Hashcat - APFS – FileVault 2 - Looking for assurances!
#1
Hi,

I’m currently working a case where a dd/raw image of a MacBook pro has been acquired and where the FileVault 2 key needs decrypting in order that a forensic analysis of the data on the disk can be undertaken.

I should say that I believe that I have recovered a valid key from the APFS volume encrypted with FileVault 2 and that hashcat is currently attempting to crack the key.

However, in accordance with good forensic practice I was looking for some form of dual verification and thought that this could simply be achieved by validating the recovered hash using john (jtr). Unfortunately, john doesn’t recognise the hash as being valid and I’m now trying to work out why, and what the reason for the anomaly is.
 
Set out below are most of the steps I have taken together with their results.

Using mmls against the  raw image I get:
 
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000005   0000000006   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000005   0000000004   Partition Table
004:  000       0000000006   0000076805   0000076800   EFI System Partition
005:  001       0000076806   0122138126   0122061321   NoName – (apfs-partition)
006:  -------   0122138127   0244190645   0122052519   Unallocated
 
apfs-dump-quick abridged output:
 
Device /xxxx/xxxxt/xxxxx/xxxx.img opened. Size is 500277788672
Info: Found valid GPT partition table on main device. Dumping first APFS partition.
Found more recent xid 2478513 than superblock 0 contained (2409434).
starting LoadKeybag
all blocks verified
starting LoadKeybag
all blocks verified
Volume Macintosh HD is encrypted.
starting LoadKeybag
all blocks verified
Enter Password:
Dumping Keybag (keys)
 

 
[KEK]
Unk 80  : 0
UUID    : 40541C3D-8F1C-4704-9F8D-3EAF241D90F4
Unk 82  : 00000002 0002 78 169
KEK Wrpd: 3BD8CCACD8A191443F0F7F91EACA443C8056198E166A249900000000000000000000000000000000
Iterat's: 190883
Salt    : 275A81922F7B21E8FAD9130F395D8D33
 ….
Having removed the padding and concatenated the salt, iteration and hash I was left with:
$fvde$1$16$275A81922F7B21E8FAD9130F395D8D33$190883$3BD8CCACD8A191443F0F7F91EACA443C8056198E166A2499.

Running apfs2hashcat produces the same output/hash result and, as can be seen from the following, hashcat seems to accept the hash as valid and attempts to crack the hash.

Status...........: Running
Hash.Name........: FileVault 2
Hash.Target......: $fvde$1$16$275a81922f7b21e8fad9130f395d8d33$190883$...6a2499
Guess.Base.......: File (/mnt/aa_passwd_to_use/allpsswd)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     4185 H/s (11.63ms) @ Accel:128 Loops:32 Thr:64 Vec:1
Speed.#2.........:     4111 H/s (11.85ms) @ Accel:128 Loops:32 Thr:64 Vec:1
Speed.#*.........:     8296 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 0/48637534 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/48637534 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:45728-45760
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:45024-45056
Hardware.Mon.#1..: Temp: 47c Fan: 26% Core:1366MHz Mem:2000MHz Bus:0
Hardware.Mon.#2..: Temp: 52c Fan: 26% Core:1326MHz Mem:2000MHz Bus:0
 
I should also mention that I have grabbed a number of example filevault2 hashes from other posts and tried these in hashcat, john and various ‘hash identifier programmes’.

None of the hash identifiers recognise any of the hashes and john only recognises some. Hashcat recognises all of them!

I have also noticed that some of the hashes, extracted, including mine are one character longer than some of the others. All salts and iterations are the same length.

As a consequence, I’m now wondering whether the shorter hashes recognised by john relate to filevault2 hashes acquired prior to the deployment of APFS, and this could be the reason for the anomaly. At present, I have no way of either testing or confirming this theory.

The only other alternative I can come up with is that I’ve made a complete Horlicks of things and hashcat is doing its best to decrypt an invalid hash!

If anyone can shed any light on this it would be much appreciated.

Finally, I should also add that I have recovered other information, which is being used to create dedicated wordlist(s), rules etc, so as to reduce the keyspace as part of this exercise, and that any cracking in earnest will be taking place on a bigger rig.

I simply want to try and understand why hashcat recognises the hash created and john doesn’t.
 
Thanks in advance
 
#2
If I understand it correctly, you have an APFS which is encrypted with Filevault2.
In order to extract the hash, you used apfs2hashcat, which gave you $fvde$1$...

Note that the hash mentions $1$, which means the Filevault was originally from HFS+-filesystem. An original APFS-filevault would have $fvde$2$...

Also, the hash you extracted has a different iterations count, namely 190883, instead of the "default" 20000. This explains your question why your hash is one char longer.

Imho, JtR isn't compatible with variable iterations, and Hashcat is. But that is a guess.
Other smarter people will confirm this or not.
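Posts #1 and #2 together describe how the $fvde$ line is assembled from the keybag fields (salt, iteration count, wrapped KEK with its zero padding dropped) and why a six-digit iteration count makes the line one character longer than one built with the 20000 default. The following is an added example, not code from the thread, from apfs2hashcat or from hashcat: it rebuilds the line from the [KEK] record quoted in post #1 (embedded below as a constructed sample), then strictly re-parses it as the kind of second-opinion check the opening post was looking for. The 24-byte wrapped-KEK length and the field layout `$fvde$<version>$<salt_len>$<salt>$<iterations>$<wrapped_kek>` are assumptions taken from the hash line shown in the thread; the hashcat mode numbers for the two versions (16700 for FileVault 2, 18300 for APFS) are hashcat's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the [KEK] record quoted in post #1, laid out as
# apfs-dump-quick prints it (field labels copied from that output).
SAMPLE_KEYBAG_DUMP = """\
[KEK]
Unk 80  : 0
UUID    : 40541C3D-8F1C-4704-9F8D-3EAF241D90F4
Unk 82  : 00000002 0002 78 169
KEK Wrpd: 3BD8CCACD8A191443F0F7F91EACA443C8056198E166A249900000000000000000000000000000000
Iterat's: 190883
Salt    : 275A81922F7B21E8FAD9130F395D8D33
"""

# Assumption: the wrapped KEK carried in the hash line is 24 bytes (48 hex
# digits), which is what the thread's line holds once the zero padding is gone.
WRAPPED_KEK_BYTES = 24

# hashcat mode per $fvde$ version: $1$ is the FileVault 2 format, $2$ the APFS one.
HASHCAT_MODE = {1: 16700, 2: 18300}

FVDE_LINE_RE = re.compile(
    r"^\$fvde\$(?P<version>\d+)\$(?P<salt_len>\d+)\$(?P<salt>[0-9A-Fa-f]+)"
    r"\$(?P<iterations>\d+)\$(?P<kek>[0-9A-Fa-f]+)$"
)


@dataclass(frozen=True)
class FvdeHash:
    version: int
    salt: bytes
    iterations: int
    wrapped_kek: bytes

    def to_line(self) -> str:
        # hashcat displays the hex fields lower-case; emit the same form.
        return "$fvde$%d$%d$%s$%d$%s" % (
            self.version, len(self.salt), self.salt.hex(),
            self.iterations, self.wrapped_kek.hex(),
        )


def _field(dump: str, label: str) -> str:
    """Pull one 'Label : value' line out of a keybag dump."""
    m = re.search(r"^%s\s*:\s*(\S+)" % re.escape(label), dump, re.MULTILINE)
    if m is None:
        raise ValueError("keybag dump has no '%s' field" % label)
    return m.group(1)


def strip_kek_padding(raw: bytes) -> bytes:
    """Keep the first 24 bytes and insist that everything after them is zero padding."""
    if len(raw) < WRAPPED_KEK_BYTES:
        raise ValueError("wrapped KEK shorter than %d bytes" % WRAPPED_KEK_BYTES)
    if any(raw[WRAPPED_KEK_BYTES:]):
        raise ValueError("bytes after the wrapped KEK are not zero padding")
    return raw[:WRAPPED_KEK_BYTES]


def hash_from_keybag_dump(dump: str, version: int = 1) -> FvdeHash:
    """Build the $fvde$ record from the KEK Wrpd / Iterat's / Salt fields of a dump."""
    return FvdeHash(
        version=version,
        salt=bytes.fromhex(_field(dump, "Salt")),
        iterations=int(_field(dump, "Iterat's")),
        wrapped_kek=strip_kek_padding(bytes.fromhex(_field(dump, "KEK Wrpd"))),
    )


def parse_fvde_line(line: str) -> FvdeHash:
    """Strict parse of a $fvde$ line; raises ValueError on anything malformed."""
    m = FVDE_LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a $fvde$ line (stray characters or wrong field count?)")
    version = int(m["version"])
    if version not in HASHCAT_MODE:
        raise ValueError("unknown $fvde$ version %d" % version)
    salt = bytes.fromhex(m["salt"])
    if len(salt) != int(m["salt_len"]):
        raise ValueError("salt length field %s does not match %d salt bytes"
                         % (m["salt_len"], len(salt)))
    kek = bytes.fromhex(m["kek"])
    if len(kek) != WRAPPED_KEK_BYTES:
        raise ValueError("wrapped KEK is %d bytes, expected %d" % (len(kek), WRAPPED_KEK_BYTES))
    return FvdeHash(version, salt, int(m["iterations"]), kek)


def describe(line: str) -> dict:
    """Summarise a line the way a second-opinion check would report it."""
    h = parse_fvde_line(line)
    return {
        "version": h.version,
        "hashcat_mode": HASHCAT_MODE[h.version],
        "salt_bytes": len(h.salt),
        "iterations": h.iterations,
        "iteration_digits": len(str(h.iterations)),
        "line_length": len(h.to_line()),
    }


if __name__ == "__main__":
    built = hash_from_keybag_dump(SAMPLE_KEYBAG_DUMP)
    print(built.to_line())
    print(describe(built.to_line()))
```

Rebuilding the line from the dump and comparing it with the one apfs2hashcat emitted gives the dual verification independent of john: if both agree, the difference in john's behaviour is down to john's format support (the iteration count, as post #2 suggests), not to a bad extraction. The strict parser also rejects a stray trailing character, so a line pasted with the full stop that ends the sentence in post #1 fails the check rather than being silently accepted.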
#3
Hi,

I'm trying to get the FileVault2 hash of a 2020 MacBook Air with macOS 10.11. How did you acquire the image?
I use a second MacBook and the DUT in Target Disk Mode:

sudo dd if=/dev/disk2 of=/path/to/filevault_image.dd conv=noerror,sync

But there is not a "Recovery HD" partition. I get only a readable "preboot" partition.

Under /preboot/<UUID>/System/Library/Caches/com.apple.corestorage/ I find the EncryptedRoot.plist.wipekey

Under /preboot/<UUID>/var/db/ I get three files:
AdminUserRecoveryInfo.plist
CryptoUserInfo.plist
secureaccesstoken.plist

Is it possible with these files to get the FileVault2 hash and recover the FileVault2 password?
This MacBook has a T2 chip, but I think FileVault2 is turned on manually, because when I start the MacBook, after one minute I get the hint to restart into Password Recovery Mode.

With the fvdetools compiled under macOS 10.15 and the "EncryptedRoot.plist.wipekey" I get the unsupported storage signature error.
Have you some ideas for me?
#4
1) Are you sure that it's a 2020 Macbook Air with the old 10.11 (from 2015) on it ? Sounds not impossible but it's a little bit weird, no?
2) To be sure, please mention the model number as found on the back. With this number you can check online if the laptop is equipped with T2 or not.
3) What filesystem does it have ? Since you are talking about 'EncryptedRoot.plist.wipekey', I assume it's HFS. Since you are talking about T2, it will be APFS. What is it now ?
4) If you successfully connect your laptop with TDM, make sure to identify the correct disk to image with 'diskutil cs list' (again: assuming it's HFS); for apfs use: 'diskutil apfs list'.
5) Did you follow this guide in order to recover the hash ? (note: you won't need to attach an image here, TDM does it automatically)
and 6) in the future, please do not hijack existing posts, but simply create a new one
#5
I'm sorry, this is my mistake.
1) Yes, brand new MacBook Air with Intel CPU. I mean macOS 11 and not OS X 10.11. My bad.
2) Yes, this MacBook Air has a T2 chip.
3) It is an APFS filesystem. For the first dump I used Macquisition 2020.1 and opened the raw file inside X-Ways Forensics. I think the first dump was corrupted. I made a new one inside macOS 10.15 over TDM.
4) I need to dd dump the physical drive (disk2) with noerror,sync, right? Or do I need the synthesized one (disk3)?
5) Yes, I built from source, but at fvdetools/fvdeinfo I get the "unsupported storage signature" error. Same in The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux (5.9) as in macOS 10.15.
6) I'm sorry, I don't want to hijack his post. For me this was the same topic.

Here is the output of diskutil apfs list:
Code:
(snip)
+-- Container disk3 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    ====================================================
    APFS Container Reference:    disk3
    Size (Capacity Ceiling):      250685575168 B (250.7 GB)
    Capacity In Use By Volumes:  87167000576 B (87.2 GB) (34.8% used)
    Capacity Not Allocated:      163518574592 B (163.5 GB) (65.2% free)
    |
    +-< Physical Store disk2s2 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    |  -----------------------------------------------------------
    |  APFS Physical Store Disk:  disk2s2
    |  Size:                      250685575168 B (250.7 GB)
    |
    +-> Volume disk3s1 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    |  ---------------------------------------------------
    |  APFS Volume Disk (Role):  disk3s1 (System)
    |  Name:                      Macintosh HD (Case-insensitive)
    |  Mount Point:              Not Mounted
    |  Capacity Consumed:        10965684224 B (11.0 GB)
    |  FileVault:                Yes (Locked)
    |
    +-> Volume disk3s2 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    |  ---------------------------------------------------
    |  APFS Volume Disk (Role):  disk3s2 (Data)
    |  Name:                      Macintosh HD - Data (Case-insensitive)
    |  Mount Point:              Not Mounted
    |  Capacity Consumed:        72217112576 B (72.2 GB)
    |  FileVault:                Yes (Locked)
    |
    +-> Volume disk3s3 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    |  ---------------------------------------------------
    |  APFS Volume Disk (Role):  disk3s3 (Preboot)
    |  Name:                      Preboot (Case-insensitive)
    |  Mount Point:              Not Mounted
    |  Capacity Consumed:        82440192 B (82.4 MB)
    |  FileVault:                No
    |
    +-> Volume disk3s4 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    |  ---------------------------------------------------
    |  APFS Volume Disk (Role):  disk3s4 (Recovery)
    |  Name:                      Recovery (Case-insensitive)
    |  Mount Point:              Not Mounted
    |  Capacity Consumed:        542101504 B (542.1 MB)
    |  FileVault:                No
    |
    +-> Volume disk3s5 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
        ---------------------------------------------------
        APFS Volume Disk (Role):  disk3s5 (VM)
        Name:                      VM (Case-insensitive)
        Mount Point:              Not Mounted
        Capacity Consumed:        3221245952 B (3.2 GB)
        FileVault:                No (Encrypted at rest)

Attempts to image:
1. try
Code:
dd if=/dev/disk2 of=disk.dd conv=noerror,sync
2. try
Code:
dd if=/dev/disk3 of=/disk.dd conv=noerror,sync bs=4m

Both times I get "Initialization of KeyManager failed."
See this issue in the upstream repo of apfs-fuse:
https://github.com/sgan81/apfs-fuse/issues/133

I think apfs-fuse doesn't handle the 4k block size very well. I'm currently analysing the source of apfs-fuse to get an idea of what kind of error causes the "Initialization of KeyManager failed." error message.

On macOS 10.15.5 I built https://github.com/kholia/fvde2john and get the same error:
Code:
sudo ./bin/apfs-dump-quick /dev/disk3 hash.txt
st_mode = 24864
Sector count = 61202533
Sector size  = 4096
Device /dev/disk3 opened. Size is 250685575168
starting LoadKeybag
Initialization of KeyManager failed.
Unable to init container.
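Post #5 suspects the 4k block size, and its mmls output does report "Units are in 4096-byte sectors". Before attributing the KeyManager failure to a tool, a practitioner would confirm which sector size the image's partition table actually validates under. The block below is an added example, not code from the thread, from apfs-fuse or from apfs2hashcat: it tries the two common sector sizes, reads the GPT header at LBA 1 for each, and accepts only the size for which the "EFI PART" signature and the header CRC32 (computed over the header with the CRC field zeroed, as the UEFI specification defines it) both check out. The image it runs on is constructed in the block. Note that this applies to an image of the physical disk (disk2 in the thread); the synthesized container (disk3) starts with the APFS container superblock and carries no partition table, so mmls reporting "Cannot determine partition type" on that image is the expected result rather than a sign of corruption.

```python
import struct
import zlib

GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_MIN_SIZE = 92
CANDIDATE_SECTOR_SIZES = (512, 4096)


def gpt_header_valid(blob: bytes) -> bool:
    """True if blob starts with a GPT header whose signature and CRC32 check out."""
    if blob[:8] != GPT_SIGNATURE:
        return False
    header_size = struct.unpack_from("<I", blob, 12)[0]
    if header_size < GPT_HEADER_MIN_SIZE or header_size > len(blob):
        return False
    stored_crc = struct.unpack_from("<I", blob, 16)[0]
    # The header CRC is computed with its own field (offset 16, 4 bytes) zeroed.
    zeroed = blob[:16] + b"\x00\x00\x00\x00" + blob[20:header_size]
    return (zlib.crc32(zeroed) & 0xFFFFFFFF) == stored_crc


def detect_sector_size(image: bytes):
    """Return the sector size for which LBA 1 holds a valid GPT header, else None."""
    for size in CANDIDATE_SECTOR_SIZES:
        blob = image[size:size + size]
        if len(blob) == size and gpt_header_valid(blob):
            return size
    return None


def make_gpt_image(sector_size: int, partition_entries_lba: int = 2) -> bytes:
    """Constructed test image: three sectors, with a minimal valid GPT header at LBA 1."""
    header = bytearray(GPT_HEADER_MIN_SIZE)
    header[:8] = GPT_SIGNATURE
    struct.pack_into("<I", header, 8, 0x00010000)          # revision 1.0
    struct.pack_into("<I", header, 12, GPT_HEADER_MIN_SIZE)  # header size
    struct.pack_into("<Q", header, 24, 1)                   # this header's LBA
    struct.pack_into("<Q", header, 72, partition_entries_lba)
    struct.pack_into("<I", header, 80, 128)                 # number of entries
    struct.pack_into("<I", header, 84, 128)                 # bytes per entry
    crc = zlib.crc32(bytes(header)) & 0xFFFFFFFF            # CRC field still zero here
    struct.pack_into("<I", header, 16, crc)
    image = bytearray(sector_size * 3)
    image[sector_size:sector_size + GPT_HEADER_MIN_SIZE] = header
    return bytes(image)


def sector_size_of_file(path: str):
    """Read just enough of a raw image to run the same check on a real file."""
    with open(path, "rb") as fh:
        head = fh.read(max(CANDIDATE_SECTOR_SIZES) * 2)
    return detect_sector_size(head)


if __name__ == "__main__":
    for size in CANDIDATE_SECTOR_SIZES:
        print(size, "->", detect_sector_size(make_gpt_image(size)))
```

Point `sector_size_of_file` at the raw image of the physical disk and compare the answer with what mmls printed; if the GPT validates only at 4096 bytes, any tool that assumes 512-byte sectors will read the wrong offsets, which is the kind of mismatch post #5 is guessing at.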
#6
1) and 2) ok

3) and 4) In order to avoid further headache, you need to take your image with a mac.
Since you have access to Macquisition, boot your host with it, and connect the guest with TDM to this host. It will appear as "disk2 - Target Disk Mode - Thunderbolt".
Since this disk is encrypted with T2, you do not need to image this one, but the "virtual APFS container disk3".

5) finally, the image you just took should be encrypted with APFS Filevault; follow these steps to extract the hash (and not fvdetools)
#7
This doesn't work. I get the same Initialization of KeyManager failed error.
I tried this with Banaanhangwagen's apfs2hashcat and also with sgan81's apfs-fuse.
What kind of image should I choose?
I selected Raw DD. Now in Macquisition I need to input the password or Recovery Key to image the whole disk3.

Here is the compile log of Banaanhangwagen's apfs2hashcat:
Code:
cmake ..
-- The C compiler identification is GNU 10.2.0
-- The CXX compiler identification is GNU 10.2.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/apfs2hashcat/build
Code:
make
Scanning dependencies of target lzfse
[  2%] Building C object CMakeFiles/lzfse.dir/3rdparty/lzfse/src/lzfse_decode.c.o
In file included from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_internal.h:30,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_decode.c:25:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h: In function ‘fse_check_freq’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h:564:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘const long unsigned int’} [-Wsign-compare]
  564 |  for (int i = 0; i < table_size; i++) {
      |                    ^
[  4%] Building C object CMakeFiles/lzfse.dir/3rdparty/lzfse/src/lzfse_decode_base.c.o
In file included from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_internal.h:30,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_decode_base.c:22:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h: In function ‘fse_check_freq’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h:564:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘const long unsigned int’} [-Wsign-compare]
  564 |  for (int i = 0; i < table_size; i++) {
      |                    ^
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_decode_base.c: In function ‘lzfse_decode_lmd’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_decode_base.c:240:30: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘int32_t’ {aka ‘int’} [-Wsign-compare]
  240 |        for (size_t i = 0; i < M; i++)
      |                              ^
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_decode_base.c:256:30: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘int32_t’ {aka ‘int’} [-Wsign-compare]
  256 |        for (size_t i = 0; i < L; i++)
      |                              ^
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_decode_base.c:268:30: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘ptrdiff_t’ {aka ‘long int’} [-Wsign-compare]
  268 |        for (size_t i = 0; i < remaining_bytes; i++)
      |                              ^
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_decode_base.c:280:30: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘int32_t’ {aka ‘int’} [-Wsign-compare]
  280 |        for (size_t i = 0; i < M; i++)
      |                              ^
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_decode_base.c:294:30: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘ptrdiff_t’ {aka ‘long int’} [-Wsign-compare]
  294 |        for (size_t i = 0; i < remaining_bytes; i++)
      |                              ^
[  6%] Building C object CMakeFiles/lzfse.dir/3rdparty/lzfse/src/lzfse_encode.c.o
In file included from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_internal.h:30,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_encode.c:25:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h: In function ‘fse_check_freq’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h:564:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘const long unsigned int’} [-Wsign-compare]
  564 |  for (int i = 0; i < table_size; i++) {
      |                    ^
[  8%] Building C object CMakeFiles/lzfse.dir/3rdparty/lzfse/src/lzfse_encode_base.c.o
In file included from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_internal.h:30,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_encode_base.c:24:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h: In function ‘fse_check_freq’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h:564:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘const long unsigned int’} [-Wsign-compare]
  564 |  for (int i = 0; i < table_size; i++) {
      |                    ^
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_encode_base.c: In function ‘setField’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_encode_base.c:36:61: warning: unused parameter ‘nbits’ [-Wunused-parameter]
  36 | static inline uint64_t setField(uint32_t v, int offset, int nbits) {
      |                                                        ~~~~^~~~~
[ 10%] Building C object CMakeFiles/lzfse.dir/3rdparty/lzfse/src/lzfse_fse.c.o
In file included from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_internal.h:30,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.c:22:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h: In function ‘fse_check_freq’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h:564:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘const long unsigned int’} [-Wsign-compare]
  564 |  for (int i = 0; i < table_size; i++) {
      |                    ^
[ 12%] Building C object CMakeFiles/lzfse.dir/3rdparty/lzfse/src/lzvn_decode_base.c.o
In file included from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_internal.h:30,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzvn_decode_base.h:29,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzvn_decode_base.c:24:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h: In function ‘fse_check_freq’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h:564:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘const long unsigned int’} [-Wsign-compare]
  564 |  for (int i = 0; i < table_size; i++) {
      |                    ^
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzvn_decode_base.c: In function ‘lzvn_decode’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzvn_decode_base.c:431:9: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘long int’ [-Wsign-compare]
  431 |  if (D > dst_ptr - state->dst_begin || D == 0)
      |        ^
[ 14%] Building C object CMakeFiles/lzfse.dir/3rdparty/lzfse/src/lzvn_encode_base.c.o
In file included from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_internal.h:30,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzvn_encode_base.h:27,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzvn_encode_base.c:24:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h: In function ‘fse_check_freq’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h:564:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘const long unsigned int’} [-Wsign-compare]
  564 |  for (int i = 0; i < table_size; i++) {
      |                    ^
[ 16%] Linking C static library liblzfse.a
[ 16%] Built target lzfse
Scanning dependencies of target apfs
[ 18%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/Aes.cpp.o
[ 20%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/AesXts.cpp.o
[ 22%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/ApfsContainer.cpp.o
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/ApfsContainer.cpp: In member function ‘void ApfsContainer::dump(BlockDumper&)’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/ApfsContainer.cpp:391:9: warning: unused variable ‘k’ [-Wunused-variable]
  391 |  size_t k;
      |        ^
[ 25%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/ApfsDir.cpp.o
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/ApfsDir.cpp: In member function ‘bool ApfsDir::ListDirectory(std::vector<ApfsDir::DirRec>&, uint64_t)’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/ApfsDir.cpp:330:14: warning: array subscript 0 is outside array bounds of ‘uint8_t [0]’ {aka ‘unsigned char [0]’} [-Warray-bounds]
  330 |  key->name[0] = 0;
      |  ~~~~~~~~~~~^
In file included from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/ApfsDir.h:25,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/ApfsDir.cpp:27:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/DiskStruct.h:482:10: note: while referencing ‘j_drec_key_t::name’
  482 |  uint8_t name[0];
      |          ^~~~
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/ApfsDir.cpp:321:14: warning: array subscript 0 is outside array bounds of ‘uint8_t [0]’ {aka ‘unsigned char [0]’} [-Warray-bounds]
  321 |  key->name[0] = 0;
      |  ~~~~~~~~~~~^
In file included from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/ApfsDir.h:25,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/ApfsDir.cpp:27:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/DiskStruct.h:488:10: note: while referencing ‘j_drec_hashed_key_t::name’
  488 |  uint8_t name[0];
      |          ^~~~
[ 27%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/ApfsNodeMapper.cpp.o
[ 29%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/ApfsNodeMapperBTree.cpp.o
[ 31%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/ApfsVolume.cpp.o
[ 33%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/BlockDumper.cpp.o
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/BlockDumper.cpp: In member function ‘void BlockDumper::DumpBTEntry_FusionMT(const void*, size_t, const void*, size_t, bool)’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/BlockDumper.cpp:1171:68: warning: unused parameter ‘key_len’ [-Wunused-parameter]
1171 | void BlockDumper::DumpBTEntry_FusionMT(const void* key_ptr, size_t key_len, const void* val_ptr, size_t val_len, bool index)
      |                                                            ~~~~~~~^~~~~~~
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/BlockDumper.cpp:1171:105: warning: unused parameter ‘val_len’ [-Wunused-parameter]
1171 | void BlockDumper::DumpBTEntry_FusionMT(const void* key_ptr, size_t key_len, const void* val_ptr, size_t val_len, bool index)
      |                                                                                                  ~~~~~~~^~~~~~~
[ 35%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/BTree.cpp.o
[ 37%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/CheckPointMap.cpp.o
[ 39%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/Crc32.cpp.o
[ 41%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/Crypto.cpp.o
[ 43%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/Decmpfs.cpp.o
[ 45%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/Des.cpp.o
[ 47%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/Device.cpp.o
[ 50%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/DeviceDMG.cpp.o
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/DeviceDMG.cpp: In member function ‘bool DeviceDMG::ProcessHeaderRsrc(uint64_t, uint64_t)’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/DeviceDMG.cpp:458:44: warning: unused parameter ‘off’ [-Wunused-parameter]
  458 | bool DeviceDMG::ProcessHeaderRsrc(uint64_t off, uint64_t size)
      |                                  ~~~~~~~~~^~~
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/DeviceDMG.cpp:458:58: warning: unused parameter ‘size’ [-Wunused-parameter]
  458 | bool DeviceDMG::ProcessHeaderRsrc(uint64_t off, uint64_t size)
      |                                                ~~~~~~~~~^~~~
[ 52%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/DeviceLinux.cpp.o
[ 54%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/DeviceMac.cpp.o
[ 56%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/DeviceSparseImage.cpp.o
[ 58%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/DeviceWinFile.cpp.o
[ 60%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/DeviceWinPhys.cpp.o
[ 62%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/DiskImageFile.cpp.o
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/DiskImageFile.cpp: In member function ‘bool DiskImageFile::SetupEncryptionV1()’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/DiskImageFile.cpp:254:11: warning: variable ‘total_size’ set but not used [-Wunused-but-set-variable]
  254 |  uint64_t total_size;
      |          ^~~~~~~~~~
[ 64%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/GptPartitionMap.cpp.o
[ 66%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/KeyMgmt.cpp.o
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/KeyMgmt.cpp: In member function ‘void Keybag::dump(std::ostream&, Keybag*, const unsigned char (&)[16])’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/KeyMgmt.cpp:280:14: warning: variable ‘typestr’ set but not used [-Wunused-but-set-variable]
  280 |  const char *typestr;
      |              ^~~~~~~
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/KeyMgmt.cpp: In member function ‘bool KeyManager::GetVolumeKey(uint8_t*, const unsigned char (&)[16], const char*)’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/KeyMgmt.cpp:578:2: warning: ‘ke_recs’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  578 |  if (!ke_recs)
      |  ^~
[ 68%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/PList.cpp.o
[ 70%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/Sha1.cpp.o
[ 72%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/Sha256.cpp.o
[ 75%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/TripleDes.cpp.o
[ 77%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/Util.cpp.o
In file included from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_internal.h:30,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzvn_decode_base.h:29,
                from /media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsLib/Util.cpp:41:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h: In function ‘int fse_check_freq(const uint16_t*, size_t, size_t)’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/3rdparty/lzfse/src/lzfse_fse.h:564:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘const size_t’ {aka ‘const long unsigned int’} [-Wsign-compare]
  564 |  for (int i = 0; i < table_size; i++) {
      |                  ~~^~~~~~~~~~~~
[ 79%] Building CXX object CMakeFiles/apfs.dir/ApfsLib/Unicode.cpp.o
[ 81%] Linking CXX static library libapfs.a
[ 81%] Built target apfs
Scanning dependencies of target apfsutil
[ 83%] Building CXX object CMakeFiles/apfsutil.dir/ApfsUtil/ApfsUtil.cpp.o
[ 85%] Linking CXX executable apfsutil
[ 85%] Built target apfsutil
Scanning dependencies of target apfs-fuse
[ 87%] Building CXX object CMakeFiles/apfs-fuse.dir/apfsfuse/ApfsFuse.cpp.o
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/apfsfuse/ApfsFuse.cpp: In function ‘int apfs_parse_fuse_opt(void*, const char*, int, fuse_args*)’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/apfsfuse/ApfsFuse.cpp:667:38: warning: unused parameter ‘data’ [-Wunused-parameter]
  667 | static int apfs_parse_fuse_opt(void *data, const char *arg, int key, struct fuse_args* outargs)
      |                                ~~~~~~^~~~
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/apfsfuse/ApfsFuse.cpp:667:88: warning: unused parameter ‘outargs’ [-Wunused-parameter]
  667 | static int apfs_parse_fuse_opt(void *data, const char *arg, int key, struct fuse_args* outargs)
      |                                                                      ~~~~~~~~~~~~~~~~~~^~~~~~~
[ 89%] Linking CXX executable apfs-fuse
[ 89%] Built target apfs-fuse
Scanning dependencies of target apfs-dump-quick
[ 91%] Building CXX object CMakeFiles/apfs-dump-quick.dir/ApfsDumpQuick/ApfsDumpQuick.cpp.o
[ 93%] Linking CXX executable apfs-dump-quick
[ 93%] Built target apfs-dump-quick
Scanning dependencies of target apfs-dump
[ 95%] Building CXX object CMakeFiles/apfs-dump.dir/ApfsDump/Dumper.cpp.o
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsDump/Dumper.cpp: In member function ‘bool Dumper::DumpContainer(std::ostream&)’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsDump/Dumper.cpp:129:11: warning: variable ‘block_size’ set but not used [-Wunused-but-set-variable]
  129 |  uint32_t block_size;
      |          ^~~~~~~~~~
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsDump/Dumper.cpp:131:11: warning: variable ‘chunks_per_cib’ set but not used [-Wunused-but-set-variable]
  131 |  uint32_t chunks_per_cib;
      |          ^~~~~~~~~~~~~~
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsDump/Dumper.cpp:132:11: warning: variable ‘cibs_per_cab’ set but not used [-Wunused-but-set-variable]
  132 |  uint32_t cibs_per_cab;
      |          ^~~~~~~~~~~~
[ 97%] Building CXX object CMakeFiles/apfs-dump.dir/ApfsDump/Apfs.cpp.o
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsDump/Apfs.cpp: In function ‘int main(int, const char**)’:
/media/The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)/DeLOCK/apfs2hashcat/ApfsDump/Apfs.cpp:406:8: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
  406 |  printf("main: %s\n", name_dev_main);
      |  ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[100%] Linking CXX executable apfs-dump
[100%] Built target apfs-dump
And here is the error:
Code:
sudo ./build/apfs-dump-quick /disk3.dmg hash.txt
starting LoadKeybag
Initialization of KeyManager failed.
Unable to init container.

sgan81's apfs-fuse gives a little more info:
Code:
sudo ./apfs-dump-quick disk3.dmg hash.txt
Mounting xid different from NXSB at 0 (xid = 52985). xid = 52985
Mounting xid 52985
omap: oid=55190 xid=52985 flags=0 size=0 paddr=55190
omap: oid=1029 xid=52985 flags=0 size=0 paddr=1029
starting LoadKeybag @ 6a0471
Initialization of KeyManager failed.
Unable to init container.

With gdb I get the following Info:
Code:
"/disk3.dmg" is not a core dump: file format not recognized

The EncryptedRoot.plist file is encrypted using AES-XTS. Key1 is in the main volume header/CoreStorage header. My first goal is to get Key1 out of the CoreStorage header. Key2 must be 128 bits of zeros.

The output of mmls:
Code:
mmls disk2.dmg
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 4096-byte sectors

      Slot      Start        End          Length      Description
000:  Meta      0000000000  0000000000  0000000001  Safety Table
001:  -------   0000000000  0000000005  0000000006  Unallocated
002:  Meta      0000000001  0000000001  0000000001  GPT Header
003:  Meta      0000000002  0000000005  0000000004  Partition Table
004:  000       0000000006  0000076805  0000076800  EFI System Partition
005:  001       0000076806  0061279338  0061202533
006:  -------   0061279339  0061279343  0000000005  Unallocated

And the fresh dd of the synthesized disk. I made this image under macOS with dd, because Macquisition needs a password to create the image.
Code:
mmls disk3.dmg

Cannot determine partition type