DECRYPT OS X USER ACCOUNT PASSWORDS - Printable Version
Tricks Duniya - ONLINE SHOPPING GUIDE, MOBILE TRICKS, ANDROID TRICKS, HACKING (http://tricksduniya.com)
Forum: RULEBRAKER ZONE (http://tricksduniya.com/forum-3.html)
Forum: Ethical Hacking (http://tricksduniya.com/forum-8.html)
Thread: DECRYPT OS X USER ACCOUNT PASSWORDS (/thread-1573.html)
DECRYPT OS X USER ACCOUNT PASSWORDS - Pammy - 05-12-2015

PROCEDURE

1. LOG IN AND OPEN TERMINAL

Log into any account on the computer and open up the Terminal application. This application can be found at /Applications/Utilities/Terminal.app

2. FINDING THE GUID (GLOBALLY UNIQUE IDENTIFIER)

You first need to find out the Globally Unique Identifier. This identifies the user to the Mac OS X authentication system, and is the name of the shadow file in which the password is contained. Depending on your version of OS X, enter one of the following commands:

If you are using 10.5 Leopard or 10.6 Snow Leopard enter this command:

Code:
dscl localhost -read /Search/Users/<username> | grep GeneratedUID | cut -c15-

If you're on a 10.4 Tiger machine, enter this command:

Code:
niutil -readprop . /users/<username> generateduid

In both cases replace <username> with the shortname of the account you want to find the password for (i.e. admin or root). You should get a value that looks like A66BCB30-2413-422A-A574-DE03108F8AF2. This is the GUID. Write it down; we'll need it later on.

3. OBTAINING THE PASSWORD HASH

Password hashes are the encrypted form of the user's password. When the user enters their password to log in, the computer encrypts it using an encryption scheme to create a salted SHA1 hash, which it checks against the stored hash in the computer. If they match, the computer logs you in. We will be using the same method the computer uses to authenticate the login to crack the password.

To obtain the password hashes, we need root access. If you have the root password just login as the root user through terminal: type login root, enter the root password when prompted and then continue to Step 3B. However, if you aren't lucky enough to have the root password you'll need to boot into single-user mode.

3A. BOOTING IN SINGLE USER MODE

To boot into single-user mode restart the computer. When you hear the start up chime hold down CMD+S. Soon you should see a black screen with a lot of white text appear. If single-user mode is locked follow one of the other guides on how to gain access.

3B. OBTAINING THE HASH

Enter the following into the command line, replacing <GUID> with the GUID you wrote down from Step 2.

Code:
cat /var/db/shadow/hash/<GUID> | cut -c169-216

After running the command, it should spit back out a hash that's formatted like this:

Code:
33BA7C74C318F5D3EF40EB25E1C42F312ACF905E20540226

4. DECRYPTING THE HASH

At this point, you need access to another computer (could be the same computer, if you have access for a long time), where we will use the application "John the Ripper" ("John") to decrypt the hash. John will use 'brute force' to determine what the password is in cleartext. That means that the application will systematically generate passwords, encrypt them into the salted SHA1 hash, and check them against the hash you found to see if the password matches. Open up the zip file and drag the "John the Ripper" folder into your base directory. Now it gets a little tricky so be sure to follow the instructions correctly.

4A. CREATE A TEXT FILE CONTAINING THE HASH

Create a text file in your John the Ripper folder called sha1.txt. Inside this file you should have the username and the hash. So if I wanted to find the password for the account crackMe, inside sha1.txt I would see:

Code:
crackMe:33BA7C74C318F5D3EF40EB25E1C42F312ACF905E20540226

4B. NAVIGATING TO JOHN THE RIPPER

Now you need to open up the terminal application and navigate into the directory of your John the Ripper folder. If you followed the directions and put the folder into your base directory the command should be:

Code:
cd /name_of_your_john_folder/

If you decided to be a rebel and leave the John the Ripper folder in a different directory, you just need to type in the full path to the directory.

4C. CRACKING THE PASSWORD WITH JOHN THE RIPPER

All we have left is to load the hash into John. To do so, type in the following terminal command:

Code:
./run/john sha1.txt

If John is successful in decrypting the hash, you'll get a message in the form of:

Code:
Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64]

Depending on the complexity of the password this process could take anywhere from a second to a day, so be patient. When John is successful at cracking the hash, it will display something along the lines of:

Code:
password (crackMe) guesses: 1 time: 0:00:00:00 100% (2) c/s: 153000 trying: password

Any text after trying: should be the password.