Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it isn’t good enough, a security researcher demonstrated this week.
Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers.Fuller’s attack is effective against locked computers on which the user has already logged in.

If the Mac is running Lion or above, type the following commands instead, changing the username and newpassword accordingly: You should now be able to access your Mac without restrictions. Part 3: Protecting your Mac from Mac OS X Password Bypass As you can see, it is really easy to hack into your own Mac. May 22, 2020  Short of someone with a tech-savvy family member who’s suddenly died, it’s astonishingly unlikely to ever encounter someone who’s been unaware of a firmware password on their Mac.

Fuller used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD(Web Proxy Auto-discovery Protocol ) servers on the computer it’s connected to.

The attack is possible because most computers will automatically install any plug-and-play USB device.

USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed,” Fuller wrote on his blog .

“Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”

Mdified device includes software that intercepts these credentials and saves them to an SQLite database. The password is in its hashed state, but this can be cracked using currently available technology

According to Fuller, computers in a locked state still generate network traffic, allowing for the account name and hashed password to be extracted. The time it takes for a USB device to capture credentials from a system using this attack is around 13 seconds. He used two ethernet dongles USB Armory and Hak5 Turtle.

Fuller successfully tested his attack against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 (Enterprise and Home), OS X El Capitan, and OS X Mavericks.

He says the attack was successful against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 (Enterprise and Home), OS X El Capitan, and OS X Mavericks. He is about to test linux OS.

This page will help you to retrieve/extract the hash associated to an OSX account. We tried to enumerate all the OS X flavors available, but this article is still 'in beta' depending on the new OS X versions.
Once the hash is extracted, you can send it here and we will try to recover it.

The same as in 10.2 (Jaguar). See below.

Mac Firmware Password Hack

The same as in 10.2 (Jaguar). See below.

Forgot Firmware Password Mac

Dump the hash :
This hash is created using the Unix DES Crypt(3) function, where the password is first truncated to 8 characters.

First find out a users' GUID:
Next take that GUID and dump the hash file
The first 64 characters are the NTLM hash (first 32 NT, next 32 LM) and the last 40 characters are the SHA1 hash.

You can obtain the GUID just as in 10.3 (Panther). See above.
After obtaining the GUID, you can dump the passwords just as in 10.5 (Leopard). See below.

First find a users' GUID:
After getting the GUID you can dump various hashes. By default the only hash stored is the salted SHA1. If the user has turned on SMB file sharing then the NTLM hash will also be stored.
If you upgraded from 10.3->10.4->10.5 then the zero salted SHA1 is also stored.
Salted SHA1 (first 8 characters are the salt)
Zero-Salted SHA1 (first 8 characters are the salt and will always be all zeros)
NTLM (first 32 characters are NT, next 32 are LM)

Use this tutorial

The shadow files are stored on the filesystem at /var/db/dslocal/nodes/Default/users/%user%.plist.
They are in plist format so you'll need to use the plutil command to view them or use the defaults command to extract/write specific keys if desired.
Only the root user has access to the files.
To view the contents of a shadow file for a user: To get the hash: Where %username% in the above example is the user you're looking for the hash for.
Finally the wanted hash starts with '$ml$' and length is 203 characters.

Few links to help you :
- http://lionsurf.wordpress.com/crack-user-password-in-os-x-mountain-lion/
- http://www.michaelfairley.co/blog/2014/05/18/how-to-extract-os-x-mavericks-password-hash-for-cracking-with-hashcat/
- script to automate the process (.app).

Turn Off Mac Firmware Password

The hashes of the users are stored in: To get the hash: or directly through directory services:

Davegrohl tool created in early 2011 is a password hash extractor & companion tool to John the Ripper.
Sadly the development of this tool has been stopped (but could be forked..), the current status is :

Dave compiles fine on Yosemite and will happily (but very slowly) crack user passwords. Out of the box, OS X uses PBKDF2 to encrypt its user passwords which is very slow to crack for one machine. Turning on Windows (SMB) file sharing will disable this feature.