What can you do if a user forgets their password for MacOS, but remembers a partial password or a list of possible passwords? In this scenario, there is no saved recovery key in MDM nor in iCloud.
We’re sharing this thread in case it helps someone else. Note that this is not original research, but rather a collection of information.
Here is what works in 2021:
Step 1:
Download the liveboot Kali Linux from:
https://kali.org/get-kali/#kali-live
Write it to USB using instructions from:
https://kali.org/docs/usb/live-usb-install-with-mac/
Step 2:
On the MacOS with the password issue, boot with the USB stick that has Kali Live on it.To get into the boot menu, hold in the Option (⌥) or Alt key while powering on the machine
(See https://support.apple.com/en-us/HT201255 for more details on that)
Step 3:
Follow the instructions on
https://github.com/Banaanhangwagen/apfs2hashcat
Note: This worked with no modifications on Kali 2021.2 - thanks to @Banaanhangwagen on Twitter for updating and modifying @DhiruKholia's apfs2john tool, based on Simon Gander's apfs-fuse drivers!
Step 4:
Grab the formatted hashes, put them in a file called hashes.txt.
Put a list of passwords the user thinks they might have used in guesses.txt.
Step 5:
This is where you start cracking!
First, run it through hashcat and test the user's password guesses as-is. Maybe you'll get lucky! We didn't.
hashcat -O -w4 -a 0 -m 18300 hashes.txt guesses.txt
Step 7:
Next, try a variation where the password guesses are slightly modified, for instance try using the hashcat "toggles" rules:
hashcat -O -w4 -a 0 -m 18300 hashes.txt guesses.txt -r /usr/share/hashcat/rules/toggles1.rule
With some luck and hashcat variations, that might do the trick. In our case, we got lucky and the toggles1.rule was all we needed. There are many toggles rules packaged with hashcat and, of course, countless ways to attack this problem, such as standard dictionary attacks, etc.
There are many good tutorials on how to use hashcat with rules out there, but if you want to get started and read more, we feel these two writeups are good ones for beginners:
https://www.4armed.com/blog/hashcat-rule-based-attack/
https://www.root101.net/Recovering-Hashes-without-Dozens-of-GPUs
Epilogue
This is a good reminder that even with file encryption enabled, a weak password can let an intruder in to your machine. Make this a little harder with a firmware password: https://support.apple.com/en-us/HT204455
Also: back up your recovery keys in a safe place so you never need to use these steps!
US: 877.487.8160
watchmen@fortalicesolutions.com
EMEA: 0800.824.7030
emea@fortalicesolutions.co.uk
