Command line tool for performing brute-force attacks on encrypted HFS+ drives. A Mac is required to run.
$ brew tap evanwieland/homebrew-brute
$ brew install brute$ git clone https://github.com/evanwieland/brute && cd brute
$ export PATH="$PATH:/path/to/dir"
$ chmod +x bruteCrunch and GNU Parallel are requirements that will also need to be installed manually.
$ sudo brute [drive uuid] [crunch arguments]IMPORTANT: sudo is required to run Brute. This is due to the
diskutil coreStorage unlockVolumecommand being used. If sudo is not used, only 100 attempts to unlock the drive can be made and the machine will need to be restarted.
To get your drive UUID, mount the drive and run:
$ diskutil listThe UUID will have the format: ########-####-####-####-############
Brute uses Crunch to generate a wordlist. You can learn more on how to set the crunch arguments by reading this tutorial or the Crunch man page.
Below demonstrates unlocking a drive with the password "fun". Obviously, this is an idealized attack and would usually take many, many more attempts.
$ sudo brute 8A2B552D-1E7F-4089-AA1E-0B709C05D21F 3 3 nfu
Crunch will now generate the following amount of data: 108 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 27
[1] nnn
[2] nnf
[3] nnu
[4] nfn
[5] nff
[6] nfu
[7] nun
[8] nuf
[9] nuu
[10] fnn
[11] fnf
[12] fnu
[13] ffn
[14] fff
parallel: This job succeeded:
cast 16
[15] ffu
[16] fun
[MATCH] fun
[17] fuf
[18] fuu
[19] unn
************************
Password found: fun
************************To help reduce I/O overhead and wear and tear on the encrypted drive, it is possible to clone the drive to the local drive in order to perform the attack. The steps are as follows:
-
Mount the encrypted drive drive.
-
Run
$ diskutil listto get the drive identifier. -
Clone the drive by running
$ sudo dd if=/dev/disk<YOUR_DRIVE_ID> of=Desktop/victim.dmg bs=2048 conv=sync,notrunc. -
To eject the encrypted drive, run
$ diskutil eject /dev/disk<YOUR_DRIVE_ID>. -
Mount the cloned drive by running
$ hdiutil attach -noverify -nomount ~/Desktop/victim.dmg.
- Crunch is used for generating wordlists.
- GNU Parallel is used for task parallelization.
If you would like to contribute, submit an issue and/or send a PR.
MIT License
Copyright (c) 2021 Evan Wieland
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.