tinyapps.org / docs / Cracking FileVault 2 (HFS+ or APFS)

0. Determine filesystem

via diskutil list:

• Apple_CoreStorage = HFS+ (CoreStorage-wrapped)
• Apple_APFS / APFS Container = APFS

1. HFS+

1.1 System volume

• Target: FileVault-encrypted MacBook Air running macOS 10.12.6
• Attacker: iMac running macOS 10.14.2

1.1.1 Download and compile fvde2john and hashcat on iMac

git clone https://github.com/kholia/fvde2john.git && cd fvde2john/
./configure && make
git clone https://github.com/hashcat/hashcat.git && cd hashcat/
make

1.1.2 Start MacBook Air in Target Disk Mode and connect to iMac via Thunderbolt, FireWire, or USB

$ diskutil list
...
/dev/disk2 (external):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         251.0 GB   disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:          Apple_CoreStorage Macintosh HD            250.1 GB   disk2s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk2s3

Offline
                                 Logical Volume Macintosh HD on disk2s2
                                 C59F0385-4F65-7EBA-36DB-3977388EB4AA
                                 Locked Encrypted

$ diskutil mount /dev/disk2s3
Volume Recovery HD on /dev/disk2s3 mounted

$ find /Volumes/Recovery\ HD -name Encry*
/Volumes/Recovery HD/com.apple.boot.S/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey

$ sudo ./fvdetools/fvdeinfo -e /Volumes/Recovery\ HD/com.apple.boot.S/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey -p dummy /dev/disk2s2
...
$fvde$1$16$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx$135098$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
$ diskutil unmount /Volumes/Recovery\ HD/
Volume Recovery HD on disk2s3 unmounted

1.1.3 Save hash to hash.txt and begin cracking with hashcat, e.g.,

$ ./hashcat -a 0 -m 16700 -o found.txt hash.txt wordlist.txt

1.2 Removable media volume

• Target: FileVault-encrypted USB hard drive
• Attacker: Mac mini running macOS 15.6.1

1.2.1 System volumes vs. removable media volumes:

"For the system volume you'll first need to obtain the EncryptedRoot.plist.wipekey and pass it to fvdemount. For removable media volumes this is not necessary because the relevant data is stored on the encrypted volume."

1.2.2 Download and compile John the Ripper jumbo:

git clone https://github.com/openwall/john.git -b bleeding-jumbo
cd john/src && ./configure && make -s clean && make -sj4

1.2.3 Extract hash from disk (e.g., rdisk4):

sudo python3 ./fvde2john.py /dev/rdisk4
:$fvde$1$16$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx$41000$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx::: ::

2. APFS

2.1 System volume

2.1.1 Linux attacker

• Target: FileVault-encrypted MacBook Pro running macOS 10.14.2
• Attacker: PC running Ubuntu 19.04

2.1.1.1 Install apfs-fuse on PC

sudo add-apt-repository universe && sudo apt update
sudo apt install fuse3 libfuse3-dev libbz2-dev cmake git libattr1-dev zlib1g-dev
git clone https://github.com/sgan81/apfs-fuse.git && cd apfs-fuse/
git submodule update --init
mkdir build && cd build
cmake ..
make

2.1.1.2 Start MacBook Pro in Target Disk Mode, connect to PC, and determine device name, e.g.,

$ cat /proc/partitions
major minor  #blocks  name

   8        0  125034840 sda
...
   8       16  118489088 sdb

2.1.1.3 Acquire hash

$ sudo ./apfs-dump-quick /dev/sdb log.txt

Device /dev/sdb opened. Size is 121332826112
Info: Found valid GPT partition table on main device. Dumping first APFS partition.
...
Volume Macintosh HD is encrypted.
...
Enter Password: JUST PRESS ENTER
...
[KEK]
Unk 80  : 0
UUID    : 48BCAEEB-4E7A-C5D2-B7EB-C21DCD1366F9
Unk 82  : 00000000 0002 15 174
KEK Wrpd: 2FDEAFAA0F6A971F674B487270A5AE59578B29FB377F76E35CF23985E045EBB8F70687086B6ED7F5
Iterat's: 100000
Salt    : 692B540738291E8B5248A74444E5B1EF
...

2.1.1.4 Arrange the hash and save to hash.txt

$fvde$2$16$692B540738291E8B5248A74444E5B1EF$100000$2FDEAFAA0F6A971F674B487270A5AE59578B29FB377F76E35CF23985E045EBB8F70687086B6ED7F5

2.1.1.5 Install hashcat (see §1.1.1) and start cracking

$ hashcat -a 0 -m 18300 -o found.txt hash.txt wordlist.txt

2.1.2 macOS attacker

• Target: FileVault-encrypted MacBook Pro (Retina, 15-inch, Mid 2014) with 250GB SSD, running macOS Big Sur
• Attacker: Mac mini (M1, 2020) running macOS Sequoia

2.1.2.1 Download apfs2hashcat and compile apfs-dump-quick on Mac mini:

brew install cmake pkg-config git
git clone "https://github.com/Banaanhangwagen/apfs2hashcat.git" && cd apfs2hashcat
git submodule update --init --recursive
mkdir build && cd build
cmake .. -DCMAKE_POLICY_VERSION_MINIMUM=3.5
make apfs-dump-quick

2.1.2.2 Start MacBook Pro in Target Disk Mode, connect to Mac mini via Thunderbolt (ejecting target Macintosh HD if it mounts and dismissing password prompt), and determine disk identifier, e.g.,

% diskutil list
...
/dev/disk5 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk5
   1:                        EFI EFI                     209.7 MB   disk5s1
   2:                 Apple_APFS Container disk6         250.8 GB   disk5s2

/dev/disk6 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +250.8 GB   disk6
                                 Physical Store disk5s2
   1:                APFS Volume Macintosh HD - Data     122.3 GB   disk6s1
   2:                APFS Volume Preboot                 365.5 MB   disk6s2
   3:                APFS Volume Recovery                613.8 MB   disk6s3
   4:                APFS Volume VM                      1.1 GB     disk6s4
   5:                APFS Volume Macintosh HD            24.0 GB    disk6s5

2.1.2.3 Acquire hash

% sudo ./apfs-dump-quick /dev/disk5 log.txt
...
$fvde$1$16$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$93003$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX00000000000000000000000000000000
...

• Whether specifying the physical disk (disk5) or the synthesized logical container (disk6), the resulting hash was identical (salt and wrapped KEK segment redacted here).

• Strip any zero padding at the end of the wrapped KEK segment prior to saving the hash as hash.txt.

• $fvde$1$ (vs. $fvde$2$) may indicate that FileVault was enabled on HFS+ pre-APFS; hash mode 16700 applies rather than 18300.

2.1.2.4 Install hashcat (see §1.1.1) and begin cracking

hashcat -a 0 -m 16700 -w 4 --force hash.txt combos.txt

• Options: straight attack (-a 0), hash mode 16700 (not 18300 — see above), workload profile 4 ("insane"), --force to bypass warnings, hash.txt saved in step 2.1.2.3, and combos.txt generated with this Python script based on user's vague recollection:

  from itertools import product
  
  symbols = ['@', '!', '#', '$', '%', '^', '&', '*']
  words = [
      'sing', 'sinG', 'siNg', 'siNG', 'sIng', 'sInG', 'sINg', 'sING',
      'Sing', 'SinG', 'SiNg', 'SiNG', 'SIng', 'SInG', 'SINg', 'SING'
  ]
  
  with open('combos.txt', 'w') as f:
      for sym, word in product(symbols, words):
          # Just symbol + word
          f.write(f"{sym}{word}\n")
          # symbol + word + 1-digit numbers
          for i in range(10):
              f.write(f"{sym}{word}{i}\n")
          # symbol + word + 2-digit numbers
          for i in range(100):
              f.write(f"{sym}{word}{i:02}\n")
          # symbol + word + 3-digit numbers
          for i in range(1000):
              f.write(f"{sym}{word}{i:03}\n")
          # symbol + word + 4-digit numbers
          for i in range(10000):
              f.write(f"{sym}{word}{i:04}\n")

2.2 Removable media volume

• Target: FileVault-encrypted USB hard drive
• Attacker: Mac mini running macOS 15.6.1

2.2.1 Download and compile hashcat on Mac mini:

git clone https://github.com/hashcat/hashcat.git && cd hashcat && make

2.2.2 Extract hash from disk (e.g., disk8):

sudo python3 ./tools/apfs2hashcat.py /dev/disk8
...
Found password hash: $fvde$1$16$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx$142377$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

3. Notes

• If a firmware password is set, there are a few options:

  • At the firmware password prompt, press SHIFT + CONTROL + OPTION + COMMAND + S to reveal a one-time use hash; provide it along with proof of purchase to Apple, which will send an SCBO file that removes the firmware password.
  • On older Macs, simply change the amount of physical memory and reboot.
  • If the encrypted drive is removable, remove and connect to appropriate adapter (e.g., OWC Envoy Pro).
  • Flash the EFI chip on your own, with a purpose-built tool, or via mail-in service.
  • Bypass the built-in EFI ROM permanently with a Matt Card.

• The full output of apfs-dump-quick /dev/sdb log.txt included two distinct KEK sections; the first contained the desired hash.

• Pairing rules with wordlists increases efficacy. According to Tevora.com, "Append_d is by far the most effective rule. It added an average of 10% more cracks to each wordlist it was paired with." Can be appended to the above hashcat commands like so: -r ./hashcat/rules/hybrid/append_d.rule.

4. See also

• Create fvde2john.py #5623 and README.FileVault2

• From FileVault to T2: How to Deal with Native Apple Encryption includes Decrypting FileVault2 volumes from Macs with a T2 chip via Passware Kit (currently unsupported by hashcat)

• Recovering saved macOS user passwords

• Crack Mac user password

• Cracking hashes in the cloud with hashcat

• Password hint recovery:

  • How do I get the password hint for an encrypted disk?
  • Find and decode bytes containing passphrase hint (CryptoUsers structure) in FileVault Drive Encryption of HFS+ encrypted drive
  • Which encrypted items show a hint?
  • How to recover a password hint from a drive encrypted with Disk Utility?

• Sources:

  • -m 18300 APFS
  • -m 16700 Filevault
  • Obtaining EncryptedRoot.plist.wipekey
  • hashcat man page
  • Example hashes

created: 2019.05.27, updated: 2026.02.25