Cracking macOS account passwords with John The Ripper

I toyed with including this last time, but in the end opted to go a different way as macOS Catalina seems to (as of writing this) refuse to work very well with the latest version of John The Ripper. Worse still, the homebrew version seems to either not work at all or throw out very peculiar permissions-based errors no matter what machine I try and run it on. Still, undeterred, here’s how to use the “Pro” version of John The Ripper to crack macOS passwords.

Obligatory note: This is not in anyway an invitation to anyone to try and break into anyone else’s Mac. As mentioned last week, Apple includes very good security options right out of the box on their computers, and those are absolutely things that everyone should be employing. At the very least I implore you to turn on Filevault. Come on, folks.

Additional Obligatory note: Everything in this article would only be possible if you were able to follow the instructions I put in the last article about this sort of thing and thus had full, unfettered, unobstructed access to the OS.

A word about that “Pro” thing. Openwall – who host and distribute JtR – offer it for download to the world for free but will also sell you a copy for about $40 that gives you the kinds of boring things that you like to have when you’re a legitimate IT outfit and that are worth the money; i.e., something you can deduct from your taxes as a business expense and something to put in your asset file that helps you keep tabs on your tools and equipment. Openwall also offer tiered options and licenses that include assorted types of support, but I opted for the simple download sans support because I like figuring this stuff out for myself.

Which, it turns out, is shockingly straightforward. Just like last time, we’ll use the following command to go grab a copy of the target’s hashed password:

sudo cp /var/db/dslocal/nodes/Default/users/test.plist ~/Desktop

…and then use to pull the hash out and put it into a file that we can use:

sudo python ~/Desktop/test.plist

Next, download and build/use Homebrew to install/buy the pre-assembled binary of John The Ripper from Openwall, then download and unzip it into a directory of your choosing. I threw it in my $PATH, but your mileage may vary and I can think of a few good reasons that you might want to just tuck something like this away in a safe place and only pull it out when needed.

Fire up the Terminal, then cd to the run directory in the unzipped John folder. Once there, the syntax to run the thing is about as straightforward as it gets. I’m using the same hashed file as last time, thus:

./John ~/Desktop/test_hash.txt

Now, hashcat is great and it’s well-supported and super-flexible, but compared to John The Ripper it’s like swimming through a sea of molasses with concrete flippers. John The Ripper is fast. Like, seriously fast. From hitting return on that last command I counted twenty-two seconds before it spat out the following:

Twenty-two seconds to digest that hashed password and spit out “test1” which, drumroll, is the correct answer.

Again, as I pointed out last week this kind of thing is only useful on machines that aren’t using encryption like Filevault, and this only makes it clearer than ever that those kinds of protections are no longer optional in a day and age where someone with $40 and a little free time can break into your Mac seemingly at will…