Challenge Accepted (now I need help...)

ammonsc
Contributor II

I do not think what I want to do is possible but I want to see if you guys know for sure. I have read a TON of Rich Trouton's stuff on FileVault 2 and I have a feeling here is where I am stuck.

A colleague here at work has a Mac that is encrypted, running 10.12.6, and only has his account on it. We have been challenged to see if we can get into it (without erasing the drive) and install the management and other "agents" on it.

I cannot use the Restore partition and "resetpassword" command as I do not have his password or AppleID.

In the past you were able to remove a file that would allow you to run through the startup of a Mac again and just create a new Administrator account. Does that exist anymore? I do not need access to his account or files the challenge is strictly to get privileges to install the agents.

Any ideas?

7 REPLIES

Cornoir
Contributor II

.AppleSetupDone is the file that resets the Apple Setup Assistant:

http://www.theinstructional.com/guides/how-to-re-run-the-os-x-setup-assistant

mm2270
Legendary Contributor III

I don't think deleting the .AppleSetupDone file is going to allow you to get into the Mac past FileVault though. That would seem like a pretty major security flaw if it did. The way FileVault works is the main HD is not allowed to unlock to boot from until a valid FV2 user enters their password, or something like the Recovery key is used to similarly unlock the drive.
Just about any special boot mode you can think of (Recovery, SUM, etc) is going to be restricted from accessing the main boot partition when FileVault is on. So deleting the AppleSetupDone file isn't going to get you where you want to be with this.
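
A way to confirm the locked-volume state described in the post above, as an added example that is not part of any post in this thread: on 10.12 a FileVault 2 boot volume is a CoreStorage logical volume, and `diskutil cs list` reports its lock state from the Recovery Terminal (the same place the Setup Assistant trick would have to be done from). The script below parses that output. The `diskutil` text embedded in it is a constructed sample, not captured from a real Mac, and the field name it keys on (`Encryption Status`) is assumed to match the `diskutil cs list` output on that release.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the CoreStorage logical
# volume that FileVault 2 protects on macOS 10.12 is Locked or Unlocked.
# fv2_state takes the text of `diskutil cs list` as its argument so it can be
# run against the constructed samples below or against live output.

# Constructed sample of `diskutil cs list` output for a locked FV2 volume
# (assumed layout; the UUIDs are placeholders, not real values).
SAMPLE_LOCKED='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group LVG-UUID-PLACEHOLDER
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-> Logical Volume LV-UUID-PLACEHOLDER
        ---------------------------------------------------
        Disk:                  disk1
        Status:                Locked
        LV Name:               Macintosh HD
        Volume Name:           Not applicable (not mounted)
        Encryption Type:       AES-XTS
        Encryption Status:     Locked'

# Same volume after a valid FV2 user or the recovery key has unlocked it
# (constructed sample).
SAMPLE_UNLOCKED='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group LVG-UUID-PLACEHOLDER
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-> Logical Volume LV-UUID-PLACEHOLDER
        ---------------------------------------------------
        Disk:                  disk1
        Status:                Online
        LV Name:               Macintosh HD
        Volume Name:           Macintosh HD
        Encryption Type:       AES-XTS
        Encryption Status:     Unlocked'

# fv2_state TEXT
# Prints "locked", "unlocked", or "none" (no encrypted CoreStorage volume found).
fv2_state() {
    # Take the first "Encryption Status:" field; split on the colon and any
    # run of spaces after it so the indentation and padding do not matter.
    status=$(printf '%s\n' "$1" | awk -F': *' '/Encryption Status:/ { print $2; exit }')
    case "$status" in
        Locked)   echo locked ;;
        Unlocked) echo unlocked ;;
        *)        echo none ;;
    esac
}

# fv2_state_live
# Same check against the running system; meant for a 10.12 Recovery Terminal.
# Exit status 0 only when a volume is found and it is unlocked, so a script
# that intends to write to /Volumes/Macintosh HD can bail out otherwise.
fv2_state_live() {
    state=$(fv2_state "$(diskutil cs list 2>/dev/null)")
    echo "$state"
    [ "$state" = unlocked ]
}

# Stand-alone demonstration on the constructed samples.
echo "locked sample   -> $(fv2_state "$SAMPLE_LOCKED")"
echo "unlocked sample -> $(fv2_state "$SAMPLE_UNLOCKED")"
```

In Recovery on a FileVault 2 Mac the live check reports `locked` until a valid FV2 user password or the recovery key is supplied, which is exactly why the boot volume cannot be modified from there; only after it reports `unlocked` is the volume mounted and writable.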

alw2186
New Contributor

The short answer (from my perspective) is you can't - this is exactly what Filevault is intended to prevent. If you could give us some more background on the situation, perhaps we could find an organizational or other strategy that could help.

Is this just a situation where someone left the company and you need to get at the data on their laptop?

ammonsc
Contributor II

No, it is a security exercise. We wanted to see if it can be done. I do not think it can. Which is good. I may try to go the route of a Hak5 Rubber Ducky but that is unlikely to work even if the user is logged in but the screen is locked.

mm2270
Legendary Contributor III

That Rubber Ducky thing isn't going to work, for all the same reasons as mentioned above. It won't be able to inject any keyboard commands or payloads if the Mac is not fully booted up past the FileVault login screen. The main "Macintosh HD" boot partition is still locked and inaccessible to writes in that state.
It might work if the device is booted into the account, and the screen is just locked, as in a screensaver running, but I'm not even sure of that.

alw2186
New Contributor

If it's a desktop machine that uses an external keyboard, as opposed to a laptop, my only idea would be some kind of USB hardware device that would connect between the keyboard and computer, that would keylog the user's input while they type their password at the EFI pre-boot screen.

That wouldn't really be 'breaking' filevault, but essentially working around it.

There have been previously discovered and disclosed vulnerabilities (since patched) that could do this that you might want to check out if you're interested. Check out Thunderstrike:

https://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/

Also, looks like a more recent one, patched as of 10.12.2

http://www.idownloadblog.com/2016/12/19/macos-sierra-10-12-2-fixed-vulnerability-that-let-attackers-obtain-disk-encryption-password/