Get ahold of the Mac OSX Sierra password files
This is how to list the password files on a Macintosh machine, but the folder is only readable by the superuser.
deusexmachina:~ jason$ sudo ls -l /var/db/dslocal/nodes/Default/users |
This will return a listing of many files that contain passwords. But these are binary files on the latest Mac OSX release. Sierra.
More information here: http://unix.stackexchange.com/questions/44517/etc-shadow-on-mac.
Use this command to show the contents of the plist file.
deusexmachina:~ jason$ sudo plutil -p /var/db/dslocal/nodes/Default/users/jason.plist |
This is how to get the password hash from a Mac OSX Sierra machine. This is output in XML format, with the salt and the hash.
deusexmachina:~ jason$ sudo defaults read /var/db/dslocal/nodes/Default/users/jason.plist ShadowHashData|tr -dc 0-9a-f|xxd -r -p|plutil -convert xml1 - -o - <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>SALTED-SHA512-PBKDF2</key> <dict> <key>entropy</key> <data> xJgaIW/EXYeihhLSSNm9LjNfFysNX8yJ3bojm9isti9N6AwYryC19C9PDMHH OfV/Ps8gAo9sZJW2I1O3HWF4eb8gRS/11YvSrUsGLaS+X+SDdg0fV8+Jk4tc mg3KGGejp/Slvdk8NkQeScSt3Qse4fCrQZ1Xvk2vzW914r7243E= </data> <key>iterations</key> <integer>39525</integer> <key>salt</key> <data> bbpTmTME5JuxsVBrA0G3Yqli+WsiUv89VQHwRU0z+6k= </data> </dict> <key>SRP-RFC5054-4096-SHA512-PBKDF2</key> <dict> <key>iterations</key> <integer>38910</integer> <key>salt</key> <data> +KE6TCSbO/SZmh9KJBltO3YWDGfMoCLKaN/jj7cxeP0= </data> <key>verifier</key> <data> RiIQ21jazF8yP3Qpvf7dLX/SlSrs1odC+uqrwxTc9QaUYPpSB7lPVdQGgg5R YZ5MQwkS/XNaE8owAVVPH+rekUSeWokisQMUIakO2XhYP6uhAfSx+EQz4FJ0 19SeLjoEFMKtuBEymXqX5zzCfsPKOzbpl/11E+N5PhysuKBFWbKSZbOuQcdD +zvneykp3V4flviMyM1HtvhYqCsp86SMP0lPhuzhIeJQHoaOVVyyhFfdhhIc JJLZLBM5Ml/iro+2NwHQ0m/aB3ddm16A5FS/4dVV152IYB2WLtTd03KP7EuF 6uLf3FzEHcUHTHNzpTtczoWzDOZelYv/A/AvKIE9Uih5atb9DHLI5EkZCuCN mEMX+bZrv54+T0I/ejEICgfCISu8gYO0Vtpe+RzFrxsZIgNa5CL7kdH8GHMQ KDeh/0fNa83YZ32KP4SkRwlZezWdYznU0S4P0CX0wa6xUVSl4ucUB0vnDrbZ tDeSaAIBFbDEbfNEtmBWNyMarbNXECP3eA3dugU9v1LaQ/9keSIHqPyya2Xn I228SwHQ38q4WiDMyY+y3rk6Y5w/ZFfbSLCtyEEN1W4txLUiHmwBms0Gm6co 0K7ZARyTI/HUmFr7QZ5QphWBN4BJYumsUP37747idCt9TLwNBF4hVr/GAHmf R/zTmhhETxJXxzIOcpbo83o= </data> </dict> </dict> </plist> |
Then the user could try and crack the hash and get the password. But you already need superuser access to do this anyway so…. But this is an interesting exercise. Good to know you can get ahold of the password files, if somehow the attacker gains root access. And the user might re-use the same password for something else…