25 Rue de Cîteaux, 75012 Paris

How to extract hashes and crack Mac OS X Passwords

Une Technologie à la secours de vos mots de passe perdus

How to extract hashes and crack Mac OS X Passwords

This page will help you to know how to extract hashes from OS X systems and crack them.




This page will help you to retrieve/extract the hash associated to an OSX account. We tried to enumerate all the OS X flavors available, but this article is still « in beta » depending on the new OS X versions.
Once the hash is extracted, you can send it here and we will try to recover it.


OS X 10.0 (Cheetah)

The same as in 10.2 (Jaguar). See below.


OS X 10.1 (Puma)

The same as in 10.2 (Jaguar). See below.


OS X 10.2 (Jaguar)

Dump the hash :

nidump passwd . | grep username | cut -d':' -f2

This hash is created using the Unix DES Crypt(3) function, where the password is first truncated to 8 characters.

OS X 10.3 (Panther)

First find out a users’ GUID:

niutil -readprop . /users/username generateduid

Next take that GUID and dump the hash file

cat /var/db/shadow/hash/GUID

The first 64 characters are the NTLM hash (first 32 NT, next 32 LM) and the last 40 characters are the SHA1 hash.

OS X 10.4 (Tiger)

You can obtain the GUID just as in 10.3 (Panther). See above.
After obtaining the GUID, you can dump the passwords just as in 10.5 (Leopard). See below.


OS X 10.5 (Leopard) + OS X 10.6 (Snow Leopard)

First find a users’ GUID:

dscl localhost -read /Search/Users/username | grep GeneratedUID | cut -c15-

After getting the GUID you can dump various hashes. By default the only hash stored is the salted SHA1. If the user has turned on SMB file sharing then the NTLM hash will also be stored.
If you upgraded from 10.3->10.4->10.5 then the zero salted SHA1 is also stored.

Salted SHA1 (first 8 characters are the salt)

cat /var/db/shadow/hash/GUID | cut -c105-152

Zero-Salted SHA1 (first 8 characters are the salt and will always be all zeros)

cat /var/db/shadow/hash/GUID | cut -c169-216

NTLM (first 32 characters are NT, next 32 are LM)

cat /var/db/shadow/hash/GUID | cut -c-64

OS X 10.7 (Lion)

Use this tutorial


OS X 10.8 (Mountain) & 10.9 (Mavericks) & 10.10 (Yosemite)

The shadow files are stored on the filesystem at /var/db/dslocal/nodes/Default/users/%user%.plist.
They are in plist format so you’ll need to use the plutil command to view them or use the defaults command to extract/write specific keys if desired.
Only the root user has access to the files.
To view the contents of a shadow file for a user:

sudo plutil -p /var/db/dslocal/nodes/Default/users/%username%.plist

To get the hash:

sudo defaults read /var/db/dslocal/nodes/Default/users/%username%.plist ShadowHashData|tr -dc 0-9a-f|xxd -r -p|plutil -convert xml1 - -o -

Where %username% in the above example is the user you’re looking for the hash for.

Finally the wanted hash starts with « $ml$ » and length is 203 characters.Few links to help you :
script to automate the process (.app).


OS X 10.11 (El Capitan)

The hashes of the users are stored in:


To get the hash:

sudo defaults read /var/db/dslocal/nodes/Default/users/%user%.plist ShadowHashData | tr -dc '0-9a-f ' | xxd -p -r | plutil -convert xml1 - -o -

or directly through directory services:

sudo dscl . read /Users/%user% AuthenticationAuthority
sudo dscl . read /Users/%user% dsAttrTypeNative:ShadowHashData





Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *