
This branch contains a quick patch for chainbreaker to dump non-exportable keys on High Sierra; see README-keydump.txt for more details. The original README follows.

chainbreaker

chainbreaker can extract user credentials from a Keychain file using either the Master Key or the user password, in a forensically sound manner. Master Key candidates can be extracted with the volafox or volatility keychaindump module.

Supported OS

Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan, (High) Sierra

Target Keychain file

  • User Keychain (~/Users/[username]/Library/Keychains/login.keychain): stores user IDs and passwords for installed applications, SSH/VPN, mail, contacts, calendar and so on. It also holds the key used for call history decryption.
  • System Keychain (/Library/Keychains/System.keychain): stores WiFi passwords registered by the local machine, as well as several certificates and public/private keys. (Detailed info: http://forensic.n0fate.com/2014/09/system-keychain-analysis/)

How to use:

If you have only the keychain file and the user password, the command is as follows:

$ python chainbreaker.py 
usage: chainbreaker.py [-h] -f FILE (-k KEY | -p PASSWORD)
chainbreaker.py: error: argument -f/--file is required

If you have a memory image, you can extract master key candidates using the volafox project. volafox, a memory forensics toolkit for Mac OS X, is written in Python as a cross-platform open source project. You can also dump them using volatility.

$ python volafox.py -i [memory image] -o keychaindump
....
....
$ python chainbreaker.py -f [keychain file] -k [master key]

Example

$ python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump

[+] Find MALLOC_TINY heap range (guess)
 [-] range 0x7fef03400000-0x7fef03500000
 [-] range 0x7fef03500000-0x7fef03600000
 [-] range 0x7fef03600000-0x7fef03700000
 [-] range 0x7fef04800000-0x7fef04900000
 [-] range 0x7fef04900000-0x7fef04a00000

[*] Search for keys in range 0x7fef03400000-0x7fef03500000 complete. master key candidates : 0
[*] Search for keys in range 0x7fef03500000-0x7fef03600000 complete. master key candidates : 0
[*] Search for keys in range 0x7fef03600000-0x7fef03700000 complete. master key candidates : 0
[*] Search for keys in range 0x7fef04800000-0x7fef04900000 complete. master key candidates : 0
[*] Search for keys in range 0x7fef04900000-0x7fef04a00000 complete. master key candidates : 6

[*] master key candidate: 78006A6CC504140E077D62D39F30DBBAFC5BDF5995039974
[*] master key candidate: 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9
[*] master key candidate: 2DD97A4ED361F492C01FFF84962307D7B82343B94595726E
[*] master key candidate: 21BB87A2EB24FD663A0AC95E16BEEBF7728036994C0EEC19
[*] master key candidate: 05556393141766259F62053793F62098D21176BAAA540927
[*] master key candidate: 903C49F0FE0700C0133749F0FE0700404158544D00000000
$ python chainbreaker.py -h
usage: chainbreaker.py [-h] -f FILE (-k KEY | -p PASSWORD)

Tool for OS X Keychain Analysis by @n0fate

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Keychain file(*.keychain)
  -k KEY, --key KEY     Masterkey candidate
  -p PASSWORD, --password PASSWORD
                        User Password 
$ python chainbreaker.py -f ~/Desktop/show/login.keychain -k 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9
 [-] DB Key
00000000:  05 55 63 93 14 17 66 25  9F 62 05 37 93 F6 20 98  .Uc...f%.b.7.. .
00000010:  D2 11 76 BA AA 54 09 27                                                   ..v..T.'
[+] Symmetric Key Table: 0x00006488
[+] Generic Password: 0x0000dea4
[+] Generic Password Record
 [-] RecordSize : 0x000000fc
 [-] Record Number : 0x00000000
 [-] SECURE_STORAGE_GROUP(SSGP) Area : 0x0000004c
 [-] Create DateTime: 20130318062355Z
 [-] Last Modified DateTime: 20130318062355Z
 [-] Description : 
 [-] Creator : 
 [-] Type : 
 [-] PrintName : ***********@gmail.com
 [-] Alias : 
 [-] Account : 1688945386
 [-] Service : iCloud
 [-] Password
00000000:  ** ** ** ** ** ** ** **  ** ** ** ** ** ** ** **  ****************
00000010:  7A ** 69 ** 50 ** 51 36  ** ** ** 48 32 61 31 66  ****************
00000020:  ** 49 ** 73 ** 62 ** 79  79 41 6F 3D              **********=

<snip>

[+] Internet Record
 [-] RecordSize : 0x0000014c
 [-] Record Number : 0x00000005
 [-] SECURE_STORAGE_GROUP(SSGP) Area : 0x0000002c
 [-] Create DateTime: 20130318065146Z
 [-] Last Modified DateTime: 20130318065146Z
 [-] Description : Web form password
 [-] Comment : default
 [-] Creator : 
 [-] Type : 
 [-] PrintName : www.facebook.com (***********@gmail.com)
 [-] Alias : 
 [-] Protected : 
 [-] Account : ***********@gmail.com
 [-] SecurityDomain : 
 [-] Server : www.facebook.com
 [-] Protocol Type : kSecProtocolTypeHTTPS
 [-] Auth Type : kSecAuthenticationTypeHTMLForm
 [-] Port : 0
 [-] Path : 
 [-] Password
00000000:  ** ** ** ** ** ** ** **  ** ** ** **              ************
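An added helper for scripting the two-step workflow above (this is not code from chainbreaker or volafox): it parses the master key candidate lines out of volafox's keychaindump output and the hex dumps out of chainbreaker's output, so an analyst can length-check and deduplicate the candidates and compare the printed DB key against them. The sample inputs are copied from the output above; the 24-byte key length is taken from those samples, and the masked-byte handling follows the `**` convention chainbreaker uses for password dumps.

```python
import re

# Constructed sample input, copied from the README output above: volafox's
# keychaindump candidate lines and two chainbreaker hex dumps (DB key, password).
VOLAFOX_OUTPUT = """\
[*] master key candidate: 78006A6CC504140E077D62D39F30DBBAFC5BDF5995039974
[*] master key candidate: 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9
[*] master key candidate: 2DD97A4ED361F492C01FFF84962307D7B82343B94595726E
[*] master key candidate: 21BB87A2EB24FD663A0AC95E16BEEBF7728036994C0EEC19
[*] master key candidate: 05556393141766259F62053793F62098D21176BAAA540927
[*] master key candidate: 903C49F0FE0700C0133749F0FE0700404158544D00000000
"""
DBKEY_DUMP = """\
 [-] DB Key
00000000:  05 55 63 93 14 17 66 25  9F 62 05 37 93 F6 20 98  .Uc...f%.b.7.. .
00000010:  D2 11 76 BA AA 54 09 27                                                   ..v..T.'
"""
PASSWORD_DUMP = "00000010:  7A ** 69 ** 50 ** 51 36  ** ** ** 48 32 61 31 66  ****************"

KEY_LEN = 24  # every candidate in the sample is 24 bytes (48 hex digits)
CANDIDATE_RE = re.compile(r"master key candidate:\s*([0-9A-Fa-f]+)\s*$", re.M)
# One dump line: 8-digit offset, then up to 16 byte tokens ('**' = masked byte); ASCII column ignored.
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8}):((?:\s+(?:[0-9A-Fa-f]{2}|\*\*)(?=\s|$)){1,16})", re.M)


def parse_candidates(text):
    """Well-formed KEY_LEN-byte candidates from volafox output, in order, deduplicated."""
    keys = []
    for m in CANDIDATE_RE.finditer(text):
        key = m.group(1).upper()
        if len(key) == 2 * KEY_LEN and key not in keys:
            keys.append(key)
    return keys


def parse_hexdump(text, start=0):
    """Byte values of a chainbreaker hex dump; None marks a masked ('**') byte."""
    out = []
    for m in DUMP_RE.finditer(text):
        if int(m.group(1), 16) != start + len(out):  # offsets must be contiguous
            raise ValueError("non-contiguous offset %s" % m.group(1))
        out.extend(None if tok == "**" else int(tok, 16) for tok in m.group(2).split())
    return out


def dbkey_hex(text):
    """Unmasked dump as an upper-case hex string, directly comparable to a candidate."""
    vals = parse_hexdump(text)
    if None in vals:
        raise ValueError("dump contains masked bytes")
    return bytes(vals).hex().upper()
```

In the README's own sample, `dbkey_hex(DBKEY_DUMP)` equals the fifth volafox candidate, which is a quick sanity check that the memory scan found the key material chainbreaker needs.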

If you have only a memory image, you can dump the keychain file from it and decrypt the keychain contents (see link).

Contacts

chainbreaker was written by n0fate. The e-mail address can be found in the source code.

License

GNU GPL v2
