How to crack SHA1 hash with salt?
#1
Hello,

I am trying to recover an iMac account login password but I keep getting a Token Length Exception. I've already obtained the hash file but can't tell which characters are the salt (This password is for an iMac that has Mac OSX 10.6.8 btw). I don't even know if there's a salt at all. A short description of the file: the hash is surrounded by 0's. I've tried running the following commands with no luck:
  • hashcat -m100 -a3 filetocrack.txt (Excluded the salt, which I think is 8 zeroes)
  • hashcat -m110 -a3 filetocrack.txt (Included the salt, I tried writing it like this for all commands -> hash:salt & salt:hash)
  • hashcat -m120 -a3 filetocrack.txt
  • hashcat -m130 -a3 filetocrack.txt
I have no idea what I'm missing. Can someone help me please?
#2
Make sure your hash has the format as seen on https://hashcat.net/wiki/doku.php?id=example_hashes

Also note that OSX hashes have specific hash modes.
#3
For macOS v10.6, the user-password is stored in /var/db/shadow/hash/GUID_of_your_user.
(The correct GUID can be found in the /private/var/db/dslocal/nodes/Default/users/[yourusername].plist)

Open that file with a hex viewer, and you should find the salted SHA1.

When looking at https://hashcat.net/wiki/doku.php?id=example_hashes, you'll see that you need -m 122 in order to crack it.
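Added example, not part of the original thread and not hashcat's own code: a Python check of the single-token line format for the mode named in post #3, showing why a zero-padded line or a salt:hash line does not fit it. The layout (8 hex characters of salt followed by a 40-character SHA-1 of salt plus password) and all function names are assumptions, and the sample values are constructed.

```python
import hashlib
import hmac
import re

# Assumed layout of one -m 122 line: 8 hex chars of salt (4 raw bytes)
# followed by 40 hex chars of SHA-1(salt || password), no separator.
SALT_HEX, DIGEST_HEX = 8, 40

def diagnose(line):
    """Return 'ok' or the reason a line would not parse as one 48-hex token."""
    token = line.strip()
    if ":" in token:
        return "contains ':' (salt and digest must be concatenated, not separated)"
    if not re.fullmatch(r"[0-9A-Fa-f]*", token):
        return "contains non-hex characters"
    if len(token) != SALT_HEX + DIGEST_HEX:
        return f"length {len(token)}, expected {SALT_HEX + DIGEST_HEX}"
    return "ok"

def split_line(line):
    """Split a valid line into (salt_bytes, digest_bytes)."""
    reason = diagnose(line)
    if reason != "ok":
        raise ValueError(reason)
    token = line.strip()
    return bytes.fromhex(token[:SALT_HEX]), bytes.fromhex(token[SALT_HEX:])

def build_line(salt, password):
    """Build a line for a known salt and password (used to make test data)."""
    if len(salt) != SALT_HEX // 2:
        raise ValueError("salt must be 4 bytes")
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return (salt.hex() + digest).upper()

def matches(line, password):
    """True if the known password reproduces the digest stored in the line."""
    salt, digest = split_line(line)
    candidate = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Constructed sample: salt and password are made up for this example.
    good = build_line(bytes.fromhex("1a2b3c4d"), "correct horse")
    padded = "0" * 16 + good + "0" * 16   # digest left inside zero padding
    split = good[:8] + ":" + good[8:]     # the salt:hash form tried in post #1
    for name, line in (("good", good), ("padded", padded), ("split", split)):
        print(name, "->", diagnose(line))
    print("known password matches:", matches(good, "correct horse"))
```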
#4
(01-20-2021, 12:04 AM)johnmap007 Wrote: Hello,

I am trying to recover an iMac account login password but I keep getting a Token Length Exception. I've already obtained the hash file but can't tell which characters are the salt (This password is for an iMac that has Mac OSX 10.6.8 btw). I don't even know if there's a salt at all. A short description of the file: the hash is surrounded by 0's. I've tried running the following commands with no luck:
  • hashcat -m100 -a3 filetocrack.txt (Excluded the salt, which I think is 8 zeroes)
  • hashcat -m110 -a3 filetocrack.txt (Included the salt, I tried writing it like this for all commands -> hash:salt & salt:hash)
  • hashcat -m120 -a3 filetocrack.txt
  • hashcat -m130 -a3 filetocrack.txt
I have no idea what I'm missing. Can someone help me please?

(01-20-2021, 01:25 PM)Karamba Wrote: For macOS v10.6, the user-password is stored in /var/db/shadow/hash/GUID_of_your_user.
(The correct GUID can be found in the /private/var/db/dslocal/nodes/Default/users/[yourusername].plist)

Open that file with a hex viewer, and you should find the salted SHA1.

When looking at https://hashcat.net/wiki/doku.php?id=example_hashes, you'll see that you need -m 122 in order to crack it.

I got it. Thanks! But why did I need a hex viewer? I was able to print the hash from the terminal with cat. Also, since I don't have the right computer to do this (because I don't have good hardware), I won't be able to crack it, otherwise my fan will scream and the cracking speed will take years.