Is there a mask, if only one (unkown) digit of the pass is wrong?
#1
Question 
Hello,

a friend of mine has a HDD that is filevault 2 encrypted. She does not know what happened exactly, but like she told me she changed her password on her mac from one to another. After that both passwords (old and new) where not accepted any more.

She gave it to me, as Im her "IT-friend of trust" :-D
Now I try to find the best way to help her out. I cloned the HDD with DD, so the original HDD is untouched and Im fine to try a few things out.

It seems to me, that there is still a user that has unlock-privileges. If I start up the mac I have a (user)password prompt. All the passwords she gave me are not accepted on this prompt.

There is an option to switch the prompt and use the 24-digit long recovery key to decrypt the HDD. Unfortunatly she did not save it.

So in short:

it is possible to unlock per user-pass, but none is accepted.

My Question:

I suspect, that she typed one digit of the password wrong two times. That also happened to me one time, then I changed one password and typed two times "0" instead of "o".

Is there a mask that goes through each digit and cycles a defiened char-set to test this out, if the password is known, but only one, unknown digit is wrong?


greets uenno
#2
There is no such mask. Several solutions are possible.

1. create a hcmask file that has a mask for each position you want to alter. eg
Code:
?aassword
p?aassword
pa?asword
…
2. create a table file with suitable replacements for each character and pipe hashcat-legacy into hashcat. See https://hashcat.net/wiki/doku.php?id=tab...kup_attack
3. write a rule file with repace rules (rules s or o) for each character. See https://hashcat.net/wiki/doku.php?id=rule_based_attack
#3
Wow, thats a quick answer Smile.....thx for support

(09-02-2018, 12:48 PM)undeath Wrote: There is no such mask.

If there is not such a mask/option I think it will be a good feature for next versions, as I think this problem is out there (not much, but I think it will be helpful and fast to try out, if your "100% sure you know the password, but it does not work").

Ok, I will tryout what you told.
#4
No, that's simply not something masks were desgined to be used for, hence no such option.