Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 23 Apr 2018 04:09:34 -0700
From: Eric Oyen <>
Subject: Re: loading OS X hashes from Davegrohl

well, the file was formatted with user:hash from the davegrohl output (using both -passwd and -shadow options).

Also, I checked the directory in question after getting the inconsistent output from that perl script. It appears that the folder referenced under /private/var/db didn't exist.  so, I am at a loss as to why davegrohl could get a full hash dump.

also, the SSE2 version of john in the site you provided failed with an illegal instruction 4. so, I will try the V3 version. If that fails, then I will go into the historical folder and find a version consistent with my current OS.

Also, as reported in another email, I was able to dump hashes and salts using the dscl command. I don't know if that will work or not. However, I am willing to give it a try.


PGP fingerprint: 6DFB D6B0 3771 90F1 373E 570C 7EA2 1FF3 6B68 0386

On Apr 23, 2018, at 3:40 AM, Solar Designer wrote:

> On Sun, Apr 22, 2018 at 09:22:41PM -0700, Eric Oyen wrote:
>> well, I tried to run that perl script you sent me and here is the output:
> I don't know why it failed, and especially these messages are weird,
> possibly indicating the system itself is in an inconsistent state:
>> Cannot open /private/var/db/shadow/hash/333223CF-BE81-44BC-95C9-6A3C4BA13D37: No such file or directory
>> There is no hashes available for the user proudhawk
>> Cannot open /private/var/db/shadow/hash/F7D3F545-5DD8-4D89-9132-E16AF0BE8639: No such file or directory
>> There is no hashes available for the user eric
> However, have you tried using a different version/build of John as I
> suggested in another message?  The version you said you had tried first
> doesn't support OS X hashes at all.
> Also, what is the input file you provide to John (with the hash(es)
> obtained from Davegrohl) like?  It should be something like:
> user:12345678F9083C7F66F46A0A102E4CC17EC08C8AF120571B
> That is, username followed by a colon followed by some hex digits.
> Is this the case?  How many hex digits are there in your case?
> For the above example, you crack it with the "--format=xsha" option
> provided to a version of John supporting OS X hashes, such as one of
> those you download from:
> For your older OS X, you'll need to take a version from the "historical"
> subdirectory.
> BTW, why are you doing this?  Is it just for fun and learning, or do you
> need this password recovered (and why)?  Since you seem to be able to
> use the system and even access the root account with sudo, you probably
> do know the password(s) anyway?  I am asking just so that we might help
> you achieve your ultimate goal, rather than an intermediate one.
> Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.