Crack OS X Mountain Lion Passwords
This guide is an updated version of our extremely popular guide, Decrypt OS X User Account Passwords. The guide has been updated to work with Mountain Lion 10.8.
Requirements
- Physical access to the machine.
If you need to crack passwords on Tiger, Leopard, or Snow Leopard, please use our tried-and-true Decrypt OS X User Account Passwords guide.
If you need to crack passwords on Mac OS X Lion 10.7 (NOT Mountain Lion), our guide for that is here: Crack Password Hashes in OS X Lion.
Procedure
Watch the screencast or scroll down to continue reading the written tutorial.
1. Gain Root OR Admin Access
If you don’t have access to an administrator already, you need to acquire root access.
If you don’t have admin access, boot the computer into Single-User Mode by holding CMD+S at startup, then mount the drive read-write by typing the command:
/sbin/mount -uw /
Followed by:
launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist
And finally:
passwd
Then enter your new root password twice when prompted. After the password has been reset, type:
restart
And hit return/enter.
2. Log In
Log into an administrator account that you have access to on the computer, or, if you don’t have access to one, select “Other” in the Login Window (only if you have User Account Pictures enabled), and enter “root” as the username, and then the password that you just set.
3. Download Utility
For 10.8, we’ll be using the DaveGrohl utility to both crack the password and extract the hash.
The utility works by extracting the hash from the User Profile, which is located in:
/private/var/db/dslocal/nodes/Default/users/.plist
With the username placeholder replaced by the shortname of the target user. It pulls the hash from the ‘ShadowHashData’ field and begins cracking.
Download the DaveGrohl 10.8 cracking utility.
If the above link isn’t working, please visit DaveGrohl.org to download.
4. Open Up Terminal and Open the Directory
Once you’ve downloaded the utility, open up Terminal and type:
cd Downloads/DaveGrohl
5. Crack The Password
Type the following to begin cracking the password:
sudo ./dave -u
Replacing the username placeholder with the shortname of the target user, and entering your password when prompted (it will not prompt you for a password if you’re logged into the root account).
That’s It!
DaveGrohl will begin cracking your password via wordlists and then continue with brute-forcing until it gets the password.
It can take quite a bit of time, depending on the complexity of the password, so be patient! Passwords we’ve cracked have ranged from a few seconds to several days, and Apple’s new password encryption scheme with Mountain Lion (PBKDF2) really throttles the speed at which DaveGrohl can work.
When DaveGrohl has successfully cracked the hash, it’ll spit out a message like this:
-- Found password : 'banana'
-- (dictionary attack)
Finished in 0.772 seconds / 51,860 total guesses…
67,209 guesses per second.
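As an added illustration of why the PBKDF2 scheme mentioned above throttles guessing (this is example code, not part of the original guide or of the DaveGrohl tool): a PBKDF2-HMAC-SHA512 verifier with a constructed salt and password, plus a timing of how many guesses per second one core manages at different iteration counts. The PBKDF2-HMAC-SHA512 variant, the 16-byte salt, the iteration count and all function names are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo values (not from any real machine): Mountain Lion's scheme
# is assumed here to be PBKDF2-HMAC-SHA512 with a 16-byte salt and a fixed
# iteration count; the salt, password and count below are made up.
ITERATIONS = 20_000
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PASSWORD = "banana"


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 64-byte key with PBKDF2-HMAC-SHA512 from the standard library."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=64)


def verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Check one candidate against the stored key using a constant-time compare."""
    return hmac.compare_digest(derive(password, salt, iterations), stored)


def guess_rate(iterations: int, guesses: int = 10) -> float:
    """Candidate passwords one CPU core can test per second at this iteration
    count. Every guess costs the full PBKDF2 work, so raising the count
    directly lowers the rate a cracker such as DaveGrohl can reach."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(guesses):
        derive(f"candidate{i}", salt, iterations)
    return guesses / (time.perf_counter() - start)


def slowdown(low: int, high: int) -> float:
    """How many times slower guessing becomes going from `low` to `high` rounds."""
    return guess_rate(low) / guess_rate(high)


if __name__ == "__main__":
    stored = derive(DEMO_PASSWORD, DEMO_SALT, ITERATIONS)
    print("correct password verifies:", verify("banana", DEMO_SALT, ITERATIONS, stored))
    print("wrong password verifies:  ", verify("apple", DEMO_SALT, ITERATIONS, stored))
    for rounds in (1, 1_000, ITERATIONS):
        print(f"{rounds:>6} rounds: {guess_rate(rounds):>12,.0f} guesses/second")
```

The printed rates are machine dependent; the point is the ratio between one round and tens of thousands, which is the throttling the guide observes on Mountain Lion.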
6. Optional: Extract Hashes
If you only have a limited window of access to the target computer, DaveGrohl can give you the hash formatted for cracking in John The Ripper, so you can crack the password on a computer of your choice at your convenience. We cover how to use John in our other guide, so check that out if you’re interested.
To extract a correctly formatted hash, use this command:
sudo ./dave -j
Replacing the username placeholder with the target user’s shortname and, again, entering your password if prompted.
You can then copy and paste the output into a .txt file and load it into John.
Advanced Options
Here are a few advanced options that can be used when cracking passwords with DaveGrohl. Type:
sudo ./dave
before entering any of the following parameters.
-u username : Crack a user’s password.
-i : Incremental attack only.
-c chars : Specify possible characters in the password.
-m # : Specify minimum length of the password.
-M # : Specify maximum length of the password.
-v : Verbose mode. (hella slow)
-j username : Dump a user’s password hash formatted for John the Ripper.
-h : Help
Let us know in the comments if this worked for you, and if you can get the cracking times anywhere near the times you got with Lion!
14 Comments
forumhero
10.24.2012
Awesome! Thank you Dave, if you’re reading this, for the great tool, and also congrats on being the first cracking tool to support OS X 10.8.
I’ve tested on my MBP-R running 10.8.2 and it worked as advertised. I’ve submitted a feature request to the folks at hashcat.net, hopefully we can get GPU support for this as well.
Nick Jones
10.24.2012
Can you make a video for this version as well?
Anonymous
11.08.2012
The user I am trying to crack is called “Don’t delete”
I am logged in using the root user, but when I type
sudo ./dave -u Don’t delete
terminal just says
>
and nothing happens.
What do I need to do?
Slyzon
11.14.2012
Trying to use this on 10.8.2 but I am getting a “No readable password file” message. What should I try from here?
Sam Groeller
11.29.2012
Hi, I recently tried this on my computer and when I get to typing in the new password it won’t let me type anything at all because the ‘root’ account has been disabled?
BIGFAN
11.30.2012
May you please give us a shortname to use, so we can practice. I have asked people to give me their shortname but it doesn’t work. I said I won’t hack them, but it doesn’t work. Thanks! I am your biggest fan ever Jeff!
Bris
12.03.2012
I wonder how do you change the name from Apple to other user names?
Danny
12.03.2012
Could you please make a PDF version of this like you made with the Snow Leopard version?
Thanks!
Forrest Sams
12.05.2012
Does this work with 10.8.2?
Marcel
12.24.2012
Great tutorial, thanks again.
JohnnyBoy
01.19.2013
So, I followed this tutorial, and I was able to execute
sudo ./dave -u
However, it takes forever on the mac, and I can’t wait that long. So, I tried executing
sudo ./dave -j
to get the hashcode. So, I saved the hashcode in a .txt file and supplied it to my Windows computer (I also tried in Ubuntu). However, every time I try to use John the Ripper to crack it, it says “No password hashes loaded.” The FAQ on the John the Ripper site says the hashcode is shadowed. However, I thought the hashcode became unshadowed after using the DaveGrohl utility with flag -j
I’m confused, any help would be appreciated.
Levi
02.10.2013
Doesn’t work for me…
I type in ;
cd Downloads/DaveGrohl
Then;
sudo ./dave -MountainLion
(mountainlion is my short name)
and it just sits there?
Also I tried earlier replacing ‘dave’ instead with my shortname, and got ‘command not found’ error message… I assume this is because I got the syntax wrong.
Levi
02.12.2013
OK, I rectified the first issue.
sudo ./dave -u MountainLion
(I forgot to put in the -u before the short name)
I have now left the Mac for several days doing its thing… but it looks different to yours, for example, here’s a line:
0000:00:41 2,766 (charlotte) (ablated) [qm] [va1] [e7c] [uh5]
Instead of saying “Started 8 digit passwords” like yours, it spits out what seems to be some workings?… I’m not sure that it’s doing anything :(
If I use the arrow key down, it shows more lines like the above.
I’m now up to:
0019:01:11 4,474,738 [pafde] [30e0e] [6jt0e] [u430e]
What does it all mean?!
bob
02.15.2013
Great tuts, by the way.
IT’S OH ESS TEN, NOT OH ESS EX
considering the fact that Apple went from OS 9 to MAC OS X as in TEN or 10.
Decrypt OS X User Account Passwords - Hack Mac
10.22.2012
[...] computer running 10.6 Snow Leopard, 10.5 Leopard, or 10.4 Tiger (we have Mountain Lion 10.8 in a separate guide, and another one for Lion [...]