Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Forgotten password is leading to baldness!


  • Please log in to reply
17 replies to this topic

#1 GWWXX

GWWXX

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 22 June 2016 - 04:39 PM

Hi.

I'm hoping you all can help, or set me off in a better direction!

I have a MacBook Air that I've recently unpacked (from a box.. Moving house) and have forgotten the password for.

Two things:
1. FileVault is on
2. My Apple ID has been deactivated / unlinked (same problem on another MacBook (but I have the PW for that one) so that's another thread!)

So I have an encrypted HD that I cannot access. Software version is usually asked for.. It's not capitan- probably Yosemite, perhaps earlier (mountain lion?). I'm not a Mac fan boy, and most of my computing knowledge is PC based.

What I've done so far:
CMD+R - fails - encrypted (e.g resetpassword)
CmD +S - fails - encrypted - doesn't work full stop
CMD+T - fails to mount on my Mac/Pc - need password (got the thunder to thunder cable for this very reason!)
AppleID - fails - doesn't give me the option, and can't connect to wifi, can't turn on machine past login screen, only have one username, no guest account
Recovery mode - this was so long ago can't remember why it failed, but it did.. No recovery key perhaps. (It was the first thing I tried).

After extensive googling, I came across Passware Forensic edition, which claims to be able to do this in hours, but to do that I need to access / clone the HD - which I can't do/find out how to do. And it's very expensive - pretty much the cost of a new laptop!

I have at my disposal:
A win7 gaming desktop (I mention gaming as have 2xGPU in SLI - if I have to go down the Linux/hack/crack route of pain.
Another MacBook Air (if there's a dumb ass Mac to Mac thing I'm missing)
Belligerence, stubbornness, and a 'I'm going to do this of it kills me' can do attitude.
Above average tech skills, but no coding skills - I.e I can use terminal/Linux command line, but have no real idea what the words mean - I copy from a tech tutorial .

Questions:

Is there a way I can 'hack' this myself (I've got a vague idea of parts of the password, so it won't be totally years and years of brute force) - if so - how can I set this up?

Is there a way I can clone/copy the HD (I've tried ccc4 in order to use Passware, but that's failing as I can't access the machine remotely, and I can't seem to mount the target HD either).

Any other options??

I would really appreciate any time / help you can offer on this!

Thanks.

BC AdBot (Login to Remove)

 


#2 Viper_Security

Viper_Security

  • Members
  • 816 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:08:21 PM

Posted 22 June 2016 - 04:45 PM

Hm, see if this gives you any luck,

Reset Admin Password Using The Terminal

 

You can reset the password by printing out (or writing down) and carefully following these steps.

 

First, find the short name of the admin user on the machine. The easiest way of doing this is by looking at what the directory is called in the Users folder.

 

Now, start in Single-User Mode. (command+option+F1 on most) It should boot into a command line.

 

Enter these exact lines. Press RETURN after each.

 

mount -uw /

ifconfig lo0 up

cd /var/db/netinfo

netinfod -s local

 

Now you'll need that short name. Enter "passwd", a space, and the short name of the admin. For example, if the admin was rather prosaically called "imadmin", you would enter "passwd imadmin".

 

The computer will now prompt you to change the password for "lmadmin" (or whatever the short name was). Go ahead and enter a new password.

 

Now, enter:

 

sync

reboot

 

 

 

As for the Cloning have you tried Acronis?


Edited by Viper_Security, 22 June 2016 - 04:46 PM.

    IT Auditor & Security Professional

hQBT2G3.png


#3 GWWXX

GWWXX
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 22 June 2016 - 05:06 PM

Thanks - but I cannot enter into single user mode - I'm told this is because HD is encrypted

#4 Viper_Security

Viper_Security

  • Members
  • 816 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:08:21 PM

Posted 22 June 2016 - 05:13 PM

If you know the password, you can go into open firmware and disable the lock. Otherwise, there is a procedure to override it: You need to change the amount of RAM in the machine (either add memory or remove existing memory in the expansion slot), and IMMEDIATELY, i.e. the first time booting after changing the RAM, reset the PRAM three times in a row. That means it needs to chime three times after the power-on chime. Once you've done this, you should no longer see the lock. It's Apple's "top secret" way to bypass an open firmware password.

 

To reset PRAM the key combo is Command+Option+PR

 

 

PRAM= Parameter Random Access Memory


Edited by Viper_Security, 22 June 2016 - 05:15 PM.

    IT Auditor & Security Professional

hQBT2G3.png


#5 GWWXX

GWWXX
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 22 June 2016 - 05:23 PM

Likewise Acronis - just downloaded and tried - I think the issue is that I cannot see the Target HD on either network or wired.

 

I have a feeling the only solution is to remove the HD and use a physical connector. 

 

 

Just seen the update.. I don't (think) I have a firmware PW, this is the HD / login password. If this is the 'firmware' PW I will amazon prime some new RAM now ^^


Edited by GWWXX, 22 June 2016 - 05:25 PM.


#6 Buddyme2

Buddyme2

  • Members
  • 693 posts
  • OFFLINE
  •  
  • Local time:07:21 PM

Posted 23 June 2016 - 05:39 AM

OS X Mavericks: If you forget your login password and FileVault is on

What to Do If You Forget Your Mac's Password

Recover Your Apple ID

 

 

 


Edited by Buddyme2, 23 June 2016 - 05:39 AM.


#7 GWWXX

GWWXX
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 23 June 2016 - 11:07 AM

So basically, I don't have the recovery key, and I don't have the password, and I don't > didn't use iCloud. (Current machine I'm adding this option now!).

Since yesterday evening I've tried a lot of combinations manually - alas a result of being a smart arse is now coming back to bite me in the aforementioned.

So my question is: how to get the hard drive readable by another machine so I can run some programme like hashcat to try the combinations of my password?

I can remove the physical drive, but what do I then connect it to?! M

Edited by GWWXX, 23 June 2016 - 11:09 AM.


#8 Captain_Chicken

Captain_Chicken

  • BC Advisor
  • 1,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:21 PM

Posted 23 June 2016 - 11:50 AM

What type of encryption is this? AES, RSA or how many bits?


Computer Collection:

Spoiler

Spoiler

Spoiler

Spoiler

#9 GWWXX

GWWXX
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 23 June 2016 - 12:07 PM

FileVault 2 which I think is aes128

#10 Captain_Chicken

Captain_Chicken

  • BC Advisor
  • 1,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:21 PM

Posted 23 June 2016 - 12:36 PM

https://www.google.com/search?ei=hxxsV7bDHYPt-QGtrp3IAQ&q=how+long+to+crack+aes+128&oq=how+lonaes128&gs_l=mobile-gws-serp.1.0.0i7i10i30.4106.5942.0.6639.7.7.0.0.0.0.161.765.5j2.7.0....0...1c.1j4.64.mobile-gws-serp..0.7.760...0i13.xDXPLHwJry8

You will not be able to force it anytime soon. You may try other methods, but please be aware of the forum rules.

http://www.bleepingcomputer.com/forum-rules/

No subject matter will be allowed whose purpose is to defeat existing copyright or security measures. If a user persists and/or the activity is obviously illegal the staff reserves the right to remove such content and/or ban the user. This would also mean encouraging the use or continued use of pirated software is not permitted, and subject to the same consequences.

Computer Collection:

Spoiler

Spoiler

Spoiler

Spoiler

#11 GWWXX

GWWXX
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 23 June 2016 - 12:44 PM

Thanks, as I have previously noted; I already have part of the password, so it's 4-5 numbers only which should take an hour or two.

It is my laptop, and I'm using legally purchasable and usable products, to access my own data, so with respect to forum rules, I don't believe it's applicable.

I don't have my recovery key, and apple can't / won't help, so instead of manually typing in my PW 10000 times, I really only want to use a machine to automate it ...

#12 Viper_Security

Viper_Security

  • Members
  • 816 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:08:21 PM

Posted 23 June 2016 - 02:37 PM

Likewise Acronis - just downloaded and tried - I think the issue is that I cannot see the Target HD on either network or wired.

 

I have a feeling the only solution is to remove the HD and use a physical connector. 

 

 

Just seen the update.. I don't (think) I have a firmware PW, this is the HD / login password. If this is the 'firmware' PW I will amazon prime some new RAM now ^^

The way you can tell is if the lock screen comes up after booting and that's the first thing you see (roughly 4-10 seconds after power on) the firmware lock will be grey with an arrow pointing right. if it's not a firmware password let us know, the normal log in screen should have an apple on it instead of the padlock type thing.


    IT Auditor & Security Professional

hQBT2G3.png


#13 Viper_Security

Viper_Security

  • Members
  • 816 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:08:21 PM

Posted 23 June 2016 - 02:42 PM

Thanks, as I have previously noted; I already have part of the password, so it's 4-5 numbers only which should take an hour or two.

It is my laptop, and I'm using legally purchasable and usable products, to access my own data, so with respect to forum rules, I don't believe it's applicable.

I don't have my recovery key, and apple can't / won't help, so instead of manually typing in my PW 10000 times, I really only want to use a machine to automate it ...

Agreed, there is no editing of proprietary software(s) in this help attempt, if you own the laptop and bought the OSX you are free to do with it what you like, no pirating is going on, Acronis and the programs mention herein are free with the OPTION to buy.


    IT Auditor & Security Professional

hQBT2G3.png


#14 GWWXX

GWWXX
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 23 June 2016 - 02:44 PM

It isn't firmware - no firmware password added.

I can get into the disk utility, but still can attach anything to the Mac to copy or dd the drive... Man this is such a nightmare!

I figured the easiest option was just to take out the HD, but I got conned at maplin and they sold me 6star screwdrivers not 5...

Life just shouldn't be this difficult!!

#15 Viper_Security

Viper_Security

  • Members
  • 816 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:08:21 PM

Posted 23 June 2016 - 02:48 PM

It isn't firmware - no firmware password added.

I can get into the disk utility, but still can attach anything to the Mac to copy or dd the drive... Man this is such a nightmare!

I figured the easiest option was just to take out the HD, but I got conned at maplin and they sold me 6star screwdrivers not 5...

Life just shouldn't be this difficult!!

Okay, IF availble try using a different accoutn on the same computer (unless yours is the only one)

 

 

Reset using the Reset Password assistant (FileVault must be on)

If FileVault is turned on, you might be able to reset your password using the Reset Password assistant:

  1. Wait up to a minute at the login screen, until you see a message saying that you can use the power button on your Mac to shut down and start up again in Recovery OS. If you don't see this message, FileVault isn't on.
  2. Press and hold the power button until your Mac turns off.
  3. Press the power button again to turn on your Mac.
  4. When the Reset Password window appears, follow the onscreen instructions to create a new password.
    If you need to connect to Wi-Fi, move your pointer to the top of the screen and use the Wi-Fi menu yosemite-disconnected_icon-public.png to connect. To exit without resetting your password, choose Apple menu > Restart.
  5. When done, click Restart.
  6. If you were able to reset your password with the Reset Password assistant, log in to your account using your new password.
  7. Create a new login keychain.

 

 

 

Create a new login keychain

After resetting your password and logging back in to your account, you might see an alert that the system was unable to unlock your login keychain. This is expected, because the passwords for your user account and login keychain no longer match. Just click the Create New Keychain button.

If you didn't see an alert about your login keychain, or you see other messages asking for your old password, reset your keychain manually:

  1. Open Keychain Access, which is in the Utilities folder of your Applications folder. 
  2. Choose Preferences from the Keychain Access menu, then click the Reset My Default Keychain button in the preferences window. After you enter your new password, Keychain Access creates an empty login keychain with no password. Click OK to confirm.

    If you don't see a Reset My Default keychain button, close the preferences window and select the “login” keychain from the left side of the Keychain Access window. Press the Delete key, then click Delete References.
     
  3. Choose Log Out from the Apple menu to return to the login screen.
  4. Log in to your account using your new password. Your account password and login keychain password now match again.

divider.png

 

 

 

you can create a Recovery USB drive too -> http://support.apple.com/kb/HT4848

 

 

 

i hope this gets you somewhere :)


Edited by Viper_Security, 23 June 2016 - 02:55 PM.

    IT Auditor & Security Professional

hQBT2G3.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users