nOOb help

[mh1]

Sorry Karamba, I'm not experienced enough to feel comfortable running that script. I really don't know enough about any of this to do it. I've never used Linux before, I'm basically a windows 7 user with a need to discreetly crack a password on a MacAir running OS X 10.11 and I don't want to do something that screws up my Windows machine or the target Mac machine, especially since I don't know code (unless you can point me in the direction of a tutorial that would help me figure out what I'm doing). Thx for your suggestion though.

That said, I feel like I've been getting closer to cracking it, but I'm still running into some frustrations, so I'll post a few of the angles I've tried with the results and see if anybody has pointers.

1: Several weeks ago, I had what seemed initially like a break through and was able to extract what looked like the hash that was removed from my first post in this thread, by using this command that I found on a website (althought I've since tried this same command on the same target machine and gotten this error msg: "the domain/default pair of (/Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default/user/mxxxxxxh.plist, ShadowHashData) does not exist"

The command was:
-bash-3.2# defaults read /Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default/users/matthish.plist ShadowHashData|tr -dc 0-9a-f|/Volumes/Macintosh\ HD/usr/bin/xxd -r -p|/Volumes/Macintosh\ HD/usr/bin/plutil -convert xml1 - -o -

It originally produced the ShadowHashData which had two sections, the first of which included:
key SALTED-SHA512-PBKDF2
entropy <data>
iterations <data>
and salt <data>

the second section included:
key SRP-RFC5054-4096-SHA512-PBKDF2
iterations <data>
salt <data>
verifier <data>

I'm assuming I'm supposed to use the first section with entropy, iterations, and salt as the hashes to collate and run through hashcat, NOT the second part with iterations, salt, and verifier, correct?

(At this point can someone explain to me how to post/mask a hash for people to view to help me without getting into trouble? Do I just need to manually change a few characters so they aren't visible?)

Question, what format are the data portions of this section in? And how can I tell what format they are in? Binary? Base64? Already in Hex. Then how do I get it into Hex (if not already) if I have to work on a Windows 7 machine?

Something else I tried was I ran the collated hash Philsmd recommended above "$ml$32894$f75ad5635a1bad19b0ae22efd80f1765a5d132254aeeadfb0b01f6367ba4fa07$4bdfe8db60c785ff662f28f9f07a53db5bb58939e930a345d51329d0bcaae97d0dc72a141f5f9f96ca1d08aac6a7923d50b84668db789ffbb3952dad8f696144" through hashcat on a dictionary attack with rockyou.txt wordlist and it returned two Hex results

$Hex[2321676f7468] -> $Hex[042a0337c2a156616d6f732103]
that when I ran through an online Hex converter gave me the password: "#!goth*" and "7¡Vamos!"
which didn't work and I wouldn't even know how to type in those weird characters    anyway. Thoughts on this? Also how do I make sure hashcat spits out text results and not Hex results? or does it matter?

The last thing I tried was just to copy the .plist onto a thumb drive and it worked, I now have it on a thumb drive and I opened it in on my Windows 7 machine in Note++ to reveal the ShadowHashData data section, but now I don't know what format that ShadowHashData is in or how to convert it into something I can work with on my Windows 7 machine with hashcat.

I apologize ahead of time if I accidentally violated any forum etiquette, I read the rules Philsmd linked me to, so I think I did everything correctly. Thanks also for any feedback.