Mavericks logon pas...
 
Notifications
Clear all

Mavericks logon password

5 Posts
2 Users
0 Likes
361 Views
johnny
(@johnny)
Posts: 21
Eminent Member
Topic starter
 

Hoping for some help with this one.

I have a MacBook with a password protected user account, the OS is 10.9.1 - Mavericks and I'd like to be able to either reset the password or make an attempt to break it.

I am aware that the latter will not be easy as it is probably a salted SHA hash. What's more the method I have used in the past to locate the hash appears to have disappeared in this version of OSX.

I still have the user's .plist file in \private\var\db\dslocal\nodes\Default\users

but I can't find the corresponding file and .state file under \private\var\db\shadow\hash.

I've looked for any file with the UID string in its name but there are none, only a folder. This contains a number of .playlist files none of which appear to contain the hash.

Something has obviously changed, can anyone out there assist in either bypassing the logon password or identifying where the hash is now kept?

I've done some Googling on the subject but haven't turned up anything of use.

Many thanks

john

 
Posted : 13/02/2014 9:41 pm
(@joel08)
Posts: 13
Active Member
 

This may not be the best method but you can usually reset passwords for users.

http//coolestguidesontheplanet.com/reset-forgotten-admin-password-osx-10-8-mountain-lion/

I've used this a couple of times when people forget there admin passwords!

May want to look at the effects this has forensically thou. I believe if you document it, it will probably be okay.

Joel

 
Posted : 14/02/2014 3:02 am
johnny
(@johnny)
Posts: 21
Eminent Member
Topic starter
 

Thanks Joel!!

john

 
Posted : 17/02/2014 12:35 pm
johnny
(@johnny)
Posts: 21
Eminent Member
Topic starter
 

I used Joel's suggestion to reset the password to something known. Having done so I've hashed the drive and did a before and after compare. Only 4 files changed including the user's plist file. This recorded the time and date of the password change as well as a few other differences in hex values.

Sadly, i'm not able to determine which is the before and after hash. cry

 
Posted : 18/02/2014 3:03 pm
(@joel08)
Posts: 13
Active Member
 

Thanks for posting your findings

Joel

 
Posted : 19/02/2014 2:02 pm
Share: