Help needed cracking a Mac password
#1
Hi, I'm new to this and trying to crack the password on my old laptop running MacOS El Capitan
I've followed guides and believe I have the hash which I extracted from the username.plist, but I can't figure out how to get Hashcat to decrypt it
Can anyone help?

The code I'm trying to feed into Hashcat is:

$ml$27855$0f00d525e3c304eb2f7364b649e644c5b52d7ec9436c05e98bc71662601da9c9$43da1a97b943dd7cca9a5702d11e3a8befc0e3803428a9d05f7d01aff774c91e6f7d97fdb67dd2191554a00dcd03b2c1fd7898ddcf77f33714f058a7bd1c4cc15523dd707cb76c9ba37c57399f1721dfe5d209c5128b9549a46ae804f1cbcf929a429664fe6e8e1c931eb59899b3038ae722d9d4ea66b6da2f550b6bc5ba5558

The main hash I extracted is 256 characters and the salt is 64 Characters.

I've downloaded plist2hashcat incase I made a mistake extracting the info from the username.plist, but have no idea how to use it and can't find any instructions. Do I need to compile it into an app somehow?

Also wondering how rules work, as I know the password is probably less than 8 lowercase letters and definitely ends with 321 

Thanks!
#2
The exact same problem and solution are explained here.
https://hashcat.net/forum/thread-7792.html

The plist2hashcat is a script, so you need to run it. Do some research how. You'll learn a lot. Wink

In order to understand rules, begin here.
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Lowercase and appending 321 will be:
Code:
l $3 $2 $1
#3
(01-07-2019, 12:18 PM)Karamba Wrote: The exact same problem and solution are explained here.
https://hashcat.net/forum/thread-7792.html

The plist2hashcat is a script, so you need to run it. Do some research how. You'll learn a lot. Wink

In order to understand rules, begin here.
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Lowercase and appending 321 will be:
Code:
l $3 $2 $1

Thanks, yes I spent all weekend researching and got to the point where I seem to have correctly extracted and edited all the has data from the plist. What I'm feeding hash cat though says it will take '73 days' to complete so I'm trying to get some rules in place and don't have access to maskprocessor since it seems there's no Mac build. I realise I'm using attack type 3 (Brute Force).

What I'm feeing into Hashcat is:

./hashcat -a 3 -m 7100 /Users/username/hashcat/hash.txt ?l?l?l?l?l?l?l321 /Users/username/hashcat/dic/lower.txt --potfile-path /tmp/cracked_hash.pot

Hashcat runs and displays:

Session..........: hashcat

Status...........: Running

Hash.Type........: macOS v10.8+ (PBKDF2-SHA512)

Hash.Target......: $ml$27855$0f00d525e3c304eb2f7364b649e644c5b52d7ec94...1c4cc1

Time.Started.....: Mon Jan  7 16:08:16 2019 (12 secs)

Time.Estimated...: Wed Mar 20 14:10:50 2019 (71 days, 22 hours)

Guess.Mask.......: ?l?l?l?l?l?l?l321 [10]

Guess.Queue......: 1/1 (100.00%)

Speed.#2.........:      646 H/s (8.73ms) @ Accel:8 Loops:4 Thr:256 Vec:1

Speed.#3.........:      646 H/s (8.72ms) @ Accel:8 Loops:4 Thr:256 Vec:1

Speed.#*.........:     1293 H/s

Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts

Progress.........: 0/8031810176 (0.00%)

Rejected.........: 0/0 (0.00%)

Restore.Point....: 0/308915776 (0.00%)

Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:5268-5272
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:5268-5272


What I'm trying to do is tell Hashcat to do a dictionary attack, and tell it that the password is formed of between 6 and 9 lower case letters followed by 321 but when I choose different attack modes, it gives me ?l?l?l?l?l?l?l321: No such file or directory.
#4
Don't create multiple threads for basically the same issue
https://hashcat.net/forum/thread-8057-post-43265.html