Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <B472EBDA-4C59-4B1E-922A-AAFB29373A24@gmail.com>
Date: Mon, 23 Apr 2018 04:09:34 -0700
From: Eric Oyen <eric.oyen@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: loading OS X hashes from Davegrohl

well, the file was formatted with user:hash from the davegrohl output (using both -passwd and -shadow options).

Also, I checked the directory in question after getting the inconsistent output from that perl script. It appears that the folder referenced under /private/var/db didn't exist.  so, I am at a loss as to why davegrohl could get a full hash dump.

also, the SSE2 version of john in the site you provided failed with an illegal instruction 4. so, I will try the V3 version. If that fails, then I will go into the historical folder and find a version consistent with my current OS.

Also, as reported in another email, I was able to dump hashes and salts using the dscl command. I don't know if that will work or not. However, I am willing to give it a try.

-eric

PGP fingerprint: 6DFB D6B0 3771 90F1 373E 570C 7EA2 1FF3 6B68 0386

On Apr 23, 2018, at 3:40 AM, Solar Designer wrote:

> On Sun, Apr 22, 2018 at 09:22:41PM -0700, Eric Oyen wrote:
>> well, I tried to run that perl script you sent me and here is the output:
> 
> I don't know why it failed, and especially these messages are weird,
> possibly indicating the system itself is in an inconsistent state:
> 
>> Cannot open /private/var/db/shadow/hash/333223CF-BE81-44BC-95C9-6A3C4BA13D37: No such file or directory
>> There is no hashes available for the user proudhawk
>> Cannot open /private/var/db/shadow/hash/F7D3F545-5DD8-4D89-9132-E16AF0BE8639: No such file or directory
>> There is no hashes available for the user eric
> 
> However, have you tried using a different version/build of John as I
> suggested in another message?  The version you said you had tried first
> doesn't support OS X hashes at all.
> 
> Also, what is the input file you provide to John (with the hash(es)
> obtained from Davegrohl) like?  It should be something like:
> 
> user:12345678F9083C7F66F46A0A102E4CC17EC08C8AF120571B
> 
> That is, username followed by a colon followed by some hex digits.
> Is this the case?  How many hex digits are there in your case?
> 
> For the above example, you crack it with the "--format=xsha" option
> provided to a version of John supporting OS X hashes, such as one of
> those you download from:
> 
> http://download.openwall.net/pub/projects/john/contrib/macosx/
> 
> For your older OS X, you'll need to take a version from the "historical"
> subdirectory.
> 
> BTW, why are you doing this?  Is it just for fun and learning, or do you
> need this password recovered (and why)?  Since you seem to be able to
> use the system and even access the root account with sudo, you probably
> do know the password(s) anyway?  I am asking just so that we might help
> you achieve your ultimate goal, rather than an intermediate one.
> 
> Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.