Extract a Mac OSX Catalina user's password hash as a hashcat-compatible string

osx_extract_hash.py

#!/usr/bin/env python3

"""
Mac OSX 10.7 Lion User Password Hash Extractor
Modified from https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2

Extracts a user's password hash from a plist file as a hashcat-compatible string.
Plist files can be found at `/var/db/dslocal/nodes/Default/users/{username}.plist`.
10.7 Lion stores passwords in SALTED-SHA512 format (hashcat type 1722).

Usage:
    ./osx-hash-convert.py <plist_file> > hash.txt
    hashcat -m 1722 -a 0 hash.txt wordlist.txt
"""

import plistlib
import sys

def extract_shadow_hash(user_plist):
    # Nested binary plist
    nested_bplist = user_plist["ShadowHashData"]
    shadow_hash_plist = plistlib.loads(nested_bplist[0])

    salted_sha512 = shadow_hash_plist["SALTED-SHA512"]
    return salted_sha512.hex()


def main(args):
    plist_path = args[1]
    with open(plist_path, "rb") as f:
        plist = plistlib.load(f)
    shadow = extract_shadow_hash(plist)
    print(shadow)


if __name__ == "__main__":
    main(sys.argv)