Introduction
I have been worried about security for a long time. When you read regular articles about security you will almost always come across a paragraph which tells you that it is very important to have a good password. Last time I tested how easy/hard it is to crack my WPA2-secured WLAN with a weak password. I am now going to crack my MacBook Pro, which is running OS X Mavericks.
Starting point
I have actually learned something in the past few months and I have a very strong password at the moment. For this test I changed it to something which I feel is closer to the passwords users normally have. I changed the password to: Laisk489. It is a Finnish word meaning lazy with a little bit of leetspeak, and it will pass Apple's password policy.
Like in the router article, I did not have any previous experience of cracking an OS X password. So Google was my friend again. Not so many searches later I found this very decent article about “How to Extract OS X Mavericks Password Hash for Cracking With Hashcat”. It is a step-by-step guide to what I was looking for, perfect!
There are methods to obtain the password hash (which is the password protected with a mathematical algorithm) when you are unable to log into any account on the machine. I am not so interested in that since I would just like to test how weak my own password is. So I skipped that part. After reading the article I knew that the password hash in Mavericks is located at this path: /var/db/dslocal/nodes/Default/users/<user>.plist
Getting the hash
I opened Terminal on my Mac and tried to access /var/db/dslocal/nodes/Default/users:
$ cd /var/db/dslocal/nodes/Default/users
-bash: cd: /var/db/dslocal/nodes/Default/users: Permission denied
$ ls /var/db/dslocal/nodes/Default/users
ls: /var/db/dslocal/nodes/Default/users: Permission denied
It did not work because I did not have permissions to that folder. I had to sudo.
$ sudo ls /var/db/dslocal/nodes/Default/users
There it was: tuukka.plist
I copied it to my desktop:
$ sudo cp /var/db/dslocal/nodes/Default/users/tuukka.plist Desktop/tuukka.plist
Extract the hash for hashcat
Now this part gets a little bit tricky and I spent a couple of hours thinking about what is actually happening. After all, this is actually a very simple task. The hash is in binary format by default and we want to convert it into XML.
In the Mac's terminal I switched to the Desktop, then created a folder for our mission and moved the hash into that folder:
$ cd
$ cd Desktop/
$ mkdir password-crack
$ mv tuukka.plist password-crack/
$ cd password-crack/
To convert the hash I used the following:
$ sudo plutil -convert xml1 tuukka.plist
After that I opened the hash with
$ sudo nano tuukka.plist
And there was lots of stuff in it. The lines I was looking for were under “ShadowHashData”, surrounded by <data></data> tags. I copied that data to the clipboard with cmd+c and pasted it into the Sublime Text editor. I removed the line breaks and put everything on the same line. I just hit return like a hundred times and took care that no letters were deleted.
After the return marathon I copy-pasted it to the terminal, entered some commands and did this:
$ sudo echo "YnBsaXN0MDDRAQJfEBRTQUxURUQtU0hBNTEyLVBCS0RGMtMDB
AUGBwhXZW50cm9weVRzYWx0Wml0ZXJhdGlvbnNPEIBWEto5iOf1chpuN/HDsV3iP3s
IjhFoXbrG2/5fPhBRgz9v8CDd/PlyONacUDcQrWFSAvEew1gKMwEP9haGH8sFA1jT9
kmFyFh0kpk+8dN1FdAZJxiP3K3QbRj+owIWZxMTYoMmkRh5ZrnxVqDb5zvGA5443
O1yV4DovhT6SuLrL08QIDOAL/Y5nd9PcXEBDAzO+N+6fNc5wvxGslginwn9iLDJEYi
VCAsiKTE2QcTnAAAAAAAAAQEAAAAAAAAACQAAAAAAAAAAAA
AAAAAAAOo=" | base64 -D > shadowhash
$ sudo file shadowhash
$ sudo plutil -convert xml1 shadowhash
The hash was now converted. I opened shadowhash with the nano editor and there was data separated under the tags entropy, iterations and salt. As said in the guide, entropy and salt were still in base64 format and needed to be converted again.
Like before, I first copied the entropy data to the clipboard and then pasted it into Sublime Text. In Sublime I removed the line breaks and put the data on the same line. After that I did the following:
$ sudo echo "VhLaOYjn9XIabjfxw7Fd4j97CI4RaF26xtv+Xz4QUYM/b/Ag3fz5cjjWnFA3EK1hUgLxHsNYCjMBD/YWhh/LBQNY0/ZJhchYdJKZPvHTdRXQGScYj9yt0G0Y/qMCFmcTE2KDJpEYeWa58Vag2+c7xgOeONztcleA6L4U+kri6y8=" | base64 -D > entropy
$ sudo file entropy
$ sudo xxd entropy
There it was: the entropy data converted to hex values. Once more I had to copy and paste values from the terminal to Sublime Text and remove spaces. This time there was some data to be deleted. The hex values are the ones in the middle, as highlighted in this screenshot:
The hex data required some fine-tuning. I copied the whole thing to the clipboard and pasted it into Sublime Text. Then I removed the “useless” part and the spaces and it looked like this:
I repeated the same process for the salt hash.
$ sudo echo "M4Av9jmd309xcQEMDM7437p81znC/EayWCKfCf2IsMk=" | base64 -D > salt
$ sudo file salt
$ sudo xxd salt
And then the copy-paste-removespaces operation blaa blaa…
The annoying part was almost over. The last thing to do was to combine all those hex values for hashcat, which I used for the actual cracking. Hashcat requires the data in this kind of format:
$ml$<iterations>$<salt>$<entropy>
Here is what I did in one screenshot (click for bigger size):
Please notice that everything is on the same line; word wrap is just turned on in Sublime Text!
Crack with hashcat
For cracking I am using my mid-2012 13″ MacBook Pro with a 2,9GHz i7.
Alright, everything was prepared and ready for hashcat. At this point the guide got a little bit tricky and led to a dictionary attack. It was obviously something that did not fit my needs and I started googling. Actually I am very happy that the original guide was a little bit tricky and led me to Google. I found this particularly fine blog about all kinds of goodness: http://www.unix-ninja.com/. And there was also a very nice guide about hashcat.
I thought that brute force was something I would like to use, but unix-ninja taught me something new: brute force with masks. Basically the mask is a pattern for the cracking software (hashcat in this case) which contains some facts we already know about the password. For example, if you know that the password starts with an uppercase letter, the last three characters are numbers and it is 8 characters long, you can actually tell that to hashcat. With that kind of information hashcat is able to crack the hash much faster than without any foreknowledge.
Now let me take a self… No, not that. I needed hashcat and I downloaded it from here: http://hashcat.net/hashcat/ It went to my Downloads folder, which I opened in Finder. The file was compressed and I extracted it by clicking on it (with The Unarchiver).
After that I opened a new terminal, went to the folder I had just extracted and put the hash in it:
$ cd
$ cd Downloads/hashcat-0.49
$ nano laiska.hash
I copy-pasted the hash I made earlier and saved.
Everything was ready for the cracking. I had hashcat, I had the hash prepared for it and I had a mask. No, I did not have a mask. As I said earlier, my password is Laisk489: starting with an uppercase letter, the last three characters are numbers and it is a total of 8 characters long. I needed a mask for that. I found almost the right pattern for me from unix-ninja. I made a few small changes and here is the result:
?u?l?l?l?l?d?d?d
It contains this information about the password: it starts with an uppercase letter, the last three characters are numbers and it is a total of 8 characters long.
I started cracking with this command:
$ ./hashcat-cli64.app -m 7100 -a3 laiska.hash '?u?l?l?l?l?d?d?d'
-m 7100 is the mode for cracking OS X v10.8/v10.9 passwords
-a3 stands for brute-force
laiska.hash contains my hash
and last part is the mask
More info from hashcat manual.
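How much the mask narrows the search can be worked out before starting a run. The following is an added example, not from the original post or from hashcat itself: it counts the candidates a mask generates using hashcat's built-in charsets ?l, ?u, ?d, ?s and ?a, and compares the mask above with an unconstrained 8-character search and with a longer password of the same shape. The guess rate is a placeholder assumption, not a figure measured on the author's laptop.

```python
import math

# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?s ?a).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

def mask_positions(mask: str) -> list:
    """Return the number of candidate characters at each position of a mask."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)          # literal character: exactly one choice
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        code = mask[i + 1]
        if code == "?":
            sizes.append(1)          # '??' is a literal question mark
        elif code in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[code])
        else:
            raise ValueError(f"unknown charset ?{code}")
        i += 2
    return sizes

def keyspace(mask: str) -> int:
    """Total number of candidates: the product of the per-position choices."""
    return math.prod(mask_positions(mask))

def days_to_exhaust(mask: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace(mask) / guesses_per_second / 86400

if __name__ == "__main__":
    ASSUMED_RATE = 1000.0  # guesses/second: placeholder assumption, not measured
    for label, mask in [
        ("mask from the article", "?u?l?l?l?l?d?d?d"),
        ("8 chars, nothing known", "?a" * 8),
        ("same pattern, 12 chars", "?u" + "?l" * 8 + "?d" * 3),
    ]:
        print(f"{label:24} {keyspace(mask):>26,} candidates "
              f"{days_to_exhaust(mask, ASSUMED_RATE):>18,.1f} days")
```

The per-guess cost is set by the PBKDF2 iteration count stored with the hash, so the same keyspace takes longer to exhaust as that count rises.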
Many hours later I decided to stop cracking. It was just taking too long. At stage five the estimated time was over 3 days, as you can see:
Did the hash work / contain the right info
I wanted to make sure that my hash was working. I made a wordlist.txt file in the hashcat directory and put a couple of words in it, including my password Laisk489. I ran hashcat's dictionary attack and it did break the hash and found that the password was Laisk489.
$ ./hashcat-cli64.app -m 7100 laiska.hash wordlist.txt
After the execution was completed I found the results in the file hashcat.pot. There was my password Laisk489.
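The copy-paste decoding in "Extract the hash for hashcat" and the sanity check in this section can both be done in a few lines of code. This is an added example, not from the original post or the guide it follows: it unwraps the nested plist and re-derives the hash from a password you already know. The sample plist is constructed inside the code with a random salt, and the comparison assumes the first 64 bytes of entropy are the PBKDF2-HMAC-SHA512 output for the stored salt and iteration count.

```python
import hashlib, hmac, os, plistlib

KEY = "SALTED-SHA512-PBKDF2"

def build_sample_user_plist(password: str, iterations: int = 2000,
                            fmt=plistlib.FMT_BINARY) -> bytes:
    """Constructed stand-in for <user>.plist (random salt, not from a real Mac)."""
    salt = os.urandom(32)
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                                  iterations, dklen=128)
    inner = plistlib.dumps(
        {KEY: {"entropy": entropy, "salt": salt, "iterations": iterations}},
        fmt=plistlib.FMT_BINARY)
    return plistlib.dumps({"name": ["sample"], "ShadowHashData": [inner]}, fmt=fmt)

def read_kdf_params(user_plist: bytes) -> dict:
    """Unwrap user plist -> ShadowHashData[0] -> nested binary plist -> parameters."""
    outer = plistlib.loads(user_plist)        # accepts binary and XML plists
    blobs = outer.get("ShadowHashData")
    if not blobs:
        raise ValueError("no ShadowHashData entry in this plist")
    inner = plistlib.loads(bytes(blobs[0]))   # <data> arrives already base64-decoded
    if KEY not in inner:
        raise ValueError(f"unexpected hash type(s): {sorted(inner)}")
    p = inner[KEY]
    return {"iterations": int(p["iterations"]),
            "salt": bytes(p["salt"]), "entropy": bytes(p["entropy"])}

def password_matches(params: dict, candidate: str) -> bool:
    """Assumption: entropy[:64] is PBKDF2-HMAC-SHA512(candidate, salt, iterations)."""
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode(), params["salt"],
                                  params["iterations"], dklen=64)
    return hmac.compare_digest(derived, params["entropy"][:64])

if __name__ == "__main__":
    params = read_kdf_params(build_sample_user_plist("Laisk489"))
    print("iterations:", params["iterations"])
    print("salt bytes:", len(params["salt"]))
    print("entropy bytes:", len(params["entropy"]))
    print("known password verifies:", password_matches(params, "Laisk489"))
```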
Conclusion
Well, it seems like my skills were a little bit inadequate. It was still a very interesting and educational project. I might continue from this point later with a new strategy and try to use a modified version of the wordlist which I used in the router guide. I was surprised that it takes that long to break a password with a mask even though it is not more than 8 characters. Of course the method was still brute force, my hardware is not that good and yes, I was just using one laptop. Hard jacks might have bigger weapons. :p Which means that I am still going to use much more complex passwords than Laisk489 in the future.
If time is not a problem, or the password is for example only 4 or 5 characters, it might be a good shot to use these methods.
Sources
https://web.archive.org/web/20140703020831/http://www.michaelfairley.co/blog/2014/05/18/how-to-extract-os-x-mavericks-password-hash-for-cracking-with-hashcat/
http://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit/
http://hashcat.net/wiki/doku.php?id=oclhashcat
A password is a very important security feature that lets you protect your important files from unauthorized users. If you have multiple accounts on your computer, then your administrator account will be the main account. To stop unauthorized users from gaining access to your important files, you have likely set up a password for your administrator account. But what happens when you forget your administrator account password? You get a computer on which you can't reach the desktop or access your files. When you want to crack the administrator password, you will need the tricks below so that you can get access to your computer again.
Part 1. How to Crack Administrator Password Using CMD
CMD or command prompt is an administrative tool in the Windows operating system. The command prompt is a command line tool that looks like MS-DOS and thus can be difficult to use for beginners. You can use various commands and utilities in command prompt to fix various system errors and issues. So it is no wonder that it can help crack administrator password. What you need for operating CMD is a little bit of skill and knowledge of the right commands.
The command prompt does not actually show you the old password; instead it lets you reset the password. Since you can't log in to your account without the password, you have to launch CMD from another guest account, if your PC has one, or from a Windows recovery disk. After that, follow the steps below to use CMD to crack the administrator password.
Easy Steps to Use CMD to Crack Administrator Password
Step 1: Launch the CMD from Windows recovery disk or the other admin account.
Step 2: Type in the 'net user' command. It will show you all the accounts on your PC.
Step 3: See the admin account whose password you want to crack.
Step 4: Then type the following command - net user Username newpassword, where username is the admin account whose password you want to change and newpassword is the new password that you want. Here Username is 'BAM' and password is 'imbam'.
Step 5: Press 'Enter' and the password will be changed to whatever you had selected in the previous command.
Step 6: Restart the computer and log in with your new administrator password.
Part 2. How to Crack Administrator Password on Windows 10/8/7/XP Using Third-party Software
If you don't have another admin account on your PC or don't have the Windows recovery disc, even then you can crack the administrator password. Various third-party password recovery programs available online let you do the deed. Windows Password Mate is one such program that lets you recover your admin account if you ever forget your password. Windows Password Mate is very easy to use and you don't need any technical skills to recover your account password. Moreover, it can be used on all popular Windows versions like XP/7/8/10 and can recover admin and local user account passwords.
Follow the Steps to Use Windows Password Mate to Crack Administrator Password
Step 1: First you have to download and install the Windows Password Mate on an alternative PC and launch the program.
Step 2: Then, insert a USB flash drive and Click on Burn USB to create a bootable USB. You can use this bootable USB to crack your administrator password.
Step 3: Switch to your computer and change the default boot order to USB through quick boot menu or through the BIOS.
Step 4: Insert the bootable USB into the USB ports and the password recovery program will automatically load up.
Step 5: Choose your target operating system and select the username of the admin account whose password you want to crack.
Step 6: Finally click 'reset password' button and then 'Reboot'.
Part 3. How to Crack Administrator Password Without Software
Windows has a built-in safety feature for resetting a forgotten password whenever you need to. This is the password reset disk, which is created from Windows and is usually a USB flash drive. This password reset disk will come in very handy when you want to crack the administrator password without CMD or third-party software. But that only works if you created the password reset disk before you were locked out of your PC. If everything is according to plan, then follow the steps below to reset the forgotten password of your administrator account.
Steps to Crack Administrator Password Without Software
Step 1: Start your computer and enter any wrong password into the input box at the login screen.
Step 2: When the login failed dialog box appears, Click on 'Reset Password'.
Step 3: You will be shown a Welcome to Password reset wizard dialog box. Click 'Next' on this screen.
Step 4: Then insert the password reset disk and choose the following drive, followed by a 'Next'.
Step 5: Then a Reset the User account password screen will be displayed. Type the New Password twice in the corresponding input boxes.
Step 6: If you want, you can even create a password hint and finally click 'Next'. At last, Click 'Finish' and the password reset wizard is completed.
Step 8: Now you can log in to your administrator account with the new password.