{"id":27594,"date":"2017-01-26T17:27:07","date_gmt":"2017-01-26T10:27:07","guid":{"rendered":"http:\/\/deepquest.code511.com\/blog\/?p=27594"},"modified":"2017-01-26T02:45:51","modified_gmt":"2017-01-25T19:45:51","slug":"mac-os-x-keychain-breaker","status":"publish","type":"post","link":"https:\/\/deepquest.code511.com\/blog\/2017\/01\/mac-os-x-keychain-breaker\/","title":{"rendered":"Mac OS X Keychain Breaker"},"content":{"rendered":"<p>chainbreaker can extract user credentials from a Keychain file, using either the Master Key or the user password, in a forensically sound manner. Master Key candidates can be extracted with the\u00a0<a href=\"https:\/\/github.com\/n0fate\/volafox\">volafox<\/a>\u00a0or\u00a0<a href=\"https:\/\/github.com\/volatilityfoundation\/volatility\">volatility<\/a>\u00a0keychaindump module.<\/p>\n<p><!--more--><\/p>\n<h2>Supported OS<\/h2>\n<p>Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan (Beta)<\/p>\n<h2><a id=\"user-content-target-keychain-file\" class=\"anchor\" href=\"https:\/\/github.com\/n0fate\/chainbreaker#target-keychain-file\"><\/a>Target Keychain file<\/h2>\n<ul>\n<li>User Keychain (~\/Users\/[username]\/Library\/Keychains\/login.keychain): holds user IDs and passwords for installed applications, SSH\/VPN, mail, contacts, calendar and so on. It also holds the key used to decrypt call history.<\/li>\n<li>System Keychain (\/Library\/Keychains\/System.keychain): holds WiFi passwords registered by the local machine, as well as several certificates and public\/private keys. 
(Detailed info:\u00a0<a href=\"http:\/\/forensic.n0fate.com\/2014\/09\/system-keychain-analysis\/\">http:\/\/forensic.n0fate.com\/2014\/09\/system-keychain-analysis\/<\/a>)<\/li>\n<\/ul>\n<h2><a id=\"user-content-how-to-use\" class=\"anchor\" href=\"https:\/\/github.com\/n0fate\/chainbreaker#how-to-use\"><\/a>How to use:<\/h2>\n<p>If you have only the keychain file and the user password, run the command as follows:<\/p>\n<pre><code>$ python chainbreaker.py \r\nusage: chainbreaker.py [-h] -f FILE (-k KEY | -p PASSWORD)\r\nchainbreaker.py: error: argument -f\/--file is required\r\n<\/code><\/pre>\n<p>If you have a memory image, you can extract master key candidates with the volafox project. volafox, a memory forensics toolkit for Mac OS X, is written in Python as a cross-platform open source project. You can also dump them with volatility.<\/p>\n<pre><code>$ python volafox.py -i [memory image] -o keychaindump\r\n....\r\n....\r\n$ python chainbreaker.py -f [keychain file] -k [master key]\r\n<\/code><\/pre>\n<h2><a id=\"user-content-example\" class=\"anchor\" href=\"https:\/\/github.com\/n0fate\/chainbreaker#example\"><\/a>Example<\/h2>\n<pre><code>$ python vol.py -i ~\/Desktop\/show\/macosxml.mem -o keychaindump\r\n\r\n[+] Find MALLOC_TINY heap range (guess)\r\n [-] range 0x7fef03400000-0x7fef03500000\r\n [-] range 0x7fef03500000-0x7fef03600000\r\n [-] range 0x7fef03600000-0x7fef03700000\r\n [-] range 0x7fef04800000-0x7fef04900000\r\n [-] range 0x7fef04900000-0x7fef04a00000\r\n\r\n[*] Search for keys in range 0x7fef03400000-0x7fef03500000 complete. master key candidates : 0\r\n[*] Search for keys in range 0x7fef03500000-0x7fef03600000 complete. master key candidates : 0\r\n[*] Search for keys in range 0x7fef03600000-0x7fef03700000 complete. master key candidates : 0\r\n[*] Search for keys in range 0x7fef04800000-0x7fef04900000 complete. master key candidates : 0\r\n[*] Search for keys in range 0x7fef04900000-0x7fef04a00000 complete. 
master key candidates : 6\r\n\r\n[*] master key candidate: 78006A6CC504140E077D62D39F30DBBAFC5BDF5995039974\r\n[*] master key candidate: 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9\r\n[*] master key candidate: 2DD97A4ED361F492C01FFF84962307D7B82343B94595726E\r\n[*] master key candidate: 21BB87A2EB24FD663A0AC95E16BEEBF7728036994C0EEC19\r\n[*] master key candidate: 05556393141766259F62053793F62098D21176BAAA540927\r\n[*] master key candidate: 903C49F0FE0700C0133749F0FE0700404158544D00000000\r\n$ python chainbreaker.py -h\r\nusage: chainbreaker.py [-h] -f FILE (-k KEY | -p PASSWORD)\r\n\r\nTool for OS X Keychain Analysis by @n0fate\r\n\r\noptional arguments:\r\n  -h, --help            show this help message and exit\r\n  -f FILE, --file FILE  Keychain file(*.keychain)\r\n  -k KEY, --key KEY     Masterkey candidate\r\n  -p PASSWORD, --password PASSWORD\r\n                        User Password \r\n$ python chainbreaker.py -f ~\/Desktop\/show\/login.keychain -k 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9\r\n [-] DB Key\r\n00000000:  05 55 63 93 14 17 66 25  9F 62 05 37 93 F6 20 98  .Uc...f%.b.7.. 
.\r\n00000010:  D2 11 76 BA AA 54 09 27                                                   ..v..T.'\r\n[+] Symmetric Key Table: 0x00006488\r\n[+] Generic Password: 0x0000dea4\r\n[+] Generic Password Record\r\n [-] RecordSize : 0x000000fc\r\n [-] Record Number : 0x00000000\r\n [-] SECURE_STORAGE_GROUP(SSGP) Area : 0x0000004c\r\n [-] Create DateTime: 20130318062355Z\r\n [-] Last Modified DateTime: 20130318062355Z\r\n [-] Description : \r\n [-] Creator : \r\n [-] Type : \r\n [-] PrintName : ***********@gmail.com\r\n [-] Alias : \r\n [-] Account : 1688945386\r\n [-] Service : iCloud\r\n [-] Password\r\n00000000:  ** ** ** ** ** ** ** **  ** ** ** ** ** ** ** **  ****************\r\n00000010:  7A ** 69 ** 50 ** 51 36  ** ** ** 48 32 61 31 66  ****************\r\n00000020:  ** 49 ** 73 ** 62 ** 79  79 41 6F 3D              **********=\r\n\r\n&lt;snip&gt;\r\n\r\n[+] Internet Record\r\n [-] RecordSize : 0x0000014c\r\n [-] Record Number : 0x00000005\r\n [-] SECURE_STORAGE_GROUP(SSGP) Area : 0x0000002c\r\n [-] Create DateTime: 20130318065146Z\r\n [-] Last Modified DateTime: 20130318065146Z\r\n [-] Description : Web form password\r\n [-] Comment : default\r\n [-] Creator : \r\n [-] Type : \r\n [-] PrintName : www.facebook.com (***********@gmail.com)\r\n [-] Alias : \r\n [-] Protected : \r\n [-] Account : ***********@gmail.com\r\n [-] SecurityDomain : \r\n [-] Server : www.facebook.com\r\n [-] Protocol Type : kSecProtocolTypeHTTPS\r\n [-] Auth Type : kSecAuthenticationTypeHTMLForm\r\n [-] Port : 0\r\n [-] Path : \r\n [-] Password\r\n00000000:  ** ** ** ** ** ** ** **  ** ** ** **              ************\r\n\r\nDownload: <a href=\"https:\/\/github.com\/n0fate\/chainbreaker\">chainbreaker<\/a><\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>The chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner. 
Master Key candidates can be extracted from\u00a0volafox\u00a0or\u00a0volatility\u00a0keychaindump module.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4,8,139],"tags":[2868,2891,19],"class_list":["post-27594","post","type-post","status-publish","format-standard","hentry","category-apple","category-osx-security-tools","category-tools","tag-apple","tag-keychain","tag-osx"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-7b4","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/27594","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=27594"}],"version-history":[{"count":1,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/27594\/revisions"}],"predecessor-version":[{"id":27595,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/27594\/revisions\/27595"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=27594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\
/v2\/categories?post=27594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=27594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}