Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Lost sparseimage passphrase

20 views
Skip to first unread message

The Dubious Khelair

unread,
Jul 7, 2012, 11:41:11 PM7/7/12
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have a couple of hard drives sitting here that have archives of photos
that I really need to retrieve for my family from back in the day.
Unfortunately my home directory(s) are sitting in an encrypted
'sparseimage' format on my several flavors of *NIX. I need to find a
way to brute force the encryption (just the passphrase, of course)
because I've tried every frigging passphrase that I use and combinations
thereof and none are working. Unfortunately I'm not even able to find
where the [potentially salted] password hash is at.

Two different old dead laptops have their drives in this condition for
me. Can anybody offer a pointer as to where I can at least find the
hash so that I can start some cores crackin' at this?

Anything y'all might be able to offer in assistance is very much
appreciated; I had an encrypted home directory on my laptop while I was
in the army where I was drinking a little bit much (hence the laptop
breaking as well as the passphrase being lost), and those machines had a
lot of archived photos from my history as well. This is all very
important to me right now as I've only now gotten in touch with my
biological family after 34 years with an adoptive family and I want to
be able to show them bits of my life that are stored on there.

Thanks in advance for anything you can help with on this!

- -Damo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (OpenBSD)

iQIcBAEBAgAGBQJP+P5eAAoJECqJ6HQbyBt4jMoP/0lGlnVrA18KjSNsGMB+IaFH
UGUovh1kbzu5DFjHh0r8aXE26j+uxJ7tuCxgl3GmvBc2xK5XOxZrIX9vaKTy/+DZ
PgO94XbFqvPKHqXa6g5JfgK5ByWpr0WJZabRQm3dUuU2AnZzRSYgg1MPj8jF1BFn
uSvdhXO4L9EDC7e/1H60j+G3Ah+zx590vRlofOxfZavGYeWruAaH36knnA/vgjlQ
XniRX88Z6etKWiSLbED+E+y8YTJskexVEkOmcNTiCGhr+T/bowMfM3YQVAFc0bU/
hwp+L2hM0H1svut4Vr1En8tSFaWnlhevAia+97eQ9crTM9AOGOGYYidgcR+EkjND
Ra/bj4bGGgpDiGy64d5J1kV9bcFSCce2DmlsxuyXr5mbhv2FgXosqc5sdRUGY+Km
pD1CJeG0WSbKfyTNMVpjiErkufD/Ia8QL0V2jftnQRwXTM6Pxe1BPedGm8SF4jCl
z5e6Sl1WocyZVaSiQzll2TA2DA/DzThnpDopzZdk+3Lw1SotgCX9+ySod9z4i2x5
KcAMQi0CsSG2ImgGARDPlwTMMXTu2v4zTBD52P0WbWEzJFWVCs2szf9w/8VlmQO1
RCI6KjeTRyFIcJdL09oKpM3siLUTu3BSIExoJrBzUu+TsY5q8qrtavHpbGXJtUeT
Mws6ShknaHCuovEAhhK7
=ZA8S
-----END PGP SIGNATURE-----
Message has been deleted

nospam

unread,
Jul 8, 2012, 3:32:42 AM7/8/12
to
In article <jtavgn$g2t$1...@dont-email.me>, The Dubious Khelair
<khe...@contract.gateway.2wire.net> wrote:

> I have a couple of hard drives sitting here that have archives of photos
> that I really need to retrieve for my family from back in the day.
> Unfortunately my home directory(s) are sitting in an encrypted
> 'sparseimage' format on my several flavors of *NIX. I need to find a
> way to brute force the encryption (just the passphrase, of course)
> because I've tried every frigging passphrase that I use and combinations
> thereof and none are working. Unfortunately I'm not even able to find
> where the [potentially salted] password hash is at.

you might be able to do a dictionary attack if your passphrase was in
the dictionary. otherwise, you're pretty much screwed.

Wes Groleau

unread,
Jul 8, 2012, 9:51:42 PM7/8/12
to
On 07-08-2012 02:38, Michael Vilain wrote:
> There's no real easy way to do this. If you can guess the passphrase,
> then the content is gone. That assumes you don't know anyone in the
> security community that can crack the file.

Tell the NSA you think there are pictures of terrorists in it.

--
Wes Groleau

“There are more people worthy of blame
than there is blame to go around."



Wes Groleau

unread,
Jul 8, 2012, 10:00:09 PM7/8/12
to
On 07-08-2012 03:32, nospam wrote:
> you might be able to do a dictionary attack if your passphrase was in
> the dictionary. otherwise, you're pretty much screwed.

PassPHRASE, so it would be

for WORD1 in $(cat dictionary); do
<command> $WORD1
for WORD2 in $(cat dictionary); do
<command> $WORD1 $WORD2
for WORD3 in $(cat dictionary); do
<command> $WORD1 $WORD2
# etc.
done
done
done

Then there's the problem that the dictionary might contain "speak" but
not "spoken" or "be" but not was, is, are, were, etc.

And there could be punctuation....

--
Wes Groleau

“There ain't nothin' in this world that's worth being a snot over.”
— Larry Wall



bi...@mix.com

unread,
Jul 9, 2012, 12:23:00 AM7/9/12
to
The Dubious Khelair <khe...@contract.gateway.2wire.net> wrote:

> Can anybody offer a pointer as to where I can at least find the
> hash so that I can start some cores crackin' at this?

It may exist, but I haven't seen much documentation on this part
of Apple's filesystem. I'd suggest creating an encrypted image,
then changing its pass phrase, then comparing the two to perhaps
get a clue about where the hash lives. Or at least begins...

You could ask here -

https://lists.apple.com/mailman/listinfo/filesystem-dev

Or dig though this -

https://lists.apple.com/archives/Filesystem-dev

Apple's search doesn't work very well (if at all) so you
should use Google for that -

http://www.google.com/search?q=encrypted%20disk%20image%20site%3Alists.apple.com

Where you'll get hits like this -

http://lists.apple.com/archives/fed-talk/2007/Apr/msg00177.html

which cites -

http://www.macworld.com/article/1057591/maclockpick.html

The link to MacLockPick in this MacWorld article has changed -

http://preview.tinyurl.com/6mlyccn

I wish you good luck...!

Billy Y..
--
sub #'9+1 ,r0 ; convert ascii byte
add #9.+1 ,r0 ; to an integer
bcc 20$ ; not a number

The Dubious Khelair

unread,
Jul 10, 2012, 6:45:29 AM7/10/12
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank you for pretty much the only constructive response that I've
gotten on this issue so far. Of course none of the idiots hashing on me
about why I was encrypting this stuff knew that I was in the army and
that the partition that was encrypted contained data that could have
been used against myself and/or other people at the time (not in there
now and I hate the whole agenda of the U.S. government in general and
have since before the army [joined just to see what was up with the war
in iraq, primarily, and to find out moar about 9/11] so I don't give an
flying eff right now), so there was a good reason to have that data
encrypted.

Anyway, I have saved your article and after I get off of work I will be
checking out the links that you've sent. Here, also, is a link that
I've found that seems to directly reference being able to find out the
passphrase for the account, which is the same one used for the
sparseimage encryption scheme, pull it out of the different files since
it's not stored in a standard UNIX passwd/shadow format, stick it into
something like that, and use a program called 'John the Ripper' (or
various other ones) to brute force it since a dictionary attack wouldn't
work against my very secure 40+ character passphrase. Plus it can be
done in a clustered environment so CPU time isn't quite as limiting as
it could be. Once again, the idiots failed to read for content; I
pointed out very specifically that I was looking for the passphrase to
be broken, not to analyze and decrypt the raw sparseimage itself. Of
course that's secure encryption and would be far too rough to handle
especially for someone as uneducated in the encryption algorithms as
myself.

Thanks for the help, bro. Much appreciated.

(Here's the link I was referencing:
http://crucialsecurityblog.harris.com/2011/03/30/4/)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (OpenBSD)

iQIcBAEBAgAGBQJP/ATQAAoJECqJ6HQbyBt4BKAP+wV7tcRzr7e85AitzXhso53T
a3IHUioxDolnmwAuTo3uzSK/bWa16uF9nrsS35R+JlHHjw/8oiSbCRsv75VPMV7y
UpIxifPuE3z3QAPcxdw76YcxzWogf4rRMSATLwGnA83YFc7YA+jHa7lM0oou3e0g
zN7kbsSgSkdJl4Nd2Ta7sUqtMzaOIwTO6O98Coy5vVWtyLCLtbLfz1FXMT0SE+pn
hMIKfSwizmvu/X5WBzVwOXz4ECvZM+wojadaF75wcjiDEPUSfVRY6mIfU612OeFk
ivK9BZp2AF5peVD4yXwXl36t4VX7gANTJ9fwT9furjmEkM8nM+sUJPrzolQsdA7g
ZDI3deq2ZGjycwjT7p4XRamFieIARTR1mUCh07imaksfD4ROMpLqjT7+bHWwZTj+
+zcD/dIZIo+Hc0MBZjH4Pnrv9i3yzQTmo8+ZdcViYM6BWJhaEjwn9rvF1I3Wv2uB
YfIFrlNxkRkT8+3D5Y65UGwC3JFDWMzo2geGY21KgyaqKhK/JX+5ukC/7CiO/+Ng
6XX4y14vIfIhNuRUCKbDj2qpM/g8wTMUV8gsmQF6Wb2AMMQrkzU9YISxGOx3gz+P
8Nx3eOyQ/do3depLNoHuyfy1kAs1Mpb/SskT4/rNHoy8SEwTrCYBDUk8XlbZF/k+
z6uR8xxvqEAlkO6/ZETg
=jGnY
-----END PGP SIGNATURE-----

bi...@mix.com

unread,
Jul 12, 2012, 12:22:35 PM7/12/12
to
In comp.sys.mac.system The Dubious Khelair <khe...@contract.gateway.2wire.net> wrote:

> (Here's the link I was referencing:
> http://crucialsecurityblog.harris.com/2011/03/30/4/)

Lots of good info here, thanks! I have saved a copy, along
with the page on hashes it links to, just in case...

Here's some interesting reading on the difference between a
cryptographic hash and a password storage hash -

http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/

the essence of which is the time to crack a cryptographic hash
is much shorter, because the hash function has to complete much
faster. There's likely some glimmer of hope for recovering your
disk image here...

The Dubious Khelair

unread,
Jul 13, 2012, 6:42:33 AM7/13/12
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Outstanding, and thank you for the added information. Just started a
new job so I haven't had a lot of time to be working on this more, but
hopefully this weekend I can get everything up and running on it. :)

- -Damo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (OpenBSD)

iQIcBAEBAgAGBQJP//iGAAoJECqJ6HQbyBt4wm0P/1Z/7oMVNaMC44MFosf7rOTa
Dntvhb8EAxoCYbKVZNHcqqTD6NaXTa8Q7ROiKWJWefQTZkfyoGjBk32lDohACan/
W4OdmS6XmLzEm9EEa7eEicMk5f7859TKtIXsta4Y7dTPU6SQfWi4u53Cq+bdcvxB
/at+nBJGu3C9KsIWRrMe3eDg3/b/XmueeVeI+HHj/Q3aZhuZYpAskzCSm4Vj9Fp8
fpSchIUEtZo8BGcFE4dLTDkbrglE3z/A7CEhZUUGith//F0BFpOi+mOgwEKtwoIy
p9m91xGHTjEaiuDWtrWUK16akDMNuInnCnPNkkZAUXRonQQa8Zy+MNIUOExe9kAI
oXrqaLQoIFXa+jPgLuMtlv2B+Db1CIGhn/Zo0HAMzrb9QhhRtaCzlHt3rXxCr+13
wPQW2Ro/Ib2k0+EJ9rF2bCeB6lEPqeCKPD4FkCclmqYJ79lZbr2YWfwy0M11Mnjq
mKk3DYV1kprVYClZ2HBJ3tnohaRc5zYuXbVKNGl2ggsz9kjyI1ZaUAUoSKCrCot/
dhSjR9SYOEHtEKHLSFzlEWLV+k54iYnN4NRMENikf7Rlw2w8AOZiAQUjEo+P31KK
CeMjmGJfkL+uz8iuTr8Md4Ry/PwNZZ5lVSAxEhU0PHQ957yOxHVgTdZmGe74vZ3S
AidF8N3AbFsBmW7NHr4O
=OF+M
-----END PGP SIGNATURE-----
0 new messages