-m 18300 APFS
#1
As you could read in this post I explained a walk-through for extracting the FileVault hash.
I also explained that this method wasn't working anymore since macOS 10.14 (Mojave).
The tool from JtR (apfs2john, a fork of apfs-fuse) was for the same reason not working anymore.

It appeared that Apple used 4096-byte sectors in the partition table. (Read this issue on GitHub for more details.)

Finally, apfs-fuse got updated and it got forked.
You'll find a working "APFS-hash-extractor" (named apfs2hashcat) on this GitHub: https://github.com/Banaanhangwagen/apfs2hashcat

The readme also explains the reason for the multiple extracted hashes.

Happy cracking!
Reply
#2
Very cool, good job
Reply
#3
Hello,
I tried the Linux tool (apfs2hashcat) to extract the hash for hashcat but get an error on the "make" command.

Code:
linux@MSI:/mnt/d/0_Work/apfs2hashcat$ git submodule init
linux@MSI:/mnt/d/0_Work/apfs2hashcat$ git submodule update
linux@MSI:/mnt/d/0_Work/apfs2hashcat$ cd build
linux@MSI:/mnt/d/0_Work/apfs2hashcat/build$ cmake ..
-- Configuring done
-- Generating done
-- Build files have been written to: /mnt/d/0_Work/apfs2hashcat/build
linux@MSI:/mnt/d/0_Work/apfs2hashcat/build$ make
[ 16%] Built target lzfse
[ 81%] Built target apfs
[ 87%] Built target apfs-dump
[ 89%] Building CXX object CMakeFiles/apfs-fuse.dir/apfsfuse/ApfsFuse.cpp.o
/mnt/d/0_Work/apfs2hashcat/apfsfuse/ApfsFuse.cpp:31:10: fatal error: fuse3/fuse.h: No such file or directory
#include <fuse3/fuse.h>
          ^~~~~~~~~~~~~~
compilation terminated.
CMakeFiles/apfs-fuse.dir/build.make:62: recipe for target 'CMakeFiles/apfs-fuse.dir/apfsfuse/ApfsFuse.cpp.o' failed
make[2]: *** [CMakeFiles/apfs-fuse.dir/apfsfuse/ApfsFuse.cpp.o] Error 1
CMakeFiles/Makefile2:143: recipe for target 'CMakeFiles/apfs-fuse.dir/all' failed
make[1]: *** [CMakeFiles/apfs-fuse.dir/all] Error 2
Makefile:83: recipe for target 'all' failed
make: *** [all] Error 2
linux@MSI:/mnt/d/0_Work/apfs2hashcat/build$   


Is it possible to convert the EncryptedRoot.plist.wipekey manually to the format hashcat needs?
(I still copied it to my work folder)


edit:// I'm using Windows Subsystem for Linux, Ubuntu 18.04 LTS
Reply
#4
Code:
sudo apt install libfuse3-dev
Reply
#5
(05-18-2020, 10:19 AM)philsmd Wrote:
Code:
sudo apt install libfuse3-dev

linux@MSI:/mnt/d/0_Work/apfs2hashcat/build$ sudo apt install libfuse3-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package libfuse3-dev


Isn't there an easy way to convert the EncryptedRoot.plist.wipekey to the hashcat format by myself?
Reply
#6
Normally you would need to do everything that the extraction tool needs to do, so it could turn out to be more complicated than you might think (but of course there are exceptions to this, as always).

Why don't you just use a normal Ubuntu operating system?

Try searching for the include file with:
Code:
sudo apt-file search fuse.h | grep 'fuse3/fuse.h'

and after that you install the package that is returned (in my case it was libfuse3-dev, but it could also be slightly different, e.g. libfuse-dev, but I think the non-3 version is not providing the fuse3 headers)
Reply
#7
(05-18-2020, 02:08 PM)philsmd Wrote: Normally you would need to do everything that the extraction tool needs to do, so it could turn out to be more complicated than you might think (but of course there are exceptions to this, as always).

Why don't you just use a normal Ubuntu operating system?

Try searching for the include file with:
Code:
sudo apt-file search fuse.h | grep 'fuse3/fuse.h'

and after that you install the package that is returned (in my case it was libfuse3-dev, but it could also be slightly different, e.g. libfuse-dev, but I think the non-3 version is not providing the fuse3 headers)

Normally I only use Win-10 because the other tools I use are only for Win OS.
WSL is a nice and fast way to manipulate or have a look at huge password files.

Now I tested making the file with ccmake (and disabled FUSE); now it compiles and works.
..I still have to test if the cracking will work so I can go on with a not-known pw :)

edit:// cracked,.... very nice, thanks for your support :)
Reply
#8
I couldn't find any benchmarks, so here are my results:


Brute-Force
Quote:
hashcat -O -w4 -a3 -m 18300 $fvde$2$16$011xxxxxxxxxxxxxxxxxxxxxxxxDBF832 ?a?a?a?a?a?a?a
hashcat (v5.1.0-1707-ged893e86) starting...

./OpenCL/m18300-optimized.cl: Optimized kernel requested but not needed - falling back to pure kernel
* Device #3: CUDA SDK Toolkit installation NOT detected.
            CUDA SDK Toolkit installation required for proper device support and utilization
            Falling back to OpenCL Runtime

* Device #3: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 2.1 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics 630, 6448/6512 MB (3256 MB allocatable), 24MCU
* Device #2: Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz, skipped

OpenCL API (OpenCL 1.2 CUDA 10.2.150) - Platform #2 [NVIDIA Corporation]
========================================================================
* Device #3: GeForce RTX 2080 Ti, 9216/11264 MB (2816 MB allocatable), 68MCU

./OpenCL/m18300-optimized.cl: Optimized kernel requested but not needed - falling back to pure kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1281 MB

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Name........: Apple File System (APFS)
Hash.Target......: $fvde$2$16$0116dee7b6423661b841af2afcd7bbfb$137650$...dbf832
Time.Started.....: Mon May 18 19:01:51 2020 (3 secs)
Time.Estimated...: Tue Sep 11 01:42:17 2114 (94 years, 114 days)
Guess.Mask.......: ?a?a?a?a?a?a?a [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      230 H/s (390.93ms) @ Accel:512 Loops:128 Thr:8 Vec:1
Speed.#3.........:    23234 H/s (354.38ms) @ Accel:32 Loops:512 Thr:1024 Vec:1
Speed.#*.........:    23464 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 0/69833729609375 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/735091890625 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:768-896
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:3584-4096
Candidates.#1....: sarieri -> s+(0000
Candidates.#3....: s#UIERI -> s$+::/1
Hardware.Mon.#1..: N/A
Hardware.Mon.#3..: Temp: 35c Fan: 29% Util:100% Core:1845MHz Mem:6800MHz Bus:1

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>


Wordlist
Quote:
hashcat -O -w4 -a0 -m 18300 $fvde$2$16$xxxxxxxxxx558FD0064DD70CAD0DBF832 rockyou.txt
hashcat (v5.1.0-1707-ged893e86) starting...

./OpenCL/m18300-optimized.cl: Optimized kernel requested but not needed - falling back to pure kernel
* Device #3: CUDA SDK Toolkit installation NOT detected.
            CUDA SDK Toolkit installation required for proper device support and utilization
            Falling back to OpenCL Runtime

* Device #3: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 2.1 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics 630, 6448/6512 MB (3256 MB allocatable), 24MCU
* Device #2: Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz, skipped

OpenCL API (OpenCL 1.2 CUDA 10.2.150) - Platform #2 [NVIDIA Corporation]
========================================================================
* Device #3: GeForce RTX 2080 Ti, 9216/11264 MB (2816 MB allocatable), 68MCU

./OpenCL/m18300-optimized.cl: Optimized kernel requested but not needed - falling back to pure kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1281 MB

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Name........: Apple File System (APFS)
Hash.Target......: $fvde$2$16$0116dee7b6423661b841af2afcd7bbfb$137650$...dbf832
Time.Started.....: Mon May 18 19:06:43 2020 (5 secs)
Time.Estimated...: Mon May 18 19:17:26 2020 (10 mins, 38 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      231 H/s (390.87ms) @ Accel:512 Loops:128 Thr:8 Vec:1
Speed.#3.........:    22265 H/s (366.79ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
Speed.#*.........:    22535 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 0/14344384 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1664-1792
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:15360-16384
Candidates.#1....: 123456 -> Dominic1
Candidates.#3....: Detroit -> toalhitas
Hardware.Mon.#1..: N/A
Hardware.Mon.#3..: Temp: 59c Fan: 31% Util:100% Core:1785MHz Mem:6800MHz Bus:1

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
Reply
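Added example, not part of the thread and not hashcat or apfs2hashcat code: a small Python check of the `$fvde$2$` line layout visible in the status output above, plus a mask keyspace calculator that reproduces the progress total and time estimate of the brute-force run. The function names are hypothetical and the sample hash is constructed, not taken from a real volume.

```python
import re

# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?h ?H ?s ?a ?b).
MASK_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}

# Layout as seen in the thread: $fvde$2$16$<salt hex>$<iterations>$<wrapped key hex>
FVDE_RE = re.compile(r"\$fvde\$(\d+)\$(\d+)\$([0-9a-fA-F]+)\$(\d+)\$([0-9a-fA-F]+)")

# Constructed sample (not a real volume): 16-byte salt, 40-byte wrapped key.
SAMPLE = "$fvde$2$16$" + "00112233445566778899aabbccddeeff" + "$137650$" + "ab" * 40


def parse_fvde(line):
    """Split a $fvde$ line into fields and reject inconsistent ones."""
    m = FVDE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a $fvde$ hash line")
    version, salt_len, salt, iterations, blob = m.groups()
    if len(salt) != 2 * int(salt_len):
        raise ValueError("salt length field does not match the salt data")
    if len(blob) % 2:
        raise ValueError("wrapped key has an odd number of hex digits")
    return {"version": int(version), "salt": bytes.fromhex(salt),
            "iterations": int(iterations), "wrapped_key": bytes.fromhex(blob)}


def mask_keyspace(mask):
    """Count the candidates a mask built from built-in charsets produces."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            token = mask[i + 1:i + 2]
            if token != "?":  # "??" is a literal question mark
                if token not in MASK_SIZES:
                    raise ValueError("unsupported mask token ?" + token)
                total *= MASK_SIZES[token]
            i += 2
        else:
            i += 1  # a literal character contributes a factor of 1
    return total


def years_to_exhaust(mask, hashes_per_second):
    """Worst-case time to try every candidate at a measured rate."""
    return mask_keyspace(mask) / hashes_per_second / (365.25 * 24 * 3600)
```

With the combined 23464 H/s from the brute-force run, `years_to_exhaust("?a?a?a?a?a?a?a", 23464)` comes to roughly 94 years, in line with hashcat's own estimate; each additional `?a` position multiplies that by 95.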
#9
Are there any methods for extracting the hash from 10.15? Looking for that for a non-T2 Mac w/out the PW and FV2
Reply
#10
Sure, just read the first post of this thread...
Reply