Chick3nman/apfsextract

APFSExtract

Extract APFS FileVault encryption hashes directly from a Mac in Recovery mode without disk imaging or disk removal.

Produces $fvde$ hashes compatible with hashcat modes 16700 (AES-128) and 18300 (AES-256).

How it works

  1. Reads the APFS container superblock to locate the encrypted keybag
  2. Decrypts the container keybag using AES-XTS with the container UUID
  3. Follows volume unlock record pointers to each volume's keybag
  4. Decrypts volume keybags using AES-XTS with the volume UUID
  5. Parses KEK blobs (TLV-encoded) to extract salt, PBKDF2 iterations, and wrapped KEK
  6. Outputs hashcat-compatible $fvde$ hashes

APFSExtract also resolves volume names, extracts password hints when present, and warns if a hash belongs to a recovery key (which won't yield the user password).

Quick start

  1. Download apfsextract-darwin-amd64 from the latest release
  2. Format a USB stick as exFAT
  3. Copy the binary to the USB and rename it to apfsextract

Building from source

Requires Go 1.23+. Cross-compile for macOS from any OS:

GOOS=darwin GOARCH=amd64 go build -o apfsextract .

The compiled binary has zero dependencies.

Usage

  1. Plug the USB into the target Mac
  2. Power on and hold Cmd+R to boot into Recovery mode
  3. From the menu bar: Utilities > Terminal
  4. Run:

     chmod +x /Volumes/YOURUSB/apfsextract
     /Volumes/YOURUSB/apfsextract

The tool will:

  • List APFS containers and let you select one (or auto-select if there's only one)
  • Display discovered volumes with names and encryption status
  • Extract all $fvde$ hashes
  • Write extracted_hashes.txt and extraction_report.txt back to the USB

You can also specify the device directly:

/Volumes/YOURUSB/apfsextract /dev/disk0s2

Cracking

Transfer extracted_hashes.txt to your cracking machine:

# AES-128 ($fvde$1)
hashcat -m 16700 extracted_hashes.txt <wordlist>

# AES-256 ($fvde$2)
hashcat -m 18300 extracted_hashes.txt <wordlist>

Supported hardware

  • Intel Macs with APFS FileVault encryption (macOS High Sierra 10.13+)
  • The target Mac must have a Recovery partition (standard on all Macs shipping with OS X 10.7+)

This tool does not support T2/Apple Silicon Macs where the encryption key is bound to the Secure Enclave.
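
The hardware split above is also what a fleet owner needs to know: on an Intel Mac without a T2, FileVault rests on passphrase strength alone. The following is an added example, not part of apfsextract, that reports which class a Mac falls in from a normally booted system; the helper names are hypothetical, and the "Apple T2" string match on `system_profiler` output is an assumption.

```shell
#!/bin/sh
# Added example (not part of apfsextract): report whether this Mac's FileVault
# key is bound to the Secure Enclave or protected by the passphrase alone.

# classify_key_binding ARM64_FLAG IBRIDGE_TEXT   (hypothetical helper name)
#   ARM64_FLAG    output of `sysctl -n hw.optional.arm64` ("1" on Apple Silicon)
#   IBRIDGE_TEXT  output of `system_profiler SPiBridgeDataType`
#                 (assumption: T2 Macs report a model name containing "Apple T2")
classify_key_binding() {
    if [ "$1" = "1" ]; then
        echo "sep-apple-silicon"
        return 0
    fi
    case "$2" in
        *"Apple T2"*) echo "sep-t2" ;;
        *)            echo "software-only" ;;
    esac
}

# assess_exposure BINDING FDESETUP_STATUS   (hypothetical helper name)
#   FDESETUP_STATUS  output of `fdesetup status`
assess_exposure() {
    case "$2" in
        *"FileVault is On"*)  ;;                          # encrypted, keep going
        *"FileVault is Off"*) echo "not-encrypted"; return 0 ;;
        *)                    echo "unknown"; return 0 ;; # status unavailable
    esac
    if [ "$1" = "software-only" ]; then
        # Offline guessing is limited only by passphrase strength.
        echo "offline-guessable"
    else
        echo "hardware-bound"
    fi
}

# Live check, only on macOS; elsewhere the functions can be fed saved output.
if [ "$(uname -s)" = "Darwin" ]; then
    arm64=$(sysctl -n hw.optional.arm64 2>/dev/null || true)
    ibridge=$(system_profiler SPiBridgeDataType 2>/dev/null || true)
    status=$(fdesetup status 2>/dev/null || true)
    binding=$(classify_key_binding "$arm64" "$ibridge")
    echo "$(hostname): $binding, $(assess_exposure "$binding" "$status")"
fi
```

Machines reported as `offline-guessable` are the ones where a long, high-entropy FileVault passphrase and a firmware password restricting Recovery boot matter most.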

Credits

Based on the APFS keybag structures documented in:
