Where are Mac user account passwords stored?

6

2

How can I access the encrypted value of a local user account password in OS X? Would it be possible to check against it or even copy it to another account?

user51799

Posted 2010-10-08T20:36:51.053

Reputation: 61

Answers

6

The hashes were in /var/db/shadow/hash/ in 10.6 and earlier, but they are stored in /var/db/dslocal/nodes/Default/users/username.plist in 10.7 and 10.8.

You can print the hash data with DaveGrohl (sudo dave -s $USER) or something like this:

sudo defaults read /var/db/dslocal/nodes/Default/users/$USER.plist ShadowHashData | tr -dc '0-9a-f ' | xxd -p -r | plutil -convert xml1 - -o -

If automatic login is enabled, the password of the login keychain is also stored in /etc/kcpassword, encrypted with an XOR cipher.

sudo ruby -e 'key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]; IO.read("/etc/kcpassword").bytes.each_with_index { |b, i| break if key.include?(b); print [b ^ key[i % key.size]].pack("U*") }'

Lri

Posted 2010-10-08T20:36:51.053

Reputation: 34 501

This is not quite right. The "break" should only happen when (b == key[i% key.size]), but I found your code enlightening. Thanks! – Kayvan Sylvan – 2015-11-25T00:51:42.637

Brilliant, how do you learn such an intimate knowledge of OS X? – Edgar Aroutiounian – 2014-04-26T18:29:19.477
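The stop condition discussed in the comment above, as an added example (not code from the answer or its author): it applies both stop rules to a constructed buffer instead of the real /etc/kcpassword and shows where the answer's rule cuts the output short. The NUL terminator, the zero padding to 12 bytes and the names used here are assumptions of this demo.

```ruby
# Added example: runs on constructed bytes only, never reads /etc/kcpassword.
KEY = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31].freeze # key from the answer

# Assumption for this demo: the password is NUL-terminated, zero-padded to a
# multiple of 12 bytes, then XORed with the repeating 11-byte key.
def obfuscate(password, block = 12)
  bytes = password.bytes + [0]
  bytes << 0 until (bytes.size % block).zero?
  bytes.each_with_index.map { |b, i| b ^ KEY[i % KEY.size] }
end

# Stop rule used in the answer: any ciphertext byte that appears in the key.
ANSWER_RULE = ->(b, _i) { KEY.include?(b) }
# Stop rule from the comment: ciphertext byte equals the key byte at the same
# position, i.e. the plaintext byte there is NUL (x ^ k == k only when x == 0).
COMMENT_RULE = ->(b, i) { b == KEY[i % KEY.size] }

def deobfuscate(cipher, stop_rule)
  plain = []
  cipher.each_with_index do |b, i|
    break if stop_rule.call(b, i)
    plain << (b ^ KEY[i % KEY.size])
  end
  plain.pack("C*").force_encoding("UTF-8")
end

SAMPLE = "abq-demo" # constructed value, not a real credential

if __FILE__ == $PROGRAM_NAME
  cipher = obfuscate(SAMPLE)
  puts "obfuscated bytes: #{cipher.map { |b| format('%02x', b) }.join(' ')}"
  # 'q' ^ KEY[2] happens to equal KEY[3], so the answer's rule stops after "ab".
  puts "answer rule:  #{deobfuscate(cipher, ANSWER_RULE).inspect}"
  puts "comment rule: #{deobfuscate(cipher, COMMENT_RULE).inspect}"
end
```

Either way the transform is reversible with no secret, so enabling automatic login leaves the login password recoverable by anyone who can read the file.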

4

I don't know that much about it, but from what I could gather using opensnoop:

login accesses the local directory service (possibly related to some Kerberos stuff -- maybe that's the underlying implementation for the local directory, it reads /Library/Preferences/edu.mit.Kerberos, /etc/krb5.conf, /usr/etc/krb5.conf etc.).

dscl, the directory service command line utility, then cd Local/Default/Users/yourusername, read reveals the usual unixy account-related stuff, plus: GeneratedUID: 1A5EF9B7-4DB6-4C01-919A-xxxxx (don't know the implications, so I censored a little) -- you can also read this UUID via Accounts.prefPane in System Preferences.app.

That matches a filename in /private/var/db/shadow/hash/ also accessed by login!

I guess your best bet is to rename/copy the files with the GeneratedUID name, or change the reference in the directory service.

Included all my "research" to allow you to retrace my steps and allow for refutability.

I don't have the time to trash and restore my user accounts, so you're on your own now. Good luck.

TLDR: Open Accounts.prefPane, check your UUID (right-click your user in the list) and look for a file by that name in /private/var/db/shadow/hash/. Don't know if it works at all. Good luck.

Daniel Beck

Posted 2010-10-08T20:36:51.053

Reputation: 98 421

To expand on my answer, /private/var/db/shadow/hash/ really contains the password hashes (not like encrypted passwords, there's no way to restore them directly). Also see here and here.

– Daniel Beck – 2010-10-09T09:05:21.203

1 I love googling for obscure system directories to find out what they're for :-) – Daniel Beck – 2010-10-09T09:05:47.847