tinyapps.org / docs / Cracking FileVault 2 (HFS+ or APFS)


1. HFS+

1.1 Download and compile fvde2john and hashcat on iMac:

$ git clone https://github.com/kholia/fvde2john.git
$ cd fvde2john/
$ ./configure
$ make

$ git clone https://github.com/hashcat/hashcat.git
$ cd hashcat/
$ make

1.2 Start MacBook Air in Target Disk Mode and connect to iMac via Thunderbolt, FireWire, or USB:

$ diskutil list
...
/dev/disk2 (external):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         251.0 GB   disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:          Apple_CoreStorage Macintosh HD            250.1 GB   disk2s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk2s3

Offline
                                 Logical Volume Macintosh HD on disk2s2
                                 C59F0385-4F65-7EBA-36DB-3977388EB4AA
                                 Locked Encrypted

$ diskutil mount /dev/disk2s3
Volume Recovery HD on /dev/disk2s3 mounted

$ find /Volumes/Recovery\ HD -name Encry*
/Volumes/Recovery HD/com.apple.boot.S/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey

$ sudo ./fvdetools/fvdeinfo -e /Volumes/Recovery\ HD/com.apple.boot.S/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey -p dont-know /dev/disk2s2
...
$fvde$1$16$3fc886d887bef6f52b6d3f275c290e23$135098$5f852cd981bdad55bd8e60de04ab28742961b3c55e28a0f5
...

$ diskutil unmount /Volumes/Recovery\ HD/
Volume Recovery HD on disk2s3 unmounted

1.3 Save hash to hash.txt and begin cracking with hashcat, e.g.,

$ ./hashcat/hashcat -a 0 -m 16700 -o found.txt hash.txt wordlist.txt

2. APFS

2.1 Install apfs-fuse on PC

$ sudo add-apt-repository universe
$ sudo apt update
$ sudo apt install fuse3 libfuse3-dev libbz2-dev cmake git libattr1-dev zlib1g-dev

$ git clone https://github.com/sgan81/apfs-fuse.git
$ cd apfs-fuse/
$ git submodule init
$ git submodule update
$ mkdir build && cd build
$ cmake ..
$ make
...
[100%] Built target apfs-dump-quick

2.2 Start MacBook Pro in Target Disk Mode, connect to PC, and determine disk name, e.g.,

$ cat /proc/partitions
major minor  #blocks  name

   8        0  125034840 sda
...
   8       16  118489088 sdb

2.3 Acquire hash

$ sudo ./apfs-dump-quick /dev/sdb log.txt

Device /dev/sdb opened. Size is 121332826112
Info: Found valid GPT partition table on main device. Dumping first APFS partition.
...
Volume Macintosh HD is encrypted.
...
Enter Password: JUST PRESS ENTER
...
[KEK]
Unk 80  : 0
UUID    : 48BCAEEB-4E7A-C5D2-B7EB-C21DCD1366F9
Unk 82  : 00000000 0002 15 174
KEK Wrpd: 2FDEAFAA0F6A971F674B487270A5AE59578B29FB377F76E35CF23985E045EBB8F70687086B6ED7F5
Iterat's: 100000
Salt    : 692B540738291E8B5248A74444E5B1EF
...

2.4 Arrange the Salt, Iterat's, and KEK Wrpd values from the dump into hashcat's $fvde$2$ format and save to hash.txt

$fvde$2$16$692B540738291E8B5248A74444E5B1EF$100000$2FDEAFAA0F6A971F674B487270A5AE59578B29FB377F76E35CF23985E045EBB8F70687086B6ED7F5

2.5 Install hashcat (see §1.1) and start cracking

$ hashcat -a 0 -m 18300 -o found.txt hash.txt wordlist.txt
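To sanity-check a hash line before handing it to hashcat, and to see what the volume's protection actually rests on (the salt and the wrapped KEK sit in clear metadata; only the password and the PBKDF2 iteration count stand between them and the volume key), here is an added Python example, not from tinyapps.org or from the fvde2john, apfs-fuse or hashcat projects. It decodes the $fvde$ layout shown in §1.2 and §2.4 and arranges the [KEK] fields printed in §2.3 into the §2.4 line; the hashcat mode numbers are the ones used on this page, and the wrapped-KEK length check is an assumption taken from the page's two samples (24 bytes for version 1, 40 bytes for version 2).

```python
import re

# Layout of the FileVault 2 hash line used by fvde2john and hashcat (both samples on this page):
#   $fvde$<ver>$<salt bytes>$<salt hex>$<PBKDF2 iterations>$<AES-wrapped KEK hex>
# ver 1 = CoreStorage/HFS+ (hashcat -m 16700), ver 2 = APFS (hashcat -m 18300).
FVDE_RE = re.compile(
    r"^\$fvde\$(?P<ver>[12])\$(?P<saltlen>\d+)\$(?P<salt>[0-9A-Fa-f]+)"
    r"\$(?P<iter>\d+)\$(?P<kek>[0-9A-Fa-f]+)$"
)
HASHCAT_MODE = {1: 16700, 2: 18300}
# Assumption taken from the two samples on this page: AES key wrap adds 8 bytes, so a
# 16-byte KEK wraps to 24 bytes (ver 1) and a 32-byte KEK wraps to 40 bytes (ver 2).
WRAPPED_KEK_LEN = {1: 24, 2: 40}

# Constructed input: the [KEK] block shown in step 2.3 of this page.
SAMPLE_DUMP = """[KEK]
Unk 80  : 0
UUID    : 48BCAEEB-4E7A-C5D2-B7EB-C21DCD1366F9
Unk 82  : 00000000 0002 15 174
KEK Wrpd: 2FDEAFAA0F6A971F674B487270A5AE59578B29FB377F76E35CF23985E045EBB8F70687086B6ED7F5
Iterat's: 100000
Salt    : 692B540738291E8B5248A74444E5B1EF
"""


def parse_fvde(line):
    """Decode and sanity-check one $fvde$ line; raise ValueError if it is malformed."""
    m = FVDE_RE.match(line.strip())
    if not m:
        raise ValueError("not a $fvde$ hash line")
    ver = int(m["ver"])
    salt = bytes.fromhex(m["salt"])
    if len(salt) != int(m["saltlen"]):
        raise ValueError("salt length field does not match the salt hex")
    kek = bytes.fromhex(m["kek"])
    if len(kek) != WRAPPED_KEK_LEN[ver]:
        raise ValueError(f"wrapped KEK should be {WRAPPED_KEK_LEN[ver]} bytes for version {ver}")
    return {"version": ver, "hashcat_mode": HASHCAT_MODE[ver], "salt": salt,
            "iterations": int(m["iter"]), "wrapped_kek": kek}


def fvde_from_apfs_dump(dump_text):
    """Arrange the first [KEK] block of apfs-dump-quick output (step 2.3) into the
    version-2 line of step 2.4. Only the Salt, Iterat's and KEK Wrpd fields are used."""
    fields = {}
    for raw in dump_text.splitlines():
        key, sep, value = raw.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())  # keep the first block's values
    missing = [k for k in ("Salt", "Iterat's", "KEK Wrpd") if k not in fields]
    if missing:
        raise ValueError(f"dump is missing {missing}")
    salt, iters, kek = fields["Salt"], fields["Iterat's"], fields["KEK Wrpd"]
    line = f"$fvde$2${len(salt) // 2}${salt}${iters}${kek}"
    parse_fvde(line)  # refuse to emit a line hashcat would reject
    return line


if __name__ == "__main__":
    line = fvde_from_apfs_dump(SAMPLE_DUMP)
    info = parse_fvde(line)
    print(line)
    print(f"hashcat -m {info['hashcat_mode']}, PBKDF2 iterations: {info['iterations']}")
```

The iteration count it reports is worth noting when assessing a volume: it is the only tunable cost factor in this scheme, so a short password is the weak point regardless of which tools are used.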


created: 2019.05.27, updated: 2020.04.19