README.FileVault2
This document is about cracking password-protected FileVault 2 encrypted
volumes with JtR.

FileVault 2 hashes can be extracted from an encrypted volume using the tool
run/fvde2john.py.

Hash extraction example:

$ python3 fvde2john.py FileVault2_image
testuser:$fvde$1$16$270186d6758a4426d3f015a019eabc46$101082$63a758b61183c5d4d06dda5e8f14dd0b1555fe2a1f2d0304:Full Name:mypasswordhint

The output of fvde2john.py is of the form:

username:password hash:full name:password hint

Alternatively, the "fvde2john" (https://github.com/kholia/fvde2john) tool can be used.

First, build the "fvde2john" (https://github.com/kholia/fvde2john) project from
source. See https://github.com/libyal/libfvde/wiki/Building for help.

Second, use the built fvde2john project to extract hash(es) from the encrypted
FileVault 2 volume:

$ tar -xJf fvde-1.raw.tar.xz  # sample image for testing, from the fvde2john project
$ sudo kpartx -v -a fvde-1.raw
add map loop2p1 (253:5): 0 1048496 linear /dev/loop2 40
$ sudo fvdetools/fvdeinfo -p dummy /dev/mapper/loop2p1  # this extracts the hashes
fvdeinfo 20160918
$fvde$1$16$e7eebaabacaffe04dd33d22fd09e30e5$41000$e9acbb4bc6dafb74aadb72c576fecf69c2ad45ccd4776d76

Here is how to extract hashes without using kpartx. The volume offset passed to
fvdeinfo -o is the partition's start sector multiplied by the sector size, both
of which fdisk prints:

$ fdisk -l fvde-2.raw
Disk fvde-2.raw: 512 MiB, 536870912 bytes, 1048576 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: EBED216B-95C5-40D3-9C15-D352C8E9E357

Device      Start     End Sectors  Size Type
fvde-2.raw1    40 1048535 1048496  512M Apple Core storage

40 (Start) * 512 (Sector size) => 20480 => volume offset

$ ./fvdetools/fvdeinfo -o 20480 fvde-2.raw
fvdeinfo 20160918
$fvde$1$16$94c438acf87d68c2882d53aafaa4647d$70400$2deb811f803a68e5e1c4d63452f04e1cac4e5d259f2e2999
$fvde$1$16$94c438acf87d68c2882d53aafaa4647d$70400$2deb811f803a68e5e1c4d63452f04e1cac4e5d259f2e2999
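Before handing extracted lines to john it helps to check that every hash is well-formed and to drop the duplicates fvdeinfo prints (as in the transcript above). The following Python is an added example written for this README; it is not part of JtR, fvde2john.py or libfvde. It parses the two line formats shown on this page (the username:hash:full name:password hint line from fvde2john.py and the bare $fvde$ line from fvdeinfo), computes the fvdeinfo -o offset from the fdisk start sector, and de-duplicates. The function and constant names are mine; the assumptions that the version field is 1, the salt is 16 bytes and the blob is 24 bytes are taken from the hashes on this page and are enforced as sanity checks rather than documented format rules.

```python
import re
from dataclasses import dataclass

# Layout of a JtR FileVault 2 hash as it appears in every example on this page:
#   $fvde$<version>$<salt length>$<salt hex>$<PBKDF2 iterations>$<wrapped-key blob hex>
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
SALT_LEN = 16   # bytes; the "16" field in the hashes above
BLOB_LEN = 24   # bytes; 48 hex characters in every hash above (assumed fixed)


@dataclass(frozen=True)
class FvdeHash:
    version: int
    salt: bytes
    iterations: int
    blob: bytes

    @property
    def raw(self) -> str:
        """Re-emit the hash in the form john reads from the hash file."""
        return "$fvde$%d$%d$%s$%d$%s" % (
            self.version, len(self.salt), self.salt.hex(), self.iterations, self.blob.hex())


def parse_fvde_hash(text: str) -> FvdeHash:
    """Parse and sanity-check one $fvde$ string; raises ValueError on malformed input."""
    parts = text.strip().split("$")
    if len(parts) != 7 or parts[0] != "" or parts[1] != "fvde":
        raise ValueError("not a $fvde$ hash: %r" % text)
    _, _, version_s, salt_len_s, salt_hex, iters_s, blob_hex = parts
    if version_s != "1":
        raise ValueError("unsupported $fvde$ version %r (only version 1 is shown here)" % version_s)
    for field, name in ((salt_hex, "salt"), (blob_hex, "blob")):
        if not _HEX_RE.match(field) or len(field) % 2:
            raise ValueError("%s is not valid even-length hex: %r" % (name, field))
    salt = bytes.fromhex(salt_hex)
    if int(salt_len_s) != len(salt) or len(salt) != SALT_LEN:
        raise ValueError("salt length field %s does not match a %d-byte salt" % (salt_len_s, SALT_LEN))
    iterations = int(iters_s)
    if iterations <= 0:
        raise ValueError("iteration count must be positive: %r" % iters_s)
    blob = bytes.fromhex(blob_hex)
    if len(blob) != BLOB_LEN:
        raise ValueError("expected a %d-byte blob, got %d bytes" % (BLOB_LEN, len(blob)))
    return FvdeHash(int(version_s), salt, iterations, blob)


def parse_fvde2john_line(line: str) -> dict:
    """Split a run/fvde2john.py output line: username:hash:full name:password hint.
    Only the first three colons delimit fields, so a hint may itself contain ':'."""
    fields = line.rstrip("\n").split(":", 3)
    if len(fields) != 4:
        raise ValueError("expected 4 colon-separated fields, got %d" % len(fields))
    username, hash_text, full_name, hint = fields
    return {"username": username, "hash": parse_fvde_hash(hash_text),
            "full_name": full_name, "hint": hint}


def volume_offset(start_sector: int, sector_size: int = 512) -> int:
    """Byte offset for fvdeinfo -o: the fdisk Start sector times the sector size."""
    return start_sector * sector_size


def collect_hashes(lines) -> list:
    """Keep the valid, unique $fvde$ lines from fvdeinfo output in first-seen order,
    skipping banner lines such as 'fvdeinfo 20160918' and repeated hashes."""
    seen, out = set(), []
    for line in lines:
        line = line.strip()
        if not line.startswith("$fvde$"):
            continue
        h = parse_fvde_hash(line)
        if h.raw not in seen:
            seen.add(h.raw)
            out.append(h)
    return out


if __name__ == "__main__":
    # Sample input taken from the transcripts on this page.
    rec = parse_fvde2john_line(
        "testuser:$fvde$1$16$270186d6758a4426d3f015a019eabc46$101082$"
        "63a758b61183c5d4d06dda5e8f14dd0b1555fe2a1f2d0304:Full Name:mypasswordhint")
    print(rec["username"], rec["hash"].iterations, "iterations, hint:", rec["hint"])
    print("fvdeinfo -o", volume_offset(40))
    dup = "$fvde$1$16$94c438acf87d68c2882d53aafaa4647d$70400$2deb811f803a68e5e1c4d63452f04e1cac4e5d259f2e2999"
    for h in collect_hashes(["fvdeinfo 20160918", dup, dup]):
        print(h.raw)   # printed once; suitable for writing to the hash file
```

Write the strings returned by collect_hashes to the hash file one per line and pass that file to john as in the final step; a ValueError from parse_fvde_hash means the line was truncated or mangled during extraction and should be regenerated rather than cracked.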
Finally, give this hash string to JtR jumbo to crack:

$ cat hash
$fvde$1$16$e7eebaabacaffe04dd33d22fd09e30e5$41000$e9acbb4bc6dafb74aadb72c576fecf69c2ad45ccd4776d76

$ ../run/john hash -wordlist=wordlist
Using default input encoding: UTF-8
Loaded 1 password hash (FVDE, FileVault 2 [PBKDF2-SHA256 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
openwall         (?)

For more help with fvde2john, see the following URLs:

https://github.com/libyal/libfvde/wiki
https://github.com/libyal/libfvde/wiki/Troubleshooting