passwords on macos

[ele]

What files i need to copy to see what passwords admin set? Right now i have /etc/passwd file and few more from /etc. But in passwd it look like this:

nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
_networkd:*:24:24:Network Services:/var/empty:/usr/bin/false
_installassistant:*:25:25:Install Assistant:/var/empty:/usr/bin/false
_lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
_postfix:*:27:27:Postfix Mail Server:/var/spool/postfix:/usr/bin/false
_scsd:*:31:31:Service Configuration Service:/var/empty:/usr/bin/false
_ces:*:32:32:Certificate Enrollment Service:/var/empty:/usr/bin/false
_mcxalr:*:54:54:MCX AppLaunch:/var/empty:/usr/bin/false
_pcastagent:*:55:55:Podcast Producer Agent:/var/pcast/agent:/usr/bin/false
_pcastserver:*:56:56:Podcast Producer Server:/var/pcast/server:/usr/bin/false
_serialnumberd:*:58:58:Serial Number Daemon:/var/empty:/usr/bin/false
_devdocs:*:59:59:Developer Documentation:/var/empty:/usr/bin/false
_sandbox:*:60:60:Seatbelt:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_ard:*:67:67:Apple Remote Desktop:/var/empty:/usr/bin/false
_www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
_eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false
_cvs:*:72:72:CVS Server:/var/empty:/usr/bin/false
_svn:*:73:73:SVN Server:/var/empty:/usr/bin/false
_mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
_cyrus:*:77:6:Cyrus Administrator:/var/imap:/usr/bin/false
_mailman:*:78:78:Mailman List Server:/var/empty:/usr/bin/false
_appserver:*:79:79:Application Server:/var/empty:/usr/bin/false
_clamav:*:82:82:ClamAV Daemon:/var/virusmails:/usr/bin/false
_amavisd:*:83:83:AMaViS Daemon:/var/virusmails:/usr/bin/false
_jabber:*:84:84:Jabber XMPP Server:/var/jabberd/ChatHome:/usr/bin/false
_xgridcontroller:*:85:85:Xgrid Controller:/var/xgrid/controller:/usr/bin/false
_xgridagent:*:86:86:Xgrid Agent:/var/xgrid/agent:/usr/bin/false
_appowner:*:87:87:Application Owner:/var/empty:/usr/bin/false
_windowserver:*:88:88:WindowServer:/var/empty:/usr/bin/false
_spotlight:*:89:89:Spotlight:/var/empty:/usr/bin/false
_tokend:*:91:91:Token Daemon:/var/empty:/usr/bin/false
_securityagent:*:92:92:SecurityAgent:/var/empty:/usr/bin/false
_calendar:*:93:93:Calendar:/var/empty:/usr/bin/false
_teamsserver:*:94:94:TeamsServer:/var/teamsserver:/usr/bin/false
_update_sharing:*:95:-2:Update Sharing:/var/empty:/usr/bin/false
_installer:*:96:-2:Installer:/var/empty:/usr/bin/false
_atsserver:*:97:97:ATS Server:/var/empty:/usr/bin/false
_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
_softwareupdate:*:200:200:Software Update Service:/var/empty:/usr/bin/false
_coreaudiod:*:202:202:Core Audio Daemon:/var/empty:/usr/bin/false
_screensaver:*:203:203:Screensaver:/var/empty:/usr/bin/false
_locationd:*:205:205:Location Daemon:/var/empty:/usr/bin/false
_trustevaluationagent:*:208:208:Trust Evaluation Agent:/var/empty:/usr/bin/false
_timezone:*:210:210:AutoTimeZoneDaemon:/var/empty:/usr/bin/false
_lda:*:211:211:Local Delivery Agent:/var/empty:/usr/bin/false
_cvmsroot:*:212:212:CVMS Root:/var/empty:/usr/bin/false
_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false
_dovecot:*:214:6:Dovecot Administrator:/var/empty:/usr/bin/false
_dpaudio:*:215:215:DP Audio:/var/empty:/usr/bin/false
_postgres:*:216:216:PostgreSQL Server:/var/empty:/usr/bin/false
_krbtgt:*:217:-2:Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false
_kadmin_admin:*:218:-2:Kerberos Admin Service:/var/empty:/usr/bin/false
_kadmin_changepw:*:219:-2:Kerberos Change Password Service:/var/empty:/usr/bin/false
_devicemgr:*:220:220:Device Management Server:/var/empty:/usr/bin/false
_webauthserver:*:221:221:Web Auth Server:/var/empty:/usr/bin/false
_netbios:*:222:222:NetBIOS:/var/empty:/usr/bin/false
_warmd:*:224:224:Warm Daemon:/var/empty:/usr/bin/false
_pcastlibrary:*:225:225:Podcast Library Server:/Library/Server/PodcastLibrary:/usr/bin/false
_dovenull:*:227:227:Dovecot Authentication:/var/empty:/usr/bin/false
_netstatistics:*:228:228:Network Statistics Daemon:/var/empty:/usr/bin/false
_avbdeviced:*:229:-2:Ethernet AVB Device Daemon:/var/empty:/usr/bin/false
_krb_krbtgt:*:230:-2:Open Directory Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false
_krb_kadmin:*:231:-2:Open Directory Kerberos Admin Service:/var/empty:/usr/bin/false
_krb_changepw:*:232:-2:Open Directory Kerberos Change Password Service:/var/empty:/usr/bin/false
_krb_kerberos:*:233:-2:Open Directory Kerberos:/var/empty:/usr/bin/false
_krb_anonymous:*:234:-2:Open Directory Kerberos Anonymous:/var/empty:/usr/bin/false

 

[ElDiabloConCaca]

The administrator password (and all other account passwords) are not stored, in the clear, in any file on the system. To put it another way, you cannot "see" the administrator password anywhere -- it's absolutely impossible, without "hacking" the passwd file (and good luck with that!).

What, precisely, are you looking for?

 

[ele]

Any password for any account. I read somewhere passwords are in database so not possible to just copy it like a simple file.

 

[Giaguara]

To store the passwords in clear, unscrambled text would be not only a bad practice but also a huge security risk. Thatswhy any password scramble you might see in any file is just scramble. It isn't stored in cleartext.
That is also why in the places you can see the old password, it shows as ***************

 

[ElDiabloConCaca]

Like Giaguara said, that would be a horrible implementation of passwords if anyone could just "look" at a database and get the password for any user account.

In UNIX, not even the person using a user account can "look" at their password. ALL passwords in UNIX (and Linux to some extent) are obfuscated and/or encrypted/hashed -- so the only thing a user can do is check to see if what they've entered matches their password, or reset their password. Nobody, not even the root user, can "retrieve" or "look" at a password for any other user account.

Read up on it:

http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html

 

[ele]

I never said i dont understand it - ofc i understand it. But i was thinking on MacOS its simlar to Unix/Linux - i can find some crypted/hashed password in "/etc/passwd" file. When u got some cryped password you can try to brutal force cracked it. Some times its easy. In this case passwords are stored in DB, have no access to DB fiels, and i have no access to any shell account on this machine - so not possible to crack it. End of story.

 

[Whitehill]

Shell account? Start up Applications/Utilities/Terminal and crack away. However, after cracking, if you have screwed up something and your system stops working properly, you will know who to blame, won't you?

 

[ElDiabloConCaca]

I never said i dont understand it - ofc i understand it. But i was thinking on MacOS its simlar to Unix/Linux - i can find some crypted/hashed password in "/etc/passwd" file. When u got some cryped password you can try to brutal force cracked it. Some times its easy. In this case passwords are stored in DB, have no access to DB fiels, and i have no access to any shell account on this machine - so not possible to crack it. End of story.

I posted the link because that link describes exactly where the hashed passwords are stored in Mac OS X, not because I didn't think you knew what you were talking about.

The link I posted contains every bit of information you need in order to find where the hashed passwords are stored. Let us know if it helps.

 

[ele]

Ok, but im not sure i will get ftp access to this machine again. But we will see

 

[g/re/p]

Ok, but im not sure i will get ftp access to this machine again. But we will see

Here's hoping you get caught