Date: Mon, 23 Apr 2018 04:09:34 -0700 From: Eric Oyen <eric.oyen@...il.com> To: john-users@...ts.openwall.com Subject: Re: loading OS X hashes from Davegrohl well, the file was formatted with user:hash from the davegrohl output (using both -passwd and -shadow options). Also, I checked the directory in question after getting the inconsistent output from that perl script. It appears that the folder referenced under /private/var/db didn't exist. so, I am at a loss as to why davegrohl could get a full hash dump. also, the SSE2 version of john in the site you provided failed with an illegal instruction 4. so, I will try the V3 version. If that fails, then I will go into the historical folder and find a version consistent with my current OS. Also, as reported in another email, I was able to dump hashes and salts using the dscl command. I don't know if that will work or not. However, I am willing to give it a try. -eric PGP fingerprint: 6DFB D6B0 3771 90F1 373E 570C 7EA2 1FF3 6B68 0386 On Apr 23, 2018, at 3:40 AM, Solar Designer wrote: > On Sun, Apr 22, 2018 at 09:22:41PM -0700, Eric Oyen wrote: >> well, I tried to run that perl script you sent me and here is the output: > > I don't know why it failed, and especially these messages are weird, > possibly indicating the system itself is in an inconsistent state: > >> Cannot open /private/var/db/shadow/hash/333223CF-BE81-44BC-95C9-6A3C4BA13D37: No such file or directory >> There is no hashes available for the user proudhawk >> Cannot open /private/var/db/shadow/hash/F7D3F545-5DD8-4D89-9132-E16AF0BE8639: No such file or directory >> There is no hashes available for the user eric > > However, have you tried using a different version/build of John as I > suggested in another message? The version you said you had tried first > doesn't support OS X hashes at all. > > Also, what is the input file you provide to John (with the hash(es) > obtained from Davegrohl) like? It should be something like: > > user:12345678F9083C7F66F46A0A102E4CC17EC08C8AF120571B > > That is, username followed by a colon followed by some hex digits. > Is this the case? How many hex digits are there in your case? > > For the above example, you crack it with the "--format=xsha" option > provided to a version of John supporting OS X hashes, such as one of > those you download from: > > http://download.openwall.net/pub/projects/john/contrib/macosx/ > > For your older OS X, you'll need to take a version from the "historical" > subdirectory. > > BTW, why are you doing this? Is it just for fun and learning, or do you > need this password recovered (and why)? Since you seem to be able to > use the system and even access the root account with sudo, you probably > do know the password(s) anyway? I am asking just so that we might help > you achieve your ultimate goal, rather than an intermediate one. > > Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.