This guide outlines the steps required to acquire the password of a local Mac OS X account. The procedure is a bit command heavy but should be relatively straightforward.
The full guide is written below, but I’ve also put together a screencast on our YouTube channel (embedded below) to walk you through the process; feel free to skip it and read on.
- A computer running 10.6 Snow Leopard, 10.5 Leopard, or 10.4 Tiger (we have Mountain Lion 10.8 in a separate guide, and another one for Lion 10.7)
- Either the ability to boot into single-user mode or to log in using the root password. (If the computer has a firmware password be sure to check out our accessing single-user mode guide.)
- Access to an account on the computer you are trying to access. (Administrator account, a limited account, or even a network account. You just need to be able to open up terminal.)
1. Log in and open Terminal.
Log into any account on the computer and open the Terminal application, which can be found at /Applications/Utilities/Terminal.app.
2. Finding the GUID (Globally Unique Identifier)
You first need to find the account’s Globally Unique Identifier (GUID). It identifies the user to the Mac OS X authentication system and is also the name of the shadow file in which the password hash is stored. Depending on your version of OS X, enter one of the following commands:
If you are using 10.5 Leopard or 10.6 Snow Leopard enter this command:
dscl localhost -read /Search/Users/<username> | grep GeneratedUID | cut -c15-
If you’re on a 10.4 Tiger machine, enter this command:
niutil -readprop . /users/<username> generateduid
In both cases replace <username> with the short name of the account you want to find the password for (e.g. root). You should get a value that looks like A66BCB30-2413-422A-A574-DE03108F8AF2. This is the GUID. Write it down; we’ll need it later on.
3. Obtaining the Password Hash
Password hashes are the stored, one-way form of the user’s password. When the user enters their password to log in, the computer combines it with a stored salt and runs it through SHA1 to produce a salted SHA1 hash, which it compares against the hash stored on the computer. If they match, the computer logs you in. We will be using the same method the computer uses to check a login to crack the password.
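To make the check described above concrete, here is an added Python illustration (not code from the original guide or from Apple) of the 10.4+ salted SHA1 layout as the guide presents it: a 4-byte salt prepended to the password, hashed with SHA1, and stored as the hex salt followed by the hex digest (8 + 40 = 48 hex characters, matching the 48-column slice taken in step 3b). The salt value, password and function names are constructed for the example. The point for a defender is that a salt only stops precomputed tables and hash reuse across accounts; it does nothing to slow guessing against a single extracted hash, so the password’s own strength is the only thing protecting it once the shadow file has been read.

```python
import hashlib
import hmac
import os

# Layout assumed from the guide: 4-byte salt || password -> SHA1,
# stored as hex(salt) + hex(digest) = 48 hex characters.
SALT_BYTES = 4

def salted_sha1(password: str, salt: bytes) -> str:
    """Return the 48-char uppercase hex string: hex(salt) + hex(SHA1(salt || password))."""
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return (salt.hex() + digest).upper()

def make_hash(password: str) -> str:
    """What happens when a password is set: a fresh random salt is chosen per account."""
    return salted_sha1(password, os.urandom(SALT_BYTES))

def split_stored(stored: str) -> tuple:
    """Split a stored 48-hex value into (salt bytes, hex digest); rejects malformed input."""
    stored = stored.strip().upper()
    if len(stored) != 2 * SALT_BYTES + 40 or any(c not in "0123456789ABCDEF" for c in stored):
        raise ValueError("expected 48 hexadecimal characters")
    return bytes.fromhex(stored[: 2 * SALT_BYTES]), stored[2 * SALT_BYTES :]

def verify(stored: str, candidate: str) -> bool:
    """The login check: re-hash the candidate with the *stored* salt and compare in constant time."""
    salt, _ = split_stored(stored)
    return hmac.compare_digest(salted_sha1(candidate, salt), stored.strip().upper())

if __name__ == "__main__":
    # Constructed example values; not taken from any real system.
    stored = salted_sha1("correct horse", bytes.fromhex("0A0B0C0D"))
    print("stored value :", stored)
    print("right password:", verify(stored, "correct horse"))
    print("wrong password:", verify(stored, "Correct horse"))
    # Two accounts with the same password get different stored values because the salt differs.
    print("same password, different salts:", make_hash("shared") != make_hash("shared"))
```

Run it as a script to see the 48-character value and the two checks; the only thing the salt changes between the two accounts at the end is the stored string, not how many guesses it takes to test one candidate.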
To obtain the password hashes, we need root access. If you have the root password, just log in as the root user through Terminal: type login root, enter the root password when prompted, and then continue to Step 3b. However, if you aren’t lucky enough to have the root password, you’ll need to boot into single-user mode.
3a. Booting in Single User Mode
To boot into single-user mode, restart the computer. When you hear the startup chime, hold down CMD+S. Soon you should see a black screen with a lot of white text. If single-user mode is locked, follow one of our other guides on how to gain access.
3b. Obtaining the Hash
Enter the following into the command line, replacing <GUID> with the GUID you wrote down from Step 2.
cat /var/db/shadow/hash/<GUID> | cut -c169-216
After running the command, it should print a 48-character hexadecimal string. This is the salted SHA1 hash.
4. Decrypting the Hash
At this point you need access to another computer (it could be the same computer, if you have access to it for a long time), where we will use the application “John the Ripper” (“John”) to crack the hash. John uses brute force to determine what the password is in cleartext: it systematically generates candidate passwords, hashes each one into the salted SHA1 form, and checks the result against the hash you found to see whether the password matches.
Download John the Ripper, open the zip file, and drag the “John the Ripper” folder into your home directory. Now it gets a little tricky, so be sure to follow the instructions carefully.
4a. Create a Text File Containing the Hash
Create a text file in your John the Ripper folder called sha1.txt. This file should contain the username and the hash. So if I wanted to find the password for the account crackMe, inside sha1.txt I would see:
4b. Navigating to John the Ripper
Now open the Terminal application and change into the directory of your John the Ripper folder. If you followed the directions and put the folder in your home directory, the command should be:
If you decided to be a rebel and left the John the Ripper folder in a different directory, just type the full path to that directory instead.
4c. Cracking the Password with John the Ripper
All that is left is to load the hash into John. To do so, type the following terminal command:
If John loads the hash successfully, you’ll get a message in the form of:
Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64]
Depending on the complexity of the password, this process could take anywhere from a second to a day, so be patient. When John is successful at cracking the hash, it will display something along the lines of:
password (crackMe) guesses: 1 time: 0:00:00:00 100% (2) c/s: 153000 trying: password
Any text after trying: should be the password.
The contents of this guide are for educational use only. For more information, see our Disclaimer.