crowbarDMG – Version 1.0

Well here we are.  Finally, my very first full Cocoa program. One that does not come from a book.

crowbarDMG is a dictionary attack tool for DMG and Spareimage files for Macs.  It does require 10.5 Leopard.  It really wasn’t worth the trouble to redo things to work on Tiger.  It is completely free, so enjoy.  Be sure to read the included PDF readme file.  I address an issue if you use strings to pull out a dictionary from a disc image.  Some control characters need to be scrubbed else it will crash crowbarDMG.  Give it a shot if you need to recover a password for a dmg or filevault file.

*UPDATE* – Please make sure to run Check for Updates to obtain the latest build.  I have released v1.0.1 that implements garbage collection to help prevent memory leaks for long duration projects.

Thanks to Paul Figgiani for his patience in making GUI layout and improvement suggestions.

Thanks to Big Nerd Ranch for the fun bootcamp last October.  I would have never had the time to get up to speed on Xcode and ObjectiveC purely on my own.

Thanks as well to the following code and frameworks:

crowbarDMG – Download

66 Replies to “crowbarDMG – Version 1.0”

  1. Thank you for this app, I've been testing out a few .dmg crackers now.

    Yours is nice and lite weight to begin with. I would like to see full and multi cpu usage come to this app in the future as it currently runs @ 8% of one core. I understand this is something you're working on with finding something other than hdutil. Not sure what these guys are using but may be worth looking at the code :

    I hope this project flourishes. Any plans on releasing the source?

  2. Thanks I had not seen that code source. I was looking at using openciphers in the next version. Now I have two things to try. =)

    In this case the cpu utilization isn't a good measure. The bottleneck of a dictionary attack is the attempt on testing the password against the image. Thus why I need to look at something other than HDIutil as the password attempt method.

    I haven't made plans to just post the code for wide download. But to those to contact me directly I will provide it. You can just use the contact link on the right side of my site.

  3. I know the number of words and what 3 of the words are. will that help reduce the amount of time?

  4. crowbar just takes a text file dictionary file and runs through it. If you make your own file one “word” per line made of the combinations of the words you know then yes I imagine it would work through that fairly quickly.

  5. I cannot seam to get crowbar to open any of the dictionaries on my mac. Also what is the known extension for the password file?

  6. Dictionaries in a security tool sense are simply text files with one word per line. You can google “password word lists” for example. You can also see another post I made on using an automator to create a dictionary from various files.

    The crowbar apps are looking for .txt .pwd or no extension, but all must be plain text files with one password per line.

  7. Greetings. I have a dictionary with 200 passwords. Saved as .txt. Crowbar will only check 12/200 and skips others. Can not see pattern in skipped passwords. There are no non text strings such as %@ although % and @ can occur in a password such as passw@rd. Any thoughts? Thanks

  8. A guess would be you have a text file in windows end of line format. Have you made sure you ran the software update within crowbar to get the latest build?

  9. Yes, thanks. Have latest build. Tried saving as ASCII to remove any odd formats as well. Thanks.

  10. You are likely correct. I am using latest build. Here is how I generate files: Create columns is Excel, then combine as words. Copy the combined column, past in text edit, save as text file. Crowbar checks only 2-10 of the 169 entries. If I then manually delete all of the returns, making one long text string and manually separate into 169 entries and then save this as .txt, Crowbar checks all 169. Do you see an easier solution for removing the mystery character? Thanks

  11. I'm replicating your steps and seeing what sort of characters are getting in there that might be the issue. Then I can tell you a command to remove them.

  12. Two questions. 1. When you combine the columns are you using a third column with a concatenate formula then copying that? 2. When pasting into textedit on the mac side are you going into the menu under Format and hitting convert to plain text? THEN saving the file and using it for your dictionary?

  13. Greetings and thanks. 1). I concatenate columns with “=AH2&””&AI2&””&AK2” for example. 2. In Word, I use “paste special” and paste as the Excel column as “unformatted text”, “save as” “plain text”. In TextEdit I paste column and save as “Plain Text Unicode (UTF-8). I have tried viewing in a variety of ways to see the pesky mystery character…

  14. p.s. I would be happy to send example files of original then manually cleaned if that would be of help! Thanks.

  15. Sorry for letting the holidays tie me up. Here is your fix.

    Just have your dictionary file. and run this command
    cat original.txt | tr 'r' 'n'> cleaned.txt

    The way I saw what the issue was by doing cat -e original.txt
    It shows you the control-M which is the r

    That will replace the windows return line character with the mac friendly new line character. I had fixed crowbar to recognize what I had tested which is when both are present. What you are generating is only the windows return not both return+LF. I'll have to work up an update later. Till then you can just run that at a command line and it works. Or we can toss it inside an automator. See the automator linked in this post as an example.

  16. I know my password contained numbers…and I'm not quite sure how to program it to search numbers too? (Sorry, I consider myself to be computer savvy, but this type of programming is way over my head.)

  17. Hello,
    First of all, thank you for creating CrowbarDMG.

    I have a question somewhat related to CrowbarDMG:
    A friend of mine lost his password but remembers some part of it. I am looking to create permutations out of a series of words.
    i.e , if the password was made of words such as “i” + “lost” + “the” + “password”
    I am looking to generate all possible permutations of a list.
    I can then weed out with Excel and TextWrangler to reduce the size of the dictionary (length min-max, etc )

    Generating a full permutation out of a range of characters is not (time wise) feasible (~15^95 !!!!) but trying words permutation gives me a better chance and limit the improbable combination.
    I have tried online “Keywords exploder” but they do not permute fully.
    Any idea ?

    Second question is in relation to the speed, I have read that Crowbar should test about 130 pswd/ minute
    I have tried with both 128 and 256 AES, and on my machine, a MBP double core 2.66GHz + 4GB RAM, I am at 48 Pwsd / min average and the processes indicate CrowbarDMG @ 3% CPU only.
    Crowbar updated to the last V.

    Is this normal or I should look deeper?

    Thanks again for all your work and help


  18. Hello Georges,

    Thanks for the quick reply,
    Speed: Ok, I will then use multiple machines …

    “Keep in mind full permutation of a large list is a factorial operation. It gets HUGE fast.”
    Yes, I am aware of it. Unfortunately! Not only a “small” number of permuted words will reach HUGE number of strings, but on the top of that, as we speak words and not characters the space needed itself reach unrealistic numbers very fast, which return to the first issue: cracking time!

    I told my friend that, unless we can seriously reduce the number of “words”, our children would die trying. I mentioned to him a visit to a hypnotizer in the hope of trying to remember some of the words. As of today, 10 words fully permuted would take on average 198 years to crack.

    I’ll try and get back on this and you can test my permutation for me if you are interested.

    Cracking AES in blind mode is just a waste of electricity.
    I think that if a permuter was to be created , the goal of such permuter would be to be able to “optionize” the output and limit the junk.
    i.e length between x-xx char, or not generating string that contains certain strings generated by the permutation.
    i.e if the password of, let’s say 8 to 12 char long to recover was -possibly-composed of “I”+“love”+“you”+”!”
    It is reasonable to think that, the string “lovelovelove” is highly unlikely, as well as “!!!!!!!!”
    That is, if you remember some of the password.
    Otherwise it’s just torture …

  19. I have an application for that very purpose I have been working on. But I have not fixed mutlithreading and permutation code yet. So even if I gave you an early copy it won't help you yet. Keep in mind full permutation of a large list is a factorial operation. It gets HUGE fast. Which is why I haven't sorted out my own permutation code yet in my app under development. I have to decide some realistic limits for performance and to keep from blowing the app up. I'll try and get back on this and you can test my permutation for me if you are interested. In your case about how many words are you expecting to use?

    Yes crowbarDMG is slow because I am limited by system file level locks. I call the normal diskutil command associated with mounting dmg files. So there is no easy way to multithread that due to the file lock issue. I have some sample code of a project meant to speed that up but have not gotten into it yet.

  20. Hello, George!

    I'm trying to recover my photo album from a misplaced external harddrive. I had the album in a .sparsebundle archive to protect the contents, and now I cannot remember the password. I was trying to “remember” it with CrowbarDMG, but I'm having no luck. For the password, I usually prepend and append numbers/dates to a word associated with the file. I took the dict file on my Mac, and using TextWrangler, I prepended and appended every entry to “my” proper password format. No luck.

    Out of curiosity, I made a blank .sparsebundle with 128-AES encryption, and put a photo in it. No tick in the save to keychain, and then I unmounted the file. I created a new dictionary with only one entry, the correct password. I linked CrowbarDMG to the encrypted file and the new dictionary. The response: “Password Not Found,” and it checked two passwords. Does the app inherently check for a blank password is that the reason for 2 passwords checked?

    Thanks for any assistance and keep up the hard work!

  21. Can you confirm you are running the updated version of 1.0.3? But the application does generate one random garbage password to use to test if the image is already mounted. If it were mounted the diskutil command would return a success for any random password tested.

  22. I just repeated your test and got in just fine. I can only assume there is an issue with the text file you used for your test dictionary such as a control character that did not get filtered out.

    As to your need to generate a permutation dictionary, I followed you on twitter. DM me so we can communicate directly. You can try using an app I am not finished with yet to make the dictionary you need.

  23. Hi George,
    your app is really good.
    But… instead of a dictionary attack could be possible to realise a random data attack?
    I mean the possibility to select wich kind of data I want (numbers, upper or lower case, symbols) and set the range within to perform the attack .
    i.e. : I choose numbers, lower case and symbols with a range between 7 and 12, so the app tests every possible combination based on my choices.

  24. I actually am working on a different app to generate such complex or targeted dictionaries. Easier than trying to bolt it onto the crowbar apps. I am just needing to find time to sort out proper multithreading in the new app before I can release it.

  25. George,
    I appreciate this application.

    Question. I am trying to recover a password for a sparse disc image. I know part of the password. There is a word and then a dash. It’s the second part of the combination I can’t figure out. Is there a way to load that word or string of characters in? Then perform a search for the remaining characters?

  26. Hi Will, the crowbar apps simply accept and use a dictionary file and run through each complete password listed in the file. You have to build that file some other way. It sounds like you need to make a list of possible combinations of the final part and append all those combinations to the part you know. Then use that list with a tool like mine. How much do you know about the missing part? Length, etc.

  27. It keeps crashing on me while using a large password list. Any ideas?

    Also, and maybe this is a stupid question to ask, but do you have any plans on making it compatible with pooch clustering software? I’d imagine one could cut down on the time it takes to process all those passwords through parallel processing…

  28. It you are running into a crash please ensure you are on the latest build by running the auto update check. if you are still having an issue likely there is a control character embedded that I am not scrubbing on input from the file.

    No this cannot be clustered. This is a simple dictionary attack using the command to mount the disc image. It is not an attack on hashes or other data in the encryption itself that can be distributed mathematically.

  29. Sorry, I had given up. I’m now re motivated to try and find a way into this file. I know the first word and the dash…the second word or words I don’t know. I have a general idea of what I think it would be but don’t know exactly. Are you saying I would have to build this list myself? Why would I not just start trying passwords and marking them down.

  30. The source code would be useless on Ubuntu. I am using ObjectiveC and simply calling the disk utility to attempt to mount the image with the next password in the chosen dictionary. You can see an earlier blog post where I show the same thing in a shell script. The shell script would be more useful to you if you can mount OSX encrypted DMG files natively in Ubuntu.

  31. Hello sir, I had all my important utilities on one DMG file. I know the first part of the password is MM, mm, or mdm, and then a repeated series of 4 numbers. Is the numbers I don’t remember. Like mm149214921492. Is there a way to build a custom dictionary file with every combination of a few letters that are known and a series of numbers?

  32. Hi Matthew there sure is.  I see you did not use an email address but there is a link to your Facebook. I will send you further information there.

  33. Hello! Thanks for making CrowbarDMG first off – I tried John the Ripper – realized later it couldn’t do .dmg files.  next I tried vfcrack – and ended up getting the similar errors that you blogged about – ending up getting an “Abort trap” error.

    Anyways – I was wondering the same thing as Matthew – How can I create a dictionary with random numbers and files?
    Also – are you planning on updating the speed of crowbarDMG anytime soon? I split a dictionary into two 2.5MB .txt files and its reading ~52 words per min  – i’m running two crowbarDmg apps at the same time – therefore ~102min per min still seems slow…

    Thanks in advance!

  34. If you check the readme or previous posts you will find all I am doing is calling the command line utility built into OSX. Crowbar just makes it a smoother automation. Due to file locks while the login is being tried there is no real way I can speed it up.

    There are a number of tools out there that can generate dictionaries. Such as crunch in backtrack.

  35. Hi there, and thank you for this great appliaction.
    Can you send me your answer to Mathieu ? cause I have the same problem.
    My password is a combination with some numbers and leters , something like 4dihxex5dhjwac….but I did forget in which order I did it.

    Thank you in advance


  36. There are dictionary generation tools in Backtrack like Crunch. You could use it to make the dictionary output file then use that file in crowbar.

  37. hi george, you’re a life saver – almost ;-) i am a student who’s semester files are locked inside a sparsebundle, for which i forgot the password. i do remember the first half of it, and the second half should reside within a very narrow range. so, i need a way to generate a dictionary that can create these possible iterations. i noticed some discussion above about this, can you please let me in on the options? thanks very much, jg

  38. Success! (kinda…) I set your program to work on a sparsebundle and when I came back to it, I found it paused (because I stopped it, put my computer to sleep, woke it back up and thought I hadn’t restarted it), so I hit start absentmindedly. Nothing happened though, and the status told me “Password Already found for this Disc Image.” …but what was it? Where can I find the password? The disk isn’t mounted and I can’t find a readout in the console or anywhere that tells me what it was.


  39. Hi,

    I have create a sparsebundle whith unusual character like ∆, € or † in the password.
    CrowbarDMG fail to open it. My dictionary is a .txt

  40. a text file is not going to support those special characters and crowbar simply reads those in. You could look at the older blog post on the shell script I originally did. Perhaps you can modify that.

  41. Hello, I dont know how to create a dictionary for crowbarDMG, I know all the words I use to protect a DMG file, but I dont remember the order, anyone can help me please?

  42. Hi, I have a DMG file, and I cant remember the password, although I know all the possible words I use to encrypt the file. Anyone can help me to create the dictionary? I have tried but it isnt workging

  43. Hi, i cannot open crowbarDMG-v1.0.dmg, it said that “The following disk cannot be opened” and the reason is not recognized. What should i do??

  44. I’m having trouble using the program. For example what if I have specific words or number that I know are in the password. How do I include them?
    Thanks in advance.

  45. Hello, I have recently created a DMG file which worked fine with the password that I used on it. But the today when I use the same password, it doesn’t recognise the password. I know the password I used but tried is different combination. Is there a way to build a custom dictionary file with every combination of a few letters and numbers that are known for the password to make the process faster. Email address is

  46. I have several sparsebundles with similar passwords. Basically I use three words with different numbers and order for each sparsebundle. Couldn’t remember which combination I used for a backup and tried your app and it worked perfectly!!! :) Had to type out each combination, but much quicker than trying each combination by hand. Thanks a lot for the great app! Still works in 10.8!

  47. i have no idea how to use your crowbar software. Can you please guide me through in relation to the below problem I have.
    I have created a file image dmg on my mac and cant remember the password. I think it had the letters slt in but i don know if they were capitals or lower case.
    I would be extremely grateful if you are able to assist me in solving this.

    thank you

  48. hi sir i was using an android app called video locker to secure my
    important videos and in some day i sell my phone(galaxy note1) and copy
    all my internal memory to laptop where i found my videos in a folder
    called vl but i cant open them, then i found these videos encrypted
    with advanced 128 bit AES and even pwd was lost with my galaxy note1 so

    do you have any way to help me please

  49. hi sir i was using an android app called video locker to secure my
    important videos and in some day i sell my phone(galaxy note1) and copy
    all my internal memory to laptop where i found my videos in a folder
    called vl but i cant open them, then i found these videos encrypted
    with advanced 128 bit AES and even pwd was lost with my galaxy note1 so

    do you have any way to help me please

  50. Hello! Any chance this could be modified to use the hash (I assume that’s what it is) from diskutil coreStorage and be applied to an external FileVault drive rather than a DMG?

  51. What this does is call diskutil. You need to dig back to the old script based post. So no. I’m not a crypographer that can attack the encryption keys. This app was simply a learning project for xcode at the time. Doing the script you could attack a full disk rather than a dmg.

  52. what does it mean if the password is not able to be determined, what should i do next?

  53. Crowbar is just a dictionary attack tool. It only tries the list of words you feed it. You would need to generate a more extensive dictionary that may contain your password permutation. That is beyond the scope of my tools and assistance.

Comments are closed.