macOS Sensitive Locations & Interesting Daemons

Passwords

Shadow Passwords

Shadow password is stored with the user's configuration in plists located in /var/db/dslocal/nodes/Default/users/. The following oneliner can be use to dump all the information about the users (including hash info):

for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; fi; done

Scripts like this one or this one can be used to transform the hash to hashcat format.

An alternative one-liner which will dump creds of all non-service accounts in hashcat format -m 7100 (macOS PBKDF2-SHA512):

sudo bash -c 'for i in $(find /var/db/dslocal/nodes/Default/users -type f -regex "[^_]*"); do plutil -extract name.0 raw $i | awk "{printf \$0\":\$ml\$\"}"; for j in {iterations,salt,entropy}; do l=$(k=$(plutil -extract ShadowHashData.0 raw $i) && base64 -d <<< $k | plutil -extract SALTED-SHA512-PBKDF2.$j raw -); if [[ $j == iterations ]]; then echo -n $l; else base64 -d <<< $l | xxd -p -c 0 | awk "{printf \"$\"\$0}"; fi; done; echo ""; done'

Another way to obtain the ShadowHashData of a user is by using dscl: sudo dscl . -read /Users/`whoami` ShadowHashData

/etc/master.passwd

This file is only used when the system id running in single-user mode (so not very frequently).

Keychain Dump

Note that when using the security binary to dump the passwords decrypted, several prompts will ask the user to allow this operation.

#security
security dump-trust-settings [-s] [-d] #List certificates
security list-keychains #List keychain dbs
security list-smartcards #List smartcards
security dump-keychain | grep -A 5 "keychain" | grep -v "version" #List keychains entries
security dump-keychain -d #Dump all the info, included secrets (the user will be asked for his password, even if root)

Keychaindump

Keychaindump Overview

A tool named keychaindump has been developed to extract passwords from macOS keychains, but it faces limitations on newer macOS versions like Big Sur, as indicated in a discussion. The use of keychaindump requires the attacker to gain access and escalate privileges to root. The tool exploits the fact that the keychain is unlocked by default upon user login for convenience, allowing applications to access it without requiring the user's password repeatedly. However, if a user opts to lock their keychain after each use, keychaindump becomes ineffective.

Keychaindump operates by targeting a specific process called securityd, described by Apple as a daemon for authorization and cryptographic operations, crucial for accessing the keychain. The extraction process involves identifying a Master Key derived from the user's login password. This key is essential for reading the keychain file. To locate the Master Key, keychaindump scans the memory heap of securityd using the vmmap command, looking for potential keys within areas flagged as MALLOC_TINY. The following command is used to inspect these memory locations:

sudo vmmap <securityd PID> | grep MALLOC_TINY

After identifying potential master keys, keychaindump searches through the heaps for a specific pattern (0x0000000000000018) that indicates a candidate for the master key. Further steps, including deobfuscation, are required to utilize this key, as outlined in keychaindump's source code. Analysts focusing on this area should note that the crucial data for decrypting the keychain is stored within the memory of the securityd process. An example command to run keychaindump is:

sudo ./keychaindump

chainbreaker

Chainbreaker can be used to extract the following types of information from an OSX keychain in a forensically sound manner:

• Hashed Keychain password, suitable for cracking with hashcat or John the Ripper

• Internet Passwords

• Generic Passwords

• Private Keys

• Public Keys

• X509 Certificates

• Secure Notes

• Appleshare Passwords

Given the keychain unlock password, a master key obtained using volafox or volatility, or an unlock file such as SystemKey, Chainbreaker will also provide plaintext passwords.

Without one of these methods of unlocking the Keychain, Chainbreaker will display all other available information.

Dump keychain keys

#Dump all keys of the keychain (without the passwords)
python2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain

Dump keychain keys (with passwords) with SystemKey

# First, get the keychain decryption key
# To get this decryption key you need to be root and SIP must be disabled
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey && echo
## Use the previous key to decrypt the passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain

Dump keychain keys (with passwords) cracking the hash

# Get the keychain hash
python2.7 chainbreaker.py --dump-keychain-password-hash /Library/Keychains/System.keychain
# Crack it with hashcat
hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt
# Use the key to decrypt the passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain

Dump keychain keys (with passwords) with memory dump

Follow these steps to perform a memory dump

#Use volafox (https://github.com/n0fate/volafox) to extract possible keychain passwords
# Unformtunately volafox isn't working with the latest versions of MacOS
python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump

#Try to extract the passwords using the extracted keychain passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain

Dump keychain keys (with passwords) using users password

If you know the users password you can use it to dump and decrypt keychains that belong to the user.

#Prompt to ask for the password
python2.7 chainbreaker.py --dump-all --password-prompt /Users/<username>/Library/Keychains/login.keychain-db

kcpassword

The kcpassword file is a file that holds the user’s login password, but only if the system owner has enabled automatic login. Therefore, the user will be automatically logged in without being asked for a password (which isn't very secure).

The password is stored in the file /etc/kcpassword xored with the key 0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F. If the users password is longer than the key, the key will be reused. This makes the password pretty easy to recover, for example using scripts like this one.

Interesting Information in Databases

Messages

sqlite3 $HOME/Library/Messages/chat.db .tables
sqlite3 $HOME/Library/Messages/chat.db 'select * from message'
sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment'
sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages'
sqlite3 $HOME/Suggestions/snippets.db 'select * from emailSnippets'

Notifications

You can find the Notifications data in $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/

Most of the interesting information is going to be in blob. So you will need to extract that content and transform it to human readable or use strings. To access it you can do:

cd $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/
strings $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db | grep -i -A4 slack

Notes

The users notes can be found in ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite

sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite .tables

#To dump it in a readable format:
for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select Z_PK from ZICNOTEDATA;"); do sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select writefile('body1.gz.z', ZDATA) from ZICNOTEDATA where Z_PK = '$i';"; zcat body1.gz.Z ; done

Preferences

In macOS apps preferences are located in $HOME/Library/Preferences and in iOS they are in /var/mobile/Containers/Data/Application/<UUID>/Library/Preferences.

In macOS the cli tool defaults can be used to modify the Preferences file.

/usr/sbin/cfprefsd claims the XPC services com.apple.cfprefsd.daemon and com.apple.cfprefsd.agent and can be called to perform actions such as modify preferences.

OpenDirectory permissions.plist

The file /System/Library/OpenDirectory/permissions.plist contains permissions applied on node attributes and is protected by SIP. This file grants permissions to specific users by UUID (and not uid) so they are able to access specific sensitive information like ShadowHashData, HeimdalSRPKey and KerberosKeys among others:

[...]
<key>dsRecTypeStandard:Computers</key>
<dict>
	<key>dsAttrTypeNative:ShadowHashData</key>
	<array>
		<dict>
			<!-- allow wheel even though it's implicit -->
			<key>uuid</key>
			<string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
			<key>permissions</key>
			<array>
				<string>readattr</string>
				<string>writeattr</string>
			</array>
		</dict>
	</array>
	<key>dsAttrTypeNative:KerberosKeys</key>
	<array>
		<dict>
			<!-- allow wheel even though it's implicit -->
			<key>uuid</key>
			<string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
			<key>permissions</key>
			<array>
				<string>readattr</string>
				<string>writeattr</string>
			</array>
		</dict>
	</array>
[...]

System Notifications

Darwin Notifications

The main daemon for notifications is /usr/sbin/notifyd. In order to receive notifications, clients must register through the com.apple.system.notification_center Mach port (check them with sudo lsmp -p <pid notifyd>). The daemon is configurable with the file /etc/notify.conf.

The names used for notifications are unique reverse DNS notations and when a notification is sent to one of them, the client(s) that have indicated that can handle it will receive it.

It's possible to dump the current status (and see all the names) sending the signal SIGUSR2 to the notifyd process and reading the generated file: /var/run/notifyd_<pid>.status:

ps -ef | grep -i notifyd
    0   376     1   0 15Mar24 ??        27:40.97 /usr/sbin/notifyd

sudo kill -USR2 376

cat /var/run/notifyd_376.status 
[...]
pid: 94379   memory 5   plain 0   port 0   file 0   signal 0   event 0   common 10
  memory: com.apple.system.timezone
  common: com.apple.analyticsd.running
  common: com.apple.CFPreferences._domainsChangedExternally
  common: com.apple.security.octagon.joined-with-bottle
[...]

Distributed Notification Center

The Distributed Notification Center whose main binary is /usr/sbin/distnoted, is another way to send notifications. It exposes some XPC services and it performs some check to try to verify clients.

Apple Push Notifications (APN)

In this case, applications can register for topics. The client will generate a token contacting Apple's servers through apsd. Then, providers, will have also generated a token and will be able to connect with Apple's servers to send messages to the clients. These messages will be locally received by apsd which will relay the notification to the application waiting for it.

The preferences are located in /Library/Preferences/com.apple.apsd.plist.

There is a local database of messages located in macOS in /Library/Application\ Support/ApplePushService/aps.db and in iOS in /var/mobile/Library/ApplePushService. It has 3 tables: incoming_messages, outgoing_messages and channel.

sudo sqlite3 /Library/Application\ Support/ApplePushService/aps.db

It's also possible to get information about the daemon and connections using:

/System/Library/PrivateFrameworks/ApplePushService.framework/apsctl status

User Notifications

These are notifications that the user should see in the screen:

• CFUserNotification: These API provides a way to show in the screen a pop-up with a message.

• The Bulletin Board: This shows in iOS a banner that disappears and will be stored in the Notification Center.

• NSUserNotificationCenter: This is the iOS bulletin board in MacOS. The database with the notifications in located in /var/folders/<user temp>/0/com.apple.notificationcenter/db2/db