Can AppleScript be used to brute force a FileVault drive where the password is lost?

I made a terrible mistake. I totally lost my paper with the secret password for my encrypted external GUID hard drive. This external drive contains many pictures but also some very useful work documents. So it would be very interesting for me to get through this password.

I can remember maybe 50% of my password. I calculated that with the known part of my password I will have a maximum of 250 000 possible combinations. A program like crunch could make the list of all the combinations, but I think that is not the most difficult part of this mission.

I have to build a small program to fill in the dialog box and try all 250 000 combinations. I already tried to do this with AppleScript, but I didn't find the command to fill in the combination in the dialog box “Enter a password to unlock the disk”. This dialog box appears when we plug the disk into the Mac.

Does somebody know AppleScript well enough to help me interact with this disk unlock dialog box? Or maybe somebody has another solution to unlock it without AppleScript?

If somebody is interested in helping me, I will be very grateful.


As a proof of concept, I formatted a USB Thumb-drive using a GUID Partition Map and formatted it Mac OS Extended (Journaled) naming it "Encrypted".

Then in Finder, I selected the disk named "Encrypted" and control-clicked selecting Encrypt "Encrypted"..., while setting its password to "password".

When it was done encrypting, using Terminal, I ascertained the UUID I'd need to use with the diskutil command in my script with the following command: diskutil cs list

I wanted the UUID of the Logical Volume where it showed Volume Name: Encrypted and in this case it showed it as:

Logical Volume 1BFD0C99-1A67-4DC2-A0F4-199B2AE635B0

Here's the output of diskutil cs list, so as to see from what I drew the UUID.

$ diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 3D8D6165-909C-4C55-8C0B-811AC4856773
    =========================================================
    Name:         Encrypted
    Status:       Online
    Size:         15270830080 B (15.3 GB)
    Free Space:   16777216 B (16.8 MB)
    |
    +-< Physical Volume 1E6C582B-5822-4986-9F41-164DE662FCE1
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk2s2
    |   Status:   Online
    |   Size:     15270830080 B (15.3 GB)
    |
    +-> Logical Volume Family 6D7E4DCE-D7C5-4383-BF88-9E2DB9A52E14
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume 1BFD0C99-1A67-4DC2-A0F4-199B2AE635B0
            ---------------------------------------------------
            Disk:               disk3
            Status:             Online
            Size (Total):       14935281664 B (14.9 GB)
            Size (Converted):   -none-
            Revertible:         Yes (unlock and decryption required)
            LV Name:            Encrypted
            Volume Name:        Encrypted
            Content Hint:       Apple_HFS
$ 

Now having the correct UUID, I created my bash script in Terminal:

touch unlock
open unlock

I then added the following code:

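#!/bin/bash
# Try each line of the dictionary file ($1) as the passphrase for the volume.

if [[ -n $1 ]]; then
    # IFS= and -r keep leading/trailing spaces and backslashes in each candidate.
    while IFS= read -r line; do
        # Print via %s so a '%' or '\' in the candidate is not read as a format.
        printf '   Testing: %s \n' "$line"
        diskutil coreStorage unlockVolume 1BFD0C99-1A67-4DC2-A0F4-199B2AE635B0 -passphrase "$line" 2>/dev/null
        if [[ $? -eq 0 ]]; then
            printf '\n   The correct password is: %s \n\n' "$line"
            exit 0
        fi
    done < "$1"
else
    printf "\n   Missing Dictionary File!...\n\n   Syntax: ./unlock dictionary.txt\n\n"
    exit 1
fi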

Note: Replace the UUID above with the UUID of the Logical Volume of your encrypted drive.

I saved and closed the script named "unlock" and made it executable using:

chmod u+x unlock

I then created a dictionary file, touch dictionary.txt and populated the file. Of course in your case, you'd use as you mentioned the program named crunch to create your dictionary file(s).

I then ejected and removed the USB Thumb-drive from my system.

I then plugged in the USB Thumb-drive and when the "Enter a password to unlock the disk "Encrypted"." dialog box appeared, I clicked the Cancel button.

Now I was ready to unlock it using the bash script and dictionary.txt file from Terminal.

To show what I put in the dictionary.txt file:

$ cat dictionary.txt
p
pa
pass
passw
password
passwo
passwor
$ 

Here's the output of: ./unlock dictionary.txt

$ ./unlock dictionary.txt
   Testing: p 
Started CoreStorage operation
   Testing: pa 
Started CoreStorage operation
   Testing: pass 
Started CoreStorage operation
   Testing: passw 
Started CoreStorage operation
   Testing: password 
Started CoreStorage operation
Logical Volume successfully unlocked
Logical Volume successfully attached as disk3
Logical Volume successfully mounted as /Volumes/Encrypted
Core Storage disk: disk3
Finished CoreStorage operation

   The correct password is: password 

$

As you can see, it tried what was in the dictionary.txt file up until it found the correct password, and when the correct password was tested it unlocked and mounted the disk, printed out what the correct password was and exited the script.

The reason for printing out all passwords is so that, if you need to stop the script, you can then remove the tried passwords from the dictionary.txt file before starting again.

Note: It is important that before running the bash script you have first freshly plugged in the drive and clicked the Cancel button, then run the script.
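
The UUID lookup described in this answer (the Logical Volume whose Volume Name is "Encrypted") can be scripted rather than read off the tree by eye. This is an added example, not part of the original answer: the function name lv_uuid_for_volume, the trimmed sample listing and the "Photo Archive" volume with its placeholder UUIDs are constructed for illustration.

```shell
#!/bin/bash
# Added example: look up a Logical Volume UUID by volume name in the text
# printed by "diskutil cs list" (input is read from stdin).

# lv_uuid_for_volume NAME
# Prints the UUID of the Logical Volume whose "Volume Name:" is exactly NAME;
# returns 1 when no listed volume has that name.
lv_uuid_for_volume() {
    awk -v want="$1" '
        # "Logical Volume <UUID>" opens a volume record. Group, Family and
        # Physical Volume lines do not match: the UUID must follow directly.
        /Logical Volume [0-9A-Fa-f-]+$/ { uuid = $NF; next }
        /Volume Name:/ {
            name = $0
            sub(/^.*Volume Name:[ \t]*/, "", name)  # keeps names with spaces
            sub(/[ \t]+$/, "", name)
            if (uuid != "" && name == want) { print uuid; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: the layout of the listing above, trimmed, plus a second
# made-up volume group with placeholder UUIDs.
sample_cs_list() {
cat <<'EOF'
+-- Logical Volume Group 3D8D6165-909C-4C55-8C0B-811AC4856773
    +-< Physical Volume 1E6C582B-5822-4986-9F41-164DE662FCE1
    +-> Logical Volume Family 6D7E4DCE-D7C5-4383-BF88-9E2DB9A52E14
        +-> Logical Volume 1BFD0C99-1A67-4DC2-A0F4-199B2AE635B0
            LV Name:            Encrypted
            Volume Name:        Encrypted
+-- Logical Volume Group 00000000-0000-0000-0000-00000000000A
    +-> Logical Volume Family 00000000-0000-0000-0000-00000000000B
        +-> Logical Volume 00000000-0000-0000-0000-00000000000C
            LV Name:            Photo Archive
            Volume Name:        Photo Archive
EOF
}

# On a Mac the input would be:  diskutil cs list | lv_uuid_for_volume Encrypted
sample_cs_list | lv_uuid_for_volume "Photo Archive"
```

The match on the volume name is exact, so a disk called "Encrypted 2" is not mistaken for "Encrypted".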


First of all, huge thank you to user3439894 for the awesome answer provided. This is absolutely what I needed. I did however encounter an issue completing these steps using encrypted APFS volumes, but I found a solution.

I'm using encrypted APFS volumes with macOS Big Sur. I encountered an issue running diskutil cs list as it returns "No CoreStorage logical volume groups found" in Terminal, even when an encrypted APFS volume is mounted. As a result, I wasn't able to obtain the necessary UUID of the encrypted APFS volume I wanted to target.

To resolve this issue, I instead ran diskutil list in Terminal which returned the following:

/dev/disk3 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +5.0 TB     disk3
                                 Physical Store disk2s2
   1:                APFS Volume ⁨MY_DRIVE                3.9 TB     disk3s1

Once I located the correct identifier for MY_DRIVE (in this case: disk3s1), I substituted diskutil coreStorage unlockVolume 1BFD0C99-1A67-4DC2-A0F4-199B2AE635B0 -passphrase "$line" 2>/dev/null in user3439894's code with the following:

diskutil apfs unlockVolume disk3s1 -passphrase "$line" 2>/dev/null

Please note that the disk identifier may change over time as volumes are mounted, unmounted, etc. You may need to run diskutil list periodically to ensure you have the correct identifier for the volume you want to target.

Everything else user3439894 provided was the same for me and worked perfectly.