Tuesday, March 8, 2011

get the password from an OS X 10.5 Leopard user account

Sometimes there is a business need to log in as an ex-employee. On a Mac it is handy to keep the user's login keychain usable, but if we reset the account password by the standard means (an admin changing it in System Preferences or Directory Utility), the keychain password is not changed along with it: the keychain stays locked under the old password and we lose access to its contents. Recovering the user's actual password avoids that, so we can log in normally and the keychain unlocks as usual.

Using the latest John the Ripper (a jumbo build, which includes the xsha format for Mac OS X 10.4 to 10.6 salted SHA-1 hashes), here is the process I used on a 10.5.8 system. The shadow hash files in step 2 are readable only by root, so that step needs sudo.

1) extract guid for user:
dscl localhost -read /Search/Users/$username | grep GeneratedUID | cut -c15-

will return the GUID (cut strips the 14-character "GeneratedUID: " prefix from the dscl output), similar to this:
4554C58F-FA33-41E5-BE5E-996283326248

2) extract the salted SHA-1 hash:
sudo cut -c169-216 /var/db/shadow/hash/$guid

The file is a single line of 1240 hex characters holding several hash types (the first 64 are the LM and NT hashes). Characters 169 to 216 are the salted SHA-1 field: 8 hex characters of salt followed by 40 hex characters of SHA-1(salt || password), 48 in total, like this:
4C7C490529E21548221182CD40EEC6EC80026D61E0901F82

3) create a text file (say hashes.txt) with one username:passwordhash line per user, with no space after the colon (john splits on the colon, and a leading space would become part of the hash and the line would be rejected):
duder:4C7C490529E21548221182CD40EEC6EC80026D61E0901F82

4) run John the Ripper on the file, selecting the xsha format explicitly (the --format=xsha option) since a bare 48-character hex string could be mistaken for other formats; when it finishes, john --show on the same file prints the recovered password. That's it!
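As an added example (not from the original post), here is a Python script that shows what those 48 hex characters are and what John is actually computing against them: the field layout of a /var/db/shadow/hash/<GUID> record, the salted SHA-1 field at the same offsets the cut command selects, and a check of candidate passwords against it using the stored salt. The record it parses is constructed in the script from a known password; the salt bytes, the password Leopard1! and the username duder are illustrative and not from any real system.

```python
#!/usr/bin/env python3
"""Parse a Mac OS X 10.4/10.5 shadow hash record and test candidate
passwords against its salted SHA-1 field, which is the check John the
Ripper's xsha format performs on the 48 hex characters extracted above."""
import hashlib
from typing import Iterable, Optional

RECORD_LEN = 1240  # /var/db/shadow/hash/<GUID> is one line of 1240 hex chars

# 0-based [start, end) character offsets of the fields used here.
# The post's `cut -c169-216` is 1-based and inclusive, i.e. [168, 216).
FIELDS = {
    "ntlm": (0, 64),           # LM hash (32 hex) followed by NT hash (32 hex)
    "sha1": (64, 104),         # unsalted SHA-1 (40 hex), legacy
    "cram_md5": (104, 168),    # CRAM-MD5 (64 hex), legacy
    "salted_sha1": (168, 216), # 4-byte salt (8 hex) + SHA-1(salt || password) (40 hex)
}


def parse_shadow_hash(record: str) -> dict:
    """Split one shadow hash record into its named hex fields."""
    record = record.strip()
    if len(record) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} hex chars, got {len(record)}")
    return {name: record[start:end] for name, (start, end) in FIELDS.items()}


def salted_sha1(salt: bytes, password: str) -> str:
    """Compute the 48-hex-char field as the OS stores it: the salt is
    prepended to the password before hashing, and the salt itself is
    stored in the clear in front of the digest."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return (salt.hex() + digest).upper()


def check_password(salted_field: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare."""
    if len(salted_field) != 48:
        raise ValueError("salted SHA-1 field must be 48 hex chars")
    salt = bytes.fromhex(salted_field[:8])
    return salted_sha1(salt, candidate) == salted_field.upper()


def crack(salted_field: str, wordlist: Iterable[str]) -> Optional[str]:
    """Minimal wordlist attack; john does the same thing far faster."""
    for word in wordlist:
        if check_password(salted_field, word):
            return word
    return None


def john_line(username: str, salted_field: str) -> str:
    """Line for john's input file: no space after the colon, otherwise the
    space becomes part of the hash and john rejects the line."""
    return f"{username}:{salted_field.upper()}"


def make_test_record(password: str, salt: bytes) -> str:
    """Constructed sample record (not from a real system): only the salted
    SHA-1 field is populated, everything else is zero-filled."""
    field = salted_sha1(salt, password)
    return "0" * 168 + field + "0" * (RECORD_LEN - 216)


if __name__ == "__main__":
    # Illustrative salt, password and username, not taken from any real box.
    record = make_test_record("Leopard1!", b"\xde\xad\xbe\xef")
    field = parse_shadow_hash(record)["salted_sha1"]
    print(john_line("duder", field))
    print("recovered:", crack(field, ["password", "letmein", "Leopard1!"]))
```

On a real system you would read the record from the GUID file as root and pass it to parse_shadow_hash; the salted_sha1 field it returns is exactly what the cut command in step 2 prints, and john_line produces the step 3 input line in the form john expects.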