Apple - OS X 10.9: where are password hashes stored

Starting with Lion, OS X introduced a shadow file per user that is a plist dictionary that contains password hashes and other GID/UID/kerberos and open directory type keys.

The shadow files are stored on the filesystem at /var/db/dslocal/nodes/Default/users. They are in plist format so you'll need to use the plutil command to view them or use the defaults command to extract/write specific keys if desired. Only the root user has access to the files.

To view the contents of a shadow file for a user:

sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist

To get the hash:

sudo defaults read /var/db/dslocal/nodes/Default/users/<username>.plist ShadowHashData|tr -dc 0-9a-f|xxd -r -p|plutil -convert xml1 - -o -

Where <username> in the above examples is the user you're looking for the hash for. You want the <data> section that corresponds to the <key>entropy</key> key in that plist output.

To continue on to try and crack the password see this tutorial.

Apple - OS X 10.9: where are password hashes stored

Tags:

Macos

Security

Password

Related

Recent Posts