Bruteforce FileVault Encryption?

1

Lately I have been doing forensic and penetration testing, and I hope someone can explain what the data below is and how it could be used to perform brute-force attacks (hashcat) against MacBooks.

More specifically, what are "VEK Wrpd", "KEK Wrpd", "HMAC" and "PW Key"? And can they be used to reproduce the FileVault password if it is guessed correctly?

I used apfs-fuse to dump the data:

$ ./apfs-fuse -d 16 /dev/sda2/ /path/to/mount

Device /dev/sda2 opened. Size is 250790436864
starting LoadKeybag
 all blocks verified
 header has type 6b657973
Volume macOS1 is encrypted.
Password hint: looking for key type 3 for volume 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251 in m_container_bag
Trying to load key bag from recs_block
starting LoadKeybag
 all blocks verified
 header has type 72656373
Password hint: looking for key type 4 for volume 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251 in recs_bag
Enter Password: 
GetVolumeKey: Dumping container keybag.
Dumping Keybag (keys)

Version :    2
Keys    :    2
Bytes   :       e0

Key 0:
UUID    : 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251
Type    :    3 [Keybag Ref]
Length  :   10
Unknown :        0

Block   :           7c1f57
Count   :                1

Key 1:
UUID    : 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251
Type    :    2 [VEK]
Length  :   7c
Unknown :        0

[Blob Header]
Unk 80  : 0
HMAC    : 106BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9921
Salt    : 5493XXXXXXXX1F47

[VEK]
Unk 80  : 0
UUID    : 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251
Unk 82  :        0    1 9e b1
VEK Wrpd: 06391FA9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX552582F2



GetVolumeKey: looking for key type 3 for volume 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251 in m_container_bag
 key found
 data size matches that of key_extent_t
Trying to load key bag from recs_block
starting LoadKeybag
 all blocks verified
 header has type 72656373
Volume key bag loaded successfully. Dumping contents.
Dumping Keybag (recs)

Version :    2
Keys    :    3
Bytes   :      220

Key 0:
UUID    : 257AXXXX-XXXX-XXXX-XXXX-XXXXXXXX7975
Type    :    3 [KEK]
Length  :   94
Unknown :        0

[Blob Header]
Unk 80  : 0
HMAC    : F047XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXF6A8
Salt    : 630CXXXXXXXX268

[KEK]
Unk 80  : 0
UUID    : 257AXXXX-XXXX-XXXX-XXXX-XXXXXXXX7975
Unk 82  :        0    2 9e b1
KEK Wrpd: BB7FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX07F8
Iterat's: 100000
Salt    : 863CXXXXXXXXXXXXXXXXXXXXXXXX2F51


Key 1:
UUID    : CDF5XXXX-XXXX-XXXX-XXXX-XXXXXXXXE4CA
Type    :    3 [KEK]
Length  :   94
Unknown :        0

[Blob Header]
Unk 80  : 0
HMAC    : 5A2AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAEB8
Salt    : BFBFXXXXXXXX5FD6

[KEK]
Unk 80  : 0
UUID    : CDF5XXXX-XXXX-XXXX-XXXX-XXXXXXXXE4CA
Unk 82  :        0    2 9e b1
KEK Wrpd: 43A8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5E07
Iterat's: 117590
Salt    : 8751XXXXXXXXXXXXXXXXXXXXXXXXB0DA


Key 2:
UUID    : EBC6XXXX-XXXX-XXXX-XXXX-XXXXXXXXECAC
Type    :    3 [KEK]
Length  :   94
Unknown :        0

[Blob Header]
Unk 80  : 0
HMAC    : 9F92XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5706
Salt    : E363XXXXXXXXCC09

[KEK]
Unk 80  : 0
UUID    : EBC6XXXX-XXXX-XXXX-XXXX-XXXXXXXXECAC
Unk 82  :        0    2 9e b1
KEK Wrpd: CF35XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXEC04
Iterat's: 127270
Salt    : 3780XXXXXXXXXXXXXXXXXXXXXXXXA2E7



PW Key  : EE62XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX6AB5
KEK Wrpd: BB7FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX07F8
KEK     : A60EXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX4D78
KEK IV  : F7ECXXXXXXXX202A

PW Key  : 6363XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX6191
KEK Wrpd: 43A8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5E07
KEK     : EB9FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXD6F9
KEK IV  : 5932XXXXXXXX4ACB

PW Key  : 6B62XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXEEFF
KEK Wrpd: CF35XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXEC04
KEK     : B579XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAD90
KEK IV  : A3E7XXXXXXXXCA4F
    
asked by user291375 07.06.2018 - 21:04
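The dump above has a regular structure that is easier to reason about once it is parsed: the container bag ("keys") holds the wrapped volume encryption key (VEK Wrpd), and the volume bag ("recs") holds one KEK entry per unlock slot (a user password or a recovery key), each with its own salt and iteration count. The iteration count is the per-guess work factor of the password-derived key (the dump does not name the KDF; that it is an iterated PBKDF2-style derivation is an assumption here), so the slot with the fewest iterations is the one that sets the volume's effective resistance to offline guessing. The following parser is an added example, not code from the question, from apfs-fuse or from hashcat; SAMPLE_DUMP is a constructed, shortened copy of the redacted output shown above, and the function names are my own.

```python
import re

# Constructed sample: an abbreviated copy of the apfs-fuse keybag dump in the
# question (same layout, same X-redacted hex values, shortened for space).
SAMPLE_DUMP = """\
Dumping Keybag (keys)

Key 1:
UUID    : 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251
Type    :    2 [VEK]
[Blob Header]
HMAC    : 106BXXXX9921
Salt    : 5493XXXXXXXX1F47
[VEK]
UUID    : 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251
VEK Wrpd: 06391FA9XXXX552582F2

Dumping Keybag (recs)

Key 0:
UUID    : 257AXXXX-XXXX-XXXX-XXXX-XXXXXXXX7975
Type    :    3 [KEK]
[Blob Header]
HMAC    : F047XXXXF6A8
Salt    : 630CXXXXXXXX268
[KEK]
UUID    : 257AXXXX-XXXX-XXXX-XXXX-XXXXXXXX7975
KEK Wrpd: BB7FXXXX07F8
Iterat's: 100000
Salt    : 863CXXXX2F51

Key 1:
UUID    : CDF5XXXX-XXXX-XXXX-XXXX-XXXXXXXXE4CA
Type    :    3 [KEK]
[Blob Header]
HMAC    : 5A2AXXXXAEB8
Salt    : BFBFXXXXXXXX5FD6
[KEK]
UUID    : CDF5XXXX-XXXX-XXXX-XXXX-XXXXXXXXE4CA
KEK Wrpd: 43A8XXXX5E07
Iterat's: 117590
Salt    : 8751XXXXB0DA
"""

BAG_HEADER = re.compile(r"^Dumping Keybag \((\w+)\)")
FIELD = re.compile(r"^(.+?)\s*:\s*(.*)$")   # "Name   : value" lines


def parse_keybag_dump(text):
    """Parse the 'Dumping Keybag' sections of apfs-fuse debug output.

    Returns one dict per 'Key N:' entry: {"bag": "keys"|"recs",
    "top": {...}, "Blob Header": {...}, "VEK"/"KEK": {...}}.
    """
    entries, bag, current, section = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = BAG_HEADER.match(line)
        if m:                                   # new bag: "keys" or "recs"
            bag, current, section = m.group(1), None, None
        elif line.startswith("Key ") and line.endswith(":"):
            current = {"bag": bag}              # start of a key entry
            entries.append(current)
            section = "top"
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                # "[Blob Header]", "[KEK]", "[VEK]"
        elif current is not None and (m := FIELD.match(line)):
            current.setdefault(section, {})[m.group(1).strip()] = m.group(2).strip()
    return entries


def key_kind(entry):
    """'VEK', 'KEK' or 'Keybag Ref', taken from the bracketed Type label."""
    m = re.search(r"\[(.+?)\]", entry.get("top", {}).get("Type", ""))
    return m.group(1) if m else ""


def password_slots(entries):
    """(uuid, iterations, salt) for every KEK entry, i.e. every unlock slot
    (user password or recovery key) with its own KDF parameters."""
    return [(e["top"]["UUID"], int(e["KEK"]["Iterat's"]), e["KEK"]["Salt"])
            for e in entries if key_kind(e) == "KEK"]


def weakest_slot(entries):
    """The slot with the fewest KDF iterations bounds the cost of one offline
    guess for the whole volume; None if the dump holds no KEK entries."""
    slots = password_slots(entries)
    return min(slots, key=lambda s: s[1]) if slots else None
```

Run on the sample, `password_slots` reports two slots at 100000 and 117590 iterations, and `weakest_slot` returns the 100000-iteration entry. For an auditor, the useful output is not the wrapped keys themselves but the number of slots (each recovery key or extra user account is another guessable secret) and the lowest iteration count among them.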

0 answers
