ptoomey3 / keychain-dumper
A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken
License: BSD 3-Clause "New" or "Revised" License
Trying to get a binary that works on iOS 11/12, so followed the build steps, but it fails on 'make'
macOS 10.14.6
```
$ make
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -arch armv7 -arch armv7s -arch arm64 -c main.m
main.m:67:10: error: 'launchPath' is unavailable: not available on iOS
task.launchPath = executablePath;
^
note:
'launchPath' has been explicitly marked unavailable here
@property (nullable, copy) NSString *launchPath
API_DEPRECATED_WITH_REPLACEMENT("executableU...
^
main.m:71:11: error: 'launch' is unavailable: not available on iOS
[task launch];
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Foundation.framework/Versions/C/Headers/NSTask.h:78:1: note:
'launch' has been explicitly marked unavailable here
- (void)launch API_DEPRECATED_WITH_REPLACEMENT("launchAndReturnError:", macos(10.0, API_TO_B...
^
2 errors generated.
make: *** [main.o] Error 1
```
keychain_dumper does not work anymore on my iPhoneSE with iOS 14. Following happened:
iPhone-von-MartinSE:/private/var/Keychains root# ./keychain_dumper -a
[INFO] No Generic Password Keychain items found.
[HINT] You should unlock your device!
[INFO] No Internet Password Keychain items found.
[HINT] You should unlock your device!
[INFO] No Identity Keychain items found.
[HINT] You should unlock your device!
[INFO] No Certificate Keychain items found.
[HINT] You should unlock your device!
[INFO] No Key Keychain items found.
[HINT] You should unlock your device!
iPhone-von-MartinSE:/private/var/Keychains root#
Although the device is unlocked, jailbroken (by checkra1n), and the keychain_dumper is executable. The command 'keychain_dumper -e' does work, but 'keychain_dumper -s' and entering a number causes the same result as above.
I run it on iOS 7.1. The RSA private key works, but the ECPrivateKey cannot be dumped.
Like this:
Key
---
Entitlement Group: ichat
Label: iMessage Signing Key
Application Label: <2a354b3f b9232e90 30974d5a 026f0a13 8e7e70cd>
Key Class: Private
Permanent Key: True
Key Size: 256
Effective Key Size: 256
For Encryption: False
For Decryption: True
For Key Derivation: True
For Signatures: True
For Signature Verification: False
For Key Wrapping: False
For Key Unwrapping: True
---------dict begin---------
encr:0
agrp:ichat
drve:1
vyrc:0
vrfy:0
priv:1
mdat:2015-05-24 22:36:10 +0000
modi:1
next:0
asen:0
sdat:2001-01-01 00:00:00 +0000
class:keys
type:73
v_Data:<047165f0 7a0ffd35 ebbe630e b88bc9ce e78678b1 854f5bf3 58848c3f f58d0c04 29079c76 85328170 de4c7243 27f6e6a0 d6484237 407b1a01 fa791b39 f25dd789 8601df78 72169171 47549158 ca154e84 f6667aa5 151f5a23 d4fe6789 f61f1f13 14>
bsiz:256
sens:0
wrap:0
tomb:0
v_Ref:<SecKeyRef curve type: kSecECCurveSecp256r1, algorithm id: 3, key type: ECPrivateKey, version: 2, block size: 256 bits, addr: 0x15d25f20>
sync:0
extr:1
cdat:2015-05-24 22:36:10 +0000
perm:1
pdmn:dku
sign:1
snrc:0
unwp:1
klbl:<2a354b3f b9232e90 30974d5a 026f0a13 8e7e70cd>
esiz:256
decr:1
kcls:1
atag:
edat:2001-01-01 00:00:00 +0000
labl:iMessage Signing Key
crtr:0
---------dict end-----------
Hi There,
This is Sameer, Pentester. Unable to dump the keychain data using keychain dumper as it always ends by saying No generic password keychain items found.
Device: iPhone 7
OS version: iOS 11.2.6
Jailbreak: Electra
./keychain_dumper
dyld: Library not loaded: /System/Library/Frameworks/UIKit.framework/UIKit
Referenced from: /private/var/root/./keychain_dumper
Reason: image not found
What is wrong?
I received an email from someone asking if I knew how to dump credentials from Google Authenticator, as the user was trying to move to a new phone and had a ton of TOTP codes stored. They noticed that the elements in Google Authenticator weren't accessible. They also mentioned that it appeared these elements had the "ThisDevice" protection class. The full list can be found on https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values. It wasn't clear to me, but I'm guessing Google is using either kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly or kSecAttrAccessibleWhenUnlockedThisDeviceOnly. I don't see why this would prevent access on the current device, but I'm also not at all familiar with the "ThisDevice" option. It has been a number of years, but I don't recall that being available however many years back when this tool was first written (it very well could have been and I've forgotten though).
I no longer have a jailbroken phone to test/debug this with. So, I was hoping some recent contributors might have more up to date info about this protection class and whether it is something that we can support or not. /cc @mechanico @0xln @vocaeq
./keychain_dumper
No Generic Password Keychain items found.
No Internet Password Keychain items found.
I followed your way, but when I codesigned keychain-dumper, there is an error, which is
cer2.cer: no identity found
I don't know why.
Can you help me.
Thank you very much.
It would be great to be able to script this, but at the moment -s requires user input. Is it possible to change a few of the user args to change behaviour, e.g.
-l : list all entitlements (same as -s but don't ask for 'Select Entitlement Group by Number')
-g : dump all entitlements for the group from the numbered list above/ entitlement group ID/name
Complete process:
root# keychain_dumper -l
Entitlement Group [0]: 243LU875E5.com.example.Me
Entitlement Group [1]: 37CJY58B6M.org.Foo.Bar
Entitlement Group [2]: 3N5VQ668Y7.com.MyApp
root# keychain_dumper -g 2
[INFO] 5QRQZ3BQNM.com.MyApp selected.
I would attempt to have a go myself, but make doesn't work for me, separate issue raised.
Dumper
Is there a specific version of the iPhone SDK this needs to be built with?
dyld: symbol '_objc_release_x19' not found, expected in '/usr/lib/libobjc.A.dylib', needed by '/private/var/tmp/./keychain_dumper'
Getting that error when attempting to run after building using the latest Xcode beta (with iOS 16 SDK only). Will attempt using the 14.0.1 SDK, but thought it was worth an ask.
I used checkra1n to jailbreak the device (iPhone 6), after that I ssh into the phone and when trying to execute the executable it spits out this error
dyld: Symbol not found: _objc_opt_new
Referenced from: /private/var/tmp/./keychain_dumper (which was built for iOS 14.4)
Expected in: dyld shared cache
in /private/var/tmp/./keychain_dumper
Abort trap: 6
Also, am I supposed to transfer only the executable or the whole directory?
#cd /private/var/Keychains/
#chmod 777 /bin/keychain_dumper
#/bin/keychain_dumper > keychain-export.txt
dyld: Symbol not found: _objc_opt_new
Referenced from: /bin/keychain_dumper (which was built for iOS 13.5)
Expected in: /usr/lib/libobjc.A.dylib
in /bin/keychain_dumper
Abort trap: 6
The device info :
iOS 12.4
iPhone6
MacBook-Air.local 15.6.0 Darwin Kernel Version 15.6.0: root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
i386
I’ve been successfully dumping some keychain data in iOS 13, but in iOS 14 I’ve been unable to dump the data. Unfortunately, with option -g it did not get me any data from the same specific application. Any advice on how I can make keychain dumper work on iOS 14?
Kind regards
/*
* Copyright (c) 2011, Neohapsis, Inc.
* All rights reserved.
*
* Implementation by Patrick Toomey
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice, this list
* of conditions and the following disclaimer.
* - Redistributions in binary form must reproduce the above copyright notice, this
* list of conditions and the following disclaimer in the documentation and/or
* other materials provided with the distribution.
* - Neither the name of Neohapsis nor the names of its contributors may be used to
* endorse or promote products derived from this software without specific prior
* written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
Source: https://github.com/ptoomey3/Keychain-Dumper/blob/master/main.m#L1
dyld: Symbol not found: _objc_opt_new
Referenced from: /bin/keychain_dumper (which was built for iOS 13.5)
Expected in: dyld shared cache
in /bin/keychain_dumper
Abort trap: 6
function getKeychainObjectsForSecClass
return nothing
The tool seems to work great, I was able to dump the keychain on an iPhone 5S / 7.1.2. However, when dumping identities, the actual private key does not seem to be dumped.
Example:
Key
---
Entitlement Group: com.apple.apsd
Label: APSClientIdentity
Application Label: <20byte identifier>
Key Class: Private
Permanent Key: True
Key Size: 1024
Effective Key Size: 1024
For Encryption: False
For Decryption: True
For Key Derivation: True
For Signatures: True
For Signature Verification: False
For Key Wrapping: False
For Key Unwrapping: True
Is it possible to extract the actual 128byte private key DATA also, or am I missing something?
I'm currently on an iPhone 4 with iOS 5.0.1
After executing the 'make' command I get the following:
/Users/Mike/Desktop/Key_Dump/toolchain/usr/bin/gcc -Os -Wimplicit -isysroot /Users/Mike/Desktop/Key_Dump/sdk -arch armv6 -c main.m
make: /Users/Mike/Desktop/Key_Dump/toolchain/usr/bin/gcc: No such file or directory
make: *** [main.o] Error 1
any idea why?
Hi,
I am wondering if it's only me (maybe a package I have installed that is causing this), but keychain_dumper is not finding items on iOS 13.5. It does not even prompt for a passcode when I run the tool.
# ./keychain_dumper -a
[INFO] No Generic Password Keychain items found.
[HINT] You should unlock your device!
[INFO] No Internet Password Keychain items found.
[HINT] You should unlock your device!
[INFO] No Identity Keychain items found.
[HINT] You should unlock your device!
[INFO] No Certificate Keychain items found.
[HINT] You should unlock your device!
[INFO] No Key Keychain items found.
[HINT] You should unlock your device!
# ls -l /private/var/Keychains/keychain-2.db
-rw-r--r-- 1 _securityd wheel 1732608 Jun 3 01:13 /private/var/Keychains/keychain-2.db
Tried it with:
Can someone please confirm/refute this?
Thanks!
This may be a problem with the unc0ver jailbreak (v3.0.0-b46) on iPhone 5s and not a bug in Keychain-Dumper, however trying to run a binary I compiled myself on iOS 12 I'm getting:
# ./keychain_dumper
Killed: 9
dmesg output:
Sandbox: bash(1243) System Policy: deny(1) process-exec* /private/var/root/keychain_dumper
Sandbox: hook..execve() killing keychain_dumper[pid=1243, uid=0]: (err=1) process-exec denied while updating labe
Hi Patrick,
I have my own device, which is passcode protected by a global policy that I cannot turn off (the field is greyed out). I know my own code (8 digits minimum), but will your tool dump all the keychain if I run it when the phone is unlocked? I think even if the screen is unlocked, you will need to use the passcode to dump the keychain, right? And the phone won't ask for the lock code on the screen, I guess.
So could you add the possibility of including a passcode in the program?
Thanks a lot. I really liked your tool.
iphone7 ios13.5.1 checkra1n
showing this:
[INFO] No Generic Password Keychain items found.
[HINT] You should unlock your device!
[INFO] No Internet Password Keychain items found.
[HINT] You should unlock your device!
[INFO] No Identity Keychain items found.
[HINT] You should unlock your device!
[INFO] No Certificate Keychain items found.
[HINT] You should unlock your device!
[INFO] No Key Keychain items found.
[HINT] You should unlock your device!
Hello,
I am trying my best to figure out how to use your software on a BFU device (I have the code and all. I just want to see if I can replicate what Elcomsoft has done with their EIFT) to dump out a partial Keychain.
But I run in to the issue of not being allowed to copy stuff to the /usr/bin. Which is fair.
I also try to run sqlite3 straight in the shell, but get "bus error: 10". Have you any idea what I can do to fix that issue?
Google is not being helpful..
/LeGioN
What do I do when an app is presenting this?
Label: (null)
Accessible Attribute: kSecAttrAccessibleWhenUnlocked, protection level 2 (default)
Application Label: <>
Application Tag: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Key Class: Public
Key Size: 0
Effective Key Size: 0
[INFO] Malformed key data detected. Check/Cleanup KeyChain manually.
Hi,
Can keychain items be accessed normally via this tool when the following SecAccessControlCreateFlags are set?
https://developer.apple.com/documentation/security/secaccesscontrolcreateflags
I tested it quickly and the answer is no (well, except for .userPresence, where a passcode is required), but want to be 100% sure if my test app was behaving correctly.
pretty much what the title says, tried doing it myself by filtering Strings with no success. Also, could someone point me to a nice ObjC tutorial/starting point? Thanks in advance.
Not really an issue - but it would be really awesome if the keychain dumper also lists the KeyChain Accessibility Constants.
Revert e35a0a6.
If they need a pre-built binary, create a pre-release and upload it there instead.
Resources:
How to Reproduce:
I uploaded keychaindumper through ssh.
./keychain_dumper
chmod +r /private/var/Keychains/keychain-2.db
Error:
Killed: 9
and I have tried others too, none works.
Please solve the issue.
Can this tool export the private key of the [Apple Iphone Device CA] certificate? thanks.
I'd like to set a global path for all output artifacts. Currently everything goes into ~/.needle/tmp/
I'd like to change that globally to the folder where I am storing all my assessment artifacts instead of having to set it on every module I enable.
Maybe this is possible and I missed it in the settings somewhere.
@ptoomey, As per the script "updateEntitlements.sh" I've fetched all the entitlements on the device and grant keychain-dumper with those entitlements. But, I couldn't dump the keychain information though.
iPhone 7 (Jailbroken device)
iOS version 13.3.1
Approach: 1
Approach: 2
It simply throws an output stating the following:
[INFO] No Generic Password Keychain items found.
[HINT} You should unlock your device!
[INFO] No Internet Password Keychain items found.
[HINT} You should unlock your device!
Request your assistance....
I get the following error on iOS 3 on iPhone 3 when executing:
command:
ldid -S/var/tmp/entitlements.xml key_dumper.exe
error:
Error with ldid -S/var/tmp/entitlements.xml keychain_dumper
and then when I run
./key_dumper
I get the message killed.
I am using the binary and entitlements.xml from the January 2012 update, and both files have 777 permissions
root# ./keychain_dumper -a > keychain_dump.log
Segmentation fault: 11
iPhone 8,1 iOS 9.1 Cydia64_1.1.28
cannot dump anything on iOS 13.5 :(
Can't run the program for some reason. It's killed right away with the message "Killed: 9" (no matter whether it's with the arg "-e" or not).
Access rights - 777, trying to run from /tmp. I've tried to compile it myself as well the binary attached.
I got that: (ios5 Iphone 4)
_assert(78:WIFEXITED(status))
Why?
Thanks
Will IOS 15 be supported?
Hi Patrick Toomey,
I have to say that your code was very helpful to me.
I downloaded your binary and ran it on IOS 6 on an iPad 3
where I needed to inspect some of my passwords.
Worked like a charm, although it was written for IOS 5!
I would like to send you my warmest thanks - I'm really grateful.
Keep up the good work.
cheers - chris
OSStatus error -34018 - client has neither application-identifier nor keychain-access-groups entitlements
With iOS 13.5.1, after updating the entitlements for each element we found in the keychain, we get the data still encrypted like so:
Internet Password
-----------------
Server: Manatee
Account: FD4F3030-750B-4DBE-B319-5F5A33A6088A
Entitlement Group: com.apple.security.ckks
Label: (null)
Accessible Attribute: kSecAttrAccessibleWhenUnlocked, protection level 2 (default)
Keychain Data: UY4cJvCwK1u/s7aXIRIZx7fB7XwXstFcxxxxxxxxxxxxxxxxLjKuz74kgSd3uqcgUPr/onJ7//uzA3B2FYiw==
Internet Password
-----------------
Server: Manatee
Account: 0D28927E-4722-4852-8D5C-0A64719A35DB
Entitlement Group: com.apple.security.ckks
Label: (null)
Accessible Attribute: kSecAttrAccessibleAfterFirstUnlock, protection level 1
Keychain Data: PJPkpXO1tlZEhU8VaMdyLTUAspjYpGk/CxxxxxxxxxxG8GfA/lVwF2gi3hKNo9lkQPl+X2rSb8w==
I've replaced some of the data with 'x' just to be extra safe exposing this information
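The `Accessible Attribute` line in dumps like the one above is what tells an app developer when an entry can be read. The following is an added example, not part of the original reports or of keychain_dumper itself: it parses text in that record layout and classifies each entry by its accessibility constant. The sample records and the function names `parse_records`, `classify` and `audit` are constructed for illustration.

```python
import re

# Constructed sample in the record layout shown in the report above
# (entry title, dashed rule, then "Field: value" lines); values are made up.
SAMPLE = """\
Internet Password
-----------------
Server: example.invalid
Entitlement Group: com.example.sync
Accessible Attribute: kSecAttrAccessibleWhenUnlocked, protection level 2 (default)
Internet Password
-----------------
Server: example.invalid
Entitlement Group: com.example.sync
Accessible Attribute: kSecAttrAccessibleAfterFirstUnlock, protection level 1
Generic Password
----------------
Service: com.example.app
Entitlement Group: ABCDE12345.com.example.app
Accessible Attribute: kSecAttrAccessibleAlways
"""

RULE = re.compile(r"-{3,}")
SUFFIX = "ThisDeviceOnly"  # such items are not restored onto a different device

def parse_records(text):
    """Split dumper-style text into one dict per keychain entry."""
    records, current = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and RULE.fullmatch(nxt):      # a title line precedes a dashed rule
            current = {"Type": line}
            records.append(current)
        elif current is not None and ":" in line and not RULE.fullmatch(line):
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records

def classify(record):
    """Describe when an entry is readable, from its accessibility constant."""
    m = re.match(r"kSecAttrAccessible(\w+)", record.get("Accessible Attribute", ""))
    if not m:
        return {"constant": None, "device_only": None,
                "readable_while_locked": None, "note": "no accessibility attribute reported"}
    name = m.group(1)
    device_only = name.endswith(SUFFIX)
    base = name[:-len(SUFFIX)] if device_only else name
    notes = {
        "Always": "deprecated class: readable even before first unlock",
        "AfterFirstUnlock": "readable while locked, once unlocked since boot",
        "WhenUnlocked": "readable only while the device is unlocked",
        "WhenPasscodeSet": "needs a passcode set; readable only while unlocked",
    }
    return {"constant": m.group(0), "device_only": device_only,
            "readable_while_locked": base in ("Always", "AfterFirstUnlock"),
            "note": notes.get(base, "unrecognised constant")}

def audit(text):
    """Return (record, classification) pairs for every parsed entry."""
    return [(r, classify(r)) for r in parse_records(text)]

if __name__ == "__main__":
    for rec, info in audit(SAMPLE):
        flag = "REVIEW" if info["readable_while_locked"] else "ok"
        print(f'{flag:6} {rec["Type"]:18} {rec.get("Entitlement Group", "?"):28} {info["note"]}')
```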
I want to get the keys from iPhone 4 / iOS 7.1. Do I need to do it like this?
set env:
```
ln -s /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk sdk
ln -s /Applications/Xcode.app/Contents/Developer toolchain
make
```
then the result is:
```
In file included from main.m:31:
In file included from /work/Keychain-Dumper-master/sdk/System/Library/Frameworks/UIKit.framework/Headers/UIKit.h:14:
In file included from /work/Keychain-Dumper-master/sdk/System/Library/Frameworks/UIKit.framework/Headers/UIActivityViewController.h:9:
In file included from /work/Keychain-Dumper-master/sdk/System/Library/Frameworks/UIKit.framework/Headers/UIViewController.h:10:
In file included from /work/Keychain-Dumper-master/sdk/System/Library/Frameworks/UIKit.framework/Headers/UIApplication.h:13:
/work/Keychain-Dumper-master/sdk/System/Library/Frameworks/UIKit.framework/Headers/UIDevice.h:33:1: error: use of empty enum
};
^
main.m:318:2: error: selector element type 'id *' is not a valid object
for (id *kSecClassType in (NSArray *) arguments) {
^ ~~~~~~~~~~~~~~~~~~~~
2 errors generated.
make: *** [main.o] Error 1
```
Can I use keychain_dumper for keychain-2.db on OS X?
Thanks so much
I just uploaded "keychain_dumper" via SSH to my iPad 2 (it's iPad 2,1), which is running iOS 5.1.1.
But once I try to run ./keychain_dumper,
it says "Killed: 9".
Then I tried "ldid -S keychain_dumper" and then "./keychain_dumper", and I still received a "Killed: 9".
I don't have a Mac, so it could be a difficult thing for me to compile it by myself.
So is there any way to solve this problem?
I used the "auto save password" option in Safari (mail.google.com), but I can't get the Gmail password from Keychain-Dumper. I also get this problem with Safari on OS X. I don't know why.
Can you explain it to me, please?
@ptoomey3 thank you so much for KeyChain dumper. I love this tool.
Are there any hidden options for displaying the raw data of the KeyChain Data field? I cannot see ciphertext value when I run a dump. The field always appears as (null). I attached an example below.
It is an iOS app. The app performs an AES256 encrypt function before storing data within KeyChain. It looks like the Ciphertext is encoded using NSUTF8StringEncoding before persisting in KeyChain.
Service: com.monkey.zoo
Account: fYEzNKo3h0KXfgs2BmNy
Entitlement Group: FEY6Z943BR.*
Label: (null)
Generic Field: fYEzNKo3h0KXfgs2BmNy
Keychain Data: (null)
My device has no such path.
Does anyone know this issue?