Decrypt OS X User Account Passwords

This guide outlines the steps required to acquire the password of a local Mac OS X account. The procedure is a bit command-heavy but should be relatively straightforward.

The full guide is written below. I’ve also put together a screencast on our YouTube channel to help walk you through the process, but feel free to skip it and read on.

Requirements

    • A computer running 10.6 Snow Leopard, 10.5 Leopard, or 10.4 Tiger (we have Mountain Lion 10.8 in a separate guide, and another one for Lion 10.7)
    • Either the ability to boot into single-user mode or to log in using the root password. (If the computer has a firmware password be sure to check out our accessing single-user mode guide.)
    • Access to an account on the computer you are trying to access. (Administrator account, a limited account, or even a network account. You just need to be able to open up Terminal.)

We have separate guides for cracking Mountain Lion (10.8) passwords or cracking OS X Lion (10.7) passwords, if you’re running a newer version of the OS.

Procedure

1. Log in and open Terminal.

Log into any account on the computer and open up the Terminal application. This application can be found at /Applications/Utilities/Terminal.app

2. Finding the GUID (Globally Unique Identifier)

You first need to find out the Globally Unique Identifier. This identifies the user to the Mac OS X authentication system, and is the name of the shadow file in which the password is contained. Depending on your version of OS X, enter one of the following commands:

If you are using 10.5 Leopard or 10.6 Snow Leopard enter this command:

dscl localhost -read /Search/Users/<username> | grep GeneratedUID | cut -c15-

If you’re on a 10.4 Tiger machine, enter this command:

niutil -readprop . /users/<username> generateduid

In both cases replace <username> with the shortname of the account you want to find the password for (e.g. admin or root). You should get a value that looks like A66BCB30-2413-422A-A574-DE03108F8AF2. This is the GUID. Write it down; we’ll need it later on.

3. Obtaining the Password Hash

Password hashes are a one-way transformed form of the user’s password. When the user enters their password to log in, the computer runs it through a hashing scheme to create a salted SHA1 hash, which it checks against the stored hash in the computer. If they match, the computer logs you in. We will be using the same method the computer uses to authenticate the login to crack the password: hashing candidate passwords and comparing them with the stored hash.

To obtain the password hashes, we need root access. If you have the root password, just log in as the root user through Terminal: type login root, enter the root password when prompted and then continue to Step 3b. However, if you aren’t lucky enough to have the root password, you’ll need to boot into single-user mode.

3a. Booting in Single User Mode

To boot into single-user mode, restart the computer. When you hear the startup chime, hold down CMD+S. Soon you should see a black screen with a lot of white text appear. If single-user mode is locked, follow one of the other guides on how to gain access.

3b. Obtaining the Hash

Enter the following into the command line, replacing <GUID> with the GUID you wrote down from Step 2.

cat /var/db/shadow/hash/<GUID> | cut -c169-216

After running the command, it should spit back out a hash that’s formatted like this: 33BA7C74C318F5D3EF40EB25E1C42F312ACF905E20540226.
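How the 48-character value from Step 3b is laid out and checked at login, as an added example that is not part of the original guide. It assumes the commonly documented layout for this format (an 8-hex-digit, 4-byte salt followed by SHA1 of salt plus password) and UTF-8 password encoding; the function names and the sample shadow text are constructed for illustration.

```python
import hashlib
import hmac
import re

# `cut -c169-216` is 1-based and inclusive; this is the same span as a 0-based slice.
FIELD_START, FIELD_END = 168, 216
FIELD_RE = re.compile(r"[0-9A-Fa-f]{48}")

# Hash value quoted in the guide (Step 3b).
PAGE_SAMPLE = "33BA7C74C318F5D3EF40EB25E1C42F312ACF905E20540226"


def split_field(field):
    """Split the 48-hex-digit field into (4-byte salt, 20-byte SHA1 digest)."""
    if not FIELD_RE.fullmatch(field):
        raise ValueError("field must be exactly 48 hexadecimal characters")
    raw = bytes.fromhex(field)
    return raw[:4], raw[4:]


def extract_field(shadow_text):
    """Return the salted SHA1 field from the text of a shadow hash file."""
    field = shadow_text[FIELD_START:FIELD_END]
    if not FIELD_RE.fullmatch(field):
        raise ValueError("no 48-hex-digit field at columns 169-216")
    return field.upper()


def make_field(salt, password):
    """Build a field under the assumed layout: hex(salt + SHA1(salt + password))."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return (salt + digest).hex().upper()


def verify(field, candidate):
    """The login check: re-hash the candidate with the stored salt and compare."""
    salt, stored = split_field(field)
    computed = hashlib.sha1(salt + candidate.encode("utf-8")).digest()
    # Constant-time comparison, as a verifier should use.
    return hmac.compare_digest(stored, computed)


def parse_john_line(line):
    """Validate one `username:hash` line in the form the guide uses for sha1.txt."""
    user, sep, field = line.strip().partition(":")
    if not sep or not user or user != user.strip() or field != field.strip():
        raise ValueError("expected username:hash with no spaces around the colon")
    split_field(field)  # raises ValueError on a malformed hash
    return user, field.upper()


if __name__ == "__main__":
    # Constructed sample: a made-up salt and password, placed in a zero-filled
    # stand-in for a shadow file (the padding lengths are illustrative).
    sample_field = make_field(bytes.fromhex("01020304"), "correct horse")
    shadow_text = "0" * FIELD_START + sample_field + "0" * 100

    field = extract_field(shadow_text)
    salt, digest = split_field(field)
    print("salt:", salt.hex(), "digest bytes:", len(digest))
    print("right password accepted:", verify(field, "correct horse"))
    print("wrong password accepted:", verify(field, "Correct horse"))

    # The guide's own sample splits the same way: 8 hex digits of salt, 40 of digest.
    page_salt, page_digest = split_field(PAGE_SAMPLE)
    print("guide sample salt:", page_salt.hex().upper())
    print(parse_john_line("crackMe:" + PAGE_SAMPLE))
```

Each check costs a single SHA1 pass over a few bytes, which is why the John output later in this guide reports guess rates in the hundreds of thousands per second.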

4. Decrypting the Hash

At this point, you need access to another computer (it could be the same computer, if you have access for a long time), where we will use the application “John the Ripper” (“John”) to recover the password from the hash. John will use ‘brute force’ to determine what the password is in cleartext. That means that the application will systematically generate passwords, hash them with the salted SHA1 scheme, and check them against the hash you found to see if the password matches.

You can download John the Ripper for Mac OS X here, and for Windows here.

Open up the zip file and drag the “John the Ripper” folder into your base directory. Now it gets a little tricky so be sure to follow the instructions correctly.

4a. Create a Text File Containing the Hash

Create a text file in your John the Ripper folder called sha1.txt. Inside this file you should have the username and the hash. So if I wanted to find the password for the account crackMe inside sha1.txt I would see: crackMe:33BA7C74C318F5D3EF40EB25E1C42F312ACF905E20540226

4b. Navigating to John the Ripper

Now you need to open up the Terminal application and navigate into the directory of your John the Ripper folder. If you followed the directions and put the folder into your base directory (your home folder), the command should be:
cd ~/name_of_your_john_folder/

If you decided to be a rebel and leave the John the Ripper folder in a different directory, you just need to type in the full path to the directory.

4c. Cracking the Password with John the Ripper

All we have left is to load the hash into John. To do so, type in the following terminal command:

./run/john sha1.txt

If John loads the hash successfully, you’ll get a message in the form of:

Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64])

Depending on the complexity of the password this process could take anywhere from a second to a day, so be patient. When John is successful at cracking the hash, it will display something along the lines of:

password (crackMe) guesses: 1 time: 0:00:00:00 100% (2) c/s: 153000 trying: password

Any text after trying: should be the password.

The contents of this guide are for educational use only. For more information, see our Disclaimer.

369 Comments

  1. Mark

    11.14.2010

    Thanks a bunch. Got a used Mac, couldn’t update anything. Done just right.

    • Bobby

      07.07.2011

      Hi. I don’t have the first step down. I don’t have a user account because the guy who uses the computer (the only one who has the admin password) is in Germany. I am locked out. How do I find the admin password? I can’t access the first step without an account password…. How do I “Hack” the admin password? Thanks!

    • Jeff Browning

      07.09.2011

      Just boot into Single-User Mode to retrieve the hash, instead of via terminal. You can then take the hash and decrypt it on another computer that you do have access to (it can even be a Windows machine!)

    • Bobby

      07.17.2011

      But if I don’t have an account how can I get the GUID that I need for it to access the hash? How do I get the hash without having an account?

    • Rex

      08.09.2011

      Make your own account via deleting the applestartup thing in SUM. I think it’s listed here somewhere, plus you’ll get it as an Admin account too.

    • jeffh38

      02.21.2012

      Is there an alternative to using john? Found this website. Will it work? http://www.md5decrypter.co.uk/

  2. Rob

    11.16.2010

    I can’t get this to work! I can’t run the last command of “./run/john sha1.txt”, it always says “-bash: ./run/johnsha1.txt: No such file or directory”
    Can someone please help?

    Thanks,
    Rob

    • Alex Galvin

      11.16.2010

      Hey Rob – Did you cd into your john folder? You have to navigate into the John the Ripper folder you downloaded to be able to run the command. Also, make sure you’re including the space; You said you entered “./run/johnsha1.txt”, and it should be “./run/john sha1.txt”.

    • Santiago

      02.15.2011

      I have done everything the instructions tell me to, but when I do “./run/john sha1.txt” it tells no such file or directory

    • Jeff Browning

      02.17.2011

      Chances are, you haven’t cd’d into the proper directory — some other people in the comments have done that too. In Terminal, make sure you navigate to the ‘john’ folder first. If you’re unclear as to where you are, open up a new Terminal window (it starts pre-navigated to your home folder), and you can always check to see what files are in the current directory by typing “ls” (Short for LIST — make sure it’s l as in Lion, not i as in ice cream. The letters tend to look similar.)

    • Andrew Swait

      06.08.2011

      Most important of all make sure you’ve actually put that sha1.txt file INTO your john directory before running the command. You can’t run the file if it doesn’t exist in that location. Forgive me if you’ve already tried this!

    • Thewalker

      12.07.2011

      The command is ./run/john sha1.txt.

      Note that there is a space between john and sha1.txt, which your command seems to be missing.

    • Forrest

      01.02.2012

      I have done all of this and I keep getting the message about the file or directory not existing. I can CD into it, but when I try to enter “./run/john sha1.txt” it spits back the error

    • Nate

      02.27.2012

      I had a similar problem. In the sha1.txt make sure that there is no space between the username, the : , and the code thing

    • Alex Myers

      07.09.2012

      That happened to me too. But you have to make sure you put it in your home directory.

  3. Agnusmaximus

    12.25.2010

    Nice tutorial!
    What does the -c169-216 and -c15- represent before the cut commands?

    • arandomguy

      01.25.2011

      characters 169 to 216 and characters 15 to end.

    • Agnusmaximus

      02.08.2011

      Cool thanks!

  4. masiewpao

    12.25.2010

    good stuff good stuff, this is an awesome site! keep the posts coming please!!

  5. Penguin

    01.25.2011

    Hi
    I’m having trouble once I get to 4a
    When I download John the Ripper it comes in a folder called john-1.7.3.1-macosx-universal
    not a zip file as far as I can tell (I’m not particularly good with computers)
    I moved it into my home folder anyway, created a text file and all that, I tried a number of things in Terminal but it didn’t seem to find it.
    What am I doing wrong?

    Thank you

    • Jeff Browning

      02.01.2011

      @Penguin,

      It is a zip file, but nowadays Mac OS X unzips it for you when it hits your downloads folder.
      Are you able to “cd” into the folder? If not, when you have Terminal open, type in “ls” (without quotations). That will display a list of all of the folders in your home folder, and just make sure that it’s there.
      Also, just in case Terminal is having some issue with dashes (it shouldn’t, but you never know), try renaming the folder to just “john”, and then cd into the directory.

      Let me know if this works, or if you’re still having trouble!

    • Penguin

      02.01.2011

      I type in is and this is what it says
      -bash: is: command not found

    • Jeff Browning

      02.01.2011

      Ah, that’s a bit of a reading error; the command is lowercase LS (short for list), not IS. The lowercase i’s and l’s look a bit too similar.

    • Penguin

      02.02.2011

      oh right. sorry! :)
      thanks for all the help

      after I run john it comes up with

      Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])

      is that correct and all I have to do is wait now?

    • Penguin

      02.02.2011

      I’ve got it to work!
      thank you so much :)

    • Jeff Browning

      02.09.2011

      Great to hear it worked out for you!

    • Twizt

      03.15.2011

      How did you get it to work.. I got it running with “Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])”
      But!
      guesses: 0 time: 7:14:01:34 (3) c/s: 149433 trying: Db0b4or
      long time, can this even be right?

    • Jeff Browning

      03.16.2011

      Yep, it can take forever depending on the complexity of the password. See what I wrote in response to Ryan below.

    • jeffh38

      02.21.2012

      I got the code that looks like this. B7998PFEE92AA4E77072204D7D8462D6CC3CB34CC7501EBA I had a time limit on the Mac and it expired, but I have access to a Windows 7 laptop. I have the john file in the main programs file and added the text file. Now what?

    • Bo

      05.23.2012

      When I downloaded John the Ripper it came in as john-1.7.9. I think I’ve finally got it to accept when I type it in but in attempting the last step (./run/john sha1txt) I keep getting “no such file or directory”. I typed “ls” and it shows as john.tar. sha1.txt also shows. I’ve tried numerous times. What am I doing wrong?

  6. James

    01.30.2011

    Jeff I can’t even get into the first stage of creating Administrator account!! I hold down the CMDS after the opening chime but nothing happens it just goes straight to login. Is there a way to do it like different way to press the buttons and do I have to press the + symbol after the D?? Please help!

    • Jeff Browning

      02.05.2011

      @James – The CMD+S key combination means the “command” key, also known as the “Apple” key, which is the key directly to the left of your spacebar. If you hold down that key and the “S” key when the computer boots, it’ll bring you into Single User Mode.

      Sorry for the confusion!

  7. MaxMac

    02.16.2011

    Hey Jeff, thanks for this guide man. I have 1 issue though. Once I get to step 4b., I can’t figure out what to do. I have tried your solution to Penguin’s issue (which basically is the same as mine), and “john” is now under the “ls” command. What should I do now? Because “cd /john/” won’t work!

    Thanks in advance,

    Max

    • MaxMac

      02.16.2011

      Wait I’m sorry; new question. I figured out it was “cd john” instead of “cd /john/”. But my issue now is that I hash’ed the wrong password. On my Mac, I’m trying to get to know the admin password or the password to the parental control system. What should I use as my username to get to know the GUID? Just admin or root? Or maybe the real username as in the username that is required to log in? (Which in my case would be Joe) Please help me on this Jeff,

      Max

    • Jeff Browning

      02.17.2011

      Max – in the sha1.txt file, it should have the username that is connected with the hash that you’re trying to crack (i.e., the administrator account), but you should be running these commands from root (if you’re not an administrator).

      Follow our guide on making your account an administrator if you need root or administrator access.

  8. Lilah

    02.17.2011

    I too have loaded my file through terminal and get the message:
    Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])

    is that correct and all I have to do is wait now? – It has been 32 hours now. I don’t know if this is correct?
    Thanks for all of your help. Your site is brilliant!!

    • Jeff Browning

      02.17.2011

      That should work – another commenter (Penguin) had the same message, and it seemed to work out for them.

      However long it takes is completely dependent on the password’s complexity. Let it run for another couple days and let us know how it goes!

  9. marbleduck

    02.18.2011

    If I close my laptop (putting it to sleep), will the program continue running when I open it up again?

    Thanks.

    • Jeff Browning

      02.19.2011

      To be honest, I’m not entirely sure — I would assume that it wouldn’t (Your computer stops commands/processes when your computer goes to sleep, and most need to manually be resumed), but I don’t have anything to support that.

      I’ll have to try it out later this week and let you know how it goes; great question!

  10. MaxMac

    02.18.2011

    Hey Jeff, thanks for the great information! One more question though, please: you posted a link to one of your other guides. I was wondering, when I follow that guide, will my account be fully unrestricted? Will all the time limits be gone? (Because now I have time limits which restrict me to only using the computer 1-several hours a day). This restriction is via Parental Controls. I do not know the password to the parental controls account. So will I still get these limits after I follow your guide? Also: will my restrictor be able to see that I have unrestricted it?

    Thanks again Jeff, keep up the awesome guides ;)

    Max

    • Jeff Browning

      02.19.2011

      Thanks for the support Max!

      The restrictions would no longer apply, but the administrator who placed the restrictions on you would be able to see that the restrictions cannot be put on your account (because it’s an administrator). If you follow the guide to change the root password instead of changing your account from “Managed” to administrator, you can just enter in that password when the computer locks you out due to the time limit. You could allow yourself hours of more time by entering in the password you set for the root account.

    • MaxMac

      02.23.2011

      Ok, thanks Jeff. I got something else to work. I first made a new admin account, then I created a second admin account. But I made the second one a “hidden” user admin account. After that I just removed the first, visible, one and now I have full access to the computer without letting the original admin know. Maybe you could make a guide on this for the other people that want full access, but don’t want anyone knowing? Oh, and Jeff, I just got a mail on your guide to controlling another person’s computer. Pretty damn awesome! Thanks for all mate ;)

      Max

    • Jeff Browning

      02.24.2011

      We’ve got something published that might help with the “hidden administrator” thing, but in a different way.

      It explains how to activate the root account or change the root password from inside Single User Mode (which effectively gives you a hidden administrator account).

      It’s in this article under “Additional Information.”

      Let me know if that helps, or if you still think we should make a clear guide on hiding user accounts. All of these comments are great and really help us clarify everything.

      I’m also really happy you like the guide, and thanks for subscribing — we’ve got some more exclusive stuff for everyone on our newsletter coming soon, so stay tuned!

  11. Shauna

    02.24.2011

    It says “No password hashes loaded”
    I am in the folder, and I have my file named sha1.txt with my user:hash, so why won’t it work?

    • Jeff Browning

      02.25.2011

      Shauna — Is the sha1.txt file in the john folder? And in Terminal, if you type “ls” (l as in Lion and s as in Snake), is one of the files listed the sha1.txt file?

    • Zack

      08.30.2011

      yeah i got exactly that and yes it is listed.

  12. Keegan

    02.28.2011

    Hey Jeff,
    You’ve been super helpful on the other comments so I thought I’d give you a shot.

    I’ve followed all the directions but when I type ./run/john sha1.txt, it just says that no password hashes were loaded. What could I have done wrong?

    • Jeff Browning

      02.28.2011

      Keegan, that’s what I’m here for!

      For no password hashes loaded, it means either that something is wrong with your hash, or just the formatting of the sha1.txt file. The sha1.txt file placed within the john folder (make sure it’s in there!) should look something like this:

      crackMe:33BA7C74C318F5D3EF40EB25E1C42F312ACF905E20540226

      Let me know if this helps!

  13. John Jacob

    03.01.2011

    Hey Jeff!
    I’m having a problem with the ./run/john sha1.txt portion of the guide. It keeps telling me that there is no such file or directory, but I see them when I use the ls function in terminal. I named my folder john, and I put the sha1.txt file with the hash and user shortname in the folder. I had to use without the brackets to find the folder, but now I am stuck. Some help would be much appreciated.
    Keep up the great work by the way!
    JJ

    • Jeff Browning

      03.01.2011

      Hey John — if you type the two letters “ls” (without quotes, and it’s l as in Lion, not i as in Ice Cream), does the john folder show up? If it does, make sure you then type “cd john” (again, without quotes) to enter it, and try running the command again.

      Thanks for the kind words; please feel free to report back with your results!

  14. Cory

    03.01.2011

    Hi Jeff,
    I’m pretty new to terminal and single-user mode, so sorry.
    When I try to find the GUID in Terminal, I get one of two messages. The first, when I type “admin” for I receive the message:

    grep: UID: No such file or directory
    DS Error: -14136 (eDSRecordNotFound)

    Or, when I type the account name I’m trying to hack, I get the “grep: UID: NO such file or directory” message. Any suggestions?

    • Jeff Browning

      03.01.2011

      Cory — If the username you are trying to hack is “admin”, for example, you would enter the following as the command:

      dscl localhost -read /Search/Users/admin | grep GeneratedUID | cut -c15-

      Are you entering that, or just typing the word “admin”?

    • Cory

      03.01.2011

      Ya, typed that exactly… received the message;

      DS Error: -14136 (eDSRecordNotFound).

    • Cory

      03.01.2011

      Ok actually I just punched it in and when I hit return it simply put up a new terminal line for usage. It didn’t give me anything that looks like a GUID

    • Evan Savage

      03.03.2011

      Hi Cory –

      If the error message is:

      DS Error: -14136 (eDSRecordNotFound)

      That means the user doesn’t exist. For example, if you entered the command that Jeff gave you, it would mean that there is no user named ‘admin’ on the computer.

      If you enter it and it just puts up a new line, it means you typed something wrong or missed a letter. You could have typed an extra letter or transposed two letters – it just means the command wasn’t entered correctly.

      So based on the errors you gave, you should make sure you have two things right:
      1. The username of the account
      2. The command must be entered completely correctly

      Hope that helps!

    • James

      07.15.2011

      Try this, it worked for me.

      $ /sbin/fsck -fy
      $ /sbin/mount -uw /
      $ launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
      $ touch /var/db/.AppleSetupDone
      $ passwd root
      $ reboot

  15. Hieu

    03.09.2011

    I tried this but it pops up this:
    -bash: /usr/bin/dscl: Permission denied
    Is there any way I can bypass this, and single-user mode is blocked too

  16. peep139

    03.11.2011

    Hey Jeff, first of all you’re a gangsta for keeping with the posts! But on 4a I get lost. I got the hash and downloaded the john file. But I don’t know where or what the “base directory” is, and when I try to create a .txt via TextEdit.app I can only make .rtf files, there is no .txt option. How can I make a .txt and where should I move the jack file once I get the .txt file in it? Thanks!

    • Jeff Browning

      03.13.2011

      I keep falling a day or two behind all the comments, but I try to get to all of them!

      Your “base directory” is just another name for your “home folder” — we call it that because when you open up Terminal, it uses that folder as a base from which you can start navigating. So you’d put the ‘john’ folder (yep, the whole folder!) into your home folder, then you’d place the .txt file within that.

      You make a good point about the .rtf files in TextEdit. Rtf stands for Rich Text Format, and TextEdit opens these files as default. Since we don’t want rich text (fonts and colors and all that jazz), we want to create plain text files (.txt). To change that, you can open up TextEdit, then go to the menu Format -> Make Plain Text. That will tell TextEdit you want to be able to save as a .txt file. To change it, just go back to the Format menu and you’ll see the button has changed to ‘Make Rich Text’.

      Hope this helps!

  17. Ben

    03.12.2011

    i want to know more about how this works
    first it reads the GUID of the username and cuts it out to terminal right?
    then it gets the hash in the directory

    could you explain what the cat command is and what is a GUID

    thank you so much

    • Jeff Browning

      03.13.2011

      Ben — glad you want to know more! We explain a bit about the GUID in the post, so I’ll be copying and pasting a bit. Let me know if you need any further clarification:

      For the cat command, because I don’t have a better definition, here’s Wikipedia’s:
      “The cat command is a standard Unix program used to concatenate and display files.”

      So, what we’re doing is viewing the contents of the file that’s named after the user’s GUID (Globally Unique IDentifier), then using the ‘cut’ command to only show the characters that pertain to us, i.e. the hash.

      The GUID is the string of characters that the computer identifies the user by in the deep system directories. The reason we need to know it, is because the file that contains the hash is named by the GUID of the user whose hash it’s for.

      If you need any more clarification, just ask!

  18. Ryan

    03.16.2011

    Just needed a little reassurance – this process can take a while right?

    I’ve had this message on my Terminal.app for the past 15 hours – no movement.

    ” Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64]) ”

    Waiting game at this point?

    Also, I’ve hit enter to see what would happen and got this message -

    ” guesses: 0 time: 0:15:24:07 (3) c/s: 2874K trying: fd00ich ”

    Did I mess anything up?

    Thanks for your help!

    • Jeff Browning

      03.16.2011

      Ryan – So far, it looks pretty good. The time it takes is completely dependent on the complexity of the password, and I’ve heard of times running past a week before, but most are resolved by then.

      Again, by complexity, I mean use of uppercase and lowercase letters, numbers, and symbols (!@#&$^). The time increases exponentially depending on how many of these are used in the password.

      When you hit enter, it’ll display the most recent guess that it’s generated, so no, you didn’t screw anything up.

  19. Roel

    03.18.2011

    hello,

    looks nice, but after executing the script it will return a password, however this is not the good one
    it said:
    guesses: 0 time: 0:00:10:13 (3) c/s: 166145 trying: tc4ctha
    but after reading the comments i figured out it was because i was hitting return :D

    really respect for the one who figured this out!

    • Roel

      03.19.2011

      just one more question, when the decryption started it said:
      Loaded 1 password hash (lotus5 [lotus]

      this is different from the “Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64]” in the description. Is this going right? Or is it decrypting a wrong type of hash?

    • Jeff Browning

      03.20.2011

      Roel — I hadn’t seen that before until several readers told me that’s what John is spitting back out at them, and a few said it worked from there, so it should be just fine.
      If it goes longer than a week, either it’s a really secure password or something’s wrong. Check back in to let us know how it’s going!

  20. bob

    03.20.2011

    When I go into the terminal and type sudo passwd root and I put in a password, it says sorry try again.
    What do I do?

    • bob

      03.20.2011

      Never mind, I figured it out but I have another question. After I finished setting up the root account it shows up on the front screen as other on the list of accounts on the startup screen. I thought it was an invisible account.

    • Jeff Browning

      03.21.2011

      It shouldn’t be showing up on the users list, usually it will just add another option that says “Other…”, which when clicked displays a username and password field.

      What version of OS X are you running?

  21. PaulyD

    03.21.2011

    Hey guys, I’ve gotten a problem while trying to obtain the password hash on;
    }
    3b. Obtaining the Hash

    Enter the following into the command line, replacing with the GUID you wrote down from Step 2.

    cat /var/db/shadow/hash/ | cut -c169-216

    } and all i get is

    cat: /var/db/shadow/hash/: Permission denied

    is my actual GUID e.g. = A66BCB30-2413-422A-A574-DE03108F8AF2

    i am logged into an admin terminal

    • Jeff Browning

      03.21.2011

      PaulyD, admin ain’t enough! You have to be logged into root (check the requirements at the top of the post). As long as you’ve got the root password, just type:
      login root
      and enter your password, then run the commands. If you don’t have the root password, follow the second half of this guide:

      http://www.hackmac.org/hacks/from-standard-to-administrator/

  22. robby

    03.24.2011

    Hey jeff, thanks so much for getting back to all of the inquiries! everything has gone pretty smoothly for me but i just want to make sure i have the last part totally right. at 4. “decrypting the hash” you say we’ll need access to another computer. does that mean that john the ripper should eventually decrypt the hash from any computer, even if that computer is not tied to the targeted account? Also, going back to a previous question…if it can take up to a week or more to decrypt, does that mean i have to keep the computer i am running terminal in up and awake non-stop? if i were to put the computer to sleep and wake it up later would the john application pick up where it left off or start all over again? let me know when you get a chance, thanks so much!

  23. John Levine

    03.26.2011

    Hi Jeff! This site is great! I have a quick question: I’m running “john” on a PB G4 (10.5.8), and in the “Loaded 1 password hash” line it says at the end “[32/32]” (without quotes).

    I’m guessing that’s because the G4 isn’t capable of 64-bit mode? This won’t make any difference, will it?

    Everything else came up as described, with no errors, so now I just wait? Is there a way to confirm that it is, indeed, running, other than checking in Activity Monitor?

    I think I read above that if I hit “Enter” it will return the latest guess, without interrupting the process?

    Thanks! Good stuff here!

    • Jeff Browning

      03.28.2011

      Yep, it won’t interrupt anything, and it’s a good way to check on it.

      You can also check your system logs, as it should show up in there.

  24. Phil

    03.26.2011

    Hi,

    I have followed your instructions completely and have had a look at all the other responses and I seem to be doing this correctly.

    I have Downloaded John the ripper I have saved the hash file into the run folder. when i try to run it it comes up:

    sh: ./sha1.txt: Permission denied

    I am logged into the root account, the password i am trying to get is for a standard account. Does this make a difference? I also used a hash for an admin account and it does the same thing as well.

    I think my problem is when I install Jack the Ripper, I downloaded it, extract the file, save the folder onto my desktop. Then I open up the terminal and do all the commands, I find the file and run it but that error comes up. Should I be doing something with the Jack The Ripper files?

    can you help me please?

    • Jeff Browning

      03.28.2011

      Phil – If you followed our instructions completely, then the John the Ripper (not Jack! Jack is a serial killer) folder should be in your Home folder, not the Desktop.

      Try moving it there, with the properly formatted sha1.txt file inside the run folder. Also, out of curiosity, what OS version are you running?

    • Phil

      03.28.2011

      Sorry, just so used to saying jack.

      I have moved everything over to the home folder, logged in as root user and it still comes up with permission denied. I have logged as each type of account (admin, standard and now root) I have double checked the text file and it has been formatted correctly. Used text edit and also microsoft work (apple).

      The OS I am running is 10.6.7. Do you think that this is the issue? I have looked all over the internet and can’t seem to find help on this.

    • Phil

      03.28.2011

      Ok I figured it out. In the terminal I had to go one more level down and enter the run folder. Then I went ./john sha1.txt and now the file has run.

      Thanks for your help

  25. Mark

    03.27.2011

    I am having problems with 4b. I have the ‘john’ folder in my C directory on my PC, but can’t navigate to it. I get an error that says “The system can’t find the file path specified”.

    What should I do?

  26. Mark

    03.27.2011

    OK, I’m now on 4c, but when I type in
    ..run/john sha1.txt

    I get an error that says “.” is not recognized as an internal or external command

    What should I do?

    • Jeff Browning

      03.28.2011

      Mark – the commands in this guide are Bash commands, designed for Apple’s Terminal (which isn’t available on the PC).

      You’d have to check out the documentation for John the Ripper (http://www.openwall.com/john/doc/) to find the equivalent commands.

  27. John Levine

    03.31.2011

    Hello again, Jeff,

    I’m trying to get the GUID for the “root” account, and when I entered the command, I got what looks like 2 separate GUIDs??? i.e. 2 lines formatted like your example:

    FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
    7CCC2E64-DCAB-445A-997D-1C5C02193465

    What do I do? enter both with a space between them in the cat /var command line?

    Thanks!

    (My other one is still chugging away… almost a week, but it’s the IT Staff PW)

  28. Andrew

    04.03.2011

    I can’t get the (dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-) command to work

    • Andrew

      04.03.2011

      It comes up with this: bash: syntax error near unexpected token `|’

    • Jeff Browning

      04.08.2011

      Hmm… what OS are you running?

    • greg

      06.03.2011

      I think your problem is that you are leaving the in on whichever step you were on. Like this line “cat /var/db/shadow/hash/ | cut -c169-216” you would replace with your GUID and remove the I only know this because I ran into this problem myself.

    • greg

      06.03.2011

      I see that putting those together does not show up on this page, so let me start over. I think your problem is that you are leaving the in on whichever step you were on. For example, “cat /var/db/shadow/hash/ | cut -c169-216” you would replace GUID and remove the I had the same issue

  29. Miles M

    04.04.2011

    Hey Jeff,
    I keep on having a problem with 3b. When I type in the cat thingy (I’ve triple checked my spelling) into single user mode and press enter, a new command line appears as if nothing happened. I am running Panther, but from the research that I’ve done the method of obtaining the GUID is the same, so I don’t know what’s wrong.

    • Jeff Browning

      04.08.2011

      Miles – I’m pretty sure Panther doesn’t have the ‘cut’ command in its kernel (can anyone else verify this?), so I’d just leave it out and try this command:

      cat /var/db/shadow/hash/GUID

      You’ll get a LOT more characters with this one. The ‘cut’ command just isolates the hash out of the file. For Panther, the SHA1 hash (the one we’re interested in) should be the last 40 characters of whatever Terminal spits back out at you.

      Let us know if that fixes it!

  30. Bob

    04.05.2011

    Hello,
    My keyboard doesn’t have the ‘|’ key. Are there any alternatives for the ‘cat /var…’ command?
    Thank You

    • Jeff Browning

      04.08.2011

      Are you sure? Any modern keyboards have it, it’s just the backslash (\) key, but you hold shift (|). It’s usually right above the return key on Mac keyboards.

    • Bob

      04.09.2011

      Apparently I have a German keyboard. I do have the backslash key, but it won’t turn into the (|) command when pressing shift. But thank you for your help.

  31. Nolan

    04.06.2011

    Hey Jeff! I love the guide… so far everything’s going good… I just decided to try it out using an account I already know the password to (sort of for the challenge), and if it’s successful, I’m going to actually put this method to good use. Anyway, I was wondering… is using the root password necessary? I simply booted into single user mode and got the hash from there (never used the root password). My mac is working hard at cracking the hash, so I had to have done something right? And also, is there any danger in using the root account? Thanks so much in advance?

    • Jeff Browning

      04.08.2011

      Hey Nolan — great to hear you like the guide!

      You DO need the root account, but no worries; when you log into Single-User Mode, all of the commands you run are automatically run as root, without you having to enter a password. The only danger in using the root account is that it “takes away the safety rail.” When you’re on another user account, Mac OS X has some restrictions as to what you can do to system files, and you have to confirm everything on the system level with your administrator password or the root password. If you use the root account, the safety rail is gone and the OS will do whatever you tell it to do, no questions asked.

      Hope that helped!

  32. Semblance

    04.10.2011

    I am really confused.
    I am almost at the end…
    I will show you what I have written into terminal:

    cd john
    ./run
    -bash: ./run: is a directory
    ./john sha1.txt
    -bash: ./john: No such file or directory

    Ah, please help me.
    I have tortured over this for hours. I just need to know exactly what I must put into Terminal.
    Thank you!

    • Semblance

      04.10.2011

      Argh.
      I have managed to get further.
      However it says now, “No password hashes loaded”.
      I got my password or code thing, it looks like yours, I have the right username. But…
      It doesn’t work.

    • Jeff Browning

      04.19.2011

      Check your .txt file again. Is it in the right folders? Did you format it correctly (no extra spaces or anything)?

  33. Kevin

    04.11.2011

    Hey Jeff! I love this guide!

    Alright well I did everything correctly, and it came exactly as you said
    Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64]
    Only thing I noticed is that the passwords won’t continue guessing unless you press enter/arrow keys or some random key. So that means that if I want to get the password I would have to continue pressing enter/arrow keys repeatedly until it comes up with the password? Also I saw that the guesses stay at 0, like it’s at:
    guesses: 0 time : 0:02:09:17 (3) c/s: 2240K trying: 15lyreyC
    is it supposed to be at 0 guesses?

    • Jeff Browning

      04.19.2011

      Hey Kevin – It’s actually guessing continuously, but displays the most recent guess when you press the enter key. The guesses won’t go up until it finds the correct password.

      Just sit back and relax, John is on the job.

  34. Ben

    04.11.2011

    When I type :

    ./run/john sha1.txt

    and I press enter it says:

    Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])
    Crash recovery file is locked: ./run/john.rec

    Why is that file locked? How do I unlock it?

    • Jeff Browning

      04.19.2011

      Hmm, sometimes that happens. Just delete the file and start again, something got corrupted with the crash recovery file, so if you delete it (which is fine because you’ve only just loaded the file and haven’t generated any guesses yet), it’ll generate a new one and work from there.

  35. Kevin

    04.12.2011

    I just have two questions. I did everything that you said to, and it worked fine, it did show
    Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64]
    but then I noticed that a guess won’t show up unless you press a button like enter/arrow keys/space bar/etc. Does that mean that you have to continually press a button until the correct password shows up?
    Also another thing is that each guess I noticed, in the beginning it shows guesses: 0. Is that what it is supposed to be? And how do you know when it’s the correct password?

    • Jeff Browning

      04.19.2011

      Yep, that’s all fine. If you read through the other comments, you’ll notice that I’ve mentioned a few times (twice, I believe?), hitting enter will display the most recent guess, but it will continue to work without you hitting any buttons. And as it says at the bottom of the article, it will display something like this when the password has been cracked. Note the “password (user)” format at the beginning:
      password (crackMe) guesses: 1 time: 0:00:00:00 100% (2) c/s: 153000 trying: password

  36. Apple951

    04.25.2011

    When I boot into Single User Mode and type this in cat /var/db/shadow/hash/ | cut -c169-216 ( With the GUID) It said Find the dscl before continuing. What do I do?

    • Apple951

      04.25.2011

      To be more exact, it says this: “For Single User Mode you must run the following command to enable use of dscl
      launchctl load :System:Library:LaunchDaemons/com.apple.DirectoryServicesLocal.plist”

    • Jeff Browning

      04.29.2011

      Apple951 – give this a shot before entering in the cat /var… command:

      launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

      (make sure it’s all one line)

  37. John F. Levine

    04.26.2011

    Can this POSSIBLY be still running? It’s been three weeks (or more) and seems to still be running in Activity Monitor, but no final result. Also, all of the “guesses” are only eight characters???

    Please advise. Thanks!

    • Jeff Browning

      04.29.2011

      John — It looks like you’re dealing with a really tough password. If it’s trying only eight character passwords at this point, it means it’s probably guessed all possible password combinations under 8 characters. Whenever you add a letter, you increase the processing time exponentially, so it looks like it’s still working through the eight character passwords.

      Hang in there!

  38. John F. Levine

    04.30.2011

    OK, Thanks!

    Yeah, I’ve seen the IT guys type in the PW, and it looks like it’s about 12 characters, so I’ll just keep letting it run.

    Thanks again!

  39. Josh Fletcher

    05.01.2011

    Hi Jeff,
    I’ve been reading up on your posts, and they are really helpful! Just recently however, I have had the need to crack a password on a computer, and I will only have about a minute of physical access time. I’m going to boot into SUM, run the command “mount -uw /” and then “passwd” to quickly set up or just change the password of the root account. From there I’ll reboot the computer and log in via root. I’m counting on all of this to not take more than 45 seconds. Once I’m in the root account, rather than navigating to your site and messily copying and pasting all the code and then having to make a text document, I decided to try to make an AppleScript for this process. Everything has been running smoothly, I am only stuck on one small part. Here is what I have so far:

    display dialog "Username" default answer "Place user name here…"
    set theUsername to (text returned of result)

    tell application "Terminal"
        activate
        do script "dscl localhost -read /Search/Users/" & theUsername & " | grep GeneratedUID | cut -c15-"
        set theGUID to "What would i put here?"
        do script "cat /var/db/shadow/hash/" & theGUID & " | cut -c169-216"
    end tell

    As you could tell by the “What would i put here?”, I have no idea how I would set the GUID Terminal spits out as the variable “theGUID” in AppleScript. Also, is there any way to paste a variable as text (after I tell application “textedit” to activate)? Thank you so much,

    ~Josh Fletcher

    • Jeff Browning

      05.03.2011

      Hey Josh – Evan is our AppleScript guy, so I’m not totally sure about the answer to your question. I noticed that you posted a comment on one of his posts too, but alas, I usually check the comments and respond on the site. I’ll let him know that you posted, but if you want to join our new forums (http://www.hackmac.org/forum/) and post the question there, you’ll probably get a faster response from him or other members of the community (Evan’s always on there)!

  40. Radish

    05.03.2011

    Hi, this is a great tutorial and seems to be working fine on my MacBook for a lost admin password.

    One question though, reading through the documentation it seems John can also work with other password hashes. I have been trying for weeks to locate a lost user password in a mysql database. I have the md5 hash but do I need to call the .txt file something other than sha1.txt?

    Thanks

    • Jeff Browning

      05.03.2011

      You should be all set! You can name it whatever you like, i.e. md5.txt — just remember to type md5.txt when loading the text file into John.

  41. Can you please help me

    05.05.2011

    ./run/john sha1.txt
    Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])
    Crash recovery file is locked: ./run/john.rec

    What does this mean??

    • Can you please help me

      05.05.2011

      It didn’t let me run command ./run/john.rec

    • Jeff Browning

      05.07.2011

      Go into your “john” folder and delete the john.rec file, then give it a shot. Let me know if that fixed it!

  42. Kev

    05.06.2011

    Hey Jeff,
    I’m having some trouble with the first steps on the procedure.
    I’m logged in as root under single user mode, but when I type
    dscl localhost -read /Search/Users/name | grep GeneratedUID | cut -c15-

    I get

    launch_msg(): Socket is not connected
    For Single User Mode you must run the following command to enable use of dscl.
    launchctl load /System/Library.LaunchDaemons/com.apple.DirectoryServicesLocal.plist
    dscl localonly

    and yet when I type that command, it tells me again
    launch_msg(): Socket is not connected

    Any advice?
    Thanks

    • Jeff Browning

      05.07.2011

      Give this command a shot:

      launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

      I’m pretty sure Apple prompts for the wrong command (there’s not supposed to be a Local at the end). Let me know if that fixes it.

    • Kev

      05.09.2011

      No good, I get another

      launch_msg(): Socket is not connected

      message. This may be a stupid question, but the computer is running a French version of Snow Leopard, does that mean the commands like System and Library should be Systeme and Bibliotheque?

    • Jeff Browning

      05.09.2011

      I’ve never used any non-English OS X distributions, but I would imagine the file structure would stay the same…

      Can you log in and check the folder name on the HD and make sure the paths are the same?

    • Kev

      05.10.2011

      I’m afraid I don’t have the admin password to check the paths. But I tried the process on two other macbooks, American OS this time, and both of them message “socket is not connected” when I try it in single user mode. From their terminals though, everything works perfectly, I’ve tried it and it’s flawless. The single user mode though, just won’t work :(

    • Jack

      05.14.2011

      Try:
      launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServicesLocal.plist [enter the command]
      You should get a pause and it will go to the next line.
      dscl localonly [enter the command]
      You should get a “>” appearing and you’ve successfully entered dscl mode.

    • Jack

      05.14.2011

      Don’t forget to mount the drive first: /sbin/mount -uw :)

    • ps

      07.17.2011

      Hi Jeff,

      I am having the same problem as Kev in the single user mode. I’ve looked through your comments and Jack’s.

      Here is what I am doing:

      :/ root# /sbin/mount – uw

      usage: mount [-dfruvw] [-o options] [-t ufs | external_type] special node
      mount [-adfruvw] [-t ufs | external_type]
      mount [-dfruvw] special | node

      :/ root# launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

      launch_msg(): Socket is not connected <– this is where I got stuck

    • Jeff Browning

      07.21.2011

      The fact that it’s showing you the usage means that the drive is being mounted incorrectly.

      It looks like you’re leaving off that trailing slash. The command should read:
      /sbin/mount -uw /

      Give that a shot. Good job with the research though!

  43. alex

    05.11.2011

    So it’s officially been 24 hours and it hasn’t cracked the hash yet…
    any advice? have i maybe done something wrong?
    Any advice would be much appreciated.

    • Jeff Browning

      05.11.2011

      Alex – the time it takes depends on the complexity of the password. If it’s a really tough one, it could theoretically take weeks or longer (but that’s REALLY tough). If you’re concerned about its progress, feel free to hit the return key to retrieve the latest guess and check up on it.

    • alex

      05.11.2011

      Well, it’s just a personal password, I wouldn’t think it would be THAT complicated. But this method is a guaranteed way? As in though it might take longer it will still find it?
      I’ve hit return dozens of times, it’s giving me stuff like this:
      guesses: 0 time: 1:00:23:42 (3) c/s: 1783K trying: Snkypr5o
      It always says 0 guesses in case that’s important.
      Thanks for your help Jeff,
      -Alex

  44. Atlas

    05.13.2011

    Jeff,

    I control-clicked on the user name in Accounts and it listed a “UUID” in the window that popped up. Is that the same thing as the GUID? It has the same format so I tried using it and it’s worked for the remaining steps so far (John has been running for an hour now).

    • Jeff Browning

      05.14.2011

      Hmm, I haven’t tried this before, but it very well could work. Let us know how it goes!

  45. Jack

    05.13.2011

    I wanted to prank one of my friends for his birthday and the problem is I do not have access to any account on his computer.

    I’ve successfully loaded dscl in single user mode by entering the following:
    /sbin/mount -uw
    launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServicesLocal.plist
    dscl localonly

    However, when I try to run the command to grab the GUID (dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-) I only get different kinds of error (maybe because I tried different variations of the script).

    What am I doing wrong? Is there a way to get the GUID in single user mode? Are there any other ways to get around this.

    Thank you for your help :)

    • Jeff Browning

      05.14.2011

      Hey Jack – what kinds of errors are you getting? Search for your error in the comments section of this post (we’ve got 110 of them as of now), and see if I’ve covered it.

      If not, hit up our forum (http://www.hackmac.org/forum) and ask about it in the “Content Support” forum. We’ve got some knowledgeable guys over there who might figure it out before I do.

    • Jack

      05.14.2011

      I got “read: Invalid Path” and “DS Error: -14009” but I checked that the path is correct (I am testing on my computer now and the same path works in terminal).

    • Jeff Browning

      05.15.2011

      Hmm… this definitely looks like a question for the forums. Post it over there (http://www.hackmac.org/forum) and we’ll see if we can put together a solution.

  46. Simão

    05.14.2011

    Thank you Jeff. You helped me a lot :)

  47. Grant

    05.19.2011

    When I enter the text “./run/john sha1.txt” I get the response of “No password hashes loaded (see faq)” What should I do?

    • Jeff Browning

      05.20.2011

      Check the format of your text file, sha1.txt

      If it’s all correct, hop onto the forum and ask there under “Content Support” — you’ll get a speedier response and we’ve got a great group of people helping out there.

      http://www.hackmac.org/forum

    • Sydcul

      12.09.2011

      I guess you’ve entered (if the GUID should be “1234567890”) “1234567890”, but you have to enter “username:1234567890” in the file.

  48. Inca

    05.25.2011

    How do I get Jack the Ripper to run in Windows? I only have 1 hour per day on the Mac, but have a Windows computer where I could run it. For example, where in Windows do I enter the terminal commands? WinXP.

    • Jeff Browning

      05.28.2011

      For Windows, go to the Start menu, click Run, type ‘command’ (no quotes) and press enter.

      You might want to look on the JTR site for a Windows guide.

  49. Bingham

    06.01.2011

    I am able to find the GUID but when I log into single user mode and put in the command above (I’ve replaced the GUID with the actual numbers/text) it says no such file directory. What can I do to fix this?

    • Jeff Browning

      06.03.2011

      Bingham – If you’re retyping the GUID into SUM, there’s a pretty big chance that you may have copied it incorrectly. Also, when you log into Single-User Mode, did you mount the file-system before entering the commands?

  50. greg

    06.03.2011

    Hello, just a quick question. I get the no hashes loaded error when I enter ./john crackME.txt (different name, because I’m actually attempting to crack my own account pass, as a test). My question is could you be more specific when you say to have the .txt file in my john folder? I put my john folder on the desktop instead of the base directory and even did a make command to compile it (no questions!). My crackMe.txt file is inside john-1.7.7.tar/john-1.7.7/run. Is there somewhere else I should be putting it? Perhaps move it back one directory to Desktop/john-1.7.7/john-1.7.7? Thanks for any help you can provide. Great article, keep them coming!

    • greg

      06.03.2011

      I am using Mac OS X 10.6.7. Also I have seen that my problem could be that I need to combine my passwd file and the shadowed file but I can’t locate etc/shadow or anything like it. ls under etc does reveal passwd, but no shadow file, even as SU or Root. FileVault is on on my computer, and I cannot turn it off (errors out, I need to go see the Apple store for repairs anyway, I’ll get them to take care of transferring everything) if that makes a difference.

    • Jeff Browning

      06.03.2011

      Greg – Thanks for the positive feedback!

      As for your problem: The file does NOT go into the ‘run’ folder, and just goes in the main john folder, so like you suggested, move it up one directory to the original john folder.

      If that doesn’t fix it, go back to the top of the article and watch the YouTube video (it’s in HD, so you can view fullscreen and see everything clearly). Make sure all of your files are going into the same place as they are in the video and you follow the same steps (you don’t have to find the hash all over again, but put the john folder in your home directory, rename it “john” and put the text file in that folder).

  51. Andrew Swait

    06.08.2011

    Great site! Keep the tutorials coming!
    Andrew

    • Jeff Browning

      06.08.2011

      Thanks for the feedback Andrew! We certainly will — we’re planning on launching new features soon, which is why we haven’t been able to keep up with our usual article schedule.

      If you’re hungry for more tutorials, some guys on our forums (http://www.hackmac.org/forum/) have written some great ones and scripts to automate most of the process. Hope to see you over there!

  52. Reid

    06.09.2011

    Will this method handle passwords that have special characters and spaces in them?

    • Jeff Browning

      06.12.2011

      Yes, but adding special characters and spaces to passwords adds enormously to the processing time.

  53. Sean C

    06.10.2011

    I’ve been cracking the hash to my account for 20+ days… is this normal for a strong password?

    • Jeff Browning

      06.12.2011

      Well, if the password is EXTREMELY strong, yes, but that seems to be a very long time.

  54. Louis

    06.10.2011

    Great tutorial, very easy to understand.
    I’m nearly 2 days into the process of cracking a sha1 hash and so far everything is going fine.

    I did a test with a wordlist filled with 10 million strings of 20 characters each, and then adding my name after the last one. I then converted my name into a sha1 hash and made that what John is looking for.
    I timed it, and it took roughly 6.6 seconds to find that the password is my name using the wordlist approach. I’m not the best at computing, but I can say that 6.6 seconds for 10 million strings is pretty fast. Just letting you know roughly the speed at which it tests.

    • Jeff Browning

      06.12.2011

      Thanks for reporting Louis! Great information to share.

      We’ve done completely random six-character all-lowercase passwords in well under 30 minutes, so hopefully that shows that you need to throw in some numbers, symbols, and capitalization into your passwords.
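The replies above say that every added character multiplies the search time and that digits, symbols and capitalization matter. The following added example (not from the original article or its comments) works that arithmetic through for a worst-case exhaustive search, using the "c/s: 2240K" rate quoted in one commenter's status line; the function names and the character-set sizes are assumptions of this sketch.

```python
"""Worst-case exhaustive-search time versus password policy (added example)."""

# Candidate rate from a status line quoted in the comments ("c/s: 2240K").
# It is one sample machine, not a benchmark; pass another rate to rescale.
RATE_CPS = 2_240_000
YEAR = 365 * 86400

# Printable-ASCII character classes (standard counts).
CHARSETS = {
    "lower": 26,
    "lower+digits": 36,
    "mixed-case+digits": 62,
    "all printable": 95,  # letters, digits, 32 symbols and space
}


def keyspace(charset_size, length, cumulative=True):
    """Candidates of exactly `length`, or of every length from 1 up to it."""
    if cumulative:
        return sum(charset_size ** n for n in range(1, length + 1))
    return charset_size ** length


def worst_case_seconds(charset_size, length, rate=RATE_CPS):
    """Time to try every candidate up to `length` at `rate` guesses/second."""
    return keyspace(charset_size, length) / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def min_length_for(charset_size, target_seconds, rate=RATE_CPS, limit=64):
    """Shortest length whose worst-case search exceeds `target_seconds`."""
    for length in range(1, limit + 1):
        if worst_case_seconds(charset_size, length, rate) > target_seconds:
            return length
    raise ValueError("target not reached within length limit")


def policy_table(lengths=(6, 8, 10, 12), rate=RATE_CPS):
    """(charset name, length, worst-case time) for each policy combination."""
    return [
        (name, length, humanize(worst_case_seconds(size, length, rate)))
        for name, size in CHARSETS.items()
        for length in lengths
    ]


if __name__ == "__main__":
    for name, length, duration in policy_table():
        print(f"{name:18} len {length:2}  {duration}")
    # Length needed to hold out ten years against this one machine.
    for name, size in CHARSETS.items():
        print(name, "->", min_length_for(size, 10 * YEAR), "characters")
    # Real tools try likely candidates first, so human-chosen passwords
    # usually fall far sooner than this upper bound suggests.
```

These figures are an upper bound for truly random passwords only; a faster rig is modelled by passing a larger `rate`.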

  55. Joey

    06.19.2011

    Whenever I try to do the ./run/john sha1.txt part, it says that the arguments are too long. What am I doing wrong?

    • Jeff Browning

      06.19.2011

      Joey — I’ve never come across that error before, and I’m not sure what could be causing it.

      Perhaps this article could shed some light on the subject: http://www.linuxjournal.com/article/6060

    • Joey

      06.20.2011

      Thanks Jeff, that error has now stopped. Now, however, it’s saying -sh: ./run/john: cannot execute binary file. Any advice please?

    • Greg

      06.20.2011

      Same for me, what do I do???? Please help..

  56. Hot&Windy

    06.20.2011

    Great tutorial. Got it working on first try. However, it has been cranking one core on my MacPro for 30 days with no messages in Terminal after the initial response “Loaded 1 password hash..”. How long is this going to take? Is it hung? Is there a way to ask John what’s going on?

  57. Greg

    06.20.2011

    Is it possible to decrypt a hash that comes from an account from another computer?

    • Joey

      06.22.2011

      Yeah probably, I mean you would have to have the hash in encrypted form (as in GUID decrypted, but not the hash decrypted) and then just create the text file and crack it using John the Ripper. So long as you have the encrypted hash on a drive like a USB key, or somewhere where you can access it on your computer, you should be able to decrypt it. I don’t know though, but Jeff may be able to help.

  58. Hot&Windy

    06.20.2011

    Good tutorial! Got it running fine on first try. However, it has been full blast on one core of my MacPro for 30 days. Is there any way to ask John if he’s hung up, or to check on progress?

    • Jeff Browning

      06.26.2011

      Hit the return key and John should spit out the most recent guess.

  59. Nicosnow

    06.22.2011

    Hey everyone, OK so awesome job on this website but I have a couple of questions. First of all, if my password is bigger than length 8 will it still decrypt it? Because I’ve been looking at the log and it says “1:02:14:31 – Trying length 8, fixed @4, character count 22” and the password is more than length 10. Jeff, could you explain in detail what all the significance of the log is, because I’m confused. Second of all, is there any way you could accelerate the decrypting speed?
    Please help
    Nicosnow

    • Jeff Browning

      06.26.2011

      Decryption speed is affected by several different factors: the difficulty of the password, how many other applications are running at the same time, how many processor cores you have, what speed that processor/those cores are clocked at, how much RAM you have, and whether you’ve tethered multiple machines together to make a cluster (this is more advanced).

      As for password length, John starts lower and works its way up to longer character passwords. It wouldn’t make sense to start guessing at 16 and then guess 4 letter combinations, so it guesses incrementally.

  60. Zach

    06.23.2011

    Any idea where the hashes are located in Mac OS Lion? It seems like they moved them again.

    • Jeff Browning

      06.26.2011

      We’ve just put Lion on a couple of our laptops, so we’ll be testing all of our scripts and updating guides with new information in the upcoming weeks.

      Stay tuned.

  61. Charles

    06.24.2011

    I have a Mac OS X 10.4.8. When I type in “niutil -readprop . /users/admin generateduid” into terminal, I get the command “-bash: niutil: command not found”. What am I doing wrong?

  62. Joey

    06.26.2011

    Now John says that it cannot execute the binary file, any way to help, Jeff?

  63. Greg

    06.28.2011

    Is there a way to estimate how much time is left for the decryption because the decryption I have in progress is taking forever.

    Thanks in advance,

    Greg

  64. Christian

    06.30.2011

    MAN WAS THIS AWESOME
    I have been looking everywhere but couldn’t find anything…..
    It’s still decrypting lol but I hope it will find it soon

  65. Jonathan

    07.09.2011

    1. To find the GUID you only need to use these simpler commands:
    dscl . read /Users/ generateduid

    • Jeff Browning

      07.10.2011

      Nice. Shorter is always better.

      Ideally, we’d have something that just spits out the GUID, which is what we ended up with using our current command, so we can then pass on that output to the next step when scripting the entire process.

      Any thoughts on that? We’ve been working on scripting the entire thing from start to finish on our forum, and we have a fully functional application with a GUI already coded by one of our community members, Josh Fletcher.

  66. Edmund

    07.12.2011

    Hello Jeff,

    I know you will tell me to check the files and everything but I have checked it for over an hour and I get this error message “-bash: ./run/john: No such file or directory”.

    I have tried it in Windows but as I do not really know the Windows command, I get this error message “‘.’ is not recognized as an internal or external command”. At least can you help me with the Windows command and let me have a crack at it please?

    This is my sha1.txt file:
    jcaburian:2A0212C10D964640A04C240B5615ABBC73F715A09AE4C9BF

    Can you get the password please.

    Edmund

    • Jeff Browning

      07.21.2011

      There might be some guys who know more about the Windows commands on the forums (feel free to ask over there!), but I’m sure the John website has documentation as well.

  67. Ben

    07.17.2011

    My question is: I have done all that you beast review told me to and when I enter the cat code deal, I entered it correctly, but then when I enter the GUID after the stuff it says the exact same GUID and then says permission denied. Please help me, please reply quick, please man, I’m desperate. Thank you…:( fix = :))

  68. BEN

    07.17.2011

    I have a question. I have a Mac 10.6.4 and I’m assuming it’s a Snow Leopard, and when I type cat etc. and put GUID and then the rest of the command I get the same GUID and it says permission denied. I’ve done this whole process 9 times now and all I get when I try to get the hash is the GUID and permission denied. What do I do? Help me please…

    • Jeff Browning

      07.21.2011

      Are you sure you’re logged in as root, or are logged into Single-User Mode?

  69. Henrik

    07.19.2011

    Why is it that the newer version I download from the JTR website outputs “No password hashes loaded” but the linked version here works just fine? I see that others may strive with the same problem.

    • Jeff Browning

      07.21.2011

      Hmm, that’s odd.

      What version of the OS are you running?

  70. Anthony

    07.21.2011

    Hi Jeff, I want to ask: why, when I enter
    dscl localhost -read /Search/Users/
    does the terminal write -bash: syntax error near unexpected token `newline’
    Why, Jeff? Please tell me…

    • Jeff Browning

      07.21.2011

      Are you entering the entire thing on one line?

  71. James

    07.21.2011

    When I attempt to do step 3b to retrieve the hash, I enter my GUID along with the code you said and it comes up with ‘no such file or directory’. Tried this with a different user and same result. Any ideas? Is it something to do with the fact that I have just upgraded to Mac OS X Lion (10.7)?

    • Jeff Browning

      07.21.2011

      Yep, Apple has moved the hashes all around and encrypted them in a different salted encryption scheme in Lion.

      We’re working on a new, updated guide. Stay posted.

  72. user159

    07.24.2011

    I’d advise using hashcat advanced password recovery http://hashcat.net/hashcat or, better, the GPU-accelerated versions (oclHashcat) if you have access to any powerful Windows box. It’s just MANY TIMES faster, way more versatile (i.e. can take advantage of the NTLM hash if stored).

    The config is a bit trickier though, but I can provide quick scenario.

    And I’m personally interested in Lion hash dumping too :)

    • Jeff Browning

      07.31.2011

      That’s pretty damn cool. That might be worth revising the article to add in, though I may wait until the Lion stuff. I just wish there was a Mac version, because all my Windows boxes are slower than my Mac ones.

      They changed the encryption scheme and the hash location on us in Lion, so we’re still digging and working on another script to decrypt it.

  73. Brad

    08.01.2011

    It says “No Password Hashes Loaded”…PLEASE PLEASE HELP!

    • Jeff Browning

      08.02.2011

      Double check the hashes, and make sure your .txt file is formatted correctly (user:hash) and it’s in plaintext, and in the correct folder.

  74. Magellan R

    08.08.2011

    When I enter my password in the beginning after I type login root it tells me incorrect, but I know it’s correct.

    • Jeff Browning

      08.14.2011

      Did you set the root password yourself? Can you log into the root account through the login window?

  75. Russell

    08.08.2011

    Hey, I just wanted to say thanks for the article!! I was wondering if you have a Windows version of the site, as I see most of the hacks are for Macs.

    But anyways, thanks for the article!! I always thought that with John you had to download some huge dictionary file, I’m glad I was wrong :)

    • Jeff Browning

      08.14.2011

      Sorry to hear that you’re not on a Mac! I’m sure since Windows has a lot larger user-base, there should be a website of some kind (or many different websites) that can teach you how to do similar things.

      No dictionary file is required for John, but you can speed up the process with one if the password happens to be in that dictionary file — it’s all up to the user.

  76. Jon

    08.08.2011

    The result i got was
    Loaded 1 password has (Mac OS X 10.5+ salted SHA-1 [32/32] instead of [32/64].

    Was it still successful? Meaning should I let it continue to run to see if a password appears?

    • Jeff Browning

      08.14.2011

      That just means that you’re on a 32bit system. That message means it has BEGUN cracking, and has NOT successfully cracked the hash yet. You can hit enter to see the latest guess, but yes, you should continue to let it run until it has successfully cracked the password.

  77. deb

    08.13.2011

    I don’t get a successful hash into John message in single user mode. Instead, it states this:

    dyld: Library not loaded: /usr/lib/libcrypto.0.9.7.dylib
    Referenced from: /Users//john/./run/john
    Reason: no suitable image found. Did find:
    /usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
    /usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
    Trace/BPT trap

    Any thoughts?

    Thanks for your time and expertise!
    deb

    • Jeff Browning

      08.14.2011

      What version of the OS are you running?

      Also, did you download the version of John from the download link on our site, or theirs? Try downloading and running the other one (they’re different versions). We haven’t updated ours yet because we have received a few reports of people not being able to run the current version but being able to run the version linked from our site.

      For you, the inverse may be true.

      Let me know if that helped!

  78. Philippe

    08.14.2011

    I have read all the above but I have not tried it…yet. When I create an encrypted disc image I always use the character palette to add a few unusual characters in the password. My question is: will John the Ripper be able to crack such a password? Or is it almost uncrackable although it is only 8 characters long? I want to include these characters in my login password. Is there a way of accessing the character palette when I log in in order to pick the characters I have used in my password? This is a great site! What is discussed here will never be discussed in the A forum. Thanks.

    • Jeff Browning

      08.14.2011

      It certainly would not be discussed there — that’s why we have our own forums in addition to the main site!

      Adding unusual characters for a password will greatly add to the time required to crack the password. A good service to check out that I think is (relatively) accurate is http://howsecureismypassword.net/

      As for the character palette, I don’t believe you can bring it up when entering your password, but usually there is a key combination linked to a special character. For example, Shift+Alt+K makes this symbol appear: , and Alt+J gets you ∆.

      Play around in any word processor or text field and form a very secure password!

  79. Will

    08.17.2011

    Right okay, So I’ve read all that and.. I’ve still got a few queries regarding getting the password..

    I’ve set myself a little test to get from a very.. blocked account, To getting the password of an Admin,

    Now at the start, You said to Open up Terminal. Now, In my Test.. Terminal is Blocked, and I can’t access it without the Admin Password. How’d you suggest I get around that one if I just want to find out what the Admin Password is, WITHOUT Changing it?

    • Jeff Browning

      08.17.2011

      Boot into Single-User mode, mount the drive, and then follow the same steps to get the hash. You can then write down the hash on a piece of paper, and do the John steps at your own convenience on another computer, be it Mac or PC.

  80. Rahul

    08.19.2011

    Hi,

    I’m having a problem with this method which I don’t know about. So right after I ran:

    ./run/john sha1.txt

    Terminal displayed what you said it would;

    Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64])

    but then right after that it displayed this:

    Crash recovery file is locked: ./run/john.rec

    and then gave me back my command line. Well I tried running it again with no luck, and it won’t start the process of cracking the password. I have no idea what’s going on or how to fix it so I’d like some help with this.

    • Jeff Browning

      08.23.2011

      Hey Rahul, a couple of people have had the same problem (you might actually be able to find them if you scroll up to the previous comments). Try deleting the john.rec file in the /run/ folder, and running it again. It should be regenerated without any issues and start cracking.

  81. caroline

    08.22.2011

    Works fine up until I try to decrypt the hash; at that point it says access denied. What should I do?

    • Jeff Browning

      08.23.2011

      Are you using sudo or logged in as root, as the article requires?

  82. Brad

    08.24.2011

    Following command was loaded
    Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64])

    Been waiting over two days and keep checking on a regular basis. How do I know everything is ok with guid and hash–I’m asking because the wait seems very long and I’m content to wait if everything comes out ok–but if I’ve done something wrong, I’d prefer to start over. Any thoughts? Thanks.

    • Jeff Browning

      08.25.2011

      It can take a long time, but a good way to check up on it is to hit enter and see the latest guess.

  83. Brad

    08.25.2011

    Yes, I keep doing that–but the latest guess is not the password, right? It is my understanding that the password will appear only when there is a line that says password (crackMe) guesses: 1 time: 0:00:00:00 100% (2) c/s: 153000 trying: password. So, my point is, checking by hitting the enter button only tells you that the program hasn’t come up with the password yet, right? Is there any other value to see what the latest guess is? Ie. Try the latest guess and see if it works? Thank you so much.

  84. Brad

    08.25.2011

    Also, will John program stop on terminal once program has successfully come up with the password?

  85. Brad

    08.26.2011

    Also, how many characters will John program reveal?–what is the largest character password?

  86. Ben

    08.26.2011

    What does the c/s mean?
    Does it mean cracks per second?
    If it does mean that, mine says: ‘guesses: 0 time: 1:21:22:54 (3) c/s: 1968K trying: 1euy35h7’
    Is 1968K too slow?
    Because when I look at the other comments, they have way more c/s than me. Please reply.

    Ben

  87. Zachary13

    08.28.2011

    Hi!
    It seems to be when I look for the GUID and I copy and paste this into the terminal

    dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-

    it replies with

    -bash: syntax error near unexpected token `|’

    And I can’t get past this point. If you can help it would be appreciated! Thanks, zack

    • Jeff Browning

      08.29.2011

      Are you adding in the short name for the target account into the command?

      If so, what OS are you running?

  88. Kosta

    08.29.2011

    Hey, whenever I open up Terminal and stuff and put in the code it says DS Error: -14136 (eDSRecordNotFound)
    What do I do? :(

    • Jeff Browning

      08.29.2011

      Are you sure that is the exact error number? I can’t find any sources with information pertaining to that DS Error; it looks like it has an extra number in it.

  89. Zack

    08.30.2011

    I got as far as loading the hash! All it says now is

    zacksmac:john admin$ ./run/john sha1.txt
    No password hashes loaded

    • Jeff Browning

      09.05.2011

      Check to make sure your sha1.txt file is in the right folder and is formatted correctly.

      Also, what OS are you on?

  90. Gerasimo

    09.01.2011

    Hey Jeff, is there a free working version that will work with Mac OS X 10.4.11?

    Can’t seem to find the link except for the pro ver.

    RC2:/john-1.7.3.1-macosx-universal root# ./run/john sha1.txt
    dyld: Library not loaded: /usr/lib/libcrypto.0.9.7.dylib
    Referenced from: /john-1.7.3.1-macosx-universal/./run/john
    Reason: no suitable image found. Did find:
    /usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
    /usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
    Trace/BPT trap
    RC2:/john-1.7.3.1-macosx-universal root#

    If not, could we run our own from UNIX binaries?

    Thanxx

    • Jeff Browning

      09.05.2011

      Hmm, you might be able to download an older version and compile the code yourself. I’d Google the library that it’s requesting and see if there are installation instructions that could make everything play nice.

  91. Luke

    09.02.2011

    Hi Jeff,
    I have followed your instructions to the dot, but when I finally get to the command:

    cat /var/db/shadow/hash/E54E8A9C-BA42-46DD-B3D3-5D9D7574D7CC| cut -c169-216

    I get this message every time:

    cat: /var/db/shadow/hash/E54E8A9C-BA42-46DD-B3D3-5D9D7574D7CC: Permission denied

    I have tried it all twice, re-logging into the root, but still the same message.

    Any help would be much appreciated.

    • Jeff Browning

      09.05.2011

      That looks to me like you’re forgetting a space between the GUID and the |. Try it again with the correct spacing.

  92. Brad

    09.03.2011

    Still running 11 days 12 hours no luck yet. Is there a way to use password hint to load potential words and make john program more effective and efficient? Also still waiting for your response to my earlier questions regarding whether terminal will stop if it finds password or how many characters will John program reveal. Thank you so much for your help.

    • Jeff Browning

      09.05.2011

      Not that I know of, but that would be a good idea for a feature request.

      I can’t find your previous question in my system backend that I use to reply to comments (and I’m sorry about the delay; I am only one man, after all), but yes, the program will stop when it finds the password and displays the final output. Please watch the video included at the top of the article for an example. JTR cracks the password, which is “banana” — John will display all of the characters of the password.

  93. Hi Five

    09.08.2011

    Is it just me or is john jumping back in password size? Is this normal?

    Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])
    guesses: 0 time: 0:00:00:09 (3) c/s: 109549 trying: bubuga
    guesses: 0 time: 0:00:00:16 (3) c/s: 135984 trying: may2711
    guesses: 0 time: 0:00:01:16 (3) c/s: 161459 trying: plip132
    guesses: 0 time: 0:00:01:18 (3) c/s: 161092 trying: djosam
    guesses: 0 time: 0:00:03:58 (3) c/s: 162691 trying: msthooin
    guesses: 0 time: 0:00:04:03 (3) c/s: 162865 trying: chirlat1
    guesses: 0 time: 0:00:04:04 (3) c/s: 162888 trying: matunino
    guesses: 0 time: 0:00:04:05 (3) c/s: 162915 trying: mshLDoor
    guesses: 0 time: 0:00:04:53 (3) c/s: 164160 trying: gwa36g
    guesses: 0 time: 0:00:04:55 (3) c/s: 164214 trying: 45938050
    guesses: 0 time: 0:00:06:45 (3) c/s: 167403 trying: bmqqg2
    guesses: 0 time: 0:00:06:46 (3) c/s: 167421 trying: thqaid
    guesses: 0 time: 0:00:06:47 (3) c/s: 167446 trying: detz10
    guesses: 0 time: 0:00:07:38 (3) c/s: 166228 trying: jaaalak
    guesses: 0 time: 0:00:13:42 (3) c/s: 154836 trying: li23et
    guesses: 0 time: 0:00:13:43 (3) c/s: 154811 trying: gecl3i
    guesses: 0 time: 0:00:13:44 (3) c/s: 154787 trying: hiltld
    guesses: 0 time: 0:00:43:34 (3) c/s: 148402 trying: jm5055r

  94. Kai Lamarr

    09.09.2011

    Question: How do you make the | symbol on the keyboard? O_O

  95. Arjarnto

    09.09.2011

    I waited a little code to help out for 3 days then it is not up to me I want you to John User Administrator Code E652EB272A0CBCDE12571F0320722B6EA1FE37B006598EC6

    • Arjarnto

      09.09.2011

      Any help is very important.

  96. luca

    09.09.2011

    What does “c/s: 71769” stand for in terminal? The “c/s” part. Thanks

  97. rute

    09.10.2011

    I’ve noticed a lot of people are just trying to change their parental control settings. For that, this guide may be overkill. If you open activity monitor and find the parental control process, you can use the utility to quit the process (until the next login). I hope this works, as it’s a great deal simpler than cracking the administrator password (which is more or less the cure-all magic bullet for such problems.)
    Good luck!

  98. Mitch

    09.12.2011

    Hi Jeff,
    I am trying to find the admin password out for a friend’s mini Mac running OS X 10.4.11. I can’t get the password hash, it says access denied? Is this because I’m not logged in as the root user? I’m unsure how to change the root password as I don’t know what it is? Any help would be great, thanks.

  99. Dylan

    09.13.2011

    dscl localhost -read /Search/Users/admin | grepGeneratedUID | cut -c15
    -bash: grepGeneratedUID: command not found

    Get this error every time. Tried the other one just in case and got…

    niutil -readprop . /users/admin generatedui
    -bash: niutil: command not found

    Any help on what I can do? I’m running on Lion 10.7.1

  100. Brad

    09.14.2011

    Still running 22 days 11 hours–have you heard of it taking this long? I’m just hoping everything is ok and it will eventually figure it out. Also, if the password is greater than 8 characters, will it display over 8 characters? Thank you so much for your continued help.

  101. Jake

    09.14.2011

    Hey! I notice that one of the passwords I’m cracking is in Lotus, not sha1, which is odd, because it goes a lot slower in its cracking than sha1. I’ve been running it for 5 total hashes and it hasn’t gotten one yet in 20 hours.

    Also, I notice that you haven’t discussed all the things you can do, like little hidden things with JTR. For instance, you can stop and resume it later using:
    ./john --restore

    As it saves its progress every 10 minutes. Food for thought =]

  102. rashid

    09.16.2011

    john, when I finished all the commands
    it says
    Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64])
    then there is no password. What must I do?

  103. Jim

    09.16.2011

    After entering the 1st command I get the same error message that Kosta (Aug 29) got.

    DS Error: -14136 (eDSRecordNotFound)

    I checked it twice. That is the exact number.

  104. Brad

    09.21.2011

    Jeff–still running 29 days. How can I load a wordfile to make John’s work easier. ie like a dictionary or word list? If this is possible, can it run at the same time I am continuing to run the brute force mode? HELP!! Thanks.

    • Sultan

      12.12.2011

      Did it come up with the password?

  105. Tristan Lalor

    09.21.2011

    Is there a way to decrypt OS X administrator account passwords?

    • Jeff Browning

      10.23.2011

      Scroll up for the guide on how to do that!

  106. David

    09.25.2011

    Simple question: Can you have more than 1 root user on a Mac? –I’d like to do this to my computer to see how effective my password is and would like to know if someone is trying to hack machine.. Thanks!

    • Jeff Browning

      10.23.2011

      Nope, but you can have more than one administrative user!

  107. sassiekassie

    09.25.2011

    Okay, so I can get into single user mode, but once I get there, My Keyboard doesn’t work!!! What can I do?!

  108. David

    09.26.2011

    Also, unrelated to my previous question, is there a way to optimize John to run to find a password within a finite or range of possible characters? Say you heard in between 14-16 keystrokes for the password you’re trying to find. For days, John will guess at passwords in between 4-8 characters, which as a user is a complete waste of time. Is there a way to rewrite the operation to function within a set of ‘character parameters’ so that you can bypass this initial process?

    Also, how can you access the files on another user’s login when logged into the root user login?

    And is there a way to display the root user password I have set? I don’t want people to be able to hack in and see my root password ;)

    Thanks!!

  109. Magic-Hack

    10.23.2011

    Now I have access to my parents’ computer (but john has not finished finding the passwd).

  110. I should attempt this on one of the macs at my school and then tell “Technology Services” (the bozos that manage the firewall and computers) just to watch them shit themselves! :D

  111. Ben

    10.24.2011

    What does the c/s mean?
    Does it mean cracks per second?
    If it does mean that, mine says: ‘guesses: 0 time: 1:21:22:54 (3) c/s: 1968K trying: 1euy35h7’
    Is 1968K too slow?
    Because when I look at the other comments, they have way more c/s than me. Please reply.

    Ben

    • Sydcul

      12.09.2011

      Mine is way less (“107370”). So you should just wait…

  112. John

    10.24.2011

    This has been running for more than a day. Is there something wrong with it?

  113. Drew

    10.27.2011

    First off – fantastic, awesome article. Thanks for this.

    I got it working just fine with several accounts. However, I am having one issue when attempting to decrypt one certain admin password. I get it to run just fine, and then it displays this as soon as I hit enter.

    Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64])
    (meadowscommunity)
    guesses: 1 time: 0:00:00:00 100% (2) c/s: 81200 trying:

    The next thing I see is another typable command line. Pressing enter just results in another command line.

    One guess I have now is that the hash code was typed incorrectly into the text. I checked it several times, though. Any ideas? Help!

  114. Sam

    10.28.2011

    Hi,
    Just wondering if we are in any of these situations:
    -don’t have the root password
    -root password has not been set/enabled
    -can’t be bothered rebooting to single user mode

    in step 3b, could we just type:
    sudo cat /var/db/shadow/hash/ | cut -c169-216

    Would that work without having to login as root…?

    Cheers.

  115. Lale

    11.01.2011

    Um Jeff, my username has 2 names, but when I type it down and hit enter it comes up with this “No Such Keys: Rany ”. Btw, my username is “Lale Rany” and I typed “dscl localhost -read /Search/Users/Lale Rany | grep GeneratedUID | cut -c15-”
    Thanks for your help,
    Lale

  116. Bob Smay

    11.03.2011

    Hello, so I tried doing this with my account that I knew the password to just to see how it would go. Everything went fine until I started trying to crack the password with your application. I set the password to “password” and it’s been over 3 hours and it still has not found it out.

    Also, if I do get help, is there a way to find out the administrator password from a server? For example at a school so that I can bypass the access denied?

    Thanks for all the help!

  117. Bob Smay

    11.04.2011

    How would you go about hacking a network account? Thanks

  118. James

    11.05.2011

    If there was a password like
    r3Dr0veR or b3nAuD
    How long would it take?

  119. Cathrine

    11.10.2011

    Hey, your post was a great help for me, but there is one concern.
    Since I cannot access the root password on my computer, I had to boot in SUM. But within Single User Mode, when I typed in the GUID and the phrase inside the terminal, it comes out as ‘access denied’.
    Is there any way to fix this?

  120. Styx293

    11.10.2011

    Hi! Here’s my issue:

    adss-MacBook:~ matthewbishop$ cat /var/db/shadow/hash/A3635821-8EE8-4F09-B62B-3222AA295BE6 | cut -c169-216
    cat: /var/db/shadow/hash/A3635821-8EE8-4F09-B62B-3222AA295BE6: Permission denied

    Every time I type in the hash into this command line, it gives me “permission denied”. How do I get the hash that should be spat out?

  121. shiv

    11.10.2011

    Hey, I am unable to run the cd /john/ thing on my terminal window. I even changed the file name to john… all I get is -bash: cd: /john/.: No such file or directory

  122. Dat

    11.17.2011

    This is a great guide, thanks! I just had one question. If the username contains a space (for example if the username isn’t “john” but “john smith”), when I create the text file should the username have quotation marks around it or just as is? For pretty much all other unix commands (like cd’ing into a folder with a space), I have to use quotes and I’m just wondering whether or not the same applies to JTR. Thanks!

    • Dat

      11.17.2011

      So I’m running john in three different windows concurrently, each on a slightly different text file. They all have the same hash, but the username varies. One is John (the short username), one is John Smith, and the third is “John Smith”. Does it even matter which one I use? I’d like to take some stress off of my computer and only be running it once so any feedback would be awesome.

      Thanks!!

  123. Buddy

    11.21.2011

    You may also find the GUID under System Preferences > Users, then right click (command+click) on the user you would like to find the GUID for and select Advanced Options. A window will pop up; it gives you a bunch of stuff and in one line it lists the UUID (which is the same as that user’s GUID [don’t worry, I checked]). Then you may use this in your next command in root or single user mode and continue from there.

  124. Josh

    11.23.2011

    I’m not able to get the GUID. What should the username look like?

    • Josh

      11.23.2011

      nevermind

  125. shiv

    11.27.2011

    I can’t get john to run, help pls

  126. Nick

    11.29.2011

    5th day, still nothing. I don’t think this works. Have you any ideas on how to decrypt an encrypted dmg file? Or at least how to extract the AES key?

  127. Sam

    11.30.2011

    Hey Jeff,
    I was wondering if there was any way to alter the John The Ripper program to only try passwords WITHOUT numbers? If not is there any other program that does this?

  128. ds

    12.01.2011

    -bash: syntax error near unexpected token `|’
    plz help

  129. Sam Wise

    12.02.2011

    Hey Guys,

    I’m having a major problem right now. I was running john last night ( because my mom couldn’t remember her password) and this morning her macbook air had this sort of fractal flower on the screen and all these messed up colorful lines across the screen. After turning it it off and attempting to turn it on again, the screen stayed black and this odd beeping noise. Do you know what could be wrong? I’m rather worried.

  130. Leo

    12.02.2011

    Help! I got the GUID and then the hash, but nothing seems to be able to decrypt my password! I have left John the Ripper on for 2 weeks and it didn’t crack it, and every website I have tried says the hash is “Invalid.” I know my hash is the right one because I followed all the instructions perfectly and it did everything it was supposed to. If it helps, the hash is this: (I’m not that much of an idiot because this isn’t my password for anything else)

    CD0B55168C603F6FF5501C2D2CDAE5104CBEABA4AB2D605C

  131. networkpunk

    12.03.2011

    Hello..

    I’m getting this on the first step to find the GUID

    DS Error: -14136 (eDSRecordNotFound)

    help..

  132. Claudio

    12.05.2011

    How becomes the following command

    dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-

    if include spaces, like John Doe?

    Something like:

    dscl localhost -read /Search/Users/John Doe | grep GeneratedUID | cut -c15-

    I guess it gives an error.

  133. curtis

    12.05.2011

    Hey Jeff. My dad recently bought a Mac running Tiger off his buddy. There is an admin password on it for his account, but the guy can’t remember what the pass was. It’s restricting most of my downloads. I’ve tried several ways of fixing it but nothing has worked. This helped, but I think he must have deleted TextEdit off it too, I can’t find it anywhere. I tried using a few other programs but when I tried to open it on terminal this came up:

    dyld: Library not loaded: /usr/lib/libcrypto.0.9.7.dylib
    Referenced from: /Users/arnie/john/./run/john
    Reason: no suitable image found. Did find:
    /usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
    /usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
    Trace/BPT trap

    Not really sure what any of that means. I just need the password gone. Thanks!

  134. David

    12.05.2011

    I am having problems with the GUID on a lion. Any suggestions?

  135. Claudio

    12.06.2011

    If the username has a blank character, how is formatted the following command?

    dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-

    ?

    For example, if username is John Doe, should I type

    dscl localhost -read /Search/Users/'John Doe' | grep GeneratedUID | cut -c15-

    ?

    Regards
    Claudio

  136. Luke

    12.08.2011

    Hello, I am back again.
    I was wondering, as JTR has been running for 2 days now, if you had an estimate on how long it would take?
    A previous password I cracked from the same place was ” ti0fsmdgt@e!2009 “.
    Do you know on average how much longer it would take?

    Any help would be much appreciated.

    Regards,
    Luke.

    • Luke

      12.10.2011

      Also, I am used to Windows more, but I am still alright with the commands. I was going to ask how to assign both of my cores to JTR to make it run faster.

      Thanks.

  137. Sydcul

    12.09.2011

    Hello! I used your tutorial for creating an admin account, it was great! But here my terminal says:
    Last login: Fri Dec 9 13:00:07 on ttys000
    MB-10-18:~ lukasvandendijssel$ cd /Users/lukasvandendijssel/Desktop/john-1.7.3.1-macosx-universal
    MB-10-18:john-1.7.3.1-macosx-universal lukasvandendijssel$ ./run/john sha1.txt
    Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary]

    And it takes forever…
    Should I just wait?

    • Sydcul

      12.09.2011

      Busy for 3 hours how…

  138. Jonathan Kingsley

    12.09.2011

    I am trying step 2 but it gives me this: -sh: syntax error near unexpected token `|’

    I am running Snow Leopard 10.6.8 if that helps.

  139. brysicle

    12.11.2011

    Ok.. so I don’t know what’s wrong with what I am doing here lol, but when I go into Single User mode and get my password hash I get:
    5E214E24F9B21D582C4811FD44091A0A623774F16C742D13.
    When I go back to jtr this is what I get:
    Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])

    I am going to go back into single user mode and double check everything, but I am stumped as to why it’s not loading it into the right hash algorithm. I am on 10.6.8. Someone somehow got in and changed my root password on me and I didn’t notice until today when I was trying to change some system prefs.

  140. Sultan

    12.12.2011

    Hi

    Umm, if the password is very complex, let’s say like MC$t1w!f!, how much will it take?

  141. justin

    12.16.2011

    Hi, I’m having trouble navigating to John the Ripper. I type in “cd /john/” and it says no such file or directory. Please help me.

    • justin

      12.16.2011

      By the way, I’m running on 10.5.8

  142. CJ

    12.17.2011

    Ugh, I’m trying to find my mom’s admin so I can install something, but it says permission denied when I start the .run/… part.

  143. Ben

    12.20.2011

    what does the c/s mean?
    Does it mean cracks per second?
    If it does mean that mine says: ‘guesses: 0 time: 1:21:22:54 (3) c/s: 1968K trying: 1euy35h7′
    Is 1968K too slow?
    Because when i look at the other comments, they have way more c/s than me. please reply.

    Ben

    P.S: you didn’t reply to my previous comment about this so can you please reply to this one. Thanks.

    • Kai Nau

      01.03.2012

      c/s is cracks per second or how many new passwords it guesses in a second.
      1968K c/s is just fine, it is the abbreviated form of 1,968,000 c/s.
      Other people in the forum might just have a bit newer or faster computer than you.

    • Ryan

      01.19.2012

      similar to Ben’s question above, I fired up John The Ripper, pointing it the Hash file, and it said ‘Loaded 1 password hash….’, then sat there not indicating anything was happening.

      I’ve hit enter a few times over the last couple hours and am returned with similar status of Ben’s.

      I can see JTR using massive CPU (98.2+-), but am wondering if it’s stuck, or I didn’t initiate it correctly.

      Thanks for the resources here and any further help you may have!

    • Jim

      01.20.2012

      I’m not sure if this is very helpful, but I believe c/s is combinations/second. However, my number started at around 150,000, and has fallen to 50,000 in the past 72 which the program has been running… So no 196800 isn’t that bad, it’s better than what I’ve been getting :)

      -Jim

      p.s. I’m not 100% sure c/s means combinations/second, cause that’s pretty slow. Wikipedia gives the example of 2^56 combinations a second, which is 7.2*10^16, or 7,200,000,000,000,000… So :/

      http://en.wikipedia.org/wiki/Brute-force_attack#Theoretical_limits

    • kiborg

      01.23.2012

      Hi Ben you can tell me this when applying to a reading with four letters

  144. Arthur

    12.21.2011

    Hi, after using DaveGrohl for OSX 10.7, I found out it was too slow to crack the password. So I’m using JTR to decrypt the hash, but after I cd into my john folder, I type in ./run/john sha1.txt, and it just says -sh: ./run/john: No such file or directory

    Anyone?

  145. Jorge Staislav

    12.28.2011

    What if the root account is in use?

  146. Ben

    01.01.2012

    Well, I ran john, after running it my laptop closed due to power shortage and the program “terminal” was closed too since the computer was restarted, will john stop working? Because when I go to the activity monitor it shows me that the process “john” is taking 98% from the CPU

  147. Woeser,

    01.02.2012

    I have created two user accounts, one is administrator of course and one is guest, but today I didn’t see the administrator, I am kind of worried about losing my documents on the desktop. How can I get the administrator?
    Thanks

  148. Kai Nau

    01.03.2012

    Last login: Tue Jan 3 05:46:03 on ttys000
    KaiNs-MacBook:~ kainau$ cd /Users/kainau/Documents/untitled\ folder/john-1.7.9
    KaiNs-MacBook:john-1.7.9 kainau$ ./run/john sha1.txt
    -bash: ./run/john: No such file or directory
    KaiNs-MacBook:john-1.7.9 kainau$

    What am I doing wrong?

  149. Alexandre

    01.06.2012

    Hey there! I love all the work you put into this guide, thank you very much! I have but one question. If one were to use the “sudo passwd root” command in single-user mode, would one be required to enter an administrator password? Or will I just be able to change the root password with being prompted for a username and pass seeing as I am already in single-user mode? Thx.

    • Alexandre

      01.06.2012

      Sorry, I meant “without” being prompted….

  150. Luke

    01.06.2012

    Hey Jeff, I just want to go back on something someone said earlier. They asked if John the Ripper would still run if the computer is closed. I really want an answer to this. Mine has been running for 6 days now, and when I close the laptop, the timer still runs (thus why it’s up to 6 days now) but is the actual rest of the program running? It’s just I don’t want to keep my laptop open because it may overheat.

  151. george

    01.06.2012

    Hey JEFFFF!!!!!!!! YOUR GUIDE IS AMAZING!!!!!!!!!!!!!!!! IT HELPED A LOT SO THANKS!!!!!!!!!!! HOWEVER WHEN I PUT THE LAST COMMAND IT SAYS CRASH RECOVERY FILE IS LOCKED ./run/john.rec what to do??

  152. Cam

    01.07.2012

    When I run john, I get the message “no password hashes loaded.” I have the hash in the .txt, any ideas as to what is going on?

  153. Robert

    01.09.2012

    I have the hash, but how do I crack it on windows? I have john the ripper downloaded, but in the guide it never says how to crack the hash in windows.

  154. Logan

    01.09.2012

    I keep getting stuck at ./run/john sha1.txt. It says “No such files or directory” every time. I am familiar with Terminal so I know what I am doing. I am cd’ed into my john folder and have my sha1.txt file within the folder. Any advice on how to get past this? Thanks

  155. Hiroki

    01.17.2012

    Does John the ripper continue to run even if you sign off your user account (not log out)?

  156. Henry

    01.19.2012

    Howdy, I’ve found everything very useful so thanks for providing this information in such an accessible way. I have found myself a bit stuck however and I was wondering if you could offer some more assistance, I’ve looked through previous comments for something similar however I couldn’t find out a lot without asking you. After changing the root password and logging in, I went through the steps of chapter 6 but when it gives me the message “Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64])” it doesn’t give me a password, but it does give me an update each time I press enter, always “guesses: 0 time: (however long it’s been) (3) c/s:1800K (going up each time) trying: (random assortment of letters and numbers)”. I’m fairly sure the password I’m looking for is rather simple, and I’ve been through the entire process maybe 4 times, and left it for quite some time with each attempt. I understand it can take a while with complex passwords but like I said I’m pretty sure this password is one word, likely without numbers. Is all this normal? Such as it never presenting more than 0 guesses?

  157. Jim

    01.19.2012

    I’ve been running the program for.. 71 days now, and it isn’t coming up with a password. I have closed my computer on multiple occasions, but I haven’t shut it off since it started. Is something wrong? Or is it just an extremely complicated password? Should I abandon the process?

    Also, in Terminal it says the following:
    guesses: 0 time: 71:07:01:27 (3) c/s: 53822 trying: 37ASd67

    What is the c/s number? It started out around 10,000, went to 15,000, then steadily declined to what it is now, and it’s still going down.

    • Jim

      01.19.2012

      Sorry, I meant 100,000 and 150,000

  158. Mike

    01.19.2012

    Hey, when I put in the first command from step 1, all I get is this:

    DS Error: -14136 (eDSRecordNotFound)

    [Process completed]

    What am I doing wrong?

  159. johnnyleethe1

    01.19.2012

    Hello, here’s my problem
    I have a MacBook Air 11″ 2010, the firmware is locked and I don’t have the password for the admin user
    I can only use the guest account!

    Is there a way to reset the firmware password or the admin’s user name and password?
    And because of the firmware password I can’t access SUM and also it’s a MacBook Air which I can’t do anything to the RAM
    Any help would be great!!!!!!!!!!!
    Please don’t tell me there’s no hope!!!!!!!!!

  160. Ryan

    01.19.2012

    oh my bad – I see you explained how the program runs in the video. Looks like I just need to be patient.

    Thanks again for this resource, Jeff!

  161. Dexter

    01.22.2012

    Okay….. So What went Wrong Here?

    DS Error: -14136 (eDSRecordNotFound)

    I Copied this directly out of terminal to be exact

    • Dexter

      01.22.2012

      Nevermind…….. It appears that you must put a space after the / when entering the shortname. Although, Next I tried this the correct way and a GUID did not appear. What went wrong Here?

  162. Chelsea

    01.25.2012

    This may seem like a dumb question, but do I have to leave my computer on throughout the cracking process? Or will I be able to turn it off once it starts cracking?

  163. Natcho

    01.29.2012

    Hi, for some reason when I type in .run/john sha1.txt (it is a txt file and before I type stuff it has a script that says “??? -Macbookpro:john root#”) so after I’ve typed this in it decides that “.run/john: no such file in directory”

  164. ryan

    01.30.2012

    Is “(Lotus5 [Lotus v5 Proprietary])” OK for a Mac OS X 10.7 hash?

    Process is currently running with:

    Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])
    guesses: 0 time: 0:00:02:26 (3) c/s: 141620 trying: dc71577
    guesses: 0 time: 0:00:02:46 (3) c/s: 141671 trying: higeit
    guesses: 0 time: 0:00:03:02 (3) c/s: 141848 trying: sapopa1
    guesses: 0 time: 0:00:03:03 (3) c/s: 141873 trying: bomukkl
    guesses: 0 time: 0:00:03:57 (3) c/s: 142278 trying: Syd209
    guesses: 0 time: 0:00:04:07 (3) c/s: 142345 trying: 19mcs3

  165. mark

    02.01.2012

    I read your post on the password hacking and was wondering if you or anyone can help. I recently locked myself out of my Mac with a firmware password. What makes it worse is that I tried to install Snow Leopard on a 2011 MacBook Pro so I deleted my hard drive and upon reboot could not access anything, not even a command line or anything. The only thing that does boot is a Lion DVD until it comes up with a MobileMe lock code. Any ideas on how Apple gets a hash from the firmware screen? Maybe I can then run it through John the Ripper. What’s worse is that everything was fine before this and I even tried installing Lion onto the hard drive using another Mac Pro and popping it back in the new Mac but all I get is a white screen. The firmware lock is my main problem. (Newer Macs’ firmware does not allow anything older than Lion to be installed.)

  166. billy

    02.02.2012

    Good tutorial.

    I found the best way to decrypt my hash was on-line with http://recovermypass.com . It does all the work for you and doesn’t cost that much.

    I tried to crack it myself with JtR but I could not manage. They cracked it in about 30 minutes. I recommend it.

  167. Max

    02.10.2012

    Hi, Jeff. I carried out the process without any trouble until I got to the point where John’s meant to give me the password. I get the correct readout (Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64])
    (student)
    guesses: 1 time: 0:00:00:00 100% (2) c/s: 960 trying: ) but, as you can see from my copy/paste, it’s blank after “trying.” Please send me an e-mail if you have any suggestions. Thanks. Love your site, by the way!

  168. Kent

    02.13.2012

    Hi Jeff, I am lost. What is the base directory? how do I drag the folder into it? Also, my computer automatically unzipped the downloaded John the ripper file and named it john-1.7.3.1-macosx-universal. When I try to open it it automatically comes up with 2 folders and a read me file. The 2 folders are doc and run. If I open the run folder I see something called john. When I open that it brings me to terminal-80×24. At the bottom it says process completed. Am I as lost as I seem? Can you please help?

  169. sam

    02.17.2012

    what do I do if the username I want to hack is two words? the username is sam nesss
    should it be or or or ?

    • sam

      02.17.2012

      sorry. or or or

    • sam

      02.17.2012

      sorry, don’t know what is going on… samnesss or sam nesss or sam-nesss or sam_nesss

  170. Liza

    02.23.2012

    Hey :)
    I’ve gone through the tutorial and right now, I’m waiting for JTR to output a final password, I’m pressing return every so often and it was outputting random strings of 8 characters, in correct format of “guesses: 0 time: 0:20:39:16 (3) c/s: 1232K trying: kzudmee4” and everything. But for a while now, it output 6 character strings of words. Is this normal (for example, is it testing for a double space at the end of the password?)
    I just would like to check if this is normal ^_^

  171. Mr. Hacker

    02.26.2012

    Hi! I really liked the guide, very straightforward and easy to follow. The only thing I didn’t like was the fact that John the ripper would take several lifetimes for it to decrypt the administrator password… I know that’s beyond you guys, but I don’t really care.

    The way we found the administrator password the last time was when the technician was sleepy we asked for the admin and he practically told it to us. Now they changed it and it is far more complicated, and maybe it will take it forever to decrypt the password. Would you recommend an excellent free key logger that does record passwords. And by the way the admin we’re trying to find is the one for our laptops, but the school put admin passwords on them, so nothing illegal at work here.

    Thanks guys for the guide! Really appreciate the work done.

  172. Jake

    02.29.2012

    please help,

    When I press enter after the ./run/john sha1.txt I get this message

    ./run/john sha1.txt
    dyld: Library not loaded: /usr/lib/libcrypto.0.9.7.dylib
    Referenced from: /Users/Fatty/john/./run/john
    Reason: no suitable image found. Did find:
    /usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
    /usr/lib/libcrypto.0.9.7.dylib: no matching architecture in universal wrapper
    Trace/BPT trap

    there are no spelling errors and the text file is in the correct place

    • Jake

      03.01.2012

      MacBook Pro running OS X 10.4.11

  173. A Fan

    03.03.2012

    You rock! Thanks so much for the tutorial – I have learned a lot!!! Still running JTR at 2 days 15hrs but I’m very hopeful. The only problem I ran into was I skipped the cd step to get to JTR but then I went back and read your directions again, they work perfectly when you follow everything. :-)

  174. John Smith

    03.08.2012

    Nice job. I have been looking for a way to do that for a while. I was locked out of my old computer, and now I’m back in.

  175. David

    03.24.2012

    After step 3b, terminal said that the permission is denied…. What should I do?
    Thanks :)

  176. James

    03.29.2012

    Hi! I used this once before, and I’m trying to do it again but… when I type in “./run/john sha1.txt” (without quotations) it just creates a new command line. (“name of computer”: “directory” “login name$”).

    I don’t know what to do.
    Help?

    cheers.

  177. bob

    04.16.2012

    I can’t put my password. What kind of password is it?? Is it the password I used to log in to this account (limited) or the password for the admin??

    Right after I put login root then I place the password of this account (limited) it says login incorrect. Then what???

  178. bob

    04.16.2012

    How do I get the password of the login root???

  179. carey34

    05.02.2012

    Hi This doesn’t seem to work on lion – is there another

  180. Jarod

    05.02.2012

    Hello again,

    I can’t seem to find the “base directory.” Could you please explain that part to me?

  181. Urs Brunner

    05.03.2012

    Thank you a ton, you just saved my day !

  182. mehtab

    05.15.2012

    Hi

    I have managed to get code in hash, but for some reason the hash code in the sha1.txt file does not allow me to run john the on it. My code is

    glen : 58EEB1864EBD4332B94C9AAB2D48DE8D

    Sometimes the terminal responds with a permission denied and sometimes it says something about hash is not correct, and sometimes it just does not allow me to read the files

    Can you just please crack the code for me?

  183. Stefan

    05.18.2012

    I can’t get the hash to work. After I enter the code and the GUID i get it kicked back to me with : no such file or directory

    What am I doing wrong?

  184. Michael

    05.21.2012

    So I got to the very end of the tutorial and then hit a problem I don’t know how to fix..

    ./run/sha1.txt: line 1: michael:594590A0CA35FE42909D3C26A32C968B9D4F5AB12BCBC3B1: command not found
    myMacbooklocal:john michael$

    In the sha1.txt file, I put my username:hashpassword, what went wrong?
    What happened? What should I try differently?

  185. suvik

    05.31.2012

    Hey, I was wondering, for JTR when you give it your sha1.txt file can you tell the program some characters you saw the user typing? For example say I saw the user type in a “pal”, can you type in ./run/john sha1.txt -c pal, or something like that? Please reply and if you don’t understand I would love to clarify it more for you. Thanks.

  186. sam

    06.01.2012

    Well, when I type in the command cat /var/db/shadow/hash/ | cut -c169-216 it comes up with cat: /var/db/shadow/hash/FFF20DFC-83E5-4F3C-BBDA-0DF143A02218: Permission denied. What does this mean? How do I bypass this?

  187. firsthill

    06.06.2012

    Is the hash case-sensitive? When you paste it into your sha-1.txt file, do you have to use “E” instead of “e”… I’ve been running JTR for two days now, and just thought of this potential problem.

    Also, this is called a salted sha-1 hash? Is the user name required to crack it?

  188. Chris

    06.11.2012

    Once I get to step 3b I type all the info exactly and it comes up with permission denied.. idk what to do?

  189. Jeff

    06.28.2012

    Jeff,

    I correctly placed the sha1.txt file in the base directory and all that. I have one question though… when I run .run/john sha1.txt the terminal then says “No password hashes loaded” What have I done wrong?

  190. Patrick

    07.15.2012

    Hello, so I have this strange problem, I did everything like in the tutorial and when I try to run sha1.txt from terminal it says: no such file or directory.

    new-host:~ root# cd john
    new-host:john root# ls
    README doc sha1.txt
    run src
    new-host:john root# ./run/john sha1.txt
    -sh: ./run/john: No such file or directory
    new-host:john root#

    Can someone help?
    thanks.

  191. Oliver

    07.18.2012

    Does John the Ripper have to be in the central directory? Or can it be anywhere?

  192. Joe

    07.24.2012

    I can do all the steps, but when I get to the ./run/john sha1.txt part, I enter it in, but it says no such file or directory :l I cd’ed it properly, but the sha1.txt part is really just not working… help please Jeff ^_^

  193. Joe

    07.24.2012

    okay, um… it says

    Loaded 1 password hash (Mac OS X 10.4+ salted SHA-1 [32/64])
    Crash recovery file is locked: ./run/john.rec

    whuts that? did i screw up somewhere >_>

  194. Steven

    07.28.2012

    I tried using john on a simple password but I got a message that said “Loaded 1 password hash (Lotus5 [Lotus v5 Proprietary])”.

    I used daveGrohl to crack this passwd before, and it only took half a second. John has not cracked it yet and it has been several min.

    Is this normal?

    • Jeff Browning

      07.30.2012

      Is the password a Lion password? John doesn’t currently support cracking Lion passwords (hence the misidentification). You should load your hash into daveGrohl with the -f command:

      cd /Path/To/Dave/Folder
      ./dave -f /Path/To/HashFile.txt

  195. Jason

    07.29.2012

    When I open up terminal while in the temp administrator account, I’m already logged in so it seems. And the dscl localhost -read etc. command does not work. Can’t seem to get around it. Could you help me?
    Just a side thought, this will work on a MacBook just the same, right?

  196. Jack

    08.02.2012

    Okay, so I’ve followed these steps and so far I’ve gone pretty well, but when using John the Ripper I’ve had to switch over to my Windows since on the account I have you need an admin password to unzip downloads and install programmes and so on…

    Anyway, I’m not too savvy with commands, so here’s where I am so far: I’ve unzipped Jack the Ripper to my Desktop, stuck the sha1.txt file into the john-1.7.3.1-win32 folder (I don’t know if I should put it there or in john-1.7.3.1-win32/run). I’ve gone into Command Prompt, gone “cd C:\users\Jack\Desktop\john-1.7.3.1-win32” and then I have the screen:

    c:\users\Jack\Desktop\john-1.7.3.1-win32>

    Now, my problem is I don’t know what to type. “Run” isn’t recognised as a command so I’ve gone with what I believe to be the windows alternative: Start

    So I type in start/john sha1.txt and I get the message “The system cannot find the file john.”

    I’ve tried plenty alternatives: .start, I’ve moved the slashes around to no avail and removing john from “john sha1.txt” just opens it up in notepad (as expected)

    So I’m lost, and I have no idea what I am supposed to do now to fix this and I don’t have a Mac handy as an alternative. Everything else in your tutorial has been great, just on the switchover from Mac to Windows I have become lost.

    Any help that anyone could give me would be appreciated, and please explain it as if I was 10 please, I’m decent with computers but this is not my field, so please don’t presume I know anything about code or commands please :)

    Thanks, Jack.

  197. Methylbutanoate

    08.07.2012

    Hi Jeff,

    First off, thanks for the tutorial, I really appreciate the effort of making these tips accessible to the tech-illiterate types such as myself.

    Now; I’m currently at 3a, Step 2 where you obtain the hash from single-user mode. I managed to get the hash, but it was formatted with a vast quantity of 0’s before and after the code as you described above. Can I ignore these, or is this part of the hash?

    Sorry if this sounds idiotic, I’ve never so much as OPENED terminal in my life.

  198. Patrick J

    08.10.2012

    So I do everything right and everything is going smoothly until the last command. Once I enter the last command it says “no password hashes loaded”. I titled the file right, it’s in the home directory and I put the hash in the sha1.txt file. I made the file in Microsoft Word for Mac 2004

  199. Aman

    08.11.2012

    I keep getting

    Crash recovery file is locked: ./run/john.rec
    At the last step I put cd john then ./run/john sha1.txt and that’s what comes up! Pls help!
    What do I do?

    • duck

      10.08.2012

      Go to Utilities, find Activity Monitor, select My Processes from the drop-down menu, find john under process name, select quit process.
      Hope this helps a bit.

  200. Sean

    08.18.2012

    When I got to the part about making the hash, I got B49A3832F5BB3365F8A6EEDEE59EEFAD2FF936008214A92 surrounded by zeros on both sides (… 000000000000000000000000000B49A3832F5BB3365F8A6EEDEE59EEFAD2FF936008214A920000000000000000 …) I’m assuming that I just use the non-zero block of text?

  201. Dan

    08.22.2012

    To people getting “No password hashes loaded (see FAQ)”, make sure to use the “Pro” or “community-enhanced” (both free to download) versions of John the Ripper.
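
An added example, not part of any comment or of the original guide: a Python check for one `shortname:HASH` line of the `sha1.txt` file discussed in this thread, plus a positional slice matching the `cut -c169-216` command quoted above. It assumes the record John reports as "Mac OS X 10.4+ salted SHA-1" is 8 hex characters of salt followed by the 40-hex SHA-1 of salt plus password; all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# Assumed layout (not stated on this page): 4-byte salt + 20-byte SHA-1 digest.
SALT_HEX, DIGEST_HEX = 8, 40
RECORD_HEX = SALT_HEX + DIGEST_HEX      # 48 characters, the width of cut -c169-216
HEX_DIGITS = set("0123456789abcdefABCDEF")


def slice_record(shadow_text):
    """Take characters 169-216 (1-based, inclusive) by position.

    Trimming the surrounding zeros instead loses digits whenever the
    record itself begins or ends with a 0.
    """
    return shadow_text[168:216]


def diagnose(line):
    """Return the problems found in one 'shortname:HASH' line ([] = well formed)."""
    name, sep, record = line.rstrip("\r\n").partition(":")
    if not sep:
        return ["no 'shortname:' prefix before the hash"]
    problems = []
    if name != name.strip() or record != record.strip():
        problems.append("whitespace around the colon")
    name, record = name.strip(), record.strip()
    if not name:
        problems.append("empty shortname")
    bad = sorted(set(record) - HEX_DIGITS)
    if bad:
        problems.append("non-hex characters: " + "".join(bad))
    if len(record) != RECORD_HEX:
        problems.append("hash is %d hex characters, expected %d"
                        % (len(record), RECORD_HEX))
    return problems


def matches(record, password):
    """Check a password you already know against a record (assumed layout)."""
    if len(record) != RECORD_HEX:
        raise ValueError("record must be %d hex characters" % RECORD_HEX)
    salt = bytes.fromhex(record[:SALT_HEX])        # hex case does not matter here
    expected = bytes.fromhex(record[SALT_HEX:])
    actual = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data, not taken from any real account.
SAMPLE_SALT = "1A2B3C4D"
SAMPLE_RECORD = SAMPLE_SALT + hashlib.sha1(
    bytes.fromhex(SAMPLE_SALT) + b"correct horse").hexdigest().upper()
ENDS_IN_ZERO = "1A2B3C4D" + "F" * 39 + "0"          # a record whose last digit is 0
SAMPLE_SHADOW = "0" * 168 + ENDS_IN_ZERO + "0" * 1024

if __name__ == "__main__":
    print("by position :", slice_record(SAMPLE_SHADOW))
    print("zero-trimmed:", SAMPLE_SHADOW.strip("0"))
    for line in ("admin:" + SAMPLE_RECORD, "admin : " + "A" * 32, SAMPLE_RECORD):
        print(repr(line[:24] + "..."), "->", diagnose(line) or "ok")
    print("known password matches:", matches(SAMPLE_RECORD, "correct horse"))
```

A record that is not exactly 48 hex characters after the colon is reported as a length problem, which is what a zero-trimmed value or a different hash type looks like to this check.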

  202. Sean12

    08.27.2012

    After 3B and I press enter to get the other hash it says this

    cat: /var/db/shadow/hash/61BB4306-A85B-496D-863E-23603FFEF249: Permission denied

    what do I do?

  203. Massimo

    08.27.2012

    I can’t get step 3b to work. There’s always a syntax error at | cat …
    Why doesn’t it work?

  204. Herman

    09.02.2012

    I get a message saying “no password hashes loaded” when i finally type “./run/john sha1.txt”

    WHAT DO I DO WRONG?
    I HAVE DONE THIS BEFORE AND THEN IT WORKED

  205. Jonathan

    09.14.2012

    Just wondered if anyone is still getting the launch_msg(): Socket is not connected error. I am attempting to generate the GUID from Single-User mode but cannot run the relevant command until dscl is enabled.

    I have mounted the drive as well as withheld ‘Local’ in the Directory Services command. Just keep getting the same errors.

  206. Rose

    09.18.2012

    hi there,
    I’m trying to crack the admin password on a used Mac 10.5.8 from an unlocked account on the same computer. I can’t get past step 1 though, because when I put in the code to find the GUID, it says
    DS Error: -14136 (eDSRecordNotFound)
    I’ve tried typing the admin name every way I can think of, but it doesn’t work. What does this mean???

  207. Liam

    09.20.2012

    What do you do if you don’t have root access or the ability to go into SUM (my school IT put firmware on our Macs) XC

  208. toczenie

    09.29.2012

    Everyone loves it when folks come together and share ideas.
    Great site, stick with it!

  209. duck

    10.08.2012

    Hey Jeff,

    I found some numbers in key chain under admin titled Sha1, is that it? john is working hard on it and my CPU, no guesses so far.

  210. Sheldon

    10.21.2012

    Hi,

    Thanks for the tutorial, which is crystal clear.

    “John the Ripper” is now already running 20 days… and in fact I need to upgrade the software of my iMac and restart my machine…
    Is there a way to pause and resume “John the Ripper” or do I need to start all over again and lose the 20 days?
    Any other suggestions to speed up the cracking?

    Regards,
    Guy

  211. XplozionMan

    10.22.2012

    Hey. I was just wondering… is there any way of deciphering the hash rather than attacking it, brute force? It’s just that, if you use a good password like “good#578paS$”, or something like that, even if you go 10,000 hits/second it could take a month to decrypt.

    So, also, I was looking at this tutorial linked from the “ssh take control of someone’s computer” tutorial, and I was wondering if there was any way of bypassing it without even having to get the password.

  212. Someone

    11.10.2012

    I have had my mac running now for 3 days, almost 4 straight with no result yet. Is that normal?

  213. TORmanaTOR

    12.03.2012

    Hey all, I have been having an issue with john being lazy, it seems I have to push him to keep going and he will not run on his own.

    I only get results when I am holding down a key, if I stop holding the key john stops working and sits idle.

    Any ideas on how to get john to work on his own before I kick his ass?

  214. Jacob

    12.04.2012

    Thank you so much!
