Discussion:
assistance dmg2john.py RE: encrypted / unmounted dmg partitions
Shia Aaron Lloyd Fisher
2013-09-12 19:09:09 UTC
Hello,

First Question; Situation:

1.) I encrypted a partition on my MAC OS X 10.7.5 internal Hard Drive.
the other partition contains the startup and is not encrypted
2.) I cannot seem to authenticate my password (leads me to think I fat
thumbed)
:. I cannot remember my password
3.) per the internet's advice I have looked into dmg2john and am attempting
to run dmg2john.py against my forgotten drive

PROBLEM:
If it is not mounted, it displays no logical path, I can only see the
identifier name. What syntax should I use in Terminal to run dmg2john.py
against my dmg stored in "Apple_CoreStorage 150.2 GB disk0s4"?

I appreciate any type of support, even if it is just helping me rewrite the
question, as I cannot be sure my terminology is accurate.

Thanks fam!
--
SFisher
*"Semper Fidelis: Always Faithful"*
magnum
2013-09-12 19:30:47 UTC
Post by Shia Aaron Lloyd Fisher
If it is not mounted, it displays no logical path, I can only see the
identifier name. What syntax should I use in Terminal to run dmg2john.py
against my dmg stored in "Apple_CoreStorage 150.2 GB disk0s4"?
I've only tried this on disk images, not partitions. I guess it should be something like this:

$ sudo ./dmg2john.py /dev/disk0s4

...but trying that on my gear, it doesn't seem to work. Not sure if this is some functionality lacking in dmg2john. We'll try fixing that quickly if so.

Hopefully Dhiru will chime in. BTW Dhiru, why do I have a dmg2john symlinked to john, as well as a dmg2john.py?

magnum
Solar Designer
2013-09-12 19:40:33 UTC
Post by magnum
BTW Dhiru, why do I have a dmg2john symlinked to john, as well as a dmg2john.py?
I can answer this for Dhiru since I was involved in the decision-making.

This is how it should be. We have two implementations: one in C (linked
into the "john" binary, hence the symlink to "john"), the other in
Python. The C implementation is usable on any system where JtR is
built, without a dependency on Python (but this requires either a C
compiler or a binary build of JtR). The Python implementation does not
require a build of JtR, so it is more convenient to run on a Mac in
cases where the actual password cracking is to be performed on another
machine (e.g., on a Linux box with GPUs). The Python implementation is
especially handy when offering DMG password recovery as a service
(whether paid or free).

Alexander
Dhiru Kholia
2013-09-12 20:03:57 UTC
Post by Shia Aaron Lloyd Fisher
If it is not mounted, it displays no logical path, I can only see the
identifier name. What syntax should I use in Terminal to run dmg2john.py
against my dmg stored in "Apple_CoreStorage 150.2 GB disk0s4"?
Mac OS X 10.7.5 uses FileVault 2 for whole disk encryption which we
don't support at the moment. I am not a Mac user so the previous
statement needs to be confirmed.

We are (still) working on supporting FileVault 2 technology and JtR will
be able to crack it at some point :-)

In the meantime, here are some tips,

1. Try to remember the password and write down whatever you can remember
about the password (length, general structure, base words, etc).

2. Try to build a script around the "diskutil" command to do the
brute-forcing of your encrypted container (JtR can be used as
password generator for this script).

"diskutil corestorage list" should give you the UUID of the Logical
Volume.

"diskutil corestorage unlockVolume <UUID> -stdinpassphrase" command
can be used to mount a brute-force attack. Hopefully, Mac OS won't
wipe out your partition after N number of attempts ;)

3. I have read about using FileVaultMaster recovery keychain to unlock
the encrypted volume but I don't know anything about this method.

See http://tinyurl.com/CoreStorageAttacks for more information.

...

Hi Joachim,

Do you have some tips on solving this problem?
--
Dhiru
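The diskutil-driven guessing loop from tip 2 above, written out as an added example; this is not code from the thread or from the John the Ripper project. It assumes that "diskutil corestorage unlockVolume <UUID> -stdinpassphrase" reads one passphrase from standard input and exits non-zero when it is wrong, and it routes the unlock command through a variable (UNLOCK_CMD) so the loop can be exercised with a stand-in command on a machine without diskutil. Candidates come in on stdin, so "john --stdout" is the generator, as the tip suggests.

```bash
#!/bin/bash
# Feed candidate passphrases to "diskutil corestorage unlockVolume" until one works.
#
# Usage on the Mac with the locked volume (UUID from "diskutil corestorage list"):
#   UUID=$(diskutil corestorage list | awk '/Logical Volume /{print $NF}' | head -1)
#   john --wordlist=guesses.txt --rules --stdout | ./cs-guess.sh "$UUID"
#
# Assumption: unlockVolume exits 0 on success and non-zero on a bad passphrase,
# and reads the passphrase (terminated by a newline) from stdin when given
# -stdinpassphrase. Each attempt forks a diskutil process, so this is only
# practical for short, targeted candidate lists (see tip 1 in the post above).

# The command that consumes one passphrase on stdin; overridable for testing
# with a stand-in that behaves like diskutil (exit 0 only on the right guess).
: "${UNLOCK_CMD:=diskutil corestorage unlockVolume}"

# try_unlock UUID PASSPHRASE -> exit status of the unlock command
try_unlock() {
    # shellcheck disable=SC2086  # word-splitting UNLOCK_CMD is intended
    printf '%s\n' "$2" | $UNLOCK_CMD "$1" -stdinpassphrase >/dev/null 2>&1
}

# crack_corestorage UUID < candidates
# Prints the first passphrase that unlocks the volume and returns 0;
# returns 1 after exhausting stdin. Progress goes to stderr.
crack_corestorage() {
    uuid="$1"
    n=0
    while IFS= read -r cand; do
        n=$((n + 1))
        if try_unlock "$uuid" "$cand"; then
            printf '%s\n' "$cand"
            printf 'unlocked after %d attempt(s)\n' "$n" >&2
            return 0
        fi
        # Periodic progress so a long run is visibly alive.
        if [ $((n % 100)) -eq 0 ]; then
            printf '%d attempts so far, last tried: %s\n' "$n" "$cand" >&2
        fi
    done
    printf 'exhausted %d candidate(s) without unlocking\n' "$n" >&2
    return 1
}

# Run as a script: first argument is the Logical Volume UUID, candidates on stdin.
if [ "$#" -ge 1 ]; then
    crack_corestorage "$1"
fi
```

Because a wrong guess is only detected by diskutil's exit status, check once by hand that a deliberately wrong passphrase really does return non-zero on your OS X version before trusting a long run; if the volume unlocks, it is mounted, so stop the loop immediately (the function returns on the first success).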