Mac 10.13, 10.14 where are the hash passwords located?

Solution 1:

10.14 protects these files with SIP, so even root cannot access the files without using the directory services command. If you need to get this information deactivate SIP. Remember to reactivate SIP after you are finished. If you attempt to access using the directory services call shown above then you do not need to deactivate SIP.

Solution 2:

Disabling SIP, or trying to read the files directly, is not the thing to do here if you want to read a user record. You should use dscl to read things from Directory Services.

dscl . read Users/<username>
sudo dscl . read Users/<username> ShadowHashData

You can choose different formats for the output as well like -plist.

Solution 3:

You need to deactivate the SIP, which protects these files. In terminal, you need to write this to disable it, and you should get this message:

csrutil disable

Successfully disabled System Integrity Protection. Please restart the machine for the changes to take effect.

restart your computer once the command is successful. Then, you type your code into terminal:

sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist

and extract the files accordingly.

Once you are finished, remember to re-enable the SIP.

csrutil enable