The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:
XenForo uses a salted double hash using either SHA1 or SHA256:
sha1(sha1(password) . salt)
sha256(sha256(password) . salt)
You will need to fetch the auth record and then verify the password using PHP code. This is because the data is serialized so it can't be queried directly. And MySQL doesn't have a SHA256 function, only SHA1.
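The verification step described above, as an added example that is not part of the original post and not XenForo's own code. It assumes the serialized blob from the user's xf_user_authenticate row unserializes to an array with the keys `hash`, `salt` and `hashFunc`; the function name and the sample record are constructed for illustration.

```php
<?php
// Added example (not XenForo's code): verify a password against one
// serialized auth record taken from the xf_user_authenticate table.
// Assumption: the blob unserializes to ['hash', 'salt', 'hashFunc'].

function verify_xf_password(string $password, string $serializedData): bool
{
    // allowed_classes => false: database content must never instantiate objects.
    $data = @unserialize($serializedData, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return false; // corrupt or non-array record
    }

    $hash = $data['hash'] ?? null;
    $salt = $data['salt'] ?? null;
    $func = $data['hashFunc'] ?? null;
    if (!is_string($hash) || !is_string($salt)) {
        return false;
    }

    // Only the two algorithms named in the post are accepted; the record
    // itself must not be able to select an arbitrary hash function.
    if (!in_array($func, ['sha1', 'sha256'], true)) {
        return false;
    }

    // func(func(password) . salt), with hex-encoded inner and outer digests.
    $computed = hash($func, hash($func, $password) . $salt);

    // Constant-time comparison, stored value first.
    return hash_equals($hash, $computed);
}

// Constructed sample record, built the same way the scheme describes.
$salt = 'constructed-sample-salt';
$record = serialize([
    'hash'     => hash('sha256', hash('sha256', 'correct horse') . $salt),
    'salt'     => $salt,
    'hashFunc' => 'sha256',
]);

var_dump(verify_xf_password('correct horse', $record));
var_dump(verify_xf_password('wrong guess', $record));
var_dump(verify_xf_password('correct horse', 'not-serialized-data'));
```

The `allowed_classes` option requires PHP 7.0 or later.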