This recipe shows how to brute-force open an encrypted Mac OS X disk image if you cannot remember the password any more.
The approach also works with sparseimage files using AES 128 or 256 bit encryption, as used by macOS Sierra 10.12.
The prerequisite is that you have an idea of what the password may look like: you can guess most of its elements, but something was added or you no longer remember the exact password.
A situation like this:
MotherShip:~ akira$ hdiutil attach -readonly -nomount Desktop/Secrets.sparsebundle
Enter password to access "Secrets.sparsebundle":
hdiutil: attach failed - Authentication error
In this case, you can use John the Ripper to brute-force the disk image's hash value via a wordlist and rules.
Install John
First you need to install “John the Ripper” (JtR). The precompiled macOS version is best suited.
The Linux versions available via apt for Debian lack the latest patches necessary for sparseimage files.
Get the password hash
The macOS distribution includes a tool “dmg2john”, which also works on sparseimage files.
MotherShip:~ akira$ run/dmg2john ~/Desktop/Secrets.sparsebundle > Secrets.hash
filepath = /Users/akira/Desktop/Secrets.sparsebundle path_length = 45
/Users/akira/Desktop/Secrets.sparsebundle/token (DMG v2) successfully parsed, iterations count 243902
The image's password hash is now written to the Secrets.hash file as text, in the format JtR expects:
MotherShip:JtR akira$ cat Secrets.hash
/Users/akira/Desktop/Secrets.sparsebundle/bands/0:$dmg$3*30*dsvfgefdbf3cf853feaae49a59c3c90b29fgcf*31*387a0674d267374d000000000...
Provide a wordlist
Assemble a list of candidates for your cracking attempt as a text file. Words that may be part of the password – or any words used by the image owner that could have been combined into it – are simply written down one per line.
Run the cracker
Just run JtR. No additional configuration needed.
MotherShip:JtR akira$ run/john --wordlist=Words/words.lst --rules:All Secrets.hash
Warning: detected hash type "dmg", but the string is also recognized as "dmg-opencl"
Use the "--format=dmg-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (dmg, Apple DMG [PBKDF2-SHA1 256/256 AVX2 8x 3DES/AES])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
welcome1 (/Users/akira/Desktop/Secrets.sparsebundle/bands/0)
1g 0:01:24:20 DONE (2017-09-18 18:27) 0.000197g/s 213.6p/s 213.6c/s 213.6C/s welcome..changeme
Use the "--show" option to display all of the cracked passwords reliably
Session completed
In this case, obviously, “welcome1” was the password. You can mount the image file now.
You can of course also use a real brute-force approach, e.g. “run/john Secrets.hash” without your own wordlist, letting john permutate through the whole character set; but given sufficient password complexity that can be a lengthy approach, fortunately.
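Why the rate in john's status line is only a few hundred guesses per second, and what that means for the "lengthy approach": every guess has to pay for the PBKDF2-SHA1 key stretching that dmg2john reported (243902 iterations). The following script is an added illustration, not part of the original recipe or of JtR; the salt and the guessed passwords are constructed for the demo, while the iteration count, the rate and the session length are the values shown on this page.

```python
import hashlib
import time

# Values taken from the dmg2john / john output above; the salt below is a
# constructed placeholder, not the one from the image.
ITERATIONS = 243902            # "iterations count 243902" reported by dmg2john
OBSERVED_RATE = 213.6          # p/s (guesses per second) from john's status line
SESSION_SECONDS = 1 * 3600 + 24 * 60 + 20   # "0:01:24:20" session length
DEMO_SALT = bytes.fromhex("30" * 20)        # constructed 20-byte salt


def stretch(password: str, salt: bytes = DEMO_SALT,
            iterations: int = ITERATIONS) -> bytes:
    """The key-stretching step behind the $dmg$ hash: PBKDF2-HMAC-SHA1.

    Each candidate password has to run through this many HMAC-SHA1 rounds
    before it can be checked, which is what limits the cracker to a few
    hundred guesses per second on a CPU."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, 32)


def time_one_guess(password: str = "welcome1") -> float:
    """Wall-clock seconds one derivation costs on this machine."""
    t0 = time.perf_counter()
    stretch(password)
    return time.perf_counter() - t0


def candidates_tried(seconds: float, rate: float = OBSERVED_RATE) -> int:
    """How many wordlist+rules candidates a session of this length covers."""
    return round(seconds * rate)


def seconds_to_exhaust(candidates: float, rate: float = OBSERVED_RATE) -> float:
    """Time needed to try every candidate at the given guess rate."""
    return candidates / rate


if __name__ == "__main__":
    print(f"one guess costs {time_one_guess():.3f}s of PBKDF2 here")
    print(f"the 1h24m20s session on this page covered about "
          f"{candidates_tried(SESSION_SECONDS):,} candidates")
    # A random 10-character password from a 62-character alphabet:
    years = seconds_to_exhaust(62 ** 10) / (365 * 86400)
    print(f"exhausting 62^10 candidates at this rate takes ~{years:,.0f} years")
```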
See also: Password Cracking AES-256 DMGs and Epic Self-Pwnage