OSX Lion Filevault v2 – Dictionary Attack

I was curious if I could script a dictionary attack against one of the OSX Lion File Vault v2 encrypted external drives. If you haven’t set one up yet, you need to be on Lion. Grab a spare USB storage stick and back up any data from the device first: encrypting the device by the book will erase and destroy the existing contents.

  1. Go into “Disk Utility”
  2. Plug in the desired USB storage stick
  3. Click on the device in the list
  4. Click on the Erase tab
  5. Pull down the Format box and choose one of the Encrypted options like: Mac OS Extended (Journaled, Encrypted)
  6. Click Erase
  7. When prompted, provide the desired password.

Now that you have set up an encrypted device, you can use it to test this process.

  1. First eject the USB device
  2. Unplug it
  3. Plug it back in
  4. Click cancel and do not enter the passphrase

Now onto the rest of the process.

Each encrypted volume gets a unique identifier. You need to know this ID to put into the script we will use to loop through our password dictionary. Go to a terminal session and issue the following command.

diskutil coreStorage list

We can see the volume ID of our device. In our example below, the ID is B75621A3-C3F5-40B4-A441-37ECA3F4CD14. Copy that ID.

Create the script file below. Use vi in the terminal or your editor of choice. Replace DEVICEIDHERE in the script with the ID from your device. Save the script, then make it executable using chmod +x on the script file.

Now make yourself a password text file named test.txt with several passwords in it. Include the actual password. Make sure to fix the path to the test.txt file in the for line of the script.

Fire off the script and you should see your attached device mount when it hits the actual password from the list.

There you go. Just edit in the appropriate device ID and repeat as needed.

5 Replies to “OSX Lion Filevault v2 – Dictionary Attack”

  1. Has anyone examined the format of the ‘Recovery Key’ which is generated by FileVault2?
    It appears to always consist of 24 uppercase and numeric characters. Knowing that is probably not of much use, but if other consistent characteristics can be determined it may reduce the search effort.

  2. I’m not sure if this helps, but…

    Go to http://www.macworld.com/article/162999/2011/10/complete_guide_to_filevault_2_in_lion.html
    Scroll down to the Section, “Using a Recovery Key”.

  3. That only helps if someone recorded the recovery key or saved it with Apple when they set up the FDE. Most folks are working on older encrypted storage or didn’t keep access to the key.

  4. I’m trying to use the script, but getting an error in AppleScript Editor on ‘for’ which states “expected end of line, etc. but found parameter name.”

    Please advise
