To understand why FileVault is so important to enable on a Mac, we hacked into the macOS (v10.8+) login with a couple of methods. This is a breakdown to replicate how we did it.
If you’re looking to replicate this, only do so on your own computer and at your computer’s risk. Again, these attacks are specific to macs unprotected by FileVault.
1 - Boot the computer into Recovery Mode (press Cmd+R while turning the computer on until you see the Apple logo).
2 - Navigate to Utilities > Terminal in the toolbar. This will open a CLI.
3 - Using the command:
$ resetpassword
…you’ll be prompted with a Reset Password window to select which disk you want to change the login password to. Set the new password (no old password needed).
Restart the computer to boot normally and log in with the new password.
But let’s say we don’t want to change the computer password– we just want to find what the current one is. For this method you’ll need a flash drive and a separate computer.
1 - A hash of the login password is held in a file accessible – again – from the terminal in Recovery Mode. This file is an information property list file (extension “.plist”) named after the target’s username. You can list the computer’s users with the following command:
$ ls /Volumes/Macintosh/Users
2 - The location of the .plist file varies by the macOS version. A quick way to search for it is with the command:
$ find / -name “username_example.plist”
3 - Mount your flash drive into the target computer. Open anew tab and copy the .plist file to the flash drive using the path we just found to the file:
$ cp /path/to/username_example.plist /Volumes/FLASH_DRIVE
4 - Unmount the flash drive from the target computer. You can do this in a terminal with the following command:
$ umount /Volumes/FLASH_DRIVE
…and mount the flash drive to your separate computer and transfer the .plist file to it.
5 - On your separate computer, open a terminal and converted the file to an XML format:
$cat username_example.plist | plutil -convert xml1 - -o - > plistInXML.plist
6 - Now that it’s in a human-readable file format, find the <data> tag under the element <key>ShadowHashData<key> :
This is where the password’s hash is. Copy this data (including the tailing “==”) into a separate text file (e.g. hashData.txt). Make sure there are no line breaks. It should all be on a single line.
7 - The data is currently in Base64. Converted it to binary:
$echo hashData.txt | base64 -d > hashData.bin
8 - When you open this binary file in the free IDE TextMate, it’s automatically converted into a human-readable ASCII format. Download TextMate and use it to open the .bin file.
9 - Find the entropy, iterations, and salt values under “SALTED-SHA512-PBKDF2” and put them in the following format (no spaces or line breaks). It should all be on a single line:
$ml$iterations$salt$entropy
Example:
$ml$40670$54EDFB112E7694AFABEA2E5F6D06E919FAA6479CCC34A6F3194F37320E09DC43$2B80...
This formatting of the PBKDF2-SHA512 hash will allow us to crack it in Hashcat! Go ahead and put it in a .txt file (e.g. hash.txt).
10 - Now all we have to do is crack it! Run a wordlist of your choice against the file with the formatted hash using Hashcat:
$ hashcat --hash-type 7100 hash.txt wordlist.txt
How long this takes depends on the password strength. Once cracked, you can take the password and log in to the target computer.
With FileVault disabled, these attacks allowed us to access everything in the target computer that doesn’t have further verification. The immediate defense against this attack is turning on FileVault. This is found in System Preferences under Security & Privacy > FileVault. FileVault might or might not be on by default depending on the Mac’s macOS version. By activating this, your hard drive is encrypted while logged out, creating a boundary to interact with its data (e.g. the .plist file) without logging in first.
However, there are ways to bypass FileVault through forensic techniques. This leaves the defense of your computer in the hands of your login password strength. Depending on its complexity, cracking it could take 5min,45min, or an unrealistic amount of time.
Make sure your Mac has FileVault turned on, keep your Mac within eyesight, and use a password worthy of protecting your files.
