{"id":16540531,"url":"https://github.com/dominicbreuker/macdump","last_synced_at":"2025-06-28T05:35:29.196Z","repository":{"id":65427638,"uuid":"497266342","full_name":"DominicBreuker/macdump","owner":"DominicBreuker","description":"Dump macOS 1.8+ password hashes to a hashcat-compatible format","archived":false,"fork":false,"pushed_at":"2022-05-29T07:58:12.000Z","size":91,"stargazers_count":10,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-09-27T13:47:29.532Z","etag":null,"topics":["cracking","hashcat","macos"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DominicBreuker.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-05-28T09:02:13.000Z","updated_at":"2024-06-21T01:17:32.000Z","dependencies_parsed_at":"2023-01-23T10:55:26.129Z","dependency_job_id":null,"html_url":"https://github.com/DominicBreuker/macdump","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DominicBreuker%2Fmacdump","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DominicBreuker%2Fmacdump/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DominicBreuker%2Fmacdump/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DominicBreuker%2Fmacdump/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DominicBreuker","download_url":"https://codeload.github.com/DominicBreuker/macdump/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":219859403,"owners_count":16556036,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cracking","hashcat","macos"],"created_at":"2024-10-11T18:52:41.657Z","updated_at":"2024-10-11T18:52:42.267Z","avatar_url":"https://github.com/DominicBreuker.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n  \u003cimg src=\"assets/macdump.png\" alt=\"naabu\" width=\"600px\"\u003e\n  \u003cbr\u003e\n\u003c/h1\u003e\n\nDump macOS 1.8+ system user password hashes to a hashcat-compatible format.\nCan work either directly on the target system to dump password hashes of all users (root\nrequired) or offline on shadow hash data extracted from the system.\n\n## Installation\n\nUse the package manager pip to install to a local machine:\n\n```bash\npip install macdump\n```\n\nTo get a standalone executable to be transferred to target systems, either download\none from the release pages or build it with [pyinstaller](https://pyinstaller.org/en/stable/),\nas shown in the [Makefile](Makefile) (`make build-executable`).\n\nIf Python is installed (it should be), you can also just copy the standalone\nversion of the script. Find it in [macdump.py](macdump.py)\n\n## Usage\n\n### On target system\n\nTo run macdump directly on the target system, transfer either the standalone\nbinary or the script [macdump.py](macdump.py) and run it as root.\nObviously, this will only work on macOS.\nOutput will be roughly as seen below.\n\nRunning the script (`sudo python macdump.py`) or the binary (`sudo ./macdump`):\n\n```\n $ sudo python macdump.py\n[+] Dumping hashes of all system users\n[+] Dumping hash of testuser\n[+] Authentication hint:  This is our default password\ntestuser:$ml$45871$f601fc65d033857cfc926ec2332058f791c1844f4e4fbb763568e063eafd742b$6eaf4c347e36648d471fe07fcf17b099d5f82ad050438d39dbad18a824b86d23165e69a881d699b0f3442658fe3ab77e9720e37386e6d05ef4f945b443f61b51427582447514b810e3be3dce5d70ea8ec215b2babeed0d92275ad662a04467134140a807c28178bb377503a50d4be1ba9d5944af88df04824a7075d1f9f116d5\n[+] Put hashes into file 'hashes.txt', then crack with: hashcat -m 7100 --username hashes.txt -a 0 wordlist.txt\n```\n\n### Offline\n\nYou can extract the shadow hash data on the target Mac, store it to a text file and use that as\ninput for macdump.\nTo get the data for user `username`, run:\n\n```bash\nsudo dscl . -read /Users/username dsAttrTypeNative:ShadowHashData \u003e /tmp/shd.txt\n```\n\nNote: You may also just include all data by running `sudo dscl . -read /Users/username \u003e /tmp/shd.txt`,\nwhich will output a lot of text. macdump finds what it needs.\n\nThen get `/tmp/shd.txt` over to your machine and run:\n\n```bash\n $ macdump --from-file /tmp/shd.txt\n[+] Loading shadow hash data from /tmp/shd.txt\nUNKNOWN_USER:$ml$45871$f601fc65d033857cfc926ec2332058f791c1844f4e4fbb763568e063eafd742b$6eaf4c347e36648d471fe07fcf17b099d5f82ad050438d39dbad18a824b86d23165e69a881d699b0f3442658fe3ab77e9720e37386e6d05ef4f945b443f61b51427582447514b810e3be3dce5d70ea8ec215b2babeed0d92275ad662a04467134140a807c28178bb377503a50d4be1ba9d5944af88df04824a7075d1f9f116d5\n[+] Put hashes into file 'hashes.txt', then crack with: hashcat -m 7100 --username hashes.txt -a 0 wordlist.txt\n```\n\n### Cracking\n\nHashes are printed in hashcat format including usernames.\nStore them inside a file `hashes.txt`, then run a command like the following:\n\n```\n $ hashcat -m 7100 --username hashes.txt -a 0 wordlist.txt\n\nhashcat (v6.2.5) starting\n\n...\n\n$ml$45871$f601fc65d033857cfc926ec2332058f791c1844f4e4fbb763568e063eafd742b$6eaf4c347e36648d471fe07fcf17b099d5f82ad050438d39dbad18a824b86d23165e69a881d699b0f3442658fe3ab77e9720e37\n386e6d05ef4f945b443f61b51427582447514b810e3be3dce5d70ea8ec215b2babeed0d92275ad662a04467134140a807c28178bb377503a50d4be1ba9d5944af88df04824a7075d1f9f116d5:pass123\n\nSession..........: hashcat\nStatus...........: Cracked\nHash.Mode........: 7100 (macOS v10.8+ (PBKDF2-SHA512))\n...\n```\n\nTry this with the hash seen in the readme and a wordlist containing password\n`pass123` to verify that your setup works.\n\n## Disclaimer\n\nMacdump is for research and educational purposes only. \nDo not run this without consent on anybody's machine.\n\n## License\n[MIT](https://choosealicense.com/licenses/mit/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdominicbreuker%2Fmacdump","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdominicbreuker%2Fmacdump","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdominicbreuker%2Fmacdump/lists"}