12-07-2021, 03:13 AM
I'm trying to recover a lost password on a Mac OSX Snow Leopard (10.6.8 I believe) computer, but I'm having no luck trying to figure out how to convert the encoded password string into a form hashcat can use. (I'm also at the very bottom of a hashcat learning curve.) I see it says that mode 122 works against these passwords. I can access the user's plist file by mounting the hard drive on my Linux machine. The plist file contains an "authentication_authority" key with a two-element array as a value. The second element of that array appears to be the encoded password. It looks like this:
The two <hexdata> elements are perhaps salt and password? I found a program called hashdump.py which purports to massage Mac OSX password plist files for use by hashcat, but it appears to be aimed at a later version of Mac OSX and has no comments to describe the logical steps it's performing. Consequently, I can't quite figure out what it's doing.
I've taken a couple blind stabs at simply extracting parts of that Kerberosv5 line but just get token length exceptions. I've so far tried
Looking at the Algorithms section of the --help output, it seems the format 120 (sha1($salt.$pass)) is similar to what I might need, so I tried that (or rather, took a stab at trying that). Those are the last couple formatting attempts in the block above. Instead of "token length" errors I got "Separator unmatched." Maybe I'm moving slowly in the right direction, but I'm still pretty much stumbling around in the dark and could use some advice.
Is there some straightforward recipe to convert the above encoded password data into something hashcat can munch on? I just have the one password to crack, so doing it manually is fine.
Code:
<key>authentication_authority</key>
<array>
<string>;ShadowHash;</string>
<string>;Kerberosv5;;<username>@LKDC:SHA1.<hexdata>;LKDC:SHA1.<hexdata>;</string>
</array>The two <hexdata> elements are perhaps salt and password? I found a program called hashdump.py which purports to massage Mac OSX password plist files for use by hashcat, but it appears to be aimed at a later version of Mac OSX and has no comments to describe the logical steps it's performing. Consequently, I can't quite figure out what it's doing.
I've taken a couple blind stabs at simply extracting parts of that Kerberosv5 line but just get token length exceptions. I've so far tried
Code:
SHA1.<hexdata>;SHA1.<hexdata>
<hexdata>.<hexdata>
SHA1(<hexdata>.<hexdata>)
SHA1($<hexdata>.$<hexdata>)Looking at the Algorithms section of the --help output, it seems the format 120 (sha1($salt.$pass)) is similar to what I might need, so I tried that (or rather, took a stab at trying that). Those are the last couple formatting attempts in the block above. Instead of "token length" errors I got "Separator unmatched." Maybe I'm moving slowly in the right direction, but I'm still pretty much stumbling around in the dark and could use some advice.
Is there some straightforward recipe to convert the above encoded password data into something hashcat can munch on? I just have the one password to crack, so doing it manually is fine.
