hashcat Forum
MacOSX plist file format conversion - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: MacOSX plist file format conversion (/thread-10505.html)



MacOSX plist file format conversion - smontanaro - 12-07-2021

I'm trying to recover a lost password on a Mac OSX Snow Leopard (10.6.8 I believe) computer, but I'm having no luck trying to figure out how to convert the encoded password string into a form hashcat can use. (I'm also at the very bottom of a hashcat learning curve.) I see it says that mode 122 works against these passwords. I can access the user's plist file by mounting the hard drive on my Linux machine. The plist file contains an "authentication_authority" key with a two-element array as a value. The second element of that array appears to be the encoded password. It looks like this:

Code:
<key>authentication_authority</key>
<array>
    <string>;ShadowHash;</string>
    <string>;Kerberosv5;;<username>@LKDC:SHA1.<hexdata>;LKDC:SHA1.<hexdata>;</string>
</array>

The two <hexdata> elements are perhaps salt and password? I found a program called hashdump.py which purports to massage Mac OSX password plist files for use by hashcat, but it appears to be aimed at a later version of Mac OSX and has no comments to describe the logical steps it's performing. Consequently, I can't quite figure out what it's doing.

I've taken a couple blind stabs at simply extracting parts of that Kerberosv5 line but just get token length exceptions. I've so far tried

Code:
SHA1.<hexdata>;SHA1.<hexdata>
<hexdata>.<hexdata>
SHA1(<hexdata>.<hexdata>)
SHA1($<hexdata>.$<hexdata>)

Looking at the Algorithms section of the --help output, it seems the format 120 (sha1($salt.$pass)) is similar to what I might need, so I tried that (or rather, took a stab at trying that). Those are the last couple formatting attempts in the block above. Instead of "token length" errors I got "Separator unmatched." Maybe I'm moving slowly in the right direction, but I'm still pretty much stumbling around in the dark and could use some advice.

Is there some straightforward recipe to convert the above encoded password data into something hashcat can munch on? I just have the one password to crack, so doing it manually is fine.


RE: MacOSX plist file format conversion - Banaanhangwagen - 12-07-2021

For Mac OSX Snow Leopard, you'll find the hash to crack in the file /var/db/shadow/hash/GUID_of_your_user.

You should find a salted-SHA1, which you can crack with -m 122.


RE: MacOSX plist file format conversion - smontanaro - 12-08-2021

(12-07-2021, 11:35 AM)Banaanhangwagen Wrote: For Mac OSX Snow Leopard, you'll find the hash to crack in the file /var/db/shadow/hash/GUID_of_your_user.

You should find a salted-SHA1, which you can crack with -m 122.

Sweet, thanks! I guess I was too distracted by what I saw in the file I referenced to consider looking elsewhere. Moth to a flame?

I now have it at least running without error. Now to actually try exercising hashcat to crack the password.