UserFromCupertino

Q: recover forgotten password for sparse image

I created an encrypted sparse image a couple of years ago. I have since forgotten the password. How do I recover the password?

 

(OS X 10.10.5)

Thanks.

Posted on Jul 25, 2015 1:15 PM


  • by Kappy,

    Kappy Jul 25, 2015 1:24 PM in response to UserFromCupertino
    Level 10 (270,928 points)
    Desktops

    You can't recover it. If you forgot it, then whatever is on the encrypted image is lost.

  • by UserFromCupertino,

    UserFromCupertino Jul 25, 2015 2:17 PM in response to Kappy
    Level 1 (0 points)

    The internets tell me if you get the password hash out of some file,  you should be able to run a password hacker on it. Where would I find this password hash?

     

    Thanks

  • by Kappy,

    Kappy Jul 25, 2015 2:22 PM in response to UserFromCupertino
    Level 10 (270,928 points)
    Desktops

    I have no idea. Try a Google search.

  • by MrHoffman,

    MrHoffman Jul 26, 2015 10:52 AM in response to UserFromCupertino
    Level 6 (15,627 points)
    Mac OS X

    UserFromCupertino wrote:

     

    The internets tell me if you get the password hash out of some file,  you should be able to run a password hacker on it. Where would I find this password hash?

     

    Thanks

     

    There's no "hash out of some file" here.  That's fodder for TV shows and fiction and poorly-written crypto, but — short of a completely revolutionary cryptographic attack — that's just not something found with peer-reviewed and secure modern cryptography.

     

    If the password has been forgotten, then somebody will have to brute-force the encrypted disk, and — with a good password having been chosen — that might take a few decades.  Not kidding about that time horizon, either.  Might take quite a lot longer than decades, too. 

     

    With AES — which is what is used with most OS X disk images — there are no known viable attacks.   There is only brute-forcing.  And that effort might require — and I'm not making this up — billions of years for a good password, with present-day technology.

     

    If things were otherwise, the encryption would not be considered very secure.

  • by rccharles,

    rccharles Jul 27, 2015 1:47 PM in response to UserFromCupertino
    Level 6 (8,486 points)
    Classic Mac OS

    If you kind of remember your style of making up passwords, you might be able to speed up the password attack.  There are professional recovery firms you could employ ...

     

    try http://www.drivesaversdatarecovery.com/

  • by UserFromCupertino,

    UserFromCupertino Jul 27, 2015 2:37 PM in response to rccharles
    Level 1 (0 points)

    I use a few word combinations and uppercase/lowercase to create my passwords.  I want to be able to feed a password cracker this info and have it try all combinations.  Is there such a tool available?

  • by Tony T1,

    Tony T1 Jul 27, 2015 5:18 PM in response to UserFromCupertino
    Level 6 (9,249 points)
    Mac OS X

    There are tools that will do a dictionary crack, but you'll only have luck if you used a weak password.

    LMGTFY: http://bfy.tw/11Io

  • by Roote,

    Roote Jul 28, 2015 2:07 AM in response to UserFromCupertino
    Level 2 (417 points)

    Make sure you protect your data before running any commands on the command line by having a recent backup, preferably Time Machine. Any commands you run you do so entirely at your own risk. Information provided is intended for the password recovery of your own property.

     

    The best chance to recover the password is if a simple/weak password was used or you recall most of the characters. For instance, you recall all the alphabetic characters and their position, but you don't recall the numerical digits you appended. As a simple example, you recall using "hogwild", but not the three digits that follow: "hogwild%%%", where %%% could be any sequence of three numerals 0-9. That means there are 10^3 = 1,000 possible passwords. If you don't remember any of the characters, it will become impossible quickly. Consider that an unknown all lowercase five character simple password has 26^5 = 11,881,376 possibilities. If all ninety-five ASCII printable characters were selected from - letters, digits, punctuation marks, and miscellaneous symbols, there are 95^5 = 7,737,809,375 possibilities.

     

    If you have a reasonable idea what the password is, you can use a dictionary or hybrid dictionary attack to try to recover it. The strategy is to perform efficient rather than exhaustive attempts to reduce time expense. For a dictionary attack, you need to craft a custom word list which prunes the number of possible candidates. For the word list, you can use a command line word list generator such as crunch. Download from http://sourceforge.net/projects/crunch-wordlist/. Using the scenario above, an example of basic syntax:

     

    crunch 10 10 -t hogwild%%% -o /path/to/wordlist.lst

     

    Where crunch is the command, the first 10 is the minimum length of the string, the second 10 is the maximum length of the string, -o specifies an output file, and the -t option specifies that only the % symbol will change so that numbers will be inserted in place of the % symbol, in this case 000-999. Use the command "man crunch" in Terminal for more info. A good resource that explains the options in detail is available at http://adaywithtape.blogspot.com.au/2011/05/creating-wordlists-with-crunch-v30.html.


     

    Once you have a word list, you can use it with a command line password recovery/cracking tool such as John the Ripper.

     

    1. Download the John the Ripper bleeding-jumbo zip from https://github.com/magnumripper/JohnTheRipper. This version has the necessary dmg2john.py file for DMGs. Drag to the Desktop. Unzip if not already unzipped.

     

    2. Read the README and INSTALL files located in the doc subfolder. Add a .txt extension if needed to read as a text file. Follow the directions to build. You'll need Xcode installed. It can be downloaded from the Mac App Store.

     

    3. Read FAQ, MODES, RULES, EXAMPLES, and README.Apple_DMG for usage.

     

    4. If you haven't already, in Terminal create your word list with crunch or use the options available in JtR. For John the Ripper, the list requires a .lst extension. You may want to use base passwords in your word list and let JtR provide mangling rules with the --rules option while using wordlist mode. There are many subtleties involved in wordlist rules and well worth looking at in detail. Read EXAMPLES and RULES for more info.

     

    5. In Terminal, run dmg2john.py on your password-locked DMG. An example of basic syntax:

     

    /path/to/dmg2john.py /path/to/your/DMG.dmg > /path/to/DMG.txt

     

    6. Run the John the Ripper executable (john), located in the run subfolder, on the hash file created by dmg2john.py (i.e. DMG.txt). An example of basic syntax:

     

    /path/to/john --wordlist=/path/to/your/wordlist.lst /path/to/DMG.txt


     

    You might consider splitting the workload across multiple CPU cores with the --fork=N option, where N is the number of cores. Read more in the OPTIONS file.

     

    If you prefer a GUI to the command line to run JtR, you can download a binary of Johnny from http://openwall.info/wiki/john/johnny.


     

    Article about a Web Security professional who forgot his password:

    https://blog.whitehatsec.com/cracking-aes-256-dmgs-and-epic-self-pwnage/
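Added example, not part of Roote's post and not code from crunch or John the Ripper: the keyspace arithmetic from the post above, generalized to any crunch `-t` mask and to the "few remembered words in different casings" case raised earlier in the thread, with a worst-case search time. The guess rate, the word and casing counts, and the 33-character symbol set for `^` are assumptions of this example.

```python
import math
import string

# crunch -t placeholders; any other character in a mask is a fixed literal.
# Assumption: '^' covers the 33 printable ASCII characters that are neither
# letters nor digits (32 punctuation marks plus space), so 26+26+10+33 = 95.
PLACEHOLDERS = {
    "@": len(string.ascii_lowercase),
    ",": len(string.ascii_uppercase),
    "%": len(string.digits),
    "^": len(string.punctuation) + 1,
}
UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]


def mask_keyspace(mask):
    """Number of candidates a crunch -t mask expands to."""
    total = 1
    for ch in mask:
        total *= PLACEHOLDERS.get(ch, 1)
    return total


def word_combo_keyspace(vocabulary, picks, case_variants):
    """Ordered picks of distinct remembered words, each in several casings."""
    return math.perm(vocabulary, picks) * case_variants ** picks


def worst_case_seconds(candidates, guesses_per_second):
    """Time to try every candidate at a measured guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return candidates / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    RATE = 100  # constructed sample rate; measure your own hardware instead
    cases = {"hogwild%%%": mask_keyspace("hogwild%%%"),
             "5 lowercase": mask_keyspace("@@@@@"),
             "5 printable ASCII": 95 ** 5,
             "3 of 5 words, 3 casings": word_combo_keyspace(5, 3, 3)}
    for label, n in cases.items():
        print(f"{label:26} {n:>14,}  {humanize(worst_case_seconds(n, RATE))}")
```

The same numbers read the other way show how much each remembered character or word is worth when choosing a password: every unknown position multiplies the work by the size of its character set.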

  • by Roote,

    Roote Jul 28, 2015 2:36 AM in response to Roote
    Level 2 (417 points)

    Sample hash file generated by dmg2john.py:

    [Screenshot: hash4.png]

  • by Roote,

    Roote Jul 28, 2015 4:39 PM in response to Roote
    Level 2 (417 points)

    After looking at the various JtR versions, it looks like both John the Ripper 1.8.0-jumbo-1 versions now contain dmg2john.py. So download any of the three. JtR 1.8.0-jumbo-1 versions can be found at http://www.openwall.com/john/.

  • by Roote,

    Roote Jul 28, 2015 8:01 PM in response to Roote
    Level 2 (417 points)

    Although the Python script dmg2john.py works fine on Apple disk images (.dmg) and sparse images (.sparseimage), it hasn't been updated for sparse bundles (.sparsebundle). dmg2john is built into the john executable. Call the dmg2john symlink instead:

     

    /path/to/dmg2john /path/to/your/DMG.dmg > /path/to/DMG.txt




    Therefore, just use the symlink  (/path/to/dmg2john) for all three types.
