-m 16700 Filevault
#1
A couple of days ago I read the tweet that -m 16700 Filevault is now supported.
Many thanks for this, because it has been a long time on the wish-list for many, including myself.

Now, maybe I missed it in the doc/commit, but can one give me a hint on how to recover the hash ?
Is it always on the some offset and it just needs some copy-pasting?
Even better, is there a script?

Thanks!
#2
I didn't try myself, but this could work: https://github.com/kholia/fvde2john
#3
After a lot of messing around, I got it working. It only works for Filevault on an HFS+ filesystem, and not on the newest APFS.

For educational purposes, I'll post the steps that I followed (on a mac):

0) Install fvde2john as documented on his GitHub
1) First attach your image; 
Code:
hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /Volumes/path/to/.DD

2) MacOS gives a pop-up that Filevault-protected-disk is detected and prompts you for the password;
3) Do not forget to click on "show hint", if shown ;-)
4) MacOS shows us that the image is correctly attached; the CoreStorage is the one we need
Code:
/dev/disk3   GUID_partition_scheme
/dev/disk3s1 EFI
/dev/disk3s2 Apple_Corestorage
/dev/disk3s3 Apple_Boot

5) Obtain the Encrypted.plist.wipekey (different ways possible, but nicely documented on this GitHub-page)
6) Finally, execute the following:
Code:
sudo fvdetools/fvdeinfo -e Encrypted.plist.wipekey -p whatever /dev/disk3s2

7) It will give the hash (and some errors) needed to work with -m 16700

Good luck!
#4
Nice info. Thanks for this walkthrough, I'll give it a try
#5
Little update:
-m 16700 also works for Filevault on the latest APFS filesystem, but only on macOS High Sierra (10.13)

Simply follow the guide of this fork in order to recover the hash.
Cut the padding zeroes (16 bytes) and you are good to go.

This technique is not possible any more since macOS Mojave (10.14); I suppose that Apple did some small changes and that apfs-fuse (or the fork?) needs to be recalibrated.
#6
(07-31-2018, 03:04 PM)Karamba Wrote: 5) Obtain the Encrypted.plist.wipekey (different ways possible, but nicely documented on this GitHub-page)

Hello,

can you show me a way to obtain the Encrypted.plist.wipekey without mmls? I have the drive physically attached, so I don't use a .dd image (I made a 1:1 clone of the encrypted drive on a HDD with the same capacity).

Or maybe I can use mmls with the physical drive? Both tools (mmls & fls) are also not installed on the mac by default, so I guess I have to install them?!

I'm using Mojave in VirtualBox to work, but the Filevault 2-encrypted volume is pre-Sierra, I think.

Maybe we can fuel this thread with more information, as people stumbling upon this will get useful information :)

greetz
uennotec
#7
mmls and others are part of the Sleuthkit; it can easily be installed on a mac via brew.

If you have the drive physically attached, why not simply search with diskutil list for the RecoveryHD and mount it? Finally, you can drag-and-drop the file with Finder.
#8
Support for APFS -m 18300 was added with release of hashcat v5.1.0
#9
(12-26-2018, 07:14 PM)Karamba Wrote: mmls and others are part of the Sleuthkit; it can easily be installed on a mac via brew.

If you have the drive physically attached, why not simply search with diskutil list for the RecoveryHD and mount it? Finally, you can drag-and-drop the file with Finder.

Hi,

I mounted the RecoveryHD and extracted the "EncryptedRoot.plist.wipekey". I then did:

sudo fvdetools/fvdeinfo -e EncryptedRoot.plist.wipekey -p whatever /dev/disk3s2

(mine is not called Encrypted.plist.wipekey, as in your command)

It then gives me 2 different hashes (which are displayed 2 times each, so 4 lines with 2 different hashes).

How do I know which is the correct one? Could it be that this error is connected to the fact that the user password on this machine was changed, and after that neither the old nor the new password worked any more?

greetz uennotec
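An added helper for the extraction steps in #3 and for the duplicated-hash output described in #9; this is example code written for this thread, not part of fvde2john or any of the posts. It assumes `diskutil list` output in the usual column layout and that fvdeinfo prints each candidate hash on its own line starting with `$fvde$` (the prefix of hashcat's 16700/18300 example hashes), mixed with diagnostic lines; the sample outputs below are constructed.

```shell
#!/bin/sh
# Helper for the FileVault hash-extraction walkthrough (example, not fvde2john code).

# Constructed sample of a `diskutil list` block for an attached raw image.
SAMPLE_DISKUTIL='/dev/disk3 (disk image):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        +500.1 GB   disk3
   1:                        EFI EFI                     209.7 MB   disk3s1
   2:          Apple_CoreStorage Macintosh HD            499.2 GB   disk3s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk3s3'

# Constructed fvdeinfo-style output: two candidate hashes, each printed twice,
# plus diagnostic noise lines (assumed format, not captured from the tool).
SAMPLE_FVDEINFO='libfvde: unable to read metadata block (constructed noise line)
$fvde$1$16$00112233445566778899aabbccddeeff$41000$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$fvde$1$16$00112233445566778899aabbccddeeff$41000$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Encrypted root plist: EncryptedRoot.plist.wipekey
$fvde$1$16$ffeeddccbbaa99887766554433221100$41000$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
$fvde$1$16$ffeeddccbbaa99887766554433221100$41000$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'

# Print the /dev path of the Apple_CoreStorage slice from diskutil output on stdin
# (the device fvdeinfo needs; case-insensitive because the TYPE column spelling varies).
corestorage_device() {
  awk 'tolower($2) == "apple_corestorage" { print "/dev/" $NF; exit }'
}

# Print unique $fvde$ hash lines, in first-seen order, from fvdeinfo output on stdin.
# Duplicated lines collapse to one; diagnostic lines are dropped. Each surviving
# line is one candidate, so feed them all to hashcat and note which one cracks.
unique_fvde_hashes() {
  grep '^\$fvde\$' | awk '!seen[$0]++'
}

# Map a hash to the hashcat mode by its version field: $fvde$1$ is CoreStorage
# (-m 16700), $fvde$2$ is APFS (-m 18300).
fvde_mode() {
  case "$1" in
    '$fvde$1$'*) echo 16700 ;;
    '$fvde$2$'*) echo 18300 ;;
    *) echo "unrecognised hash prefix" >&2; return 1 ;;
  esac
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_DISKUTIL" | corestorage_device
printf '%s\n' "$SAMPLE_FVDEINFO" | unique_fvde_hashes
```

On a real machine, replace the samples with `diskutil list` and the fvdeinfo output from step 6, and save each unique line to its own file so hashcat's status output tells you which candidate was the valid one.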