05-01-2019, 05:47 PM
As you could read in this post, I explained a walk-through for extracting the FileVault hash.
I also explained that this method wasn't working anymore since macOS 10.14 (Mojave).
The tool from JtR (apfs2john, a fork of apfs-fuse) was not working anymore for the same reason.
It appeared that Apple used 4096-byte sectors in the partition table. (Read this issue on GitHub for more details.)
Finally, apfs-fuse got updated and it got forked.
You'll find a working "APFS-hash-extractor" (named apfs2hashcat) on this GitHub: https://github.com/Banaanhangwagen/apfs2hashcat
The readme also explains the reason for multiple extracted hashes.
Happy cracking!