A powered-off MacBook can be compromised in less than three minutes. With a few commands, an attacker can extract a target's password hash and crack it without their knowledge.
The objective of this article is to acquire the .plist file that contains the target's hashed password. A Python script then converts the .plist file to a format that Hashcat can interpret, and the hash is brute-forced to recover the password. The easiest way to perform this attack requires physical access to the target MacBook, Recovery Mode, a USB flash drive, a second MacBook, and Hashcat.
It is also possible to do without the USB flash drive and the attacker's MacBook by creating a temporary user on the target MacBook from which the commands can be run. The temporary user can then be deleted when the work is done. For this guide, however, we will show the USB flash drive method.
Recovery Mode is one of several boot modes supported by Mac devices. It contains a number of tools to reinstall macOS, reset account passwords, and configure a firmware password. While these features were designed to help users lock their accounts and wipe the internal drive, they are often abused by attackers trying to gain unauthorized access to sensitive files.
Since Mojave 10.14, macOS no longer allows users (not even root) to modify the .plist files that contain hashed passwords while the operating system is running. This data can now only be acquired from Recovery Mode.
The USB flash drive is required to move the target's .plist file from the target MacBook to the attacker's. The USB flash drive used in this tutorial is formatted as FAT32, but NTFS and APFS formats will work as well.
The Python script that converts the .plist file to a format Hashcat can interpret relies on some macOS-specific commands. Therefore, another MacBook (or at least another macOS account) is required.
To recover the target's Mac password without changing it, the hash must be brute-forced and cracked. macOS does a good job of protecting the password: it cannot be read in plaintext. CPU-based cracking tools (like JohnTheRipper) would literally take decades to crack a single hash and are therefore not practical. Hashcat with a decent GPU is highly recommended.
Step 1: Boot into Recovery Mode
To enter Recovery Mode, first make sure the MacBook is completely powered off. Then press the power button while holding Command + R on the keyboard. After about 30 seconds the Apple logo appears, and Command + R can be released. If the following screen appears, Recovery Mode is active and you can proceed to the next step in this guide.