Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 23 Sep 2011 12:51:04 -0500
From: "jfoug" <>
To: <>
Subject: RE: Mac OS X 10.7 Lion password hashes (salted SHA-512)

This perl script works, but again, like Alex mentioned, 'test on MORE and
report back'.  I think the problem is in your new hash, there is a \n within
the binary data of the hash string.  So, to 'work' around this, I convert
the whole file blob to a hex string in the beginning, and then search that
hex string.


I also added code to find the user id.  It 'should' find user id's from 1
byte, to 32 bytes long.


#!/usr/bin/perl -w

use strict;


my $hexfile; my $hash; my $user;


read(STDIN, $_, 1000000) || die;


$hexfile = unpack('H*', $_); $_ = $hexfile;


# hex string below:  bplist00\xd1\x01\x02]SALTED-SHA512\xf4\x10\x44 followed
by the pass hash.

($hash) =


if (!$hash) {

        print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";

        exit 1;



# hex string below:  :SHA1.hex(40)user_name\xa1\x35\x4f\x10 followed by the
pass hash.

($user) = /3a534841312e.{80}(.{2,64})a1354f10/;


if (!$user) { $user = "unk_username"; }

else        { $user =~ s/([a-f0-9][a-f0-9])/chr(hex($1))/eg; }


print $user, ":", $hash, "\n";



From: Link, Peter R. [] 
Sent: Friday, September 23, 2011 9:36 AM
Subject: Re: [john-users] Mac OS X 10.7 Lion password hashes (salted



I used your Perl script this morning on my original test user plist and it
worked fine. I then changed the password of the user to something simple to
make sure john could fine it. When running the script again, it came up with
the error message, "Could not find a Mac OS X 10.7 Lion salted SHA-512
hash." I only changed the password to <tomorrow> from <Ydo!Ucar3>. I ran
this on two different computers and it does the same thing. I'm attaching
both plists for your review. 


robert1new.plist is the one that doesn't work. 



On Sep 22, 2011, at 8:33 PM, Solar Designer wrote:

Rich, Jean-Michel, all -

Here's a trivial Perl script I just hacked together to process Lion's
plist files (such as /var/db/dslocal/nodes/Default/users/username.plist)
and print the hashes in a format directly usable by John 1.7.8-jumbo-7.


./ < username.plist > username.hash

or for many files:

for f in *.plist; do ./ < $f; done > hashes


read(STDIN, $_, 1000000) || die;

($hash) = /bplist00\xd1\x01\x02\x5dSALTED-SHA512\x4f\x10\x44(.{68})/;
if (!$hash) {
print "Could not find a Mac OS X 10.7 Lion salted SHA-512 hash\n";
exit 1;

print unpack('H*', $hash), "\n";

Please test this on more plist files and report back.




Peter Link

Cyber Security Analyst

Cyber Security Program

Lawrence Livermore National Laboratory

PO Box 808, L-315

Livermore, CA 94550


The contents of this message are mine personally and do not reflect the
views or position of the U.S. Department of Energy, Federal Government,
National Nuclear Security Administration, Lawrence Livermore National
Security, or Lawrence Livermore National Laboratory.




Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.