Experts Blog

MacOS password recovery on a disk with FileVault 2 encryption
Fortalice Solutions

MacOS password recovery on a disk with FileVault 2 encryption

What can you do if a user forgets their password for MacOS, but remembers a partial password or a list of possible passwords? In this scenario, there is no saved recovery key in MDM nor in iCloud.

We’re sharing this thread in case it helps someone else. Note that this is not original research, but rather a collection of information.

Here is what works in 2021:

Step 1:  

Download the liveboot Kali Linux from:  

https://kali.org/get-kali/#kali-live

Write it to USB using instructions from:

https://kali.org/docs/usb/live-usb-install-with-mac/

Step 2:  

On the MacOS with the password issue, boot with the USB stick that has Kali Live on it.To get into the boot menu, hold in the Option (⌥) or Alt key while powering on the machine

(See https://support.apple.com/en-us/HT201255 for more details on that)

Step 3:  

Follow the instructions on

https://github.com/Banaanhangwagen/apfs2hashcat

Note: This worked with no modifications on Kali 2021.2 - thanks to @Banaanhangwagen on Twitter for updating and modifying @DhiruKholia's apfs2john tool, based on Simon Gander's apfs-fuse drivers!

Step 4:

Grab the formatted hashes, put them in a file called hashes.txt.

Put a list of passwords the user thinks they might have used in guesses.txt.

Step 5:

This is where you start cracking!

First, run it through hashcat and test the user's password guesses as-is. Maybe you'll get lucky! We didn't.

hashcat -O -w4 -a 0 -m 18300 hashes.txt guesses.txt

Step 7:

Next, try a variation where the password guesses are slightly modified, for instance try using the hashcat "toggles" rules:

hashcat -O -w4 -a 0 -m 18300 hashes.txt guesses.txt -r /usr/share/hashcat/rules/toggles1.rule

With some luck and hashcat variations, that might do the trick. In our case, we got lucky and the toggles1.rule was all we needed. There are many toggles rules packaged with hashcat and, of course, countless ways to attack this problem, such as standard dictionary attacks, etc.

There are many good tutorials on how to use hashcat with rules out there, but if you want to get started and read more, we feel these two writeups are good ones for beginners:

https://www.4armed.com/blog/hashcat-rule-based-attack/

https://www.root101.net/Recovering-Hashes-without-Dozens-of-GPUs

Epilogue

This is a good reminder that even with file encryption enabled, a weak password can let an intruder in to your machine. Make this a little harder with a firmware password: https://support.apple.com/en-us/HT204455  

Also: back up your recovery keys in a safe place so you never need to use these steps!