I normally don’t have a use for a password cracking application like John the Ripper, but a family member was having problems logging in to their Mac and they couldn’t remember what password they were using for the keychain. I decided to give John the Ripper a try and I’m glad I did. It picked the password for the keychain in about a minute using its built-in dictionary. If you get in a similar bind, the following worked for me running Mountain Lion Server.
The family member was remote, so they zipped up the login.keychain file and sent it to me. I moved the file to my local machine running Mountain Lion Server, but this should work on Mountain Lion, Lion, Snow Leopard, and maybe further back… I downloaded a jumbo build of John the Ripper, moved the login.keychain file into the “run” directory of the downloaded JtR, and ran the following commands from JtR’s run directory in Terminal.app:
Running keychain2john on the keychain file prints a few lines of characters; copy all of those lines into a .txt file and save it in the JtR run directory (I saved keychain2john’s output as “clwlogin.txt”). Then run the following command from Terminal:
./john -i=all clwlogin.txt
While the command above is running, you can press Enter to see JtR’s status. When JtR finds the password, it prints it on the screen followed by a question mark in parentheses. At this point JtR keeps running to look for more passwords, so I press Control-C to quit it. Success!
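The same steps, gathered into a small POSIX shell script, as an added example that is not part of the original post. It assumes a jumbo build of John the Ripper whose run directory is named by the variable JTR_RUN (an assumed name), so that keychain2john and john can be found there; the -i=all mode is the one used above, and --max-run-time and --show are standard jumbo options used here so the run stops after a time limit and the result can be read back without watching the screen. The parse function handles the status line the post describes (the password followed by a question mark in parentheses); the sample lines it is tried on are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a jumbo build of
# John the Ripper whose "run" directory is $JTR_RUN (assumed name) and that
# keychain2john and john live there. Sample values below are constructed.
set -eu

JTR_RUN="${JTR_RUN:-./run}"   # assumed location of JtR's run directory

# Step 1: convert login.keychain into a hash file john understands.
# keychain2john writes its hash lines to stdout; save them to a .txt file,
# exactly as the post does by hand.
extract_hash() {
    keychain="$1"; out="$2"
    "$JTR_RUN/keychain2john" "$keychain" > "$out"
}

# Step 2: run john in incremental mode (the post's -i=all), but give it a
# time limit so a strong password does not keep the machine busy forever.
# Afterwards --show prints whatever was recovered from john's pot file.
run_john() {
    hashfile="$1"; seconds="${2:-300}"
    "$JTR_RUN/john" -i=all --max-run-time="$seconds" "$hashfile" || true
    "$JTR_RUN/john" --show "$hashfile"
}

# Parse the line john prints when it finds a password: the password, a space,
# then the "login" in parentheses, which is "?" for a keychain hash. Returns
# non-zero for any other line (status output, "Loaded ..." banners, etc.).
parse_cracked_line() {
    line="$1"
    case "$line" in
        *" (?)") printf '%s\n' "${line%" (?)"}" ;;
        *) return 1 ;;
    esac
}

# Usage (constructed paths; runs only if JtR is present):
#   extract_hash login.keychain clwlogin.txt
#   run_john clwlogin.txt 600
```

Run it from the directory that contains the keychain file, with JTR_RUN pointing at the jumbo build's run directory. The time limit is a deliberate caveat: a keychain protected by a long passphrase will not fall to incremental mode in a minute, and the script should give up rather than run unattended indefinitely.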