Decrypt OS X User Account Passwords
This guide outlines the steps required to acquire the password of a local Mac OS X account in cleartext. The procedure is a little command heavy but is relatively straightforward.
The full guide is written below, but Jeff Browning has put together a screencast on our YouTube channel if you want to watch the process visually (embedded below), and if not, feel free to read on.
Requirements
- Either the ability to boot into single-user mode or to log in using the root password. (If the computer has a firmware password be sure to check out our accessing single-user mode guide.)
- Access to some kind of account on the computer you are trying to access. (An administrator account, a limited account, or even a network account will do. You just need to be able to open up Terminal.)
We have a separate guide for Lion here: How to Crack Passwords in Lion
Procedure
1. Log in and open Terminal.
Log into any account on the computer and open up the Terminal application. This application can be found at /Applications/Utilities/Terminal.app
2. Finding the GUID (Globally Unique Identifier)
You first need to find out the Globally Unique Identifier. This identifies the user to the Mac OS X authentication system, and is the name of the shadow file in which the password is contained. Depending on your version of OS X, enter one of the following commands:
If you are using 10.5 Leopard or 10.6 Snow Leopard enter this command:
dscl localhost -read /Search/Users/<username> | grep GeneratedUID | cut -c15-
If you’re on a 10.4 Tiger machine, enter this command:
niutil -readprop . /users/<username> generateduid
In both cases replace <username> with the shortname of the account you want to find the password for (e.g. admin or root). You should get a value that looks like A66BCB30-2413-422A-A574-DE03108F8AF2. This is the GUID. Write it down; we’ll need it later on.
3. Obtaining the Password Hash
A password hash is the one-way, scrambled form of the user’s password that the system stores instead of the password itself. When the user enters their password to log in, the computer runs it through the same scheme to create a salted SHA1 hash, which it checks against the stored hash. If they match, the computer logs you in. We will be using the same method the computer uses to authenticate the login to crack the password.
To obtain the password hashes, we need root access. If you have the root password, just log in as the root user through Terminal: type login root, enter the root password when prompted, and then continue to Step 3b. However, if you aren’t lucky enough to have the root password, you’ll need to boot into single-user mode.
3a. Booting in Single User Mode
To boot into single-user mode, restart the computer. When you hear the startup chime, hold down CMD+S. Soon you should see a black screen with a lot of white text appear. If single-user mode is locked, follow one of the other guides on how to gain access.
3b. Obtaining the Hash
Enter the following into the command line, replacing <GUID> with the GUID you wrote down from Step 2.
cat /var/db/shadow/hash/<GUID> | cut -c169-216
After running the command, it should spit back out a hash that’s formatted like this: 33BA7C74C318F5D3EF40EB25E1C42F312ACF905E20540226.
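The salted SHA1 check described in Step 3, as an added example that is not code from this guide or from Apple. It assumes the 48-character field is a 4-byte salt followed by SHA1(salt + password); the password, salt and shadow-file text are constructed, and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import re

# Assumed layout of the 48 hex characters the guide extracts:
# 8 hex chars of salt (4 bytes), then 40 hex chars of SHA1(salt + password).
FIELD_RE = re.compile(r"[0-9A-Fa-f]{48}")
FIELD_START, FIELD_END = 168, 216  # `cut -c169-216` is 1-based and inclusive


def extract_field(shadow_text):
    """Return the characters that `cut -c169-216` selects from the file text."""
    field = shadow_text[FIELD_START:FIELD_END]
    if not FIELD_RE.fullmatch(field):
        raise ValueError("no 48-character hex field at columns 169-216")
    return field.upper()


def split_field(field):
    """Split the stored field into (salt, digest), both as bytes."""
    if not FIELD_RE.fullmatch(field):
        raise ValueError("expected exactly 48 hex characters")
    raw = bytes.fromhex(field)
    return raw[:4], raw[4:]


def make_field(password, salt=None):
    """Build the stored field for a password (random salt unless one is given)."""
    if salt is None:
        salt = os.urandom(4)
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return (salt + digest).hex().upper()


def verify(password, field):
    """Recompute the salted hash for the entered password and compare it
    with the stored digest, as the login check described above does."""
    salt, stored = split_field(field)
    candidate = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample: made-up password and salt, padded with filler so the
    # field sits at columns 169-216 as in the guide's cut command.
    field = make_field("correct horse", salt=bytes.fromhex("0A0B0C0D"))
    shadow_text = "0" * 168 + field + "0" * 1024

    extracted = extract_field(shadow_text)
    salt, digest = split_field(extracted)
    print("field :", extracted)
    print("salt  :", salt.hex().upper())
    print("digest:", digest.hex().upper())
    print("right password matches:", verify("correct horse", extracted))
    print("wrong password matches:", verify("Correct horse", extracted))
```

A single SHA1 pass over a 4-byte salt and the password is cheap to compute, which is why the John output quoted on this page reports guess rates from roughly 150,000 to several million per second.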
4. Decrypting the Hash
At this point, you need access to another computer (it could be the same computer, if you have access for a long time), where we will use the application “John the Ripper” (“John”) to crack the hash. John will use ‘brute force’ to determine what the password is in cleartext. That means that the application will systematically generate passwords, hash each one with the same salted SHA1 scheme, and check the result against the hash you found to see if the password matches.
You can download John the Ripper for Mac OS X here, and for Windows here.
Open up the zip file and drag the “John the Ripper” folder into your base directory. Now it gets a little tricky so be sure to follow the instructions correctly.
4a. Create a Text File Containing the Hash
Create a text file in your John the Ripper folder called sha1.txt. Inside this file you should have the username and the hash. So if I wanted to find the password for the account crackMe inside sha1.txt I would see: crackMe:33BA7C74C318F5D3EF40EB25E1C42F312ACF905E20540226
4b. Navigating to John the Ripper
Now you need to open up the Terminal application and navigate into the directory of your John the Ripper folder. If you followed the directions and put the folder into your base directory (your home folder), the command should be:
cd ~/name_of_your_john_folder/
If you decided to be a rebel and leave the John the Ripper folder in a different directory, you just need to type in the full path to the directory.
4c. Cracking the Password with John the Ripper
All we have left is to load the hash into John. To do so, type in the following terminal command:
./run/john sha1.txt
If John is successful in loading the hash, you’ll get a message in the form of:
Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64])
Depending on the complexity of the password this process could take anywhere from a second to a day, so be patient. When John is successful at cracking the hash, it will display something along the lines of:
password (crackMe) guesses: 1 time: 0:00:00:00 100% (2) c/s: 153000 trying: password
Any text after trying: should be the password.
The contents of this guide are for educational use only. For more information, see our Disclaimer.



Thanks a bunch. Got a used Mac, couldn’t update anything. Done just right.
Hi. I don’t have the first step down. I don’t have a user account because the guy who uses the computer (the only one who has the admin password) is in Germany. I am locked out. How do I find the admin password? I can’t access the first step without an account password…. How do I “Hack” the admin password? Thanks!
Just boot into Single-User Mode to retrieve the hash, instead of via terminal. You can then take the hash and decrypt it on another computer that you do have access to (it can even be a Windows machine!)
But if I don’t have an account how can I get the GUID that i need for it to access the hash? How do I get the hash without having an account?
Make your own account via deleting the applestartup thing in SUM. I think it’s listed here somewhere, plus you’ll get it as an Admin account too.
I can’t get this to work! I can’t run the last command of “./run/john sha1.txt”, it always says “-bash: ./run/johnsha1.txt: No such file or directory”
Can someone please help?
Thanks,
Rob
Hey Rob – Did you cd into your john folder? You have to navigate into the John the Ripper folder you downloaded to be able to run the command. Also, make sure you’re including the space; You said you entered “./run/johnsha1.txt”, and it should be “./run/john sha1.txt”.
I have done everything the instructions tell me to, but when I do “./run/john sha1.txt” it tells me no such file or directory
Chances are, you haven’t cd’d into the proper directory — some other people in the comments have done that too. In Terminal, make sure you navigate to the ‘john’ folder first. If you’re unclear as to where you are, open up a new Terminal window (it starts pre-navigated to your home folder), and you can always check to see what files are in the current directory by typing “ls” (Short for LIST — make sure it’s l as in Lion, not i as in ice cream. The letters tend to look similar.)
Most important of all make sure you’ve actually put that sha1.txt file INTO your john directory before running the command. You can’t run the file if it doesn’t exist in that location. Forgive me if you’ve already tried this!
Nice tutorial!
What does the -c169-216 and -c15- represent before the cut commands?
characters 169 to 216 and characters 15 to end.
Cool thanks!
good stuff good stuff, this is an awesome site! keep the posts coming please!!
Hi
I’m having trouble once I get to 4a
When I download John the Ripper it comes in a folder called john-1.7.3.1-macosx-universal
not a zip file as far as I can tell (I’m not particularly good with computers)
I moved it into my home folder anyway, created a text file and all that, I tried a number of things in Terminal but it didn’t seem to find it.
What am I doing wrong?
Thank you
@Penguin,
It is a zip file, but nowadays Mac OS X unzips it for you when it hits your downloads folder.
Are you able to “cd” into the folder? If not, when you have Terminal open, type in “ls” (without quotations). That will display a list of all of the folders in your home folder, and just make sure that it’s there.
Also, just in case Terminal is having some issue with dashes (it shouldn’t, but you never know), try renaming the folder to just “john”, and then cd into the directory.
Let me know if this works, or if you’re still having trouble!
I type in is and this is what it says
-bash: is: command not found
Ah, that’s a bit of a reading error; the command is lowercase LS (short for list), not IS. The lowercase i’s and l’s look a bit too similar.
oh right. sorry!
thanks for all the help
After I run john it comes up with
Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])
is that correct and all I have to do is wait now?
I’ve got it to work!
thank you so much
Great to hear it worked out for you!
How did you get it to work.. I got it running with “Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])”
But!
guesses: 0 time: 7:14:01:34 (3) c/s: 149433 trying: Db0b4or
long time, can this even be right?
Yep, it can take forever depending on the complexity of the password. See what I wrote in response to Ryan below.
Jeff I can’t even get into the first stage of creating Administrator account!! I hold down the CMDS after the opening chime but nothing happens, it just goes straight to login. Is there a way to do it like different way to press the buttons and do I have to press the + symbol after the D?? Please help!
@James – The CMD+S key combination means the “command” key, also known as the “Apple” key, which is the key directly to the left of your spacebar. If you hold down that key and the “S” key when the computer boots, it’ll bring you into Single User Mode.
Sorry for the confusion!
Hey Jeff, thanks for this guide man. I have 1 issue though. Once i get to step 4b., i can’t figure out what to do. I have tried your solution to Penguin’s issue (which basically is the same as mine), and “john” is now under the “ls” command. What should I do now? because “cd /john/” won’t work!
Thanks in advance,
Max
Wait I’m sorry; new question. I figured out it was “cd john” instead of “cd /john/”. But my issue now is that I hash’ed the wrong password. On my mac, I’m trying to get to know the admin password or the password to the parental control system. What should I use as my username to get to know the GUID? Just admin or root? Or maybe the real username as in the username that is required to log in? (Which in my case would be Joe) Please help me on this Jeff,
Max
Max – in the sha1.txt file, it should have the username that is connected with the hash that you’re trying to crack (i.e., the administrator account), but you should be running these commands from root (if you’re not an administrator).
Follow our guide on making your account an administrator if you need root or administrator access.
I too have loaded my file through terminal and get the message:
Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])
is that correct and all I have to do is wait now? – It has been 32 hours now. I don’t know if this is correct?
Thanks for all of your help. Your site is brilliant!!
That should work – another commenter (Penguin) had the same message, and it seemed to work out for them.
However long it takes is completely dependent on the password’s complexity. Let it run for another couple days and let us know how it goes!
If I close my laptop (putting it to sleep), will the program continue running when I open it up again?
Thanks.
To be honest, I’m not entirely sure — I would assume that it wouldn’t (Your computer stops commands/processes when your computer goes to sleep, and most need to manually be resumed), but I don’t have anything to support that.
I’ll have to try it out later this week and let you know how it goes; great question!
Hey Jeff, thanks for the great information! One more question though, please: you posted a link to one of your other guides. I was wondering that when i follow that guide, will my account be fully unrestricted? Will all the time limits be gone? (Because now i have time limits which restrict me to only using the computer 1-several hours a day). This restriction is via Parental Controls. I do not know the password to the parental controls account. So will i still get these limits after i follow your guide? Also: will my restrictor be able to see that i have unrestricted it?
Thanks again Jeff, keep up the awesome guides
Max
Thanks for the support Max!
The restrictions would no longer apply, but the administrator who placed the restrictions on you would be able to see that the restrictions cannot be put on your account (because it’s an administrator). If you follow the guide to change the root password instead of changing your account from “Managed” to administrator, you can just enter in that password when the computer locks you out due to the time limit. You could allow yourself hours of more time by entering in the password you set for the root account.
Ok, thanks Jeff. I got something else to work. I first made a new admin account, then I created a second admin account. But I made the second one a “hidden” user admin account. After that I just removed the first, visible, one and now I have full access to the computer without letting the original admin know. Maybe you could make a guide on this for the other people that want full access, but don’t want anyone knowing? Oh, and Jeff, I just got a mail on your guide to controlling another person’s computer. Pretty damn awesome! Thanks for all mate
Max
We’ve got something published that might help with the “hidden administrator” thing, but in a different way.
It explains how to activate the root account or change the root password from inside Single User Mode (which effectively gives you a hidden administrator account).
It’s in this article under “Additional Information.”
Let me know if that helps, or if you still think we should make a clear guide on hiding user accounts. All of these comments are great and really help us clarify everything.
I’m also really happy you like the guide, and thanks for subscribing — we’ve got some more exclusive stuff for everyone on our newsletter coming soon, so stay tuned!
It says “No password hashes loaded”
I am in the folder, and I have my file named sha1.txt with my user:hash, so why won’t it work?
Shauna — Is the sha1.txt file in the john folder? And in Terminal, if you type “ls” (l as in Lion and s as in Snake), is one of the files listed the sha1.txt file?
yeah i got exactly that and yes it is listed.
Hey Jeff,
You’ve been super helpful on the other comments so I thought I’d give you a shot.
I’ve followed all the directions but when I type ./run/john sha1.txt, it just says that no password hashes were loaded. What could I have done wrong?
Keegan, that’s what I’m here for!
For no password hashes loaded, it means either that something is wrong with your hash, or just the formatting of the sha1.txt file. The sha1.txt file placed within the john folder (make sure it’s in there!) should look something like this:
crackMe:33BA7C74C318F5D3EF40EB25E1C42F312ACF905E20540226
Let me know if this helps!
Hey Jeff!
I’m having a problem with the ./run/john sha1.txt portion of the guide. It keeps telling me that there is no such file or directory, but I see them when I use the ls function in terminal. I named my folder john, and I put the sha1.txt file with the hash and user shortname in the folder. I had to use without the brackets to find the folder, but now I am stuck. Some help would be much appreciated.
Keep up the great work by the way!
JJ
Hey John — if you type the two letters “ls” (without quotes, and it’s l as in Lion, not i as in Ice Cream), does the john folder show up? If it does, make sure you then type “cd john” (again, without quotes) to enter it, and try running the command again.
Thanks for the kind words; please feel free to report back with your results!
Hi Jeff,
I’m pretty new to terminal and single-user mode, so sorry.
When I try to find the GUID in terminal, I get one of two messages. The first, when I type “admin” for I receive the message:
grep: UID: No such file or directory
DS Error: -14136 (eDSRecordNotFound)
Or, when I type the account name I’m trying to hack, I get the “grep: UID: NO such file or directory” message. Any suggestions?
Cory — If the username you are trying to hack is “admin”, for example, you would enter the following as the command:
dscl localhost -read /Search/Users/admin | grep GeneratedUID | cut -c15-
Are you entering that, or just typing the word “admin”?
Ya, typed that exactly… received the message;
DS Error: -14136 (eDSRecordNotFound).
Ok actually I just punched it in and when I hit return it simply put up a new terminal line for usage. It didn’t give me anything that looks like a GUID
Hi Cory –
If the error message is:
DS Error: -14136 (eDSRecordNotFound)
That means the user doesn’t exist. For example, if you entered the command that Jeff gave you, it would mean that there is no user name ‘admin’ on the computer.
If you enter it and it just puts up a new line, it means you typed something wrong or missed a letter. You could have typed an extra letter or transposed two letters – it just means the command wasn’t entered correctly.
So based on the errors you gave, you should make sure you have two things right:
1. The username of the account
2. The command must be entered completely correctly
Hope that helps!
Try this, it worked for me.
$ /sbin/fsck -fy
$ /sbin/mount -uw /
$ launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
$ touch /var/db/.AppleSetupDone
$ passwd root
$ reboot
I tried this but it pops up this:
-bash: /usr/bin/dscl: Permission denied
Is there any way I can bypass this and single-user mode is blocked too
Hieu, as we state at the beginning of the article, you do have to be logged in as root, or be an administrator. If your single-user mode is blocked, check this out: we’ve got an article for that: http://www.hackmac.org/hacks/workarounds/access-single-user-mode-when-locked-in-os-x/
Hey Jeff, first of all you’re a gangsta for keeping with the posts! But on 4a I get lost. I got the hash and downloaded the john file. But I don’t know where or what the “base directory” is, and when I try to create a .txt via TextEdit.app I can only make .rtf files, there is no .txt option. How can I make a .txt and where should I move the jack file once I get the .txt file in it? Thanks!
I keep falling a day or two behind all the comments, but I try to get to all of them!
Your “base directory” is just another name for your “home folder” — we call it that because when you open up Terminal, it uses that folder as a base from which you can start navigating. So you’d put the ‘john’ folder (yep, the whole folder!) into your home folder, then you’d place the .txt file within that.
You make a good point about the .rtf files in TextEdit. Rtf stands for Rich Text Format, and TextEdit opens these files as default. Since we don’t want rich text (fonts and colors and all that jazz), we want to create plain text files (.txt). To change that, you can open up TextEdit, then go to the menu Format -> Make Plain Text. That will tell TextEdit you want to be able to save as a .txt file. To change it, just go back to the Format menu and you’ll see the button has changed to ‘Make Rich Text’.
Hope this helps!
i want to know more about how this works
first it reads the GUID of the username and cuts it out to terminal right?
then it gets the hash in the directory
could you explain what the cat command is and what is a GUID
thank you so much
Ben — glad you want to know more! We explain a bit about the GUID in the post, so I’ll be copying and pasting a bit. Let me know if you need any further clarification:
For the cat command, because I don’t have a better definition, here’s Wikipedia’s:
“The cat command is a standard Unix program used to concatenate and display files.”
So, what we’re doing is viewing the contents of the file that’s named after the user’s GUID (Globally Unique IDentifier), then using the ‘cut’ command to only show the characters that pertain to us, i.e. the hash.
The GUID is the string of characters that the computer identifies the user by in the deep system directories. The reason we need to know it, is because the file that contains the hash is named by the GUID of the user whose hash it’s for.
If you need any more clarification, just ask!
Just needed a little reassurance – this process can take a while right?
I’ve had this message on my Terminal.app for the past 15 hours – no movement.
” Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64]) ”
Waiting game at this point?
Also, I’ve hit enter to see what would happen and got this message -
” guesses: 0 time: 0:15:24:07 (3) c/s: 2874K trying: fd00ich ”
Did I mess anything up?
Thanks for your help!
Ryan – So far, it looks pretty good. The time it takes is completely dependent on the complexity of the password, and I’ve heard of times running past a week before, but most are resolved by then.
Again, by complexity, I mean use of uppercase and lowercase letters, numbers, and symbols (!@#&$^). The time increases exponentially depending on how many of these are used in the password.
When you hit enter, it’ll display the most recent guess that it’s generated, so no, you didn’t screw anything up.
hello,
looks nice, but after executing the script it will return a password, however this is not the good one
it said:
guesses: 0 time: 0:00:10:13 (3) c/s: 166145 trying: tc4ctha
but after reading the comments i figured out it was because i was hitting return
really respect for the one who figured this out!
just one more question, when the decryption started it said:
Loaded 1 password hash (lotus5 [lotus]
this is different from the “Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64]” in the description. Is this going right? Or is it decrypting a wrong type of hash?
Roel — I hadn’t seen that before until several readers told me that’s what John is spitting back out at them, and a few said it worked from there, so it should be just fine.
If it goes longer than a week, either it’s a really secure password or something’s wrong. Check back in to let us know how it’s going!
When I go into the terminal and type sudo passwd root and I put in a password, it says sorry try again.
What do I do?
Never mind, I figured it out, but I have another question. After I finished setting up the root account it shows up on the front screen as other on the list of accounts on the startup screen. I thought it was an invisible account.
It shouldn’t be showing up on the users list, usually it will just add another option that says “Other…”, which when clicked displays a username and password field.
What version of OS X are you running?
Hey guys, I’ve gotten a problem while trying to obtain the password hash on;
}
3b. Obtaining the Hash
Enter the following into the command line, replacing with the GUID you wrote down from Step 2.
cat /var/db/shadow/hash/ | cut -c169-216
} and all i get is
cat: /var/db/shadow/hash/: Permission denied
is my actual GUID e.g. = A66BCB30-2413-422A-A574-DE03108F8AF2
i am logged into an admin terminal
PaulyD, admin ain’t enough! You have to be logged into root (check the requirements at the top of the post). As long as you’ve got the root password, just type:
login root
and enter your password, then run the commands. If you don’t have the root password, follow the second half of this guide:
http://www.hackmac.org/hacks/from-standard-to-administrator/
Hey jeff, thanks so much for getting back to all of the inquiries! everything has gone pretty smoothly for me but i just want to make sure i have the last part totally right. at 4. “decrypting the hash” you say we’ll need access to another computer. does that mean that john the ripper should eventually decrypt the hash from any computer, even if that computer is not tied to the targeted account? Also, going back to a previous question…if it can take up to a week or more to decrypt, does that mean i have to keep the computer i am running terminal in up and awake non-stop? if i were to put the computer to sleep and wake it up later would the john application pick up where it left off or start all over again? let me know when you get a chance, thanks so much!
Hi Jeff! This site is great! I have a quick question: I’m running “john” on a PB G4 (10.5.8), and in the “Loaded 1 password hash” line it says at the end “[32/32]” (without quotes).
I’m guessing that’s because the G4 isn’t capable of 64-bit mode? This won’t make any difference, will it?
Everything else came up as described, with no errors, so now I just wait? Is there a way to confirm that it is, indeed, running, other than checking in Activity Monitor?
I think I read above that if I hit “Enter” it will return the latest guess, without interrupting the process?
Thanks! Good stuff here!
Yep, it won’t interrupt anything, and it’s a good way to check on it.
You can also check your system logs, as it should show up in there.
Hi,
I have followed your instructions completely and have had a look at all the other responses and I seem to be doing this correctly.
I have Downloaded John the ripper I have saved the hash file into the run folder. when i try to run it it comes up:
sh: ./sha1.txt: Permission denied
I am logged into the root account, the password i am trying to get is for a standard account. Does this make a difference? I also used a hash for an admin account and it does the same thing as well.
I think my problem is when I install Jack the Ripper, I downloaded it, extract the file, save the folder onto my desktop. Then I open up the terminal and do all the commands, I find the file and run it but that error comes up. Should I be doing something with the Jack The Ripper files?
can you help me please?
Phil – If you followed our instructions completely, then the John the Ripper (not Jack! Jack is a serial killer) folder should be in your Home folder, not the Desktop.
Try moving it there, with the properly formatted sha1.txt file inside the run folder. Also, out of curiosity, what OS version are you running?
Sorry, just so used to saying jack.
I have moved everything over to the home folder, logged in as root user and it still comes up with permission denied. I have logged as each type of account (admin, standard and now root) I have double checked the text file and it has been formatted correctly. Used text edit and also microsoft work (apple).
The OS I am running is 10.6.7. Do you think that this is the issue? I have looked all over the internet and can’t seem to find help on this.
Ok I figured it out. In the terminal I had to go one more level down and enter the run folder. Then i went ./john sha1.txt and now the file has run.
Thanks for your help
I am having problems with 4b. I have the ‘john’ folder in my C directory on my PC, but can’t navigate to it. I get an error that says “The system can’t find the file path specified”
What should I do?
OK, I’m now on 4c, but when I type in
..run/john sha1.txt
I get an error that says “.” is not recognized as an internal or external command
What should I do?
Mark – the commands in this guide are Bash commands, designed for Apple’s Terminal (which isn’t available on the PC).
You’d have to check out the documentation for John the Ripper (http://www.openwall.com/john/doc/) to find the equivalent commands.
Hello again, Jeff,
I’m trying to get the GUID for the “root” account, and when I entered the command, I got what looks like 2 separate GUIDs??? i.e. 2 lines formatted like your example:
FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
7CCC2E64-DCAB-445A-997D-1C5C02193465
What do I do? enter both with a space between them in the cat /var command line?
Thanks!
(My other one is still chugging away… almost a week, but it’s the IT Staff PW)
i can’t get the (dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-) command to work
it comes up with this bash: syntax error near unexpected token `|’
Hmm… what OS are you running?
I think your problem is that you are leaving the in on whichever step you were on. Like this line “cat /var/db/shadow/hash/ | cut -c169-216” you would replace with your GUID and remove the I only know this because I ran into this problem myself.
I see that putting those together does not show up on this page, so let me start over. I think your problem is that you are leaving the in on whichever step you were on. For example, “cat /var/db/shadow/hash/ | cut -c169-216” you would replace GUID and remove the I had the same issue
Hey Jeff,
I keep on having a problem with 3b. When I type in the cat thingy (I’ve triple checked my spelling) into single user mode and press enter, a new command line appears as if nothing happened. I am running Panther, but from the research that I’ve done the method of obtaining the GUID is the same, so I don’t know what’s wrong.
Miles – I’m pretty sure Panther doesn’t have the ‘cut’ command in its kernel (can anyone else verify this?), so I’d just leave it out and try this command:
cat /var/db/shadow/hash/GUID
You’ll get a LOT more characters with this one. The ‘cut’ command just isolates the hash out of the file. For Panther, the SHA1 hash (the one we’re interested in) should be the last 40 characters of whatever Terminal spits back out at you.
Let us know if that fixes it!
Hello,
my keyboard doesn’t have the ‘ | ‘ key are there any alternatives for the ‘cat /var…’ command?
Thank You
Are you sure? Any modern keyboards have it, it’s just the backslash (\) key, but you hold shift (|). It’s usually right above the return key on Mac keyboards.
Apparently I have a German keyboard. I do have the backslash key, but it won’t turn into the (|) command when pressing shift. But thank you for your help.
Hey Jeff! I love the guide… so far everything’s going good… I just decided to try it out using an account I already know the password to (sort of for the challenge), and if it’s successful, I’m going to actually put this method to good use. Anyway, I was wondering… is using the root password necessary? I simply booted into single user mode and got the hash from there (never used the root password). My mac is working hard at cracking the hash, so I had to have done something right? And also, is there any danger in using the root account? Thanks so much in advance?
Hey Nolan — great to hear you like the guide!
You DO need the root account, but no worries; when you log into Single-User Mode, all of the commands you run are automatically run as root, without you having to enter a password. The only danger in using the root account is that it “takes away the safety rail.” When you’re on another user account, Mac OS X has some restrictions as to what you can do to system files, and you have to confirm everything on the system level with your administrator password or the root password. If you use the root account, the safety rail is gone and the OS will do whatever you tell it to do, no questions asked.
Hope that helped!
I am really confused.
I am almost at the end…
I will show you what I have written into terminal:
”
cd john
./run
-bash: ./run: is a directory
./john sha1.txt
-bash: ./john: No such file or directory
Ah, please help me.
I have tortured over this for hours. I just need to know exactly what I must put into Terminal.
Thank you!
Argh.
I have managed to get further.
However it says now, “No password hashes loaded”.
I got my password or code thing, it looks like yours, I have the right username. But…
It doesn’t work.
Check your .txt file again. Is it in the right folders? Did you format it correctly (no extra spaces or anything)?
Hey Jeff! I love this guide!
Alright well I did everything correctly, and it came exactly as you said
Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64]
Only thing I noticed is that the passwords won’t continue guessing unless you press enter/arrow keys or some random key. So that means that if I want to get the password I would have to continue pressing enter/arrow keys repeatedly until it comes up with the password? Also I saw that the guesses stay at 0, like it’s at:
guesses: 0 time : 0:02:09:17 (3) c/s: 2240K trying: 15lyreyC
is it supposed to be at 0 guesses?
Hey Kevin – It’s actually guessing continuously, but displays the most recent guess when you press the enter key. The guesses won’t go up until it finds the correct password.
Just sit back and relax, John is on the job.
When I type :
./run/john sha1.txt
and i press enter it says :
Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])
Crash recovery file is locked: ./run/john.rec
why is that file locked? how do I unlock it?
Hmm, sometimes that happens. Just delete the file and start again, something got corrupted with the crash recovery file, so if you delete it (which is fine because you’ve only just loaded the file and haven’t generated any guesses yet), it’ll generate a new one and work from there.
I just have two questions. I did everything that you said to, and it worked fine, it did show
Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64]
but then I noticed that a guess won’t show up unless you press a button like enter/arrow keys/space bar/etc. Does that mean that you have to continually press a button until the correct password shows up?
Also another thing is that each guess I noticed, in the beginning it shows guesses: 0. Is that what is it supposed to be? And how do you know when it’s the correct password?
Yep, that’s all fine. If you read through the other comments, you’ll notice that I’ve mentioned a few times (twice, I believe?), hitting enter will display the most recent guess, but it will continue to work without you hitting any buttons. And as it says at the bottom of the article, it will display something like this when the password has been cracked. Note the “password (user)” format at the beginning:
password (crackMe) guesses: 1 time: 0:00:00:00 100% (2) c/s: 153000 trying: password
When I boot into Single User Mode and type this in cat /var/db/shadow/hash/ | cut -c169-216 (with the GUID), it said “Find the dscl before continuing.” What do I do?
To be more exact it says this. “For Single User Mode you must run the following command to enable use of dscl
launchctl load :System:Library:LaunchDaemons/com.apple.DirectoryServicesLocal.plist”
Apple951 – give this a shot before entering in the cat /var… command:
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
(make sure it’s all one line)
Can this POSSIBLY be still running? It’s been three weeks (or more) and seems to still be running in Activity Monitor, but no final result. Also, all of the “guesses” are only eight characters???
Please advise. Thanks!
John — It looks like you’re dealing with a really tough password. If it’s trying only eight character passwords at this point, it means it’s probably guessed all possible password combinations under 8 characters. Whenever you add a letter, you increase the processing time exponentially, so it looks like it’s still working through the eight character passwords.
Hang in there!
OK, Thanks!
Yeah, I’ve seen the IT guys type in the PW, and it looks like it’s about 12 characters, so I’ll just keep letting it run.
Thanks again!
Hi Jeff,
I’ve been reading up on your posts, and they are really helpful! Just recently however, i have had the need to crack a password on a computer, and i will only have about a minute of physical access time. I’m going to boot into SUM, run the command “mount -uw /” and then “passwd” to quickly set up or just change the password of the root account. From there i’ll reboot the computer and log in via root. I’m counting on all of this to not take more than 45 seconds. Once i’m in the root account, rather than navigating to your site and messily copying and pasting all the code and then having to make a text document, i decided to try to make an applescript for this process. Everything has been running smoothly, I am only stuck on one small part. Here is what i have so far:
display dialog "Username" default answer "Place user name here…"
set theUsername to (text returned of result)
tell application "Terminal"
    activate
    do script "dscl localhost -read /Search/Users/" & theUsername & " | grep GeneratedUID | cut -c15-"
    set theGUID to "What would i put here?"
    do script "cat /var/db/shadow/hash/" & theGUID & " | cut -c169-216"
end tell
As you could tell by the “What would i put here?”, i have no idea how i would set the GUID terminal spits out as the variable “theGUID” in applescript. Also, is there any way to paste a variable as text (after i tell application “textedit” to activate)? Thank you so much,
~Josh Fletcher
Hey Josh – Evan is our AppleScript guy, so I’m not totally sure about the answer to your question. I noticed that you posted a comment on one of his posts too, but alas, I usually check the comments and respond on the site. I’ll let him know that you posted, but if you want to join our new forums (http://www.hackmac.org/forum/) and post the question there, you’ll probably get a faster response from him or other members of the community (Evan’s always on there)!
Hi, this is a great tutorial and seems to be working fine on my MacBook for a lost admin password.
One question though, reading through the documentation it seems John can also work with other password hashes. I have been trying for weeks to locate a lost user password in a mysql database. I have the md5 hash but do I need to call the .txt file something other than sha1.txt?
Thanks
You should be all set! You can name it whatever you like, i.e. md5.txt — just remember to type md5.txt when loading the text file into John.
./run/john sha1.txt
Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])
Crash recovery file is locked: ./run/john.rec
what does this mean??
it didn’t let me run command ./run/john.rec
Go into your “john” folder and delete the john.rec file, then give it a shot. Let me know if that fixed it!
Hey Jeff,
I’m having some trouble with the first steps on the procedure.
I’m logged in as root under single user mode, but when I type
dscl localhost -read /Search/Users/name | grep GeneratedUID | cut -c15-
I get
launch_msg(): Socket is not connected
For Single User Mode you must run the following command to enable use of dscl.
launchctl load /System/Library.LaunchDaemons/com.apple.DirectoryServicesLocal.plist
dscl localonly
and yet when I type that command, it tells me again
launch_msg(): Socket is not connected
Any advice?
Thanks
Give this command a shot:
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
I’m pretty sure Apple prompts for the wrong command (there’s not supposed to be a Local at the end). Let me know if that fixes it.
No good, I get another
launch_msg(): Socket is not connected
message. This may be a stupid question, but the computer is running a French version of Snow Leopard, does that mean the commands like System and Library should be Systeme and Bibliotheque?
I’ve never used any non-English OS X distributions, but I would imagine the file structure would stay the same…
Can you log in and check the folder name on the HD and make sure the paths are the same?
I’m afraid I don’t have the admin password to check the paths. But I tried the process on two other macbooks, American OS this time, and both of them message “socket is not connected” when I try it in single user mode. From their terminals though, everything works perfectly, I’ve tried it and it’s flawless. The single user mode though, just won’t work
Try:
launchctl load /System/Library.LaunchDaemons/com.apple.DirectoryServicesLocal.plist [enter the command]
You should get a pause and it will go to the next line.
dscl localonly [enter the command]
You should get a “>” appearing and you’ve successfully entered dscl mode.
Don’t forget to mount the drive first: /sbin/mount -uw
Hi Jeff,
I am having the same problem as Kev in the single use mode. I’ve looked through your comments and Jacks.
Here is what I am doing:
:/ root# /sbin/mount – uw
usage: mount [-dfruvw] [-o options] [-t ufs | external_type] special node
mount [-adfruvw] [-t ufs | external_type]
mount [-dfruvw] special | node
:/ root# launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
launch_msg(): Socket is not connected <– this is where I got stuck
The fact that it’s showing you the usage means that the drive is being mounted incorrectly.
It looks like you’re leaving off that trailing slash. The command should read:
/sbin/mount -uw /
Give that a shot. Good job with the research though!
So it’s officially been 24 hours and it hasn’t cracked the hash yet…
any advice? have i maybe done something wrong?
Any advice would be much appreciated.
Alex – the time it takes depends on the complexity of the password. If it’s a really tough one, it could theoretically take weeks or longer (but that’s REALLY tough). If you’re concerned about its progress, feel free to hit the return key to retrieve the latest guess and check up on it.
Well it’s just a personal password i wouldn’t think it would be THAT complicated. But this method is a guaranteed way? as in though it might take longer it will still find it?
I’ve hit return dozens of times its giving me stuff like this :
guesses: 0 time: 1:00:23:42 (3) c/s: 1783K trying: Snkypr5o
It always says 0 guesses in case that’s important.
Thanks for your help Jeff,
-Alex
Jeff,
I control-clicked on the user name in Accounts and it listed a “UUID” in the window that popped up. Is that the same thing as the GUID? It has the same format so I tried using it and it’s worked for the remaining steps so far (John has been running for an hour now).
Hmm, I haven’t tried this before, but it very well could work. Let us know how it goes!
I wanted to prank one of my friends for his birthday and the problem is I do not have access to any account on his computer.
I’ve successfully loaded dscl in single user mode by entering the following:
/sbin/mount -uw
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServicesLocal.plist
dscl localonly
However, when I try to run the command to grab the GUID (dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-) I only get different kinds of error (maybe because I tried different variations of the script).
What am I doing wrong? Is there a way to get the GUID in single user mode? Are there any other ways to get around this.
Thank you for your help
Hey Jack – what kinds of errors are you getting? Search for your error in the comments section of this post (we’ve got 110 of them as of now), and see if I’ve covered it.
If not, hit up our forum (http://www.hackmac.org/forum) and ask about it in the “Content Support” forum. We’ve got some knowledgeable guys over there who might figure it out before I do.
I got “read: Invalid Path” and ” DS Error: -14009 ” but I checked that the path is correct (I am testing on my computer now and the same path works in terminal).
Hmm… this definitely looks like a question for the forums. Post it over there (http://www.hackmac.org/forum) and we’ll see if we can put together a solution.
Thank you Jeff. You help me a lot
That’s what I’m here for!
When I enter the text “./run/john sha1.txt” I get the response of “No password hashes loaded (see faq)” What should I do?
Check the format of your text file, sha1.txt
If it’s all correct, hop onto the forum and ask there under “Content Support” — you’ll get a speedier response and we’ve got a great group of people helping out there.
http://www.hackmac.org/forum
How do i get Jack the Ripper to run in Windows? I only have 1 hour per day on the mac, but have a windows computer where i could run it. For example, where in windows do i enter the terminal commands? WinXP.
For Windows, go to the Start menu, click Run, type ‘command’ (no quotes) and press enter.
You might want to look on the JTR site for a Windows guide.
I am able to find the GUID but when I log into single user mode and put in the command above (I’ve replaced the GUID with the actual numbers/text) it says no such file directory. What can I do to fix this?
Bingham – If you’re retyping the GUID into SUM, there’s a pretty big chance that you may have copied it incorrectly. Also, when you log into Single-User Mode, did you mount the file-system before entering the commands?
hello, just a quick question. I get the no hashes loaded error when I enter ./john crackME.txt (different name, because I’m actually attempting to crack my own account pass, as a test). My question is could you be more specific when you say to have the .txt file in my john folder? I put my john folder on the desktop instead of the base directory and even did a make command to compile it (no questions!). my crackMe.txt file is inside john-1.7.7.tar/john-1.7.7/run is there somewhere else I should be putting it? perhaps move it back one directory to Desktop/john-1.7.7/john-1.7.7 ? thanks for any help you can provide. great article, keep them coming!
I am using Mac OS X 10.6.7. Also, I have seen that my problem could be that I need to combine my passwd file and the shadowed file, but I can’t locate etc/shadow or anything like it. ls under etc does reveal passwd, but no shadow file, even as SU or Root. FileVault is on on my computer, and I cannot turn it off (errors out, I need to go see the Apple store for repairs anyway, I’ll get them to take care of transferring everything) if that makes a difference.
Greg – Thanks for the positive feedback!
As for your problem: The file does NOT go into the ‘run’ folder, and just goes in the main john folder, so like you suggested, move it up one directory to the original john folder.
If that doesn’t fix it, go back to the top of the article and watch the YouTube video (it’s in HD, so you can view fullscreen and see everything clearly). Make sure all of your files are going into the same place as they are in the video and you follow the same steps (you don’t have to find the hash all over again, but put the john folder in your home directory, rename it “john” and put the text file in that folder).
Great site! Keep the tutorials coming!
Andrew
Thanks for the feedback Andrew! We certainly will — we’re planning on launching new features soon, which is why we haven’t been able to keep up with our usual article schedule.
If you’re hungry for more tutorials, some guys on our forums (http://www.hackmac.org/forum/) have written some great ones and scripts to automate most of the process. Hope to see you over there!
Will this method handle passwords that have special characters and spaces in them?
Yes, but adding special characters and spaces to passwords adds enormously to the processing time.
I’ve been cracking the hash to my account for 20+ days… is this normal for a strong password?
Well, if the password is EXTREMELY strong, yes, but that seems to be a very long time.
Great tutorial, very easy to understand.
I’m nearly 2 days into the process of cracking a sha1 hash and so far everything is going fine.
I did a test with a wordlist filled with 10 million strings of 20 characters each, and then adding my name after the last one. I then converted my name into a sha1 hash and made that what John is looking for.
I timed it, and it took roughly 6.6 seconds to find that the password is my name using the wordlist approach. I’m not the best at computing, but i can say that 6.6 seconds for 10 million strings is pretty fast. Just letting you know roughly the speed in which it tests.
Thanks for reporting Louis! Great information to share.
We’ve done completely random six-character all-lowercase passwords in well under 30 minutes, so hopefully that shows that you need to throw in some numbers, symbols, and capitalization into your passwords.
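The advice above about length and character variety can be put into numbers. This is an added example, not part of the original comments or of John the Ripper: it parses status lines like the ones quoted in this thread and estimates the worst-case time for an exhaustive search at the reported rate. It assumes that K means ×1,000, that c/s equals candidate passwords per second for a single hash, and a uniform exhaustive search rather than John's actual guess ordering; all function names are illustrative.

```python
import re

# Status lines quoted in the comments on this page.
STATUS_LINES = [
    "guesses: 0 time : 0:02:09:17 (3) c/s: 2240K trying: 15lyreyC",
    "guesses: 0 time: 1:00:23:42 (3) c/s: 1783K trying: Snkypr5o",
    "guesses: 0 time: 1:21:22:54 (3) c/s: 1968K trying: 1euy35h7",
]

STATUS_RE = re.compile(
    r"guesses:\s*(?P<guesses>\d+)\s+time\s*:\s*"
    r"(?P<d>\d+):(?P<h>\d\d):(?P<mi>\d\d):(?P<s>\d\d)"
    r".*?c/s:\s*(?P<rate>\d+(?:\.\d+)?)(?P<unit>[KM]?)\s+trying:\s*(?P<cand>\S+)"
)
# Assumption: K and M are decimal multipliers.
UNIT = {"": 1, "K": 1_000, "M": 1_000_000}


def parse_status(line):
    """Extract guesses, elapsed seconds, rate and last candidate from a status line."""
    m = STATUS_RE.search(line)
    if m is None:
        raise ValueError("not a status line: %r" % line)
    elapsed = ((int(m["d"]) * 24 + int(m["h"])) * 60 + int(m["mi"])) * 60 + int(m["s"])
    return {
        "guesses": int(m["guesses"]),
        "elapsed_s": elapsed,
        "rate": int(float(m["rate"]) * UNIT[m["unit"]]),
        "candidate": m["cand"],
    }


def keyspace(alphabet_size, max_len):
    """Number of passwords of length 1..max_len over the given alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def worst_case_seconds(alphabet_size, max_len, rate):
    """Time to try every password up to max_len at `rate` candidates per second."""
    return keyspace(alphabet_size, max_len) / rate


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, name)
    return "%.1f seconds" % seconds


ALPHABETS = {"lowercase": 26, "lower+upper+digits": 62, "printable ASCII": 95}


def report(rate, lengths=(6, 8, 10, 12)):
    """Rows of (alphabet, max length, worst-case time) for one guessing rate."""
    return [(name, n, human(worst_case_seconds(size, n, rate)))
            for name, size in ALPHABETS.items() for n in lengths]


if __name__ == "__main__":
    for line in STATUS_LINES:
        st = parse_status(line)
        print("after %s at %d c/s, last candidate %s"
              % (human(st["elapsed_s"]), st["rate"], st["candidate"]))
    rate = parse_status(STATUS_LINES[1])["rate"]
    for name, n, t in report(rate):
        print("%-20s max length %2d: %s" % (name, n, t))
```

At the rates reported in this thread, six lowercase letters fall in minutes while eight characters drawn from all printable ASCII take longer than a century on the same machine, which is why length and character variety matter when choosing a password.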
Whenever I try to do the ./run/john sha1.txt part, it says that the arguments are too long. What am I doing wrong?
Joey — I’ve never come across that error before, and I’m not sure what could be causing it.
Perhaps this article could shed some light on the subject: http://www.linuxjournal.com/article/6060
Thanks Jeff, that error has now stopped. Now, however, it’s saying -sh: ./run/john: cannot execute binary file. Any advice please?
Same for me, what do I do???? Please help..
Great tutorial. Got it working on first try. However, it has been cranking one core on my MacPro for 30 days with no messages in Terminal after the initial response “Loaded 1 password hash..”. How long is this going to take? Is it hung? Is there a way to ask John what’s going on?
Is it possible to decrypt a hash that comes from an account from another computer?
Yeah probably, I mean you would have to have the hash in encrypted form (as in GUID decrypted, but not the hash decrypted) and then just create the text file and crack it using John the Ripper. So long as you have the encrypted hash on a drive like a USB key, or somewhere where you can access it on your computer, you should be able to decrypt it. I don’t know though, but Jeff may be able to help.
Good tutorial! Got it running fine on first try. However, it has been full blast on one core of my MacPro for 30 days. Is there any way to ask John if he’s hung up, or to check on progress?
Hit the return key and John should spit out the most recent guess.
Hey everyone k so awesome job for this website but I have a couple of questions. First of all, if my password is bigger than length 8 will it still decrypt it? Because I’ve been looking at the log and it says “1:02:14:31 – Trying length 8, fixed @4, character count 22” and the password is more than length 10. Jeff could u explain in detail what all the significance of the log is, cuz I’m confused. Second of all is there any way you could accelerate the decrypting speed?
PLz help
Nicosnow
Decryption speed is affected by several different factors: the difficulty of the password, how many other applications are running at the same time, how many processor cores you have, what speed that processor/those cores are clocked at, how much RAM you have, and whether you’ve tethered multiple machines together to make a cluster (this is more advanced).
As for password length, John starts lower and works its way up to longer character passwords. It wouldn’t make sense to start guessing at 16 and then guess 4 letter combinations, so it guesses incrementally.
Any idea where the hashes are located in Mac OS Lion? It seems like they moved them again.
We’ve just put Lion on a couple of our laptops, so we’ll be testing all of our scripts and updating guides with new information in the upcoming weeks.
Stay tuned.
I have a Mac Os X 10.4.8. When i type in “niutil -readprop . /users/admin generateduid” into terminal, i get the command “-bash: niutil: command not found”. What am i doing wrong?
Are you logged in as root?
Now John says that it cannot execute the binary file, any way to help, Jeff?
Is there a way to estimate how much time is left for the decryption because the decryption I have in progress is taking forever.
Thanks in advance,
Greg
MAN WAS THIS AWESOME
I have been looking everywhere but couldn’t find anything…..
It’s still decrypting lol but I hope it will find it soon
1. To find the GUID you only need to use these simpler commands:
dscl . read /Users/ generateduid
Nice. Shorter is always better.
Ideally, we’d have something that just spits out the GUID, which is what we ended up with using our current command, so we can then pass on that output to the next step when scripting the entire process.
Any thoughts on that? We’ve been working on scripting the entire thing from start to finish on our forum, and we have a fully functional application with a GUI already coded by one of our community members, Josh Fletcher.
hello Jeff,
i know you will tell me to check the files and everything but i have check it for over an hour and i get this error message “-bash: ./run/john: No such file or directory”.
i have tried it in windows but as i do not really know the windows command, i get this error message “‘.’ is not recognized as an internal or external command” at least can you help me with the windows command and let me have a crack at it please?
this is my sha1.txt file:
jcaburian:2A0212C10D964640A04C240B5615ABBC73F715A09AE4C9BF
can you get the password please.
Edmund
There might be some guys who know more about the Windows commands on the forums (feel free to ask over there!), but I’m sure the John website has documentation as well.
my question is I have done all that you beast review told me to and when I enter the cat code deal I entered it correctly but then it says when I enter the guid after the stuff it says the exact same guid and then says permission denied please help me please reply quick please man I’m desperate thank you…:( fix =)
Make sure you’re logged in as root!
I have a question. I have a mac 10.6.4 and I’m assuming it’s a snow leopard and when I type cat etc. and put guid and then the rest of the command I get the same guid and it says permission denied. I’ve done this whole process 9 times now and all I get when I try to get the hash is the guid and permission denied. What do I do? Help me please…
Are you sure you’re logged in as root, or are logged into Single-User Mode?
Why is it that the newer version I download from the JTR website outputs “No password hashes loaded” but the linked version here works just fine? I see that others may strive with the same problem.
Hmm, that’s odd.
What version of the OS are you running?
Hai Jeff, I want to ask : why when i enter
dscl localhost -read /Search/Users/
the terminal write -bash: syntax error near unexpected token `newline’
WHY jeff? Please tell me…..
Are you entering the entire thing on one line?
when i attempt to do step 3b to retrieve the hash, i enter my guid along with the code you said and it comes up with ‘no such file or directory’, tried this with a different user and same result any ideas? is it something to do with i have just upgraded to mac os x lion?(10.7)
Yep, Apple has moved the hashes all around and encrypted them in a different salted encryption scheme in Lion.
We’re working on a new, updated guide. Stay posted.
I’d advise using hashcat advanced password recovery http://hashcat.net/hashcat or better the GPU accelerated versions (oclHashcat) if you have access to any powerful Windows box. It’s just MANY TIMES faster, way more versatile (i.e. can take advantage of NTLM hash if stored)
The config is a bit trickier though, but I can provide quick scenario.
And I’m personally interested in Lion hash dumping too
That’s pretty damn cool. That might be worth revising the article to add in, though I may wait until the Lion stuff. I just wish there was a Mac version, because all my Windows boxes are slower than my Mac ones.
They changed the encryption scheme and the hash location on us in Lion, so we’re still digging and working on another script to decrypt it.
It says “No Password Hashes Loaded”…PLEASE PLEASE HELP!
Double check the hashes, and make sure your .txt file is formatted correctly (user:hash) and it’s in plaintext, and in the correct folder.
When I enter my password in the beginning after I type login root it tells me incorrect but I know it’s correct.
Did you set the root password yourself? Can you log into the root account through the login window?
Hey, I just wanted to say thanks for the article!! I was wondering if you have a Windows version of the site, as I see most of the hacks are for Macs.
But anyways, thanks for the article!! I always thought that with John you had to download some huge dictionary file, I’m glad I was wrong
Sorry to hear that you’re not on a Mac! I’m sure since Windows has a lot larger user-base, there should be a website of some kind (or many different websites) that can teach you how to do similar things.
No dictionary file is required for John, but you can speed up the process with one if the password happens to be in that dictionary file — it’s all up to the user.
The result i got was
Loaded 1 password has (Mac OS X 10.5+ salted SHA-1 [32/32] instead of [32/64].
Was it still successful? Meaning should I let it continue to run to see if a password appears?
That just means that you’re on a 32bit system. That message means it has BEGUN cracking, and has NOT successfully cracked the hash yet. You can hit enter to see the latest guess, but yes, you should continue to let it run until it has successfully cracked the password.
I don’t get a successful hash into John message in single user mode. Instead, it states this:
dyld: Library not loaded: /usr/lib/libcrypto.0.9.7.dylib
Referenced from: /Users//john/./run/john
Reason: no suitable image found. Did find:
/usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
/usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
Trace/BPT trap
Any thoughts?
Thanks for your time and expertise!
deb
What version of the OS are you running?
Also, did you download the version of John from the download link on our site, or theirs? Try downloading and running the other one (they’re different versions). We haven’t updated ours yet because we have received a few reports of people not being able to run the current version but being able to run the version linked from our site.
For you, the inverse may be true.
Let me know if that helped!
I have read all the above but I have not tried it…yet. When I create an encrypted disc image I always use the character palette to add a few unusual characters in the password. My question is: will John the Ripper be able to crack such a password? Or is it almost uncrackable although it is only 8 characters long? I want to include these characters in my login password. Is there a way of accessing the character palette when I log in in order to pick the characters I have used in my password. This is a great site! What is discussed here will never be discussed in the A forum. Thanks.
It certainly would not be discussed there — that’s why we have our own forums in addition to the main site!
Adding unusual characters for a password will greatly add to the time required to crack the password. A good service to check out that I think is (relatively) accurate is http://howsecureismypassword.net/
As for the character palette, I don’t believe you can bring it up when entering your password, but usually there is a key combination linked to a special character. For example, Shift+Alt+K makes this symbol appear: , and Alt+J gets you ∆.
Play around in any word processor or text field and form a very secure password!
Right okay, So I’ve read all that and.. I’ve still got a few queries regarding getting the password..
I’ve set myself a little test to get from a very.. blocked account, To getting the password of an Admin,
Now at the start, You said to Open up Terminal. Now, In my Test.. Terminal is Blocked, and I can’t access it without the Admin Password. How’d you suggest I get around that one if I just want to find out what the Admin Password is, WITHOUT Changing it?
Boot into Single-User mode, mount the drive, and then follow the same steps to get the hash. You can then write down the hash on a piece of paper, and do the John steps at your own convenience on another computer, be it Mac or PC.
Hi,
I’m having a problem with this method which I don’t know about. So right after I ran:
./run/john sha1.txt
Terminal displayed what you said it would;
Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64])
but then right after that it displayed this:
Crash recovery file is locked: ./run/john.rec
and then gave me back my command line. Well I tried running it again with no luck, and it won’t start the process of cracking the password. I have no idea what’s going on or how to fix it so I’d like some help with this.
Hey Rahul, a couple of people have had the same problem (you might actually be able to find them if you scroll up to the previous comments). Try deleting the john.rec file in the /run/ folder, and running it again. It should be regenerated without any issues and start cracking.
Works fine up until I try to decrypt the hash; at that point it says access denied. What should I do?
Are you using sudo or logged in as root, as the article requires?
Following command was loaded
Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64])
Been waiting over two days and keep checking on a regular basis. How do I know everything is ok with guid and hash–I’m asking because the wait seems very long and I’m content to wait if everything comes out ok–but if I’ve done something wrong, I’d prefer to start over. Any thoughts? Thanks.
It can take a long time, but a good way to check up on it is to hit enter and see the latest guess.
Yes, I keep doing that–but the latest guess is not the password, right? It is my understanding that the password will appear only when there is a line that says password (crackMe) guesses: 1 time: 0:00:00:00 100% (2) c/s: 153000 trying: password. So, my point is, checking by hitting the enter button only tells you that the program hasn’t come up with the password yet, right? Is there any other value to see what the latest guess is? Ie. Try the latest guess and see if it works? Thank you so much.
Also, will John program stop on terminal once program has successfully come up with the password?
Also, how many characters will John program reveal?–what is the largest character password?
what does the c/s mean?
Does it mean cracks per second?
If it does mean that mine says: ‘guesses: 0 time: 1:21:22:54 (3) c/s: 1968K trying: 1euy35h7’
Is 1968K too slow?
Because when i look at the other comments, they have way more c/s than me. please reply.
Ben
Hi!
It seems to be when i look for the GUID and i copy and paste this into the terminal
dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-
it replies with
-bash: syntax error near unexpected token `|’
And i cant get past this point if you can help it would be appreciated! Thanks , zack
Are you adding in the short name for the target account into the command?
If so, what OS are you running?
Hey, whenever I open up terminal and stuff and put in the code it says DS Error: -14136 (eDSRecordNotFound)
what do i do
Are you sure that is the exact error number? I can’t find any sources with information pertaining to that DS Error; it looks like it has an extra number in it.
I got as far as loading the hash! All is says now is
zacksmac:john admin$ ./run/john sha1.txt
No password hashes loaded
Check to make sure your sha1.txt file is in the right folder and is formatted correctly.
Also, what OS are you on?
Hey Jeff, is there a free working version that will work with mac osx 10.4.11?
Can’t seem to find the link except for the pro ver.
RC2:/john-1.7.3.1-macosx-universal root# ./run/john sha1.txt
dyld: Library not loaded: /usr/lib/libcrypto.0.9.7.dylib
Referenced from: /john-1.7.3.1-macosx-universal/./run/john
Reason: no suitable image found. Did find:
/usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
/usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
Trace/BPT trap
RC2:/john-1.7.3.1-macosx-universal root#
If not, could we run our own from UNIX binaries?
Thanxx
Hmm, you might be able to download an older version and compile the code yourself. I’d Google the library that it’s requesting and see if there are installation instructions that could make everything play nice.
Hi Jeff,
I have followed your instructions to the dot, but when i finally get to the command :
cat /var/db/shadow/hash/E54E8A9C-BA42-46DD-B3D3-5D9D7574D7CC| cut -c169-216
I get this message every time:
cat: /var/db/shadow/hash/E54E8A9C-BA42-46DD-B3D3-5D9D7574D7CC: Permission denied
I have tried it all twice, re-logging into the root, but still the same message.
Any help would be much appreciated.
That looks to me like you’re forgetting a space between the GUID and the |. Try it again with the correct spacing.
Still running 11 days 12 hours no luck yet. Is there a way to use password hint to load potential words and make john program more effective and efficient? Also still waiting for your response to my earlier questions regarding whether terminal will stop if it finds password or how many characters will John program reveal. Thank you so much for your help.
Not that I know of, but that would be a good idea for a feature request.
I can’t find your previous question in my system backend that I use to reply to comments (and I’m sorry about the delay; I am only one man, after all), but yes, the program will stop when it finds the password and displays the final output. Please watch the video included at the top of the article for an example. JTR cracks the password, which is “banana” — John will display all of the characters of the password.
Still running 22 days 11 hours–have you heard of it taking this long? I’m just hoping everything is ok and it will eventually figure it out. Also, if the password is greater than 8 characters, will it display over 8 characters? Thank you so much for your continued help.
Jeff–still running 29 days. How can I load a wordfile to make John’s work easier, i.e. like a dictionary or word list? If this is possible, can it run at the same time I am continuing to run the brute force mode? HELP!! Thanks.
Is there a way to decrypt OS X administrator account passwords?
Scroll up for the guide on how to do that!
Simple question: Can you have more than 1 root user on a Mac? –I’d like to do this to my computer to see how effective my password is and would like to know if someone is trying to hack the machine. Thanks!
Nope, but you can have more than one administrative user!
Okay, so I can get into single user mode, but once I get there, my keyboard doesn’t work!!! What can I do?!
What does the c/s mean?
Does it mean cracks per second?
If it does mean that, mine says: ‘guesses: 0 time: 1:21:22:54 (3) c/s: 1968K trying: 1euy35h7’
Is 1968K too slow?
Because when I look at the other comments, they have way more c/s than me. Please reply.
Ben
Hello, I am back again.
I was wondering, as JTR has been running for 2 days now, if you had an estimate on how long it would take?
A previous password I cracked from the same place was “ti0fsmdgt@e!2009”.
Do you know on average how much longer it would take?
Any help would be much appreciated.
Regards,
Luke.
Also, I am used to Windows more, but I am still alright with the commands. I was going to ask how to assign both of my cores to JTR to make it run faster.
Thanks.
What does the c/s mean?
Does it mean cracks per second?
If it does mean that, mine says: ‘guesses: 0 time: 1:21:22:54 (3) c/s: 1968K trying: 1euy35h7’
Is 1968K too slow?
Because when I look at the other comments, they have way more c/s than me. Please reply.
Ben
P.S.: You didn’t reply to my previous comment about this, so can you please reply to this one? Thanks.