
Crack OS X Mountain Lion Passwords

This guide is an updated version of our extremely popular guide, Decrypt OS X User Account Passwords. The guide has been updated to work with Mountain Lion 10.8.

Requirements

    • Physical access to the machine.

If you need to crack passwords on Tiger, Leopard, or Snow Leopard, please use our tried-and-true Decrypt OS X User Account Passwords guide.

If you need to crack passwords on Mac OS X Lion 10.7 (NOT Mountain Lion), our guide for that is here: Crack Password Hashes in OS X Lion.

Procedure

Watch the screencast or scroll down to continue reading the written tutorial.

1. Gain Root OR Admin Access

If you don’t already have access to an administrator account, you need to acquire root access.

If you don’t have admin access, boot the computer into Single-User Mode by holding CMD+S on startup, then type the following command to mount the drive read-write:

/sbin/mount -uw /

Followed by:

launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist

And finally:

passwd

Then enter your new root password twice when prompted. After the password has been reset, type:

restart

And hit return/enter.

2. Log In

Log into an administrator account that you have access to on the computer, or, if you don’t have access to one, select “Other” in the Login Window (only if you have User Account Pictures enabled), and enter “root” as the username, and then the password that you just set.

3. Download Utility

For 10.8, we’ll be using the DaveGrohl utility to both crack the password and extract the hash.

The utility works by extracting the hash from the user’s profile, which is located in:

/private/var/db/dslocal/nodes/Default/users/<username>.plist

With <username> replaced with the shortname of the target user. It pulls the hash from the ‘ShadowHashData’ field and begins cracking.

Download the DaveGrohl 10.8 cracking utility.

If the above link isn’t working, please visit DaveGrohl.org to download.

4. Open Up Terminal and Open the Directory

Once you’ve downloaded the utility, open up Terminal and type:

cd Downloads/DaveGrohl

5. Crack The Password

Type the following to begin cracking the password:

sudo ./dave -u <username>

Replacing <username> with the shortname of the target user and entering your password when prompted (it will not prompt you for a password if you’re logged into the root account).

That’s It!

DaveGrohl will begin cracking the target user’s password via wordlists and then continue with brute-forcing until it finds the password.

It can take quite a bit of time, depending on the complexity of the password, so be patient! Cracking times we’ve seen have ranged from a few seconds to several days, and Apple’s new password hashing scheme in Mountain Lion (PBKDF2) really throttles the speed at which DaveGrohl can work.
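To show why an iterated KDF throttles a cracker, here is an added illustration (not code from the post or from DaveGrohl) that builds a constructed PBKDF2 record, verifies candidates against it, and measures how the guess rate falls as the iteration count rises. The post only says “PBKDF2”; HMAC-SHA512, the 128-byte output, the record layout and the iteration counts below are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example, not part of DaveGrohl. Assumed parameters: PBKDF2-HMAC-SHA512,
# 128-byte derived key, a {salt, iterations, entropy} record (not stated in the post).
HASH_NAME = "sha512"
DKLEN = 128


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch one candidate password; this is the cost of every single guess."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, DKLEN)


def make_record(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Build a constructed stored record: random salt, iteration count, derived entropy."""
    salt = salt if salt is not None else os.urandom(32)
    return {"salt": salt, "iterations": iterations,
            "entropy": derive(password, salt, iterations)}


def verify(candidate: str, record: dict) -> bool:
    """Re-derive with the stored salt and iterations, then compare in constant time."""
    guess = derive(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(guess, record["entropy"])


def measure_rate(iterations: int, samples: int = 10) -> float:
    """Single-core guesses per second at this iteration count (timing varies by machine)."""
    salt = b"\x00" * 32  # fixed salt so only the iteration count changes between runs
    start = time.perf_counter()
    for i in range(samples):
        derive(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of exactly `length` characters at `rate`."""
    return charset_size ** length / rate


if __name__ == "__main__":
    record = make_record("banana", iterations=20000)  # constructed; count is assumed
    print(verify("banana", record), verify("bananas", record))
    for it in (1, 1000, 20000):
        r = measure_rate(it)
        days = seconds_to_exhaust(26, 8, r) / 86400
        print(f"{it:>6} iterations: {r:,.0f} guesses/s; 8 lowercase chars, worst case {days:,.1f} days")
```

The same arithmetic applied to the 67,209 guesses per second quoted below gives the scale of a full 8-character lowercase search at that rate.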

When DaveGrohl has successfully cracked the hash, it’ll spit out a message like this:

-- Found password : 'banana'
-- (dictionary attack)

Finished in 0.772 seconds / 51,860 total guesses…
67,209 guesses per second.

6. Optional: Extract Hashes

If you only have a limited window of access to the target computer, DaveGrohl can give you the hash formatted for cracking in John The Ripper, so you can crack the password on a computer of your choice at your convenience. We cover how to use John in our other guide, so check that out if you’re interested.

To extract a correctly formatted hash, use this command:

sudo ./dave -j <username>

Replacing <username> with the target user’s shortname, and again, entering your password if prompted.

You can then copy and paste the output into a .txt file and load it into John.

Advanced Options

Here are a few advanced options that can be used when cracking passwords with DaveGrohl. Type:

sudo ./dave

before entering any of the following parameters.

-u username : Crack a user’s password.
-i : Incremental attack only.
-c chars : Specify possible characters in the password.
-m # : Specify minimum length of the password.
-M # : Specify maximum length of the password.
-v : Verbose mode. (hella slow)
-j username : Dump a user’s password hash formatted for John the Ripper.
-h : Help

Let us know in the comments if this worked for you, and if you can get the cracking times anywhere near the times you got with Lion!

14 Comments

  1. forumhero

    10.24.2012


    Awesome! Thank you, Dave, if you’re reading this, for the great tool, and also congrats on being the first cracking tool to support OS X 10.8.

    I’ve tested on my MBP-R running 10.8.2 and it worked as advertised. I’ve submitted a feature request to the folks at hashcat.net, hopefully we can get GPU support for this as well.

  2. Nick Jones

    10.24.2012


    Can you make a video for this version as well?

  3. Anonymous

    11.08.2012


    The user I am trying to crack is called “Don’t delete”

    I am logged in using the root user, but when I type

    sudo ./dave -u Don’t delete

    terminal just says

    >

    and nothing happens.

    What do I need to do?

  4. Slyzon

    11.14.2012


    Trying to use this on 10.8.2 but I am getting a “No readable password file” message. What should I try from here?

  5. Sam Groeller

    11.29.2012


    Hi, I recently tried this on my computer, and when I get to typing in the new password it won’t let me type anything at all because the ‘root’ account has been disabled?

  6. BIGFAN

    11.30.2012


    May you please give us a shortname to use, so we can practice. I have asked people to give me their shortname but it doesn’t work. I said I won’t hack them, but it doesn’t work. Thanks! I am your biggest fan ever, Jeff!

  7. Bris

    12.03.2012


    I wonder how you change the name from Apple to other user names?

  8. Danny

    12.03.2012


    Could you please make a PDF version of this like you made with the Snow Leopard version?

    Thanks!

  9. Forrest Sams

    12.05.2012


    Does this work with 10.8.2?

  10. Marcel

    12.24.2012


    Great tutorial, thanks again.

  11. JohnnyBoy

    01.19.2013


    So, I followed this tutorial, and I was able to execute
    sudo ./dave -u

    However, it takes forever on the mac, and I can’t wait that long. So, I tried executing
    sudo ./dave -j
    to get the hashcode. So, I saved the hashcode in a .txt file and supplied it to my Windows computer (I also tried in Ubuntu). However, every time I try to use John the Ripper to crack it, it says “No password hashes loaded.” The FAQ on the John the Ripper site says the hashcode is shadowed. However, I thought the hashcode became unshadowed after using the davegrohl utility with flag -j.
    I’m confused, any help would be appreciated.

  12. Levi

    02.10.2013


    Doesn’t work for me…

    I type in:
    cd Downloads/DaveGrohl

    Then:
    sudo ./dave -MountainLion

    (mountainlion is my short name)

    and it just sits there?
    Also, I tried earlier replacing ‘dave’ with my shortname instead, and got a ‘command not found’ error message… I assume this is because I got the syntax wrong.

  13. Levi

    02.12.2013


    OK, I rectified the first issue.

    sudo ./dave -u MountainLion

    (I forgot to put in the -u before the short name)

    I have now left the Mac for several days doing its thing… but it looks different to yours; for example, here’s a line:

    0000:00:41 2,766 (charlotte) (ablated) [qm] [va1] [e7c] [uh5]

    Instead of saying “Started 8 digit passwords” like yours, it spits out what seems to be some workings?… I’m not sure that it’s doing anything :(
    If I use the arrow key down, it shows more lines like the above.

    I’m now up to:
    0019:01:11 4,474,738 [pafde] [30e0e] [6jt0e] [u430e]

    What does it all mean?!

  14. bob

    02.15.2013


    Great tuts, by the way.

    IT’S OH ESS TEN, NOT OH ESS EX

    considering the fact that Apple went from OS 9 to MAC OS X as in TEN or 10.
