Posts: 3
Threads: 1
Joined: Feb 2026
I have a 2013 iMac with 2 user accounts on it. I know the password for one user account, the other I do not.
I obtain an image of the mac using CAINE.
I was able to decrypt 632GB of data from that image.
The user account that has the unknown password...can I obtain a password list from the various keychain databases? Or any useful information what so ever?
Posts: 181
Threads: 6
Joined: Mar 2018
Since you have a non-encrypted image of the device, you can try to crack the user password by extracting the login-hash from the correct user-plist file...or (and this one is much faster) by extracting the keychain-hash from the login.keychain of that user.
Since there is a high probability that the user used the same password for login and keychain, I would try the keychain-hash. Do not forget the --keep-guessing in order to tackle the false positives.
You can obtain the content of the keychain of your first user with some dedicated (commercial) tools, like Chainbreaker.
Posts: 3
Threads: 1
Joined: Feb 2026
So, the login.keychain from the user account that I do not have the password for..I do have that file, but it is encrypted. You are saying I can get the hash of that file and perform a dictionary attack ect. of that hash with hashcat?
My question now, how do I obtain a hash for that? It is not just like the MD5 of the file correct? Can I use chainbreaker to obtain that, then use hashcat on that hash?
Posts: 181
Threads: 6
Joined: Mar 2018
Posts: 3
Threads: 1
Joined: Feb 2026
(11 hours ago)Banaanhangwagen Wrote: https://github.com/openwall/john/blob/bl...in2john.py
So use that to get the hash for the keychain, then use hash cat on that
