Either my Google skills are weaksauce or there are no good references regarding cracking OS X's password hashes using Hashcat. This isn't a tutorial on how to install oclHashcat or how best to crack user passwords, but a simple how-to so you can use it to start cracking right away.
Before you start, some assumptions. While you will be obtaining the hashes on an OS X (v10.4 - 10.6) computer, you are using a Linux workstation with a fully working oclHashcat v0.26 or greater to do the hash cracking. Previous versions don't support hex salts and hex character sets.
So, let's get started... OS X versions from 10.4 - 10.6 store password hashes in /var/db/shadow/hash in files named after each user's GUID that look similar to this: 0B32C1A9-1352-4A13-BBA0-79EB0BA317E3. They have accompanying .state files, but we're not interested in those for the purposes of cracking.
We're going to try and crack all hashes, but to look up specific users and their GUIDs, check out this blog post, or just use the following commands:
10.4
$ niutil -readprop . /users/<username> generateduid
10.5 - 10.6
$ dscl localhost -read /Search/Users/<username> | grep GeneratedUID | cut -c15-
These hash files store various hashes including LM and NTLM, but we will concentrate on OS X's native hashing algorithm which is a salted SHA-1. You can use this simple one-liner to extract just the SHA-1 hashes and write them to a file:
$ sudo su -
# cut -c169-216 /var/db/shadow/hash/* > /tmp/my_hashes.txt
Within this file, you should see something similar to this:
The first 8 characters in each line are the hex representation of the salt and the rest is the actual hash. For example, in the first hash the salt would be C2252228 and the hash is 94237AEAFA66F93EEA5F98BEFE3095B9F8C1C1D1.
For the purposes of oclHashcat, we'll have to convert these lines to a hash:salt style format. We can do that with another one-liner:
# sed -i.orig 's/^\(........\)\(.*\)/\2:\1/g' /tmp/my_hashes.txt
After which, you should end up with something like this:
Now, we're ready to feed this file to oclHashcat (or cudaHashcat for NVIDIA users). For the purposes of this tutorial, we're just going to do a mindless brute-force and assume the password is 8 characters with at least 1 upper, 1 lower, 1 number, and 1 special character.
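The extraction and hash:salt conversion steps above, as an added Python example that is not part of the original post: it pulls the same columns as `cut -c169-216`, reorders them like the sed one-liner, and checks a password you already know against the result so you can confirm the conversion is right. The function names, the sample record, the UTF-8 password encoding and the all-zero check are assumptions made for illustration.

```python
import hashlib
import re

SHA1_SLOT = slice(168, 216)   # same span as `cut -c169-216` (1-based, inclusive)
HEX48 = re.compile(r"[0-9A-Fa-f]{48}")

def extract_salted_sha1(record):
    """Return (salt_hex, hash_hex) from one shadow hash file's text, or None."""
    field = record[SHA1_SLOT]
    if not HEX48.fullmatch(field):
        return None               # truncated file or non-hex content
    if set(field) == {"0"}:
        return None               # assumption: an all-zero slot means no hash stored
    return field[:8].upper(), field[8:].upper()

def to_hashcat_line(salt_hex, hash_hex):
    """Same reordering as the sed one-liner: salt+hash becomes hash:salt."""
    return f"{hash_hex}:{salt_hex}"

def matches(password, salt_hex, hash_hex):
    """True if SHA-1(raw salt bytes + password) equals the stored hash."""
    salt = bytes.fromhex(salt_hex)    # 4 raw bytes, which is why hex salts are needed
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return digest.upper() == hash_hex.upper()

def make_sample_record(password, salt_hex):
    """Constructed test input: zero filler with a salted SHA-1 at columns 169-216."""
    digest = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return "0" * 168 + salt_hex + digest.upper() + "0" * 1024

if __name__ == "__main__":
    # Constructed salt and password, not taken from any real account.
    record = make_sample_record("Example#1", "0A1B2C3D")
    salt_hex, hash_hex = extract_salted_sha1(record)
    print(to_hashcat_line(salt_hex, hash_hex))
    print("known password matches:", matches("Example#1", salt_hex, hash_hex))
```

A line for which `extract_salted_sha1` returns `None` is not worth feeding to oclHashcat, since it holds no usable salted SHA-1.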