Cracking a Family Member's Password
My wife’s grandfather passed away near the start of this year, and while going through his things her family found an iMac that nobody knew the password to. I’m sort of the go-to person in the family for problems like this, but it also seemed like a fun challenge so I figured I’d take a crack at it.
I didn’t learn this until later, but this iMac was from 2011 and was running OSX 10.7 Lion. What I could tell pretty quickly though is that this wasn’t a recent iMac at all. That was a good sign, because I figured that would make it unlikely that there would be any disk encryption or extra security that would make it difficult to extract the data or crack the password.
I was able to get to a boot menu with a little bit of trial and error. Turns out it only comes up if you hold the option key during boot from fully powered off, not after triggering a restart from the login screen! I plugged in a live Fedora USB and had Linux running soon after.
Now if all we cared about was getting the files off the internal drive, I could have stopped here. The Gnome file browser had no trouble browsing the drive, but I wanted to see if we could do one better by getting into OSX. This grandfather was really into photography, and there would be something neat about seeing the computer running as he had kept it, tools and all.
A quick search showed that this version of OSX stores user password hashes in plist files located at /var/db/dslocal/nodes/Default/users/{username}.plist. From Linux I was able to send a copy of this file over to my main computer to work on it.
I found a pretty simple Python script online for extracting password hashes on OSX 10.15 Catalina. Lion uses the simpler SALTED-SHA512 format instead of the PBKDF2-SHA512 that was introduced in 10.8 Mountain Lion. After a few small changes I was able to come up with a modified script that would work for 10.7 Lion.
With the hash extracted, I installed hashcat to start cracking. The command I used is:
hashcat -m 1722 -a 0 hash.txt rockyou.txt
- The -m flag specifies the hash type, which you can find in the hashcat documentation.
- The -a flag specifies an attack mode. 0 corresponds to a straight dictionary attack, which is what I wanted since I suspected the password would be something simple.
- I used the popular rockyou wordlist for the same reason. If it failed, I could always try again with a custom wordlist.
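To show what the extraction script above actually pulls out of the plist, and what hashcat mode 1722 recomputes for every guess, here is an added Python example (mine, not the modified script from the post). It builds a constructed stand-in for a Lion user plist with a made-up username, password and salt, extracts the SALTED-SHA512 blob into the hex form hashcat takes, and checks a candidate against it; a single round of SHA-512 over a 4-byte salt is why a dictionary run finishes in seconds.

```python
import hashlib
import plistlib

# Lion (10.7) keeps each local user in /var/db/dslocal/nodes/Default/users/<name>.plist.
# The ShadowHashData key holds a list of data blobs; each blob is itself a binary plist
# whose SALTED-SHA512 entry is 68 bytes: a 4-byte salt followed by SHA-512(salt || password).
# hashcat -m 1722 takes exactly those 68 bytes as one 136-character hex string.


def salted_sha512(password: str, salt: bytes) -> bytes:
    """Compute the 68-byte Lion SALTED-SHA512 blob for a password."""
    if len(salt) != 4:
        raise ValueError("Lion uses a 4-byte salt")
    return salt + hashlib.sha512(salt + password.encode("utf-8")).digest()


def build_user_plist(username: str, password: str, salt: bytes) -> bytes:
    """Constructed stand-in for a user plist; the real file has more keys."""
    shadow = plistlib.dumps({"SALTED-SHA512": salted_sha512(password, salt)},
                            fmt=plistlib.FMT_BINARY)
    user = {"name": [username], "ShadowHashData": [shadow]}
    return plistlib.dumps(user, fmt=plistlib.FMT_BINARY)


def extract_hashcat_line(user_plist: bytes) -> str:
    """Return the hex string (salt + digest) that goes into hash.txt for -m 1722."""
    user = plistlib.loads(user_plist)
    for blob in user.get("ShadowHashData", []):
        inner = plistlib.loads(blob)          # nested binary plist inside the data blob
        raw = inner.get("SALTED-SHA512")
        if raw is None:
            continue                          # newer formats use SALTED-SHA512-PBKDF2
        if len(raw) != 68:
            raise ValueError("unexpected SALTED-SHA512 length %d" % len(raw))
        return raw.hex()
    raise ValueError("no SALTED-SHA512 entry found")


def check_candidate(hashcat_line: str, candidate: str) -> bool:
    """Recompute salt || SHA-512(salt || candidate) and compare, one guess at a time."""
    raw = bytes.fromhex(hashcat_line)
    salt, digest = raw[:4], raw[4:]
    return hashlib.sha512(salt + candidate.encode("utf-8")).digest() == digest


if __name__ == "__main__":
    # Constructed sample values, not the real account from the post.
    line = extract_hashcat_line(build_user_plist("grandpa", "sunflower", b"\xde\xad\xbe\xef"))
    print(line)
    print(check_candidate(line, "sunflower"), check_candidate(line, "Sunflower"))
```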
After about two seconds (yes the password was that simple) I had the password! Embarrassingly, it was something we easily could have and should have guessed. But we didn’t, so my effort was for something at least.
When we logged in, all of Grandpa’s windows reopened as he had last had them which was a neat sight. We had a great time going through all the old photos the rest of the night.
— JP