n0fate / chainbreaker
Mac OS X Keychain Forensic Tool
License: GNU General Public License v2.0
Monterey 12.2.1
~/projects/chainbreaker master ./chainbreaker.py -p -o ~/cert/ --export-private-keys /Library/Keychains/System.keychain
Unlock Password:
2022-02-23 14:45:53,858 - INFO -
ChainBreaker 2 - https://github.com/gaddie-3/chainbreaker
2022-02-23 14:45:53,858 - INFO - Runtime Command: ./chainbreaker.py -p -o /Users/XXX/cert/ --export-private-keys /Library/Keychains/System.keychain
2022-02-23 14:45:53,858 - INFO - Keychain: /Library/Keychains/System.keychain
2022-02-23 14:45:53,858 - INFO - Keychain MD5: dcbe47b235cf7fbe6d478b908f2db39e
2022-02-23 14:45:53,858 - INFO - Keychain 256: fb2b63894837680590f21b8ade98340b2a2f283e20324d963fcab49c794bf16d
2022-02-23 14:45:53,858 - INFO - Dump Start: 2022-02-23 14:45:53.858162
- private_key_offset2022-02-23 14:45:53,888 - WARNING - 23632
private_key_offset2022-02-23 14:45:53,888 - WARNING - 23632
private_key_offset2022-02-23 14:45:53,888 - WARNING - 23632
private_key_offset2022-02-23 14:45:53,889 - WARNING - 23632
2022-02-23 14:45:53,889 - INFO - 0 Private Keys
2022-02-23 14:45:53,889 - INFO -
ChainBreaker 2 - https://github.com/gaddie-3/chainbreaker
2022-02-23 14:45:53,889 - INFO - Runtime Command: ./chainbreaker.py -p -o /Users/XXX/cert/ --export-private-keys /Library/Keychains/System.keychain
2022-02-23 14:45:53,889 - INFO - Keychain: /Library/Keychains/System.keychain
2022-02-23 14:45:53,889 - INFO - Keychain MD5: dcbe47b235cf7fbe6d478b908f2db39e
2022-02-23 14:45:53,889 - INFO - Keychain 256: fb2b63894837680590f21b8ade98340b2a2f283e20324d963fcab49c794bf16d
2022-02-23 14:45:53,889 - INFO - Dump Start: 2022-02-23 14:45:53.858162
2022-02-23 14:45:53,889 - INFO - Dump Summary:
2022-02-23 14:45:53,889 - INFO - 0 Private Keys
2022-02-23 14:45:53,889 - INFO - Dump End: 2022-02-23 14:45:53.889181
Traceback (most recent call last):
File "chainbreaker.py", line 27, in
from hexdump import hexdump
ImportError: No module named hexdump
Yes, python and pip are installed. I tried to figure this out but no luck.
First and foremost, I would like to say a huge thank you for supporting the chainbreaker application. I do have a question regarding its execution. I am trying to dump all of my Wi-Fi SSIDs and passwords into a CSV file. I was wondering what the command should look like to do that. I know the system.keychain location, as well as the system key password. Thank you again.
...and I don't have the suspect's password, and the system isn't live (it's just a disk dump)?
Will this tool have any chance of breaking the keychain? Could you give more detail on how?
Hi, can you help me? I can't find the macosxml.mem and memory image.
Had a play with this today and it did a good job of pulling out data from a System.keychain file. I needed to add parentheses to all of the 'print' lines first, though.
chainbreaker.zip
I'm using this repo https://github.com/nkraetzschmar/chainbreaker.
I can export the private keys from one of my Macs (Big Sur 11.6.1), but it does not work with my other Mac (11.6.2).
I ran the command and got these results.
command:
sudo python2.7 chainbreaker.py --dump-private-keys /Library/Keychains/System.keychain --unlock-file /var/db/SystemKey
2022-02-24 18:00:54,172 - INFO - Dump Start: 2022-02-24 18:00:54.172610
2022-02-24 18:00:54,173 - INFO - 5 Private Keys
2022-02-24 18:00:54,173 - INFO - [+] Private Key
2022-02-24 18:00:54,173 - INFO - [-] Print Name: imported private key
2022-02-24 18:00:54,173 - INFO - [-] Key Class: CSSM_KEYCLASS_PRIVATE_KEY
2022-02-24 18:00:54,173 - INFO - [-] Key Type: CSSM_ALGID_RSA
2022-02-24 18:00:54,173 - INFO - [-] Key Size: 2048
2022-02-24 18:00:54,173 - INFO - [-] Effective Key Size: 2048
2022-02-24 18:00:54,173 - INFO - [-] CSSM Type: Core CSP (local space)
2022-02-24 18:00:54,174 - INFO - [-] Base64 Encoded PrivateKey: [Invalid Password / Keychain Locked]
...
When I run this command, I got this result
systemkeychain -vt
Testing system unlock of /Library/Keychains/System.keychain
(If you are prompted for a passphrase, cancel)
System unlock is working
I checked out the code and did some simple prints; I found the ciphertext in function _find_wrapping_key is an empty string.
I know nothing about Python, I hope someone can help look at this problem, thanks~
Hey! I'm trying to use this to dump my own internet passwords, and I'm running into a crash while parsing the _APPL_DB_HEADER. Here's my invocation, and the output:
./chainbreaker.py --dump-internet-passwords --password=<somepassword> -a ~/Library/Keychains/53955E52-7540-58CB-93DD-008F838B7EAD/keychain-2.db
2021-06-24 08:36:09,080 - INFO -
ChainBreaker 2 - https://github.com/gaddie-3/chainbreaker
2021-06-24 08:36:09,081 - INFO - Runtime Command: ./chainbreaker.py --dump-internet-passwords --password=<somepassword> -a /Users/asb/Library/Keychains/53955E52-7540-58CB-93DD-008F838B7EAD/keychain-2.db
2021-06-24 08:36:09,081 - INFO - Keychain: /Users/asb/Library/Keychains/53955E52-7540-58CB-93DD-008F838B7EAD/keychain-2.db
2021-06-24 08:36:09,081 - INFO - Keychain MD5: 56c8eaa212f0f26f5b4616d2b96ff739
2021-06-24 08:36:09,081 - INFO - Keychain 256: f2824d498f1eaa89385a03c11f14bb4bd5c1a923fdb39d7eac6ed916588437a0
2021-06-24 08:36:09,081 - INFO - Dump Start: 2021-06-24 08:36:09.080976
Traceback (most recent call last):
File "./chainbreaker.py", line 1277, in <module>
unlock_file=args.unlock_file)
File "./chainbreaker.py", line 71, in __init__
self.filepath = filepath
File "./chainbreaker.py", line 568, in filepath
self._read_keychain_to_buffer()
File "./chainbreaker.py", line 169, in _read_keychain_to_buffer
self.schema_info, self.table_list = self._get_schema_info(self.header.SchemaOffset)
File "./chainbreaker.py", line 205, in _get_schema_info
schema_info = _APPL_DB_SCHEMA(self.kc_buffer[offset:offset + _APPL_DB_SCHEMA.STRUCT.size])
File "/Users/asb/Developer/chainbreaker/schema.py", line 332, in __init__
(self.SchemaSize, self.TableCount) = _APPL_DB_SCHEMA.STRUCT.unpack(buffer)
struct.error: unpack requires a string argument of length 8
The offset being used to index into the self.kc_buffer is massive, and it looks like the buffer passed into _APPL_DB_SCHEMA.STRUCT.unpack(buffer) is empty.
I'm running macOS 11.2.3 (20D91). Is this something you've run into before? Could you help me debug this?
sudo python chainbreaker.py --unlock-file ./SystemKey -a -e /Library/Keychains/System.keychain
...
2022-02-23 17:55:10,160 - INFO - Dump Start: 2022-02-23 17:55:10.159697
private_key_offset2022-02-23 17:55:10,625 - WARNING - 23596
private_key_offset2022-02-23 17:55:10,625 - WARNING - 23596
private_key_offset2022-02-23 17:55:10,625 - WARNING - 23596
private_key_offset2022-02-23 17:55:10,625 - WARNING - 23596
2022-02-23 17:55:10,625 - WARNING - [!] Public Key Table is not available
...
Is Monterey (12.2.1) not supported yet?
Python 2 is deprecated and is being removed from macOS in the immediate future starting with version 12.3.
Please update chainbreaker to work under Python 3.x
how?
python2.7 chainbreaker.py -p --dump-private-keys "/Users/xxx/Library/Keychains/login.keychain-db"
...
WARING - [!] Private Key Table is not available
INFO - 0 Private Keys
...
Is this a Big Sur issue?
@n0fate, I have a question that I cannot understand.
When you open the keychain using the "Keychain Access" application on a Mac, you can unlock all keychains (in my case, I have "Login", "Local Items" and "System") using your system password (of course I assume you did not change the password of the keychain after its creation).
However, using chainbreaker, I could decrypt the user keychain using the system account password, but it does not work when I try to decrypt the system keychain (whereas using the "Keychain Access" application, it works).
Conversely, it's the same problem with the system keychain: decrypting it works using the system key, but this key does not work to decrypt the user keychain.
So I cannot understand why "Keychain Access" manages to do it?
Another thing: does the user have a user key (such as the system key stored in /private/var/db/SystemKey) and where can I find it? When I read your Readme, you manage with volafox to retrieve multiple master keys from memory:
[*] master key candidate: 78006A6CC504140E077D62D39F30DBBAFC5BDF5995039974
[*] master key candidate: 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9
[*] master key candidate: 2DD97A4ED361F492C01FFF84962307D7B82343B94595726E
And then you decrypt the user keychain using one of these keys:
python chainbreaker.py -f ~/Desktop/show/login.keychain -k 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9
So I guess that there is a system key and a user key stored in two different places and the two keychains are encrypted using these two different keys.
I tried to understand this by myself without success, so if you could help me understand this behaviour it would be awesome.
Thanks for your time !
Lines 551 & 553 of chainbreaker.py (getAppleshareRecord function) utilize the '_INTERNET_PW_HEADER' class for parsing the Apple Share records instead of the appropriate '_APPLE_SHARE_HEADER' class.
I noticed that the _INTERNET_PW_HEADER class has no field 'Volume' and the getAppleshareRecord function attempts to use this in 'RecordMeta.Volume', while the _APPLE_SHARE_HEADER class does in fact have that field. I believe it's probably a simple oversight from copy/pasting but could be wrong...
If you'd like, I can make the small changes and perform a pull request to merge them in. Just let me know!
Hi.
Is there any way to dump passkeys?
According to About the security of passkeys they're supposed to be somewhere in the iCloud Keychain, but I haven't found anything similar to passkey by issuing the:
python -m chainbreaker --dump-public-keys ~/Library/Keychains/login.keychain-db
If you want to reproduce and create sample passkey, I would recommend YubiKey's demo site.
Note: need to use Safari on macOS to create syncable passkey.
MBP:chainbreaker-master kevin$ python chainbreaker.py -f /Library/Keychains/System.keychain -k 2fc651f52eca28b3bd66890c35528e95fa802e52fa4d6079
[-] DB Key
00000000: 00 .
[+] Symmetric Key Table: 0x00007968
Traceback (most recent call last):
File "chainbreaker.py", line 970, in
main()
File "chainbreaker.py", line 781, in main
passwd = keychain.KeyblobDecryption(ciphertext, iv, dbkey)
File "chainbreaker.py", line 599, in KeyblobDecryption
plain = kcdecrypt(dbkey, magicCmsIV, encryptedblob)
File "chainbreaker.py", line 696, in kcdecrypt
cipher = triple_des(key, CBC, iv)
File "/Users/kevin/Downloads/chainbreaker-master/pyDes.py", line 524, in init
self.setKey(key)
File "/Users/kevin/Downloads/chainbreaker-master/pyDes.py", line 537, in setKey
raise ValueError("Invalid triple DES key size. Key must be either 16 or 24 bytes long")
ValueError: Invalid triple DES key size. Key must be either 16 or 24 bytes long
I have a similar problem, https://security.stackexchange.com/questions/64323/export-non-extractable-private-key-from-keychain-on-os-x
The difference is that my device is M1 Pro, macOS 13.1, and I have tried many things with no success, including 'chainbreaker'.
So, I want to ask, do you support the above situation?
title, no longer working on Ventura Mac OS
Working if ran from console or unix executable / However when built into Application Bundle Fails with the following issue:
File "chainbreaker/__init__.py", line 111, in __init__
File "chainbreaker/__init__.py", line 634, in unlock_password
File "chainbreaker/__init__.py", line 388, in _generate_master_key
AttributeError: 'NoneType' object has no attribute 'Salt'
Just to let you know that README-keydump.txt is missing the pyopenssl requirement, should be cool to have a proper requirements.txt though.
Anyway thanks for the tool !
One question. Where are the Local Items' passwords stored in macOS? I assumed they are stored in the Keychain since the passwords are available when I open the Keychain app. Chainbreaker will pull the login items, but not the Local Items, which contain the passwords to websites stored in the Internet Browsers. I need to pull that information as well. See photo below. Thank you!
Originally posted by VladUZH April 23, 2024
Hi. Getting this error when trying to execute the code. I understand that it is connected to the circular import but don't know how to fix the problem. Any help would be appreciated.
(.conda) (base) vlpetrov@Vladimirs-MacBook-Pro chainbreaker-1 % python -m chainbreaker -pa login.keychain-db -o output
/Users/vlpetrov/Documents/Programming/chainbreaker-1/.conda/bin/python: Error while finding module specification for 'chainbreaker.main' (ImportError: cannot import name 'args_control' from partially initialized module 'chainbreaker' (most likely due to a circular import) (/Users/vlpetrov/Documents/Programming/chainbreaker-1/chainbreaker/init.py))
Hello there,
I have an issue attempting to open the login.keychain-db
mbp:chainbreaker admin$ python2 chainbreaker.py -f login.keychain-db -p ********
Traceback (most recent call last):
File "chainbreaker.py", line 35, in <module>
from validator import Validator
File "/Users/admin/chainbreaker/validator.py", line 2, in <module>
from Crypto.Util import asn1
ImportError: No module named Crypto.Util
mbp:chainbreaker admin$
Yes I know the keychain database is to be grabbed from User's library, I just made a local copy of it.
For what it's worth, I am running MacOS 10.15.3 (Catalina)
Any idea how to debug this?
Thanks
Edit: made the output cleaner
how can i get Web form password?
When I try to extract my WiFi passwords I get the following error, any ideas on how to fix it?
sh-3.2# python3 chainbreaker.py -k -o /Users/me/Downloads/keychain-export/ --export-all /Library/Keychains/System.keychain --unlock-file /private/var/db/SystemKey
Unlock Key:
Traceback (most recent call last):
File "/Users/me/chainbreaker/chainbreaker.py", line 1256, in
keychain_md5 = hashlib.md5(args.keychain).hexdigest()
^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: Strings must be encoded before hashing
I used the hexdump command to get the key but it does not seem to work: "hexdump -s 8 -n 24 -e '1/1 "%.2x"' /path/to/SystemKey && echo"
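Added example (not part of the issue above and not chainbreaker's own code): the traceback shows a str being handed to hashlib.md5 under Python 3, while an evidence hash should cover the file's bytes, so this sketch streams the file in binary mode and also length-checks the unlock key before it reaches the cipher. The function names are hypothetical, and the offset 8 / length 24 are assumptions taken from the hexdump command quoted in the post.

```python
import binascii
import hashlib
import os
import tempfile

KEY_OFFSET = 8    # assumption: taken from `hexdump -s 8` in the post above
KEY_LENGTH = 24   # assumption: taken from `hexdump -n 24`; a 24-byte 3DES key


def hash_file(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) of the file's bytes, not of its path."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def read_unlock_key(path, offset=KEY_OFFSET, length=KEY_LENGTH):
    """Read the key bytes from an unlock file and return them as hex."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        key = fh.read(length)
    if len(key) != length:
        raise ValueError("unlock file too short: %d of %d key bytes"
                         % (len(key), length))
    return binascii.hexlify(key).decode("ascii")


def parse_unlock_key(hex_key):
    """Validate a hex key typed at the 'Unlock Key:' prompt; return raw bytes."""
    try:
        key = binascii.unhexlify(hex_key.strip())
    except (ValueError, TypeError) as exc:
        raise ValueError("unlock key is not valid hex: %s" % exc)
    if len(key) != KEY_LENGTH:
        raise ValueError("unlock key must be %d bytes, got %d"
                         % (KEY_LENGTH, len(key)))
    return key


if __name__ == "__main__":
    # Constructed sample file: 8 header bytes, 24 key bytes, 4 trailing bytes.
    sample = b"\x00" * 8 + bytes(bytearray(range(24))) + b"\xff" * 4
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
    print(hash_file(tmp.name), parse_unlock_key(read_unlock_key(tmp.name)))
    os.remove(tmp.name)
```

Rejecting a key that is not exactly 24 bytes up front gives a clear message instead of the "Invalid triple DES key size" failure deep inside the decryption path seen in an earlier report on this page.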