I recently started doing forensic analysis and penetration testing, and I hope someone can explain what the following data is and how it could be used to run brute-force attacks (hashcat) against MacBooks.
More specifically, what are "VEK Wrpd", "KEK Wrpd", "HMAC" and "PW Key"? And can they be used to reproduce the FileVault password if it has been guessed correctly?
I used apfs-fuse to dump the data:
$ ./apfs-fuse -d 16 /dev/sda2/ /path/to/mount
Device /dev/sda2 opened. Size is 250790436864
starting LoadKeybag
all blocks verified
header has type 6b657973
Volume macOS1 is encrypted.
Password hint: looking for key type 3 for volume 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251 in m_container_bag
Trying to load key bag from recs_block
starting LoadKeybag
all blocks verified
header has type 72656373
Password hint: looking for key type 4 for volume 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251 in recs_bag
Enter Password:
GetVolumeKey: Dumping container keybag.
Dumping Keybag (keys)
Version : 2
Keys : 2
Bytes : e0
Key 0:
UUID : 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251
Type : 3 [Keybag Ref]
Length : 10
Unknown : 0
Block : 7c1f57
Count : 1
Key 1:
UUID : 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251
Type : 2 [VEK]
Length : 7c
Unknown : 0
[Blob Header]
Unk 80 : 0
HMAC : 106BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9921
Salt : 5493XXXXXXXX1F47
[VEK]
Unk 80 : 0
UUID : 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251
Unk 82 : 0 1 9e b1
VEK Wrpd: 06391FA9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX552582F2
GetVolumeKey: looking for key type 3 for volume 1342XXXX-XXXX-XXXX-XXXX-XXXXXXXX4251 in m_container_bag
key found
data size matches that of key_extent_t
Trying to load key bag from recs_block
starting LoadKeybag
all blocks verified
header has type 72656373
Volume key bag loaded successfully. Dumping contents.
Dumping Keybag (recs)
Version : 2
Keys : 3
Bytes : 220
Key 0:
UUID : 257AXXXX-XXXX-XXXX-XXXX-XXXXXXXX7975
Type : 3 [KEK]
Length : 94
Unknown : 0
[Blob Header]
Unk 80 : 0
HMAC : F047XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXF6A8
Salt : 630CXXXXXXXX268
[KEK]
Unk 80 : 0
UUID : 257AXXXX-XXXX-XXXX-XXXX-XXXXXXXX7975
Unk 82 : 0 2 9e b1
KEK Wrpd: BB7FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX07F8
Iterat's: 100000
Salt : 863CXXXXXXXXXXXXXXXXXXXXXXXX2F51
Key 1:
UUID : CDF5XXXX-XXXX-XXXX-XXXX-XXXXXXXXE4CA
Type : 3 [KEK]
Length : 94
Unknown : 0
[Blob Header]
Unk 80 : 0
HMAC : 5A2AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAEB8
Salt : BFBFXXXXXXXX5FD6
[KEK]
Unk 80 : 0
UUID : CDF5XXXX-XXXX-XXXX-XXXX-XXXXXXXXE4CA
Unk 82 : 0 2 9e b1
KEK Wrpd: 43A8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5E07
Iterat's: 117590
Salt : 8751XXXXXXXXXXXXXXXXXXXXXXXXB0DA
Key 2:
UUID : EBC6XXXX-XXXX-XXXX-XXXX-XXXXXXXXECAC
Type : 3 [KEK]
Length : 94
Unknown : 0
[Blob Header]
Unk 80 : 0
HMAC : 9F92XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5706
Salt : E363XXXXXXXXCC09
[KEK]
Unk 80 : 0
UUID : EBC6XXXX-XXXX-XXXX-XXXX-XXXXXXXXECAC
Unk 82 : 0 2 9e b1
KEK Wrpd: CF35XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXEC04
Iterat's: 127270
Salt : 3780XXXXXXXXXXXXXXXXXXXXXXXXA2E7
PW Key : EE62XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX6AB5
KEK Wrpd: BB7FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX07F8
KEK : A60EXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX4D78
KEK IV : F7ECXXXXXXXX202A
PW Key : 6363XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX6191
KEK Wrpd: 43A8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5E07
KEK : EB9FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXD6F9
KEK IV : 5932XXXXXXXX4ACB
PW Key : 6B62XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXEEFF
KEK Wrpd: CF35XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXEC04
KEK : B579XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAD90
KEK IV : A3E7XXXXXXXXCA4F