OS X 10.9: where are password hashes stored

Starting with Lion, OS X introduced a shadow file per user that is a plist dictionary that contains password hashes and other GID/UID/Kerberos and Open Directory type keys.

The shadow files are stored on the filesystem at /var/db/dslocal/nodes/Default/users. They are in plist format so you'll need to use the plutil command to view them or use the defaults command to extract/write specific keys if desired. Only the root user has access to the files.

To view the contents of a shadow file for a user:

sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist

To get the hash:

sudo defaults read /var/db/dslocal/nodes/Default/users/<username>.plist ShadowHashData | tr -dc 0-9a-f | xxd -r -p | plutil -convert xml1 - -o -

Where <username> in the above examples is the user you're looking for the hash for. You want the <data> section that corresponds to the <key>entropy</key> key in that plist output.

To continue on to try and crack the password see this tutorial.
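
Added example, not part of the answer above: the ShadowHashData value is itself an embedded plist, which is why the pipeline above feeds it back into plutil. This Python code parses a constructed user record and reports only the hash scheme and its parameters, for auditing local accounts. The SALTED-SHA512-PBKDF2 scheme name, the iterations and salt keys, the sample sizes and the iteration threshold are assumptions that do not appear on this page.

```python
import plistlib


def build_sample_record(iterations=25000, with_hash=True):
    """Constructed dslocal-style user record (all-zero bytes, not a real hash)."""
    record = {"name": ["alice"]}
    if with_hash:
        inner = {"SALTED-SHA512-PBKDF2": {  # assumed scheme name and keys
            "entropy": bytes(128), "iterations": iterations, "salt": bytes(32)}}
        # Values in a user record are arrays; the hash entry is a nested binary plist.
        record["ShadowHashData"] = [plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)]
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


def summarize_shadow_hash(user_plist_bytes):
    """Return {scheme: parameters} with byte fields reduced to their lengths."""
    record = plistlib.loads(user_plist_bytes)
    blobs = record.get("ShadowHashData", [])
    if not blobs:
        return {}  # no local hash stored in this record
    inner = plistlib.loads(blobs[0])  # second parse: the embedded plist
    summary = {}
    for scheme, params in inner.items():
        if isinstance(params, dict):
            summary[scheme] = {
                (key + "_bytes" if isinstance(value, bytes) else key):
                (len(value) if isinstance(value, bytes) else value)
                for key, value in params.items()}
        else:
            summary[scheme] = {"value_bytes": len(params)}
    return summary


def audit(summary, min_iterations=100_000):
    """Flag non-PBKDF2 schemes and low iteration counts (threshold is an assumed policy)."""
    findings = []
    for scheme, fields in summary.items():
        if "PBKDF2" not in scheme:
            findings.append(f"{scheme}: not a PBKDF2 scheme")
        elif fields.get("iterations", 0) < min_iterations:
            findings.append(
                f"{scheme}: {fields.get('iterations', 0)} iterations < {min_iterations}")
    return findings


if __name__ == "__main__":
    info = summarize_shadow_hash(build_sample_record())
    print(info)
    print(audit(info))
```

On a real system the input would be the root-only file under /var/db/dslocal/nodes/Default/users, read as bytes and passed to summarize_shadow_hash.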


I want to add to the accepted answer, just in case someone tries to get the password hashes stored on an OS X Server in Open Directory. For network (OD) users you need to

sudo mkpassdb -dump

which will get you a list of users and their respective slot IDs. Copy the entire slot ID beginning with 0x and issue

sudo mkpassdb -dump slot_id_that_you_retrieved

You'll see several digest entries, amongst which *cmusaslsecretSMBNT is the NTLM password hash and *cmusaslsecretDIGEST-MD5 is the regular MD5 hash. Do with those what you wish, but I found it easier to submit those to https://hashkiller.co.uk/ntlm-decrypter.aspx which is a free online hash cracking service. It accepts your hash and if not yet in their database will start working on it. Return a week later and it should be cracked. This has been tested on OS X El Capitan and Mac OS Sierra. You may not see digests if some auth methods have been explicitly disabled on your server but they should be there by default.