06-17-2020, 09:55 AM
If I understand it correctly, you have an APFS which is encrypted with Filevault2.
In order to extract the hash, you used apfs2hashcat, which gave you $fvde$1$...
Note that the hash mentions $1$, which means the Filevault was originally from HFS+-filesystem. An original APFS-filevault would have $fvde$2$...
Also, the hash you extracted has a different iterations count, namely 190883, in stead of the "default" 20000. This explains your question why your hash is one char longer.
Imho, JtR isn't compatible with variable iterations, and Hashcat is. But that is a guess.
Other smarter people will confirm this or not.
In order to extract the hash, you used apfs2hashcat, which gave you $fvde$1$...
Note that the hash mentions $1$, which means the Filevault was originally from HFS+-filesystem. An original APFS-filevault would have $fvde$2$...
Also, the hash you extracted has a different iterations count, namely 190883, in stead of the "default" 20000. This explains your question why your hash is one char longer.
Imho, JtR isn't compatible with variable iterations, and Hashcat is. But that is a guess.
Other smarter people will confirm this or not.