Difference between revisions of "Mac OS X Commands"
(Obtaining the password hashes on OS X 10.3, 10.4 and 10.5) |
(→OS X 10.5 (Leopard): simplified things) |
||
Line 23: | Line 23: | ||
After obtaining the GUID, see below for how to get the password hashes. | After obtaining the GUID, see below for how to get the password hashes. | ||
====OS X 10.5 (Leopard)==== | ====OS X 10.5 (Leopard)==== | ||
Find a users' GUID: | |||
<pre> | <pre> | ||
dscl localhost -read /Search/Users/username | grep GeneratedUID | cut -c15- | dscl localhost -read /Search/Users/username | grep GeneratedUID | cut -c15- | ||
</pre> | </pre> | ||
After getting the GUID you can dump various hashes. By default the only hash stored is the salted SHA1. If the user has turned on SMB file sharing then the NTLM hash will also be stored. If you upgraded from 10.3->10.4->10.5 then the zero salted SHA1 is also stored. | |||
Salted SHA1 (first 8 characters are the salt) | Salted SHA1 (first 8 characters are the salt) |
Revision as of 21:23, 30 September 2008
Passwords
Obtaining the hashes
OS X 10.3 (Panther)
First find out the users' GUID:
niutil -readprop . /users/username generateduid
Next take that GUID and cat the hash file
cat /var/db/shadow/hash/GUID
The hashes in Panther are stored very plainly. The first 64 characters are the NTLM hash (first 32 NT, next 32 LM) and the last 40 characters are the SHA1 hash.
OS X 10.4 (Tiger)
The process for Tiger is very similar to Leopard. The only difference is that you need to use a utility called niutil instead of dscl to find out the GeneratedUID. It uses is as follows:
To obtain the GUID of a user in Tiger/Panther:
niutil -readprop . /users/username generateduid
After obtaining the GUID, see below for how to get the password hashes.
OS X 10.5 (Leopard)
Find a users' GUID:
dscl localhost -read /Search/Users/username | grep GeneratedUID | cut -c15-
After getting the GUID you can dump various hashes. By default the only hash stored is the salted SHA1. If the user has turned on SMB file sharing then the NTLM hash will also be stored. If you upgraded from 10.3->10.4->10.5 then the zero salted SHA1 is also stored.
Salted SHA1 (first 8 characters are the salt)
cat /var/db/shadow/hash/GUID | cut -c105-152
Zero-Salted SHA1 (first 8 characters are the salt and will always be all zeros)
cat /var/db/shadow/hash/GUID | cut -c169-216
NTLM (first 32 characters are NT, next 32 are LM)
cat /var/db/shadow/hash/GUID | cut -c-64