[john-users] Filevault2 volume without password
George Still
2018-08-26 08:54:00 UTC
I'm trying to mount a disk image encrypted volume in my forensic case.
I don't know the password, so I can't extract hash from the raw image.
Is there a way to bruteforce the image using GPU?

I'm using a self-made bash script that uses libfvde (with the -p option) and a
wordlist, but it is very slow.

Thanks
magnum
2018-08-26 16:18:14 UTC
Post by George Still
I'm trying to mount a disk image encrypted volume in my forensic case.
I don't know the password, so I can't extract hash from the raw image.
You typically extract some data from the (unmounted) partition or file
that holds the encrypted image and then run dmg2john on that, producing
a "hash". You can also run dmg2john et al. directly against the image
file or partition. In this case you already have an image file so you
should just run something like:

$ cd path/to/john/run
$ ./dmg2john /path/to/your/image.file > image_hash
$ ./john -format:dmg-opencl image_hash (...)

Please note that for best results you should use a jumbo version no
older than, let's say, this year - and preferably a really fresh one
from GitHub sources.

magnum
CRO
2018-08-26 17:43:08 UTC
Thanks magnum.
Post by magnum
Post by George Still
I'm trying to mount a disk image encrypted volume in my forensic case.
I don't know the password, so I can't extract hash from the raw image.
You typically extract some data from the (unmounted) partition or file
that holds the encrypted image and then run dmg2john on that, producing
a "hash".
How? I extracted EncryptedRoot.plist.wipekey following the Wiki
https://github.com/libyal/libfvde/wiki/Mounting

You can also run dmg2john et al. directly against the image
Post by magnum
file or partition. In this case you already have an image file so you
$ cd path/to/john/run
$ ./dmg2john /path/to/your/image.file > image_hash
$ ./john -format:dmg-opencl image_hash (...)
I don't have a .dmg image. I have a raw image:

# mmls image.raw
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0488965175   0488555536   No title
006:  002       0488965176   0490234711   0001269536   Recovery HD
007:  -------   0490234712   0490234751   0000000040   Unallocated

dmg2john works with .dmg files
magnum
2018-08-27 06:40:53 UTC
Post by magnum
You can also run dmg2john et al. directly against the image
Post by magnum
file or partition. In this case you already have an image file so you
$ cd path/to/john/run
$ ./dmg2john /path/to/your/image.file > image_hash
$ ./john -format:dmg-opencl image_hash (...)
# mmls image.raw
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0488965175   0488555536   No title
006:  002       0488965176   0490234711   0001269536   Recovery HD
007:  -------   0490234712   0490234751   0000000040   Unallocated
dmg2john works with .dmg files
Perhaps we should add an offset option to dmg2john. I would try
something like:

$ dd if=image.raw of=partition.dd bs=512 skip=409640 count=10
$ dmg2john partition.dd > hash

Admittedly I'm on thin ice here and also I'm not sure how much is needed
for count. Hopefully Dhiru or someone can fill in the blanks.

magnum
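The offsets magnum is guessing at above can be read straight off the mmls table that CRO posted. As an added example (not code from the thread, john, or libfvde), here is a small parser for that table that cross-checks each row (End - Start + 1 must equal Length) and then emits the dd line for the chosen partition, with skip equal to the Start sector and count equal to the Length. The embedded table is the one from this thread; the image and output file names are placeholders.

```python
import re
from dataclasses import dataclass

# The mmls partition listing posted earlier in this thread (GPT, 512-byte
# sectors), embedded here so the example runs offline.
MMLS_OUTPUT = """\
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0488965175   0488555536   No title
006:  002       0488965176   0490234711   0001269536   Recovery HD
007:  -------   0490234712   0490234751   0000000040   Unallocated
"""

# One table row: "<idx>:  <slot>  <start>  <end>  <length>  <description>".
ROW_RE = re.compile(r"^(\d{3}):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
UNITS_RE = re.compile(r"^Units are in (\d+)-byte sectors")


@dataclass
class Partition:
    index: int
    slot: str          # "Meta", "-------" (unallocated) or a partition number
    start: int         # first sector, inclusive
    end: int           # last sector, inclusive
    length: int        # number of sectors
    description: str

    @property
    def allocated(self) -> bool:
        """Real partitions have a numeric slot; metadata rows and gaps do not."""
        return self.slot.isdigit()


def parse_mmls(text: str):
    """Return (sector_size, [Partition, ...]) parsed from mmls output.

    Every row is cross-checked: End - Start + 1 must equal Length, so a
    mangled or mis-copied line is caught before any offset is computed.
    """
    sector_size = 512
    parts = []
    for line in text.splitlines():
        m = UNITS_RE.match(line)
        if m:
            sector_size = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        p = Partition(int(m.group(1)), m.group(2), int(m.group(3)),
                      int(m.group(4)), int(m.group(5)), m.group(6))
        if p.end - p.start + 1 != p.length:
            raise ValueError(f"inconsistent row {p.index}: {line!r}")
        parts.append(p)
    return sector_size, parts


def find_partition(parts, description: str) -> Partition:
    """Pick the single allocated partition whose description matches exactly."""
    matches = [p for p in parts if p.allocated and p.description == description]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} partitions match {description!r}")
    return matches[0]


def dd_command(image: str, part: Partition, out: str, sector_size: int) -> str:
    """Build the dd line that copies exactly this partition.

    dd's skip= is the number of whole blocks to pass over before reading, so
    the first sector copied is sector number `skip`: skip is the Start column
    itself (not Start - 1) and count is the Length column.
    """
    return (f"dd if={image} of={out} bs={sector_size} "
            f"skip={part.start} count={part.length}")


def partition_bytes(part: Partition, sector_size: int) -> int:
    """Byte size of the partition, to compare against fdisk -l on the copy."""
    return part.length * sector_size


if __name__ == "__main__":
    sector_size, parts = parse_mmls(MMLS_OUTPUT)
    core_storage = find_partition(parts, "No title")
    print(dd_command("image.raw", core_storage, "partition.dd", sector_size))
    print(partition_bytes(core_storage, sector_size), "bytes")
```

For the "No title" (Core Storage) partition this yields `skip=409640 count=488555536`, and 488555536 sectors times 512 bytes is 250140434432 bytes, which is the size fdisk reports for the carved copy later in this thread. kpartx, used further down, exposes the same sector range as a device-mapper node without copying anything.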
CRO
2018-08-27 07:08:40 UTC
Post by magnum
dd if=image.raw of=partition.dd bs=512 skip=409640 count=10
I'm not sure, but I think that should be:

# dd if=image.raw of=partition.dd bs=512 skip=409639 count=488555536
Dhiru Kholia
2018-08-27 07:28:44 UTC
Hi,

Use instructions from https://github.com/kholia/fvde2john/blob/master/README.

You need to build and use https://github.com/kholia/fvde2john.

Dhiru
CRO
2018-08-27 07:35:03 UTC
Post by Dhiru Kholia
Hi,
Use instructions from https://github.com/kholia/fvde2john/blob/master/README.
Thanks Dhiru.

$ sudo fvdetools/fvdeinfo -p dummy /dev/mapper/loop2p1
fvdeinfo needs the password
Dhiru Kholia
2018-08-27 07:39:15 UTC
Post by CRO
Post by Dhiru Kholia
Use instructions from https://github.com/kholia/fvde2john/blob/master/README.
$ sudo fvdetools/fvdeinfo -p dummy /dev/mapper/loop2p1
fvdeinfo needs the password
You need to build and use https://github.com/kholia/fvde2john.

Use a dummy / fake password.

Dhiru
CRO
2018-08-27 08:25:02 UTC
Post by Dhiru Kholia
Use a dummy / fake password.
Ah! Nice, dummy is a fake password. But now I'm stuck on this issue:
https://github.com/libyal/libfvde/issues/36

libfvalue_utf8_string_with_index_copy_to_integer: unsupported character value: 0x78 at index: 1
CRO
2018-08-27 07:29:47 UTC
Post by magnum
$ dd if=image.raw of=partition.dd bs=512 skip=409640 count=10
$ dmg2john partition.dd > hash
According to http://www.sleuthkit.org/informer/sleuthkit-informer-12.txt
the command should be:
# dd if=image.raw of=partition.dd bs=512 skip=409640 count=488555536
CRO
2018-08-28 11:04:42 UTC
Summary

------------------
-- dmg2john way --
------------------
# mmls image.raw
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0488965175   0488555536   No title
006:  002       0488965176   0490234711   0001269536   Recovery HD
007:  -------   0490234712   0490234751   0000000040   Unallocated

# dd if=image.raw of=partition.dd bs=512 skip=409640 count=488555536

# fdisk -l partition.dd
Disk partition.dd: 233 GiB, 250140434432 bytes, 488555536 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

# dmg2john partition.dd
partition.dd is not an encrypted DMG file!


-------------------
-- fvde2john way --
-------------------
# fvdeinfo -v -p fake /dev/mapper/loop0p2
fvdeinfo 20180821

Unable to open: /dev/mapper/loop0p2.
libfvalue_utf8_string_with_index_copy_to_integer: unsupported character value: 0x78 at index: 1.
libfvalue_utf8_string_copy_to_integer: unable to copy UTF-8 string to integer value.
libfplist_property_get_value_integer: unable to convert value to integer.
libfvde_encrypted_metadata_read_type_0x001a: unable to retrieve logical volume size.
libfvde_encrypted_metadata_read: unable to read metadata block type 0x001a.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.


Issue reported here: https://github.com/libyal/libfvde/issues/36
Dhiru Kholia
2018-08-28 11:22:57 UTC
Post by CRO
# fvdeinfo -v -p fake /dev/mapper/loop0p2
fvdeinfo 20180821
Unable to open: /dev/mapper/loop0p2.
libfvalue_utf8_string_with_index_copy_to_integer: unsupported character value: 0x78 at index: 1.
libfvalue_utf8_string_copy_to_integer: unable to copy UTF-8 string to integer value.
...
Issue reported here: https://github.com/libyal/libfvde/issues/36
Do you have a reproducer? Can you please create a small disk image
which exhibits this problem?

Thanks,
Dhiru
CRO
2018-08-28 15:00:21 UTC
Post by Dhiru Kholia
Do you have a reproducer? Can you please create a small disk image
which exhibits this problem?
Thanks,
Dhiru
I used my image, but I have the same error with the fvde2john test image:
https://github.com/kholia/fvde2john/blob/master/fvde-1.raw.tar.xz
Dhiru Kholia
2018-08-28 15:29:25 UTC
Post by CRO
Post by Dhiru Kholia
Do you have a reproducer? Can you please create a small disk image
which exhibits this problem?
https://github.com/kholia/fvde2john/blob/master/fvde-1.raw.tar.xz
I can't reproduce the problem with commit 6e51e19e:

$ sudo kpartx -v -a fvde-1.raw
add map loop0p1 (253:3): 0 1048496 linear 7:0 40

$ sudo fvdetools/fvdeinfo -p dummy /dev/mapper/loop0p1
fvdeinfo 20180108

$fvde$1$16$e7eebaabacaffe04dd33d22fd09e30e5$41000$e9acbb4bc6dafb74aadb72c576fecf69c2ad45ccd4776d76
$fvde$1$16$e7eebaabacaffe04dd33d22fd09e30e5$41000$e9acbb4bc6dafb74aadb72c576fecf69c2ad45ccd4776d76

Paste the steps you are following exactly.

Give us a way to reproduce this problem on our end, and it will be likely fixed.

Dhiru
CRO
2018-08-28 16:32:14 UTC
Post by Dhiru Kholia
Paste the steps you are following exactly.
Give us a way to reproduce this problem on our end, and it will be likely fixed.
Thank you. I am on an ESXi virtual machine.

# uname -r
4.15.0-kali2-amd64

# git clone https://github.com/libyal/libfvde.git
# cd libfvde
# ./synclibs.sh
# ./autogen.sh
# ./configure
# make
# cd fvdetools
# wget https://github.com/kholia/fvde2john/raw/master/fvde-1.raw.tar.xz
# tar -xvf fvde-1.raw.tar.xz
# kpartx -v -a fvde-1.raw
add map loop0p1 (254:0): 0 1048496 linear 7:0 40
# ./fvdeinfo -p dummy /dev/mapper/loop0p1
fvdeinfo 20180821

Unable to open: /dev/mapper/loop0p1.
libfvalue_utf8_string_with_index_copy_to_integer: unsupported character value: 0x78 at index: 1.
libfvalue_utf8_string_copy_to_integer: unable to copy UTF-8 string to integer value.
libfplist_property_get_value_integer: unable to convert value to integer.
libfvde_encrypted_metadata_read_type_0x001a: unable to retrieve logical volume size.
libfvde_encrypted_metadata_read: unable to read metadata block type 0x001a.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
Dhiru Kholia
2018-08-29 02:00:12 UTC
Post by CRO
Post by Dhiru Kholia
Paste the steps you are following exactly.
Give us a way to reproduce this problem on our end, and it will be likely fixed.
# uname -r
4.15.0-kali2-amd64
# git clone https://github.com/libyal/libfvde.git
Replace this with:

git clone https://github.com/kholia/fvde2john.git

You need to build and use https://github.com/kholia/fvde2john

This is the third time I have said this in this email thread.

PS: Don't run things as root user when you don't have to.

Dhiru
CRO
2018-08-29 06:56:09 UTC
Post by Dhiru Kholia
This is the third time I have said this in this email thread.
I know, but I tried a different way. Anyway:

# git clone https://github.com/kholia/fvde2john.git
# cd fvde2john
# ./configure
# make
# tar -xJf fvde-1.raw.tar.xz
# kpartx -v -a fvde-1.raw
# fvdetools/fvdeinfo -p dummy /dev/mapper/loop1p1
fvdeinfo 20180108

Unable to open: /dev/mapper/loop1p1.
libfvalue_utf8_string_with_index_copy_to_integer: unsupported character value: 0x78 at index: 1.
libfvalue_utf8_string_copy_to_integer: unable to copy UTF-8 string to integer value.
libfplist_property_get_value_integer: unable to convert value to integer.
libfvde_encrypted_metadata_read_type_0x001a: unable to retrieve logical volume size.
libfvde_encrypted_metadata_read: unable to read metadata block type 0x001a.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.
Post by Dhiru Kholia
PS: Don't run things as root user when you don't have to.
Don't worry. It is a test (virtual) machine.
CRO
2018-08-29 07:17:00 UTC
------------
-- Update --
------------

On another machine this way works on fvde-1.raw :)

$ uname -a
Linux developer 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


The bad news is that my raw image gives me an error :(

$ sudo kpartx -v -a /media/hard-disk/image.raw
add map loop2p1 (253:1): 0 409600 linear 7:3 40
add map loop2p2 (253:2): 0 488555536 linear 7:3 409640
add map loop2p3 (253:3): 0 1269536 linear 7:3 488965176

...
Device           Start       End   Sectors    Size Type
/dev/loop2p1        40    409639    409600    200M EFI System
/dev/loop2p2    409640 488965175 488555536    233G Apple Core storage
/dev/loop2p3 488965176 490234711   1269536  619.9M Apple boot
...

$ sudo fvdetools/fvdeinfo -p dummy /dev/mapper/loop2p2
fvdeinfo 20180108

Unable to unlock keys.
Dhiru Kholia
2018-08-29 09:52:13 UTC
Post by CRO
-- Update --
On another machine this way works :) on fvde-1.raw
Does this mean that Kali Linux is somehow broken in some subtle way?
Post by CRO
The bad is that my raw image gives me error :(
$ sudo kpartx -v -a /media/hard-disk/image.raw
add map loop2p1 (253:1): 0 409600 linear 7:3 40
add map loop2p2 (253:2): 0 488555536 linear 7:3 409640
add map loop2p3 (253:3): 0 1269536 linear 7:3 488965176
...
Device           Start       End   Sectors    Size Type
/dev/loop2p1        40    409639    409600    200M EFI System
/dev/loop2p2    409640 488965175 488555536    233G Apple Core storage
/dev/loop2p3 488965176 490234711   1269536  619.9M Apple boot
...
$ sudo fvdetools/fvdeinfo -p dummy /dev/mapper/loop2p2
fvdeinfo 20180108
Unable to unlock keys.
Shouldn't the above command be something like the following?

sudo fvdetools/fvdeinfo -e Encrypted.plist.wipekey -p dummy /dev/mapper/loop2p2

I haven't tried the "Encrypted.plist.wipekey" stuff myself yet.

Dhiru
CRO
2018-08-29 16:33:07 UTC
Post by Dhiru Kholia
Does this mean that Kali Linux is somehow broken in some subtle way?
Maybe. I don't know.
Post by Dhiru Kholia
Shouldn't the above command be something like the following?
sudo fvdetools/fvdeinfo -e Encrypted.plist.wipekey -p dummy /dev/mapper/loop2p2
$ sudo fvdetools/fvdeinfo -e EncryptedRoot.plist.wipekey -p dummy /dev/mapper/loop2p2
fvdeinfo 20180108

$fvde$1$16$73d49f736090a65.........45c3e49ae34c12
Unable to open: /dev/mapper/loop2p2.
libfvde_encryption_context_plist_get_passphrase_wrapped_kek: unable to retrieve PassphraseWrappedKEKStruct sub property.
libfvde_encrypted_metadata_get_volume_master_key: unable to retrieve passphrase wrapped KEK: 1 from encryption context plist.
libfvde_volume_open_read_keys_from_encrypted_metadata: unable to retrieve volume master key from encrypted metadata.
libfvde_volume_open_read: unable to read keys from primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.


Is $fvde$1$16$73d49f736090a65.........45c3e49ae34c12 the hash?

If yes, BINGO! Thank you!
Are the errors after the hash "normal"?
Why use EncryptedRoot.plist.wipekey?
Dhiru Kholia
2018-08-30 11:57:49 UTC
Post by CRO
$ sudo fvdetools/fvdeinfo -e EncryptedRoot.plist.wipekey -p dummy
$fvde$1$16$73d49f736090a65.........45c3e49ae34c12
Is $fvde$1$16$73d49f736090a65.........45c3e49ae34c12 the hash?
If yes, BINGO! Thank you!
Seems like it.

As usual, create and crack a test hash using a known password to
validate your tools, steps, etc.
Post by CRO
Are the errors after the hash "normal"?
Why use EncryptedRoot.plist.wipekey?
It seems that the EncryptedRoot.plist.wipekey stuff is required for an
encrypted "system disk" but not for external encrypted disks.

Overall, if there is an EncryptedRoot.plist.wipekey file on the
Recovery partition, then I guess you need to use it.

https://github.com/libyal/libfvde/issues/35 (EncryptedRoot... missing
on encrypted external device) is relevant here.

Also see http://az4n6.blogspot.com/2016/07/mounting-and-reimaging-encrypted.html.

Dhiru
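Dhiru's advice above is to validate tools and steps before trusting a result. One cheap check is whether the line fvdeinfo printed is a complete, internally consistent record at all: CRO's pasted line has its middle replaced by dots, and a line like that cannot be used as it stands. As an added example (not code from the thread, fvde2john, or john), here is a checker for the `$fvde$` line layout as read off the full sample that appeared earlier in this thread: the `$fvde$` tag, a version, the salt length in bytes, the salt in hex, the iteration count, and the passphrase-wrapped KEK in hex (the libfvde error text names the PassphraseWrappedKEKStruct). The 24-byte size of that last field is an assumption taken from the sample; it is what AES key-wrap of a 16-byte key produces.

```python
import re

# $fvde$ lines as they appear in this thread: the full one fvdeinfo printed
# for the fvde-1.raw test image, and the one CRO posted with its middle
# redacted by dots.
FULL_LINE = ("$fvde$1$16$e7eebaabacaffe04dd33d22fd09e30e5$41000$"
             "e9acbb4bc6dafb74aadb72c576fecf69c2ad45ccd4776d76")
REDACTED_LINE = "$fvde$1$16$73d49f736090a65.........45c3e49ae34c12"

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Field layout read off the sample above: "$fvde$" tag, format version, salt
# length in bytes, salt (hex), iteration count, passphrase-wrapped KEK (hex).
# The 24-byte blob size is an assumption taken from the sample; AES key-wrap
# of a 16-byte key yields 24 bytes.
WRAPPED_KEK_BYTES = 24


def parse_fvde_line(line: str) -> dict:
    """Split one $fvde$ line into its fields, checking each for consistency.

    Raises ValueError with a specific reason when the line is not a complete,
    well-formed record, e.g. the redacted copy-paste above.
    """
    fields = line.strip().split("$")
    # The leading '$' produces an empty first element, so seven pieces total.
    if len(fields) != 7 or fields[0] != "" or fields[1] != "fvde":
        raise ValueError("not a $fvde$ record with six fields")
    _, _, version, salt_len, salt, iterations, blob = fields

    if version != "1":
        raise ValueError(f"unsupported version {version!r}")
    if not (salt_len.isdigit() and iterations.isdigit()):
        raise ValueError("salt length and iteration count must be decimal")
    if not HEX_RE.match(salt) or len(salt) != 2 * int(salt_len):
        raise ValueError("salt is not hex or does not match declared length")
    if int(iterations) <= 0:
        raise ValueError("iteration count must be positive")
    if not HEX_RE.match(blob) or len(blob) != 2 * WRAPPED_KEK_BYTES:
        raise ValueError("wrapped KEK is not hex or has the wrong size")

    return {
        "version": int(version),
        "salt": bytes.fromhex(salt),
        "iterations": int(iterations),
        "wrapped_kek": bytes.fromhex(blob),
    }


def is_well_formed(line: str) -> bool:
    """True when parse_fvde_line accepts the line, False on any defect."""
    try:
        parse_fvde_line(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for line in (FULL_LINE, REDACTED_LINE):
        try:
            rec = parse_fvde_line(line)
            print(f"ok: {len(rec['salt'])}-byte salt, "
                  f"{rec['iterations']} iterations, "
                  f"{len(rec['wrapped_kek'])}-byte wrapped KEK")
        except ValueError as exc:
            print(f"rejected: {exc}")
```

Run against the two lines, the full sample parses to a 16-byte salt, 41000 iterations and a 24-byte wrapped KEK, while the redacted line is rejected because the dots swallowed two field separators. The same check catches a salt length that disagrees with the hex that follows it, which is the kind of copy-paste damage that otherwise only shows up as a cryptic "no hashes loaded".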
CRO
2018-08-30 16:01:11 UTC
Post by Dhiru Kholia
It seems that the EncryptedRoot.plist.wipekey stuff is required for an
encrypted "system disk" but not for external encrypted disks.
Yes. https://github.com/libyal/libfvde/wiki/Mounting
Post by Dhiru Kholia
Also see http://az4n6.blogspot.com/2016/07/mounting-and-reimaging-encrypted.html.
I know this (very interesting) link. But I need to try to bruteforce the
hash because I don't have the recovery key or the password.

Thanks for everything, my work can start. It is a criminal forensic MacBook
image, so I hope to break it :)
