This guide is an updated version of our extremely popular guide, Decrypt OS X User Account Passwords. The guide has been updated to work with Mountain Lion 10.8.
- Physical access to the machine.
If you need to crack passwords on Tiger, Leopard, or Snow Leopard, please use our tried-and-true Decrypt OS X User Account Passwords guide.
If you need to crack passwords on Mac OS X Lion 10.7 (NOT Mountain Lion), our guide for that is here: Crack Password Hashes in OS X Lion.
Watch the screencast or scroll down to continue reading the written tutorial.
1. Gain Root OR Admin Access
If you don’t have access to an administrator already, you need to acquire root access.
If you don’t have admin access, boot the computer into Single-User Mode by holding CMD+S on startup, mount the drive, and type the command:
/sbin/mount -uw /
launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist
Then, enter your new root password when prompted twice. After the password has been reset, type:
And hit return/enter.
2. Log In
Log into an administrator account that you have access to on the computer, or, if you don’t have access to one, select “Other” in the Login Window (only if you have User Account Pictures enabled), and enter “root” as the username, and then the password that you just set.
3. Download Utility
For 10.8, we’ll be using the DaveGrohl utility to both crack the password and extract the hash.
The utility works by extracting the hash from the User Profile, which is located in:
Withreplaced with the name of the target user. It pulls the hash from the ‘ShadowHashData’ field and begins cracking.
Download the DaveGrohl 10.8 cracking utility.
If the above link isn’t working, please visit DaveGrohl.org to download.
4. Open Up Terminal and Open the Directory
Once you’ve downloaded the utility, open up Terminal and type:
5. Crack The Password
Type the following to begin cracking the password:
sudo ./dave -u
Replacing with the shortname of the target user and entering your password when prompted (it will not prompt you for a password if you’re logged into the root account).
DaveGrohl will begin cracking your password via wordlists and then continue with brute-forcing until it gets the password.
It can take quite a bit of time, depending on the complexity of the password, so be patient! Passwords we’ve cracked have ranged from a few seconds to several days, and Apple’s new password encryption scheme with Mountain Lion (PBKDF2) really throttles the speed at which DaveGrohl can work.
When DaveGrohl has successfully cracked the hash, it’ll spit out a message like this:
-- Found password : 'banana'
-- (dictionary attack)
Finished in 0.772 seconds / 51,860 total guesses…
67,209 guesses per second.
5. Optional: Extract Hashes
If you only have a limited window of access to the target computer, DaveGrohl can give you the hash formatted for cracking in John The Ripper, so you can crack the password on a computer of your choice at your convenience. We cover how to use John in our other guide, so check that out if you’re interested.
To extract a correctly formatted hash, use this command:
sudo ./dave -j
Replacing with the target user’s shortname, and again, entering your password if prompted.
You can then copy and paste the output into a .txt file and load it into John.
Here are a few advanced options that can be used when cracking passwords with DaveGrohl. Type:
before entering any of the following parameters.
-u username : Crack a user’s password.
-i : Incremental attack only.
-c chars : Specify possible characters in the password.
-m # : Specify minimum length of the password.
-M # : Specify maximum length of the password.
-v : Verbose mode. (hella slow)
-j username : Dump a user’s password hash formatted for John the Ripper.
-h : Help
Let us know in the comments if this worked for you, and if you can get the cracking times anywhere near the times you got with Lion!