How can I access the encrypted value of a local user account password in osx? Would it be possible to check against it or even copy it to another account?
Macos – Mac user account passwords stored
macmacososx-snow-leopardSecurityuser-accounts
macmacososx-snow-leopardSecurityuser-accounts
How can I access the encrypted value of a local user account password in osx? Would it be possible to check against it or even copy it to another account?
Best Answer
The hashes were in
/var/db/shadow/hash/
in 10.6 and earlier, but they are stored in/var/db/dslocal/nodes/Default/users/username.plist
in 10.7 and 10.8.You can print the hash data with DaveGrohl (
sudo dave -s $USER
) or something like this:sudo defaults read /var/db/dslocal/nodes/Default/users/$USER.plist ShadowHashData | tr -dc '0-9a-f ' | xxd -p -r | plutil -convert xml1 - -o -
If automatic login is enabled, the password of the login keychain is also stored in
/etc/kcpassword
encrypted with XOR cipher.sudo ruby -e 'key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]; IO.read("/etc/kcpassword").bytes.each_with_index { |b, i| break if key.include?(b); print [b ^ key[i % key.size]].pack("U*") }'