What can you do if a user forgets their password for macOS, but remembers a partial password or a list of possible passwords? In this scenario, there is no saved recovery key in MDM nor in iCloud.
We’re sharing this thread in case it helps someone else. Note that this is not original research, but rather a collection of information.
Here is what works in 2021:
Download the liveboot Kali Linux from:
Write it to USB using instructions from:
On the Mac with the password issue, boot from the USB stick that has Kali Live on it. To get into the boot menu, hold down the Option (⌥) or Alt key while powering on the machine.
(See https://support.apple.com/en-us/HT201255 for more details on that)
Follow the instructions on
Note: This worked with no modifications on Kali 2021.2 - thanks to @Banaanhangwagen on Twitter for updating and modifying @DhiruKholia's apfs2john tool, based on Simon Gander's apfs-fuse drivers!
Grab the formatted hashes and put them in a file called hashes.txt.
Put a list of passwords the user thinks they might have used in guesses.txt.
This is where you start cracking!
First, run it through hashcat and test the user's password guesses as-is. Maybe you'll get lucky! We didn't.
hashcat -O -w4 -a 0 -m 18300 hashes.txt guesses.txt
Next, try a variation where the password guesses are slightly modified; for instance, try using the hashcat "toggles" rules, which flip the case of letters at selected positions:
hashcat -O -w4 -a 0 -m 18300 hashes.txt guesses.txt -r /usr/share/hashcat/rules/toggles1.rule
With some luck and hashcat variations, that might do the trick. In our case, we got lucky and the toggles1.rule was all we needed. There are many toggles rules packaged with hashcat and, of course, countless ways to attack this problem, such as standard dictionary attacks, etc.
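To make concrete what a "toggles" rule does, and why a password that is only a case variant of a guessable word is still weak, here is an added Python example. It is not part of the original post and is neither Fortalice's nor hashcat's code. It implements hashcat's documented `Tn` rule token (toggle the case of the character at position n, with positions written 0-9 then A-Z) and a check a defender can use to reject a new password that differs from a previous password or a dictionary word only by case. The rule list and sample words inside are constructed for illustration and are not the contents of toggles1.rule.

```python
"""Case-toggle rule semantics and a password-hygiene check (added example).

hashcat's rule language includes `Tn`: toggle the case of the character at
position n, where n is written as '0'-'9' for 0-9 and 'A'-'Z' for 10-35.
The toggles*.rule files shipped with hashcat are built from this token.
The rule list below is CONSTRUCTED for illustration, not the real file.
"""
from typing import List, Optional

POS_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def rule_position(ch: str) -> int:
    """Map a hashcat position character ('0'-'9', 'A'-'Z') to an index."""
    idx = POS_CHARS.find(ch.upper())
    if idx < 0:
        raise ValueError(f"bad position character: {ch!r}")
    return idx


def apply_toggle_rule(word: str, rule: str) -> str:
    """Apply a rule made only of ':' (no-op) and 'Tn' (toggle case at n).

    A toggle whose position is past the end of the word is treated as a
    no-op here (assumption for this example; other tokens are rejected).
    """
    chars = list(word)
    i = 0
    while i < len(rule):
        if rule[i] == ":":
            i += 1
        elif rule[i] == "T" and i + 1 < len(rule):
            pos = rule_position(rule[i + 1])
            if pos < len(chars):
                chars[pos] = chars[pos].swapcase()
            i += 2
        else:
            raise ValueError(f"unsupported rule token at {i} in {rule!r}")
    return "".join(chars)


def expand_with_rules(word: str, rules: List[str]) -> List[str]:
    """Unique candidates a rule list produces from one base word.

    The point for a defender: a short rule list only multiplies a guess by
    a handful of variants, so a case-tweaked guessable word is still weak.
    """
    return sorted({apply_toggle_rule(word, r) for r in rules})


def toggle_distance(candidate: str, known: str) -> Optional[int]:
    """Number of case toggles turning `known` into `candidate`.

    Returns None when the two differ by more than case.
    """
    if candidate.lower() != known.lower():
        return None
    return sum(1 for a, b in zip(candidate, known) if a != b)


def is_case_variant(new_password: str, known_words: List[str]) -> Optional[str]:
    """Return the known word the new password is a case variant of, if any.

    Intended for a password-change check: reject the change when the
    "new" password is just the old one (or a dictionary word) re-cased.
    """
    for word in known_words:
        if toggle_distance(new_password, word) is not None:
            return word
    return None


if __name__ == "__main__":
    # Constructed sample rule list and words, not real hashcat rule content.
    sample_rules = [":", "T0", "T1", "T0", "T0T1"]
    print(expand_with_rules("qwerty", sample_rules))
    print(is_case_variant("WelCome", ["password", "welcome"]))
```

`expand_with_rules` shows that the five-entry sample list yields only four distinct candidates from one base word, which is why a user's "I capitalised something" recollection collapses the search so quickly; `is_case_variant` is the inverse use of the same idea in a password-change or policy check.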
There are many good tutorials on how to use hashcat with rules out there, but if you want to get started and read more, we feel these two writeups are good ones for beginners:
This is a good reminder that even with disk encryption (FileVault) enabled, a weak password can let an intruder into your machine. Make this a little harder with a firmware password: https://support.apple.com/en-us/HT204455
Also: back up your recovery keys in a safe place so you never need to use these steps!
Silicon Valley Bank (SVB) was shuttered early this month and had its deposits seized in the largest U.S. bank failure since the 2008 financial crisis. Although it may seem like SVB’s collapse will only impact its direct customers and depositors, it is far more complicated. Like vultures to roadkill, cyber scammers often wait to exploit and target victims after tragedy strikes, or bad news arises. A perfect storm of stress, uncertainty, and urgency for customers and vendors alike during this time can impair someone’s judgement when they click links and open emails they otherwise would ignore or delete. Fortalice has outlined a few different ways cybercriminals social engineer their victims during times of extreme distress and insecurity.