/etc/shadow on Mac

Starting with Lion, there is a shadow file per user. All of those are stored in /var/db/dslocal/nodes/Default/users directory and are accessible by root only. For example:

$ ls -lah /var/db/dslocal/nodes/Default/users/
total 296
drwx------  77 root  wheel   2.6K Jul 27 20:30 .
drw-------  12 root  wheel   408B Jul 27 20:30 ..
-rw-------   1 root  wheel   4.0K Jul 27 20:30 Guest.plist
-rw-------   1 root  wheel   260B Jul 27 20:17 _amavisd.plist
-rw-------   1 root  wheel   254B Jul 27 20:17 _appleevents.plist
-rw-------   1 root  wheel   261B Jul 27 20:17 _appowner.plist
-rw-------   1 root  wheel   276B Jul 27 20:17 _appserver.plist

Also, those are binary property list files. The easiest way of viewing them is using plist command. For example:

$ plutil -p /var/db/dslocal/nodes/Default/users/root.plist 
{
  "smb_sid" => [
    0 => "XXXX-XXXX"
  ]
  "uid" => [
    0 => "0"
  ]
  "passwd" => [
    0 => "XXYYXX"
  ]
}

Mac OS X doesn't use the standard /etc/passwd and /etc/shadow. Instead, it uses a database. There use to be a GUI called NetInfo, but that has been replaced with the dscl command (Directory Services Command Line).

$ dscl
> read /Local/Default/Users/David Password
Password: ********

Unfortunately, that's about as far as I can get with the utility. It printed out asterisks instead of the password. Maybe there's a way to make it give up the hash, but I haven't found it.

Her's an article detailing using DSCL and cracking passwords on a Mac.

/etc/shadow on Mac

Tags:

Linux

Bash

Osx

Related

Recent Posts