tinyapps.org / docs / Cracking FileVault 2 (HFS+ or APFS)


1. HFS+

1.1 Download and compile fvde2john and hashcat on iMac:

$ git clone https://github.com/kholia/fvde2john.git
$ cd fvde2john/
$ ./configure
$ make

$ git clone https://github.com/hashcat/hashcat.git
$ cd ../hashcat/
$ make

1.2 Start MacBook Air in Target Disk Mode and connect to iMac via Thunderbolt, FireWire, or USB:

$ diskutil list
...
/dev/disk2 (external):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         251.0 GB   disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:          Apple_CoreStorage Macintosh HD            250.1 GB   disk2s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk2s3

Offline
                                 Logical Volume Macintosh HD on disk2s2
                                 C59F0385-4F65-7EBA-36DB-3977388EB4AA
                                 Locked Encrypted

$ diskutil mount /dev/disk2s3
Volume Recovery HD on /dev/disk2s3 mounted

$ find /Volumes/Recovery\ HD -name Encry*
/Volumes/Recovery HD/com.apple.boot.S/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey

$ sudo ./fvdetools/fvdeinfo -e /Volumes/Recovery\ HD/com.apple.boot.S/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey -p dont-know /dev/disk2s2
...
$fvde$1$16$3fc886d887bef6f52b6d3f275c290e23$135098$5f852cd981bdad55bd8e60de04ab28742961b3c55e28a0f5
...

$ diskutil unmount /Volumes/Recovery\ HD/
Volume Recovery HD on disk2s3 unmounted

1.3 Save hash to hash.txt and begin cracking with hashcat, e.g.,

$ ./hashcat/hashcat -a 0 -m 16700 -o found.txt hash.txt wordlist.txt

2. APFS

2.1 Install apfs-fuse on PC

$ sudo add-apt-repository universe

$ sudo apt update

$ sudo apt install fuse3 libfuse3-dev libbz2-dev cmake git libattr1-dev zlib1g-dev

$ git clone https://github.com/sgan81/apfs-fuse.git

$ cd apfs-fuse/

$ git submodule init

$ git submodule update

$ mkdir build && cd build

$ cmake ..

$ make
...
[100%] Built target apfs-dump-quick

2.2 Start MacBook Pro in Target Disk Mode, connect to PC, and determine disk name, e.g.,

$ cat /proc/partitions 
major minor  #blocks  name

   8        0  125034840 sda
...
   8       16  118489088 sdb

2.3 Acquire hash

$ sudo ./apfs-dump-quick /dev/sdb log.txt

Device /dev/sdb opened. Size is 121332826112
Info: Found valid GPT partition table on main device. Dumping first APFS partition.
...
Volume Macintosh HD is encrypted.
...
Enter Password: JUST PRESS ENTER
...
[KEK]
Unk 80  : 0
UUID    : 48BCAEEB-4E7A-C5D2-B7EB-C21DCD1366F9
Unk 82  : 00000000 0002 15 174
KEK Wrpd: 2FDEAFAA0F6A971F674B487270A5AE59578B29FB377F76E35CF23985E045EBB8F70687086B6ED7F5
Iterat's: 100000
Salt    : 692B540738291E8B5248A74444E5B1EF
...

2.4 Arrange the hash and save to hash.txt

$fvde$2$16$692B540738291E8B5248A74444E5B1EF$100000$2FDEAFAA0F6A971F674B487270A5AE59578B29FB377F76E35CF23985E045EBB8F70687086B6ED7F5

2.5 Install hashcat (see §1.1) and start cracking

$ hashcat -a 0 -m 18300 -o found.txt hash.txt wordlist.txt

Notes

Sources


last update: 2019.05.28