Crack Password Hashes in Lion – OS X 10.7

Written by Jeff Browning.

This guide is an updated version of our extremely popular guide, Decrypt OS X User Account Passwords, revised to work with Lion.

Requirements

    • Physical access to the machine.

If you need to crack passwords on Tiger, Leopard, or Snow Leopard, please use our tried-and-true Decrypt OS X User Account Passwords guide.

Procedure

1. Gain Root OR Admin Access

If you don’t already have access to an administrator account, you need to acquire root access.

If you don’t have admin access, boot the computer into Single-User Mode by holding CMD+S on startup, then mount the startup volume read-write by typing the command:

/sbin/mount -uw /

Followed by:

launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist

And finally:

passwd

Then enter your new root password twice when prompted. After the password has been reset, type:

restart

And hit return/enter.

2. Log In

Log into an administrator account that you have access to on the computer, or, if you don’t have access to one, select “Other” in the Login Window (only if you have User Account Pictures enabled), and enter “root” as the username, and then the password that you just set.

3. Download Utility

For 10.7, we’ll be using the DaveGrohl utility to both crack the password and extract the hash.

The utility works by extracting the hash from the User Profile, which is located in:

/private/var/db/dslocal/nodes/Default/users/.plist

With the username portion of the filename replaced by the name of the target user. The utility reads the hash from the ‘ShadowHashData’ field of that record and begins cracking.
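As an added example (not DaveGrohl’s code and not part of the original guide), the Python below audits user records in the dslocal layout described above: it parses the nested ShadowHashData plist, names the hash scheme it finds, and flags a uid 0 record that carries a password hash, which is exactly what step 1 leaves behind when root is given a password. The records are constructed inline as XML plists with placeholder hash bytes; on a real system they are binary plists under /private/var/db/dslocal/nodes/Default/users/ and are readable only as root.

```python
import plistlib

# 10.7 SALTED-SHA512 layout: 4-byte salt followed by a 64-byte SHA-512 digest.
SALTED_SHA512_LEN = 4 + 64


def build_user_record(name, uid, shadow):
    """Constructed stand-in for one users/<name>.plist record (XML here, binary on disk).
    `shadow` is a dict {scheme: hash bytes} or None for an account with no password."""
    record = {"name": [name], "uid": [str(uid)], "home": ["/Users/" + name]}
    if shadow is not None:
        # ShadowHashData is an array holding one binary plist of {scheme: bytes}.
        record["ShadowHashData"] = [plistlib.dumps(shadow, fmt=plistlib.FMT_BINARY)]
    return plistlib.dumps(record)


def audit_user_record(raw):
    """Return (name, uid, findings) for one user record."""
    rec = plistlib.loads(raw)
    name, uid = rec["name"][0], int(rec["uid"][0])
    blobs = rec.get("ShadowHashData", [])
    if not blobs:
        return name, uid, ["no password hash stored"]
    findings = []
    for scheme, digest in plistlib.loads(blobs[0]).items():
        if scheme == "SALTED-SHA512" and len(digest) == SALTED_SHA512_LEN:
            findings.append("SALTED-SHA512: single-pass salted SHA-512, cheap to guess offline")
        else:
            findings.append(scheme + ": " + str(len(digest)) + " bytes")
    if uid == 0:
        findings.append("root has a password hash: root login is enabled")
    return name, uid, findings


# Constructed sample records; the hash bytes are placeholders, not a real digest.
SAMPLE_HASH = b"\x01\x02\x03\x04" + bytes(64)
RECORDS = [
    build_user_record("jeff", 501, {"SALTED-SHA512": SAMPLE_HASH}),
    build_user_record("root", 0, {"SALTED-SHA512": SAMPLE_HASH}),
    build_user_record("daemon", 1, None),
]

if __name__ == "__main__":
    for raw in RECORDS:
        name, uid, findings = audit_user_record(raw)
        print(name, "(uid %d)" % uid)
        for item in findings:
            print("  -", item)
```

Running it over the real records of a machine you administer shows whether root has been enabled and which hash scheme each account uses.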

Download the DaveGrohl 10.7 cracking utility here.

4. Open Up Terminal and Open the Directory

Once you’ve downloaded the utility, open up Terminal and type:

cd Downloads/DaveGrohl

5. Crack The Password

Type the following to begin cracking the password:

sudo ./dave -u

Replacing the username placeholder with the shortname of the target user, and entering your password when prompted (it will not prompt for a password if you’re logged into the root account).

That’s It!

DaveGrohl will begin cracking the password with wordlists (a dictionary attack) and then continue with brute force until it finds the password.

It can take quite a bit of time, depending on the complexity of the password, so be patient! Passwords we’ve cracked have ranged from a few seconds to several days.

When DaveGrohl has successfully cracked the hash, it’ll spit out a message like this:

-- Found password : 'banana'
-- (dictionary attack)

Finished in 0.772 seconds / 51,860 total guesses...
67,209 guesses per second.

6. Optional: Extract Hashes

If you only have a limited window of access to the target computer, DaveGrohl can give you the hash formatted for cracking in John The Ripper, so you can crack the password on a computer of your choice at your convenience. We cover how to use John in our other guide, so check that out if you’re interested.

To extract a correctly formatted hash, use this command:

sudo ./dave -j

Replacing the username placeholder with the target user’s shortname and, again, entering your password if prompted.

You can then copy and paste the output into a .txt file and load it into John.

Advanced Options

Here are a few advanced options that can be used when cracking passwords with DaveGrohl. Type:

sudo ./dave

before entering any of the following parameters.

-u username : Crack a user’s password.
-i : Incremental attack only.
-c chars : Specify possible characters in the password.
-m # : Specify minimum length of the password.
-M # : Specify maximum length of the password.
-v : Verbose mode. (hella slow)
-j username : Dump a user’s password hash formatted for John the Ripper.
-h : Help

Let us know in the comments if this worked for you!


26 Comments

  1. Hey Guys!
    Dave Grohl should work fine on OS X Tiger and anything newer. If it doesn’t for you, please email me with details so I can fix it. youarestupid@davegrohl.org

  2. If you don’t have access to an administrator already, you need to acquire root access.

    If you don’t have admin access, boot the computer into Single-User Mode by holding CMD+S on startup, mount the drive, and type the command:

    passwd

    Here I get an error that says “The daemon encountered an error processing request.” What am I doing wrong?

  3. The first step, gaining admin/root access, didn’t work for me. ‘passed’ showed up that ‘a daemon had encountered an error’ or something of that caliber. Help anyone?

  4. 1 more thing, I meant ‘passwd’ not ‘passed’ up there…(Dangnammit spellchecker)

  5. How do you mount the drive?

    • The system prompts you to enter it when you enter Single-User Mode. It’ll say something about making modifications to the file system, and then tells you to enter this command:

      /sbin/mount -uw /

      (Make sure you remember the space in between the -uw and the /)

  6. I’m getting the daemon too, in spite of following the directions above. My system is telling me that it’s booting up as read-only, and that if I want to alter files, I should type /sbin/fsck -fy and then /sbin/mount -uw /, but I did that and no luck. The message says the daemon encountered an error processing request, then it goes back to :/ root#

  7. Hello,
    I did what you say, but it seems it doesn’t work.
    I entered Single-User Mode by pressing CMD+S on startup,
    then mounted the drive by typing /sbin/mount -uw /
    Up to this step it works, but after that you say we have to type passwd, and when I do a message appears:
    a daemon encountered an error

    Can you please help out? Thanks a lot.

    • Okay, I think I’ve figured this out.

      Instead of booting into Single-User Mode, boot into Recovery mode by holding Option+R on boot. Then go into Disk Utility and open Terminal, then enter in this:

      write resetpassword

      Select root as the account, and set the root password, then restart your machine.

  8. Hi I really need some help. I tried this on the forums and no one could help. I need a way to be able to get the password hash without using Dave Grohl’s application. I need just a few commands that I can type into terminal or single user mode and get the hash.

    Thanks for your help,
    G

    • I’m pretty sure you did NOT ask on the forums for two reasons:

      1. There is no topic by anybody asking for this information
      2. The information is already in a thread labeled “Cracking 10.7 Lion Password Hashes: Going a bit more in-depth”

      People on the forum can ALWAYS help, so please, feel free to actually use it next time!

      The command is this:

      dscl . -read /Users/Username ShadowHashData | cut -f9-25 -d" " | cut -f3 -d ":" | tr -d ' '

  9. ^^^^^
    ‘Okay, I think I’ve figured this out.

    Instead of booting into Single-User Mode, boot into Recovery mode by holding Option+R on boot. Then go into Disk Utility and open Terminal, then enter in this:

    write resetpassword

    Select root as the account, and set the root password, then restart your machine.’

    In that case, you would probably be better off editing the article rather than answering everyone’s questions.

  10. ‘passwd’ doesn’t actually know how to change a user’s password anymore. Instead, it asks the guy in charge of user accounts, ‘opendirectoryd’, to do it for him. In single-user mode, you have to start the open directory daemon before you can reset anybody’s password.

    The commands are:

    /sbin/mount -uw /
    launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist
    passwd username

    Depending on the specific version of OS X, passwd is sometimes smart enough to do this for you, but don’t count on it.

  11. hi, please help with the exercise:
    I am in Lion 10.7.1
    Cmd-S
    :/ root# mount -uw /
    :/ root# launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist
    :/ root# passwd
    New password:
    Retype new password:
    passwd: Could not verify credentials because directory server does not support the requested authentication method.
    :/ root#
    What am I doing wrong?

  12. I tried this on my password for just about everything and it took 7.9 seconds to crack it… Time to get a new password…

  13. I am trying to use John the Ripper to break the Lion user password. I have tried the command that works on 10.6 salted hashes and variations, but JTR doesn’t recognize the 10.7 hash. I have the latest version of JTR with the jumbo patch that supports Lion SHA-512. I used Dave Grohl to extract the salted hash and I have done it manually.

    Can someone help me with correct command for JTR and Lion?

    Thanks
    Dave

    • What OS is the machine that you’re trying to crack on? Also, have you read our older guide on decrypting passwords in 10.5 and 10.6? The commands should be the same on those systems for JTR.

  14. Hi, I am using Lion OSX. I’m trying to use Terminal for the first time, and when I have to type in the password it doesn’t work. I mean I can’t type anything at all. (I am using an admin user.) Why is that, and what should I do about it?

    • Hey Eigle – It actually IS working. Terminal just doesn’t show any feedback when you’re entering the password. If you enter the password (even if it looks like you’re not typing), and then hit return, it should log you right in.
