n0fate / ichainbreaker Goto Github PK

Hi,
Under which license is the code distributed?
You stated, that this proof-of-concept will be merged into chainbreaker which is licensed under GPLv2. Can I assume that the same license applies to this proof-of-concept as well?

Same as #5, just for 10.15 this time.

[*] macOS version is 10.15
[*] Keybag Header
 [*] versions : 4
 [*] type : System Keybag
 [*] wrap : Wrapped key after AES encrypted with device key
 [*] iteration count : 50000

assert A == 0xa6a6a6a6a6a6a6a6, "AESUnwrap: integrity check FAIL, wrong kek ? %x"%A
AssertionError: AESUnwrap: integrity check FAIL, wrong kek ? a0e23b64db0c.... 

DeviceKey Validation fails at AESUnwrap, even before comparing to sign.

Since the DeviceKey seems to be fine, I guess, the unwrapping changed
(AppleKeyStore.kext -> AppleKeyStore::device_key_init() code stayed the same)

rax = _uuid_parse(rax, &var_30);
if (rax == 0x0) {
    ccpbkdf2_hmac(_ccsha256_di(), 0x10, &var_30, 0x0, 0x0, 0xc350, 0x20, r14 + 0x118);
    *(int8_t *)AppleKeyStore::device_key_init()::device_key_initialized = 0x1;
}

I'm trying to export my local keychain using a known password. The export starts and seems to decrypt some items. But it then fails with the following traceback

$ python iChainbreaker.py -v 10.14 -p ~/Library/Keychains/FFAD682E-CA5B-4307-AB88-8F5B8A1247FC/ -x export.sqlite
...
 [-] CLAS : kSecAttrAccessibleAlwaysThisDeviceOnly 11
 [-] WRAP : AES encrypted with device key
 [-] KTYP : AES with GCM
 [-] Decrypted Key : 970c11...145f0
[*] Export DB Name : export.sqlite
Traceback (most recent call last):
  File "iChainbreaker.py", line 267, in <module>
    main()
  File "iChainbreaker.py", line 175, in main
    decrypted = item.decrypt_secret_data(key)
  File "iChainbreaker-master/itemv7.py", line 65, in decrypt_secret_data
    gcm = AES.new(key, AES.MODE_GCM, authenticated['SFInitializationVector'])
AttributeError: 'module' object has no attribute 'MODE_GCM'

I'm running Mojave 10.14.6

Commit 99e7ba1 broke the keychain parsing for me. The sequence does not contain components in the form of field-n.

Using the position instead fixed it for me.

I am using pyasn1 in version 0.4.2-1

In github.com/hah0Na/iChainbreaker @hah0Na implements iCloud keychain item version 7.
Any documentation available regarding version 7?
From which version of macOS is iCloud keychain version 7 incorporated?

On latest MacOs version 10.14 I received following error while running
$ iChainbreaker.py -p /Users/ssk/Library/Keychains/524D25E7-7C27-5FC0-XXXX-DBCF5BC6101E/ -k password -v 10.14

Error :-
Tool for iCloud Keychain Analysis by @n0fate
[] macOS version is 10.14
[] UUID : 524D25E7-7C27-5FC0-XXXX-DBCF5BC6101E
[] Keybag : /Users/ssk/Library/Keychains/524D25E7-7C27-5FC0-XXXX-DBCF5BC6101E/user.kb
[] iCloud Keychain File : /Users/ssk/Library/Keychains/524D25E7-7C27-5FC0-XXXX-DBCF5BC6101E/keychain-2.db
[+] Keybag Header
[-] versions : 5
[-] type : System Keybag
[-] uuid : ef0bd07c-a810-4463-XXXX-a740916acf21
[-] hmac key : 8e0022157161caedf64d64c5915013a1531debf4ce0f5998ddd71ce9740763a1442dcd85f1e17a21
[-] wrap : None
[-] salt : 4f9c4d7acbfa5d2b322df923149de87e43efb0f8
[-] iteration count : 100000
[-] Signature : 9252299d6a3ae69ae465d3d62af5d77ba50ed227
[] The Device key : f48eb94f96818d164ce992e998e5cdccbcb4569551b9284bc95d56b6c7b694be
[] Device Key validation : Pass
[*] The passcode key : 9d744b8d9220b146dedf64801b6b639854484878e3b940473798d4b27911b663
Traceback (most recent call last):
File "iChainbreaker.py", line 220, in
main()
File "iChainbreaker.py", line 133, in main
keybag.Decryption()
File "/Users/ssk/Downloads/iChainbreaker-master-2/keybag.py", line 180, in Decryption
unwrapped = AESUnwrap(self.passcodekey, data)
File "/Users/ssk/Downloads/iChainbreaker-master-2/crypto/aeswrap.py", line 33, in AESUnwrap
assert A == 0xa6a6a6a6a6a6a6a6, "AESUnwrap: integrity check FAIL, wrong kek ? %x"%A
AssertionError: AESUnwrap: integrity check FAIL, wrong kek ? 1dbc0b68e8b3fe39

Thanks..