Posted: . At: 10:56 PM. This was 6 years ago. Post ID: 7056

How to list the password files on a Macintosh OSX Sierra computer.

Get ahold of the Mac OSX Sierra password files

This is how to list the password files on a Macintosh machine, but the folder is only readable by the superuser.

deusexmachina:~ jason$ sudo ls -l /var/db/dslocal/nodes/Default/users

This will return a listing of many files that contain password data. On the latest Mac OSX release, Sierra, these are binary plist files.

More information here: http://unix.stackexchange.com/questions/44517/etc-shadow-on-mac.

Use this command to show the contents of the plist file.

deusexmachina:~ jason$ sudo plutil -p /var/db/dslocal/nodes/Default/users/jason.plist

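This is how to get the password hash from a Mac OSX Sierra machine. The command reads the ShadowHashData field from the plist, keeps only the hex digits, converts them back to binary, and converts the resulting plist to XML. The output contains the salt, the iteration count and the hash.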

deusexmachina:~ jason$ sudo defaults read /var/db/dslocal/nodes/Default/users/jason.plist ShadowHashData|tr -dc 0-9a-f|xxd -r -p|plutil -convert xml1 - -o -
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>SALTED-SHA512-PBKDF2</key>
	<dict>
		<key>entropy</key>
		<data>
		xJgaIW/EXYeihhLSSNm9LjNfFysNX8yJ3bojm9isti9N6AwYryC19C9PDMHH
		OfV/Ps8gAo9sZJW2I1O3HWF4eb8gRS/11YvSrUsGLaS+X+SDdg0fV8+Jk4tc
		mg3KGGejp/Slvdk8NkQeScSt3Qse4fCrQZ1Xvk2vzW914r7243E=
		</data>
		<key>iterations</key>
		<integer>39525</integer>
		<key>salt</key>
		<data>
		bbpTmTME5JuxsVBrA0G3Yqli+WsiUv89VQHwRU0z+6k=
		</data>
	</dict>
	<key>SRP-RFC5054-4096-SHA512-PBKDF2</key>
	<dict>
		<key>iterations</key>
		<integer>38910</integer>
		<key>salt</key>
		<data>
		+KE6TCSbO/SZmh9KJBltO3YWDGfMoCLKaN/jj7cxeP0=
		</data>
		<key>verifier</key>
		<data>
		RiIQ21jazF8yP3Qpvf7dLX/SlSrs1odC+uqrwxTc9QaUYPpSB7lPVdQGgg5R
		YZ5MQwkS/XNaE8owAVVPH+rekUSeWokisQMUIakO2XhYP6uhAfSx+EQz4FJ0
		19SeLjoEFMKtuBEymXqX5zzCfsPKOzbpl/11E+N5PhysuKBFWbKSZbOuQcdD
		+zvneykp3V4flviMyM1HtvhYqCsp86SMP0lPhuzhIeJQHoaOVVyyhFfdhhIc
		JJLZLBM5Ml/iro+2NwHQ0m/aB3ddm16A5FS/4dVV152IYB2WLtTd03KP7EuF
		6uLf3FzEHcUHTHNzpTtczoWzDOZelYv/A/AvKIE9Uih5atb9DHLI5EkZCuCN
		mEMX+bZrv54+T0I/ejEICgfCISu8gYO0Vtpe+RzFrxsZIgNa5CL7kdH8GHMQ
		KDeh/0fNa83YZ32KP4SkRwlZezWdYznU0S4P0CX0wa6xUVSl4ucUB0vnDrbZ
		tDeSaAIBFbDEbfNEtmBWNyMarbNXECP3eA3dugU9v1LaQ/9keSIHqPyya2Xn
		I228SwHQ38q4WiDMyY+y3rk6Y5w/ZFfbSLCtyEEN1W4txLUiHmwBms0Gm6co
		0K7ZARyTI/HUmFr7QZ5QphWBN4BJYumsUP37747idCt9TLwNBF4hVr/GAHmf
		R/zTmhhETxJXxzIOcpbo83o=
		</data>
	</dict>
</dict>
</plist>

Then the user could try to crack the hash and get the password. But you already need superuser access to do this anyway, so… Still, this is an interesting exercise. It is good to know that the password files can be obtained if an attacker somehow gains root access, and the user might re-use the same password for something else…
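
The ShadowHashData layout shown above can be audited without ever printing the secret fields. The following is an added example, not code from the original post: it parses either the XML or the raw hex dump from `defaults read` and reports the iteration count and field sizes per scheme. The function names and both policy floors are assumptions made for this example, and the sample record is constructed filler, not a real hash.

```python
import plistlib
import re

# Schemes present in the output above, mapped to the field holding the stored secret.
KNOWN = {"SALTED-SHA512-PBKDF2": "entropy",
         "SRP-RFC5054-4096-SHA512-PBKDF2": "verifier"}
MIN_ITERATIONS = 10000  # assumed policy floor for this example, not an Apple value
MIN_SALT_BYTES = 16     # assumed policy floor for this example


def load_shadow_hash(text):
    """Accept the XML plist, or the raw hex dump printed by `defaults read`."""
    if text.lstrip().startswith("<?xml"):
        return plistlib.loads(text.encode())
    # Same steps as `tr -dc 0-9a-f | xxd -r -p`: keep hex digits, decode to bytes.
    return plistlib.loads(bytes.fromhex(re.sub(r"[^0-9a-f]", "", text)))


def audit(text, min_iterations=MIN_ITERATIONS):
    """Report sizes and findings per scheme; the secret bytes are never returned."""
    reports = []
    for scheme, record in sorted(load_shadow_hash(text).items()):
        field = KNOWN.get(scheme)
        findings = [] if field else ["unrecognised scheme"]
        if record.get("iterations", 0) < min_iterations:
            findings.append("iterations below floor")
        if len(record.get("salt", b"")) < MIN_SALT_BYTES:
            findings.append("short salt")
        reports.append({"scheme": scheme,
                        "iterations": record.get("iterations"),
                        "salt_bytes": len(record.get("salt", b"")),
                        "secret_bytes": len(record.get(field, b"")) if field else None,
                        "findings": findings})
    return reports


def constructed_sample(iterations):
    """Constructed record in the page's layout; byte values are filler, not a hash."""
    filler_salt = bytes(range(32))
    return {"SALTED-SHA512-PBKDF2": {"entropy": bytes(128),
                                     "iterations": iterations, "salt": filler_salt},
            "SRP-RFC5054-4096-SHA512-PBKDF2": {"iterations": iterations,
                                               "salt": filler_salt,
                                               "verifier": bytes(512)}}


if __name__ == "__main__":
    xml_text = plistlib.dumps(constructed_sample(39525)).decode()
    for report in audit(xml_text):
        print(report)
```

The sizes in the constructed sample (32-byte salt, 128-byte entropy, 512-byte verifier) match the decoded lengths of the fields in the output above.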
