A couple of days ago I read the tweet that -m 16700 Filevault is now supported.
Many thanks for this, because it has been a long time on the wish-list for many, including myself.
Now, maybe I missed it in the doc/commit, but can one give me a hint on how to recover the hash ?
Is it always on the some offset and it just needs some copy-pasting?
Even better, is there a script?
Thanks!
After a lot of messing around, I got it working. It only works for Filevault on HFS+ filesystem, and
not on the newest APFS.
For educational purposes, I'll post the steps that I followed (on a mac):
0) Install
fvde2john as documented on
his GitHub
1) First attach your image;
Code:
hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /Volumes/path/to/.DD
2) MacOS gives a pop-up that Filevault-protected-disk is detected and prompts you for the password;
3) Do not forget to click on "show hint", if shown ;-)
4) MacOS shows us that the image is correctly attached; the CoreStorage is the one we need
Code:
/dev/disk3 GUID_partition_scheme
/dev/disk3s1 EFI
/dev/disk3s2 Apple_Corestorage
/dev/disk3s3 Apple_Boot
5) Obtain the
Encrypted.plist.wipekey (different ways possible, but nicely documented on
this GitHub-page)
6) Finally, execute the following:
Code:
sudo fvdetools/fvdeinfo -e Encrypted.plist.wipekey -p whatever /dev/disk3s2
7) It will give the hash (and some errors), needed to work with -m 16700
Good luck!
Nice info. Thanks for this walkthrough, I'll give it a try
Little update:
-m 16700 works also for Filevault on latest APFS filesystem, but only on macOS High Sierra (10.13)
Simply follow the guide of
this fork in order to recover the hash.
Cut the padding zeroes (16 bytes) and you are good to go.
This technique is not possible any more since macOS Mojave (10.14); I suppose that Apple did some small changes and that apfs-fuse (or the fork?) needs to be recalibrated.
(07-31-2018, 03:04 PM)Karamba Wrote: [ -> ]5) Obtain the Encrypted.plist.wipekey (different ways possible, but nicely documented on this GitHub-page)
Hello,
can you show me a way, how I can obtain the
Encrypted.plist.wipekey without mmls? I have the drive physically attached, so I dont use a .dd-image (made a 1:1 clone of the encrypted drive on a HDD with same capacity).
Or maybe I can use mmls with the physical drive? Both tools (mmls & fls) are also not installed on the mac bye default, so I guess I have to install them?!
Im using Mojave in Virtualbox to work, but the Filevault 2-encrypted Volume is pre-Sierra I think.
Maybe we can fuel this Thread with more Information, as people stumbling about this will get useful information
greetz
uennotec
mmls and others are part of the Sleuthkit; it can easily be installed on a mac via brew
if you have the drive physically attached, why not simply search with diskutil list for the RecoveryHD and mount it? finally, you can drag-and-drop the file with finder
Support for APFS -m 18300 was added with release of hashcat v5.1.0
(12-26-2018, 07:14 PM)Karamba Wrote: [ -> ]mmls and others are part of the Sleuthkit; it can easily be installed on a mac via brew
if you have the drive physically attached, why not simply search with diskutil list for the RecoveryHD and mount it? finally, you can drag-and-drop the file with finder
Hi,
I mounted the RecoveryHD and extracted the "EncryptedRoot.plist.wipekey". I then did:
sudo fvdetools/fvdeinfo -e Encrypted
Root.plist.wipekey -p whatever /dev/disk3s2
(mine is not called Encrypted.plist.wipekey, as in your command)
It then gives me 2 different Hashes. (which are displayed 2 times each, so 4 lines with 2 different hashes)
How do I know which is the correct one? Could it be, that this error is connected to the fact, that the userpassword on this machine was changed, and after that either the old, nor ne new password worked any more?
greetz uennotec