Apple - OS X 10.9: where are password hashes stored
Starting with Lion, OS X introduced a shadow file per user that is a plist dictionary that contains password hashes and other GID/UID/kerberos and open directory type keys.
The shadow files are stored on the filesystem at /var/db/dslocal/nodes/Default/users
. They are in plist format so you'll need to use the plutil command to view them or use the defaults command to extract/write specific keys if desired. Only the root
user has access to the files.
To view the contents of a shadow file for a user:
sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist
To get the hash:
sudo defaults read /var/db/dslocal/nodes/Default/users/<username>.plist ShadowHashData|tr -dc 0-9a-f|xxd -r -p|plutil -convert xml1 - -o -
Where <username>
in the above examples is the user you're looking for the hash for. You want the <data>
section that corresponds to the <key>entropy</key>
key in that plist output.
To continue on to try and crack the password see this tutorial.