosh HD' or some variation. Also, change the to the USB flash drive inserted into the MacBook. Don't Miss:That's it. The necessary file has been extracted, the target MacBook can be shut down, and the remainder of the tutorial requires a separate MacBook owned by the attacker. If SIP was disabled in the previous step, re-enable it before shutting down with the below command.
Csrutil enable Step 4: Copy the Plist to the Attack's MachineUsing the attacker's MacBook, insert the USB flash drive containing the target's.plist and copy ( cp) it to the /tmp/ directory. The /tmp/ directory is hardcoded into the Python script in the next step to make it generic enough for all readers to follow along. As long as the target's.plist file is in the /tmp/ directory, the Python script will be able to convert it into a hash. Cp /Volumes//.plist /tmp/. Don't Miss:Step 5: Download & Execute the Hashdump Python ScriptThe Python script used to convert the extracted.plist file into Hashcat's preferred format was taken from the and can be.
Open a Terminal and download the hashdump script with the following curl command. The -o argument will save the script with the 'hashdump.py' file name.
Curl '-o hashdump.pyThen, give the script permission to execute using the command. Chmod +x hashdump.pyFinally, execute the hashdump.py script with root privileges.
Sudo python hashdump.py('tokyoneon', '$ml$27548$ba6261885e349ecb847854136cf32e9561cd1af65616f7ce11abb3f04786729c$88ad7849c5b30cce20b9d6ecde9e5be3be040a574f864bafd9c5dc06fdb3cb189b877c3aa1312c2e4497ea854d36da78c93dace17d212ccbb6584e3350efe95bd1ad97166d2f11fb7a9e1ebeecb1a96750db53dbf75434c4b320b500589fa64bf5f8')Remove text surrounding the hash (shown below) and save it to a file called 'hash.txt.' Then, move hash.txt to the Hashcat machine. $ml$27548$ba6261885e349ecb847854136cf32e9561cd1af65616f7ce11abb3f04786729c$88ad7849c5b30cce20b9d6ecde9e5be3be040a574f864bafd9c5dc06fdb3cb189b877c3aa1312c2e4497ea854d36da78c93dace17d212ccbb6584e3350efe95bd1ad97166d2f11fb7a9e1ebeecb1a96750db53dbf75434c4b320b500589fa64bf5f8.
Mac Password Hash Location
Don't Miss:Step 6: Crack the HashTo crack the target's hash with, use the below command. Hashcat -a 0 -m 7100 /path/to/hash.txt /path/to/wordlists/passwords.txt -w 4 -potfile-path /tmp/crackedhash.potThe dictionary attack, or 'straight mode,' is specified using the -a 0 argument. The macOS-specific hashing mode is enabled using the -m 7100 argument and is required for all macOS hashes extracted from version 10.8 or later. To improve Hashcat's overall performance, set the -w (or -workload-profile) to 4, to maximize the cracking speed. Finally, the -potfile-path argument is used to save the cracked hash to the specified file.It's also possible to perform hybrid attacks where digit combinations are appended to the end of every word in the wordlist. For example, 'password12' and 'password77.'
How To Reset Password On Mac Mini
Hashcat -a 6 -m 7100 /path/to/hash.txt /path/to/wordlists/everyword.txt?d?d -w 4 -potfile-path /tmp/db.potThe hybrid-attack is enabled with the -a 6 argument. This time an ' wordlist is used in combination with?d?d which tells Hashcat to append every possible two digits combination to each password in the wordlist. To append three or four digits, use '?d?d?d' and '?d?d?d?d' respectively. Don't Miss:While Hashcat is running, the below data will be displayed. If the password is guessed correctly, it will appear at the bottom of the terminal and Hashcat will stop.