AlessandroZ / LaZagne

Credentials recovery project
GNU Lesser General Public License v3.0

Support for Mac OS X #24

Closed frdmn closed 6 years ago

jntme commented 9 years ago

Does it not run on OS X yet?

frdmn commented 9 years ago

@bananatreedad It does, but it was made originally just for Linux / Windows applications.

Would love to see some OS X applications as well :)

jntme commented 9 years ago

That would indeed be nice :)

webben-de commented 8 years ago

+1

AlessandroZ commented 8 years ago

I would love to do this for OS X, but first of all I need a Mac ;) (or to install a Mac OS on a virtual machine) and more time. I have done this project in Python in order to be very flexible and to build it on many OSes. So the core of the win / unix project (without modules) can easily be used for Mac OS too. The main goal for OS X is to retrieve the keychain (which contains lots of passwords) and maybe Firefox, because it is already implemented. This could be a good start for the project.

So, if someone wants to do it, feel free to use my code and to improve the project. My main problem is time. So right now it is not my priority; however, any help could be useful to improve this project.

iodbh commented 7 years ago

I fixed the Mozilla module to work on Mac (two paths to change), could be a start for more Mac support. #100

oskarstr commented 7 years ago

Hey guys,

As you can see --> https://github.com/manwhoami/OSXChromeDecrypt/blob/master/chrome_passwords.py

works great for decrypting Chrome passwords. The only downside to this is that when it invokes security find-generic-password -wa 'Chrome' on line 6, it requires the user to click "allow" on the security popup dialog. It doesn't require admin access or entering the root password. Using a similar technique with the "security" command you can pretty much dump the whole keychain without a root account or password; the only issue is that for every item you're dumping you'll need to click on allow access. You can see more about the commands here --> https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html

There used to be a bug where you could read the root password from memory (POC: https://github.com/juuso/keychaindump), but since El Capitan that's been fixed because they introduced SIP. That would definitely make things easier, because you could just read the root password from memory and then dump the decrypted keychain using that root password.

Unless there is some 0day somewhere, I think it's just a matter of figuring out how to automate the submission of 'allow' in the popup dialog when you try to access a keychain item. You can't control it with keyboard commands, unfortunately…

Oh, and there's also this --> https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/03tasks/tasks.html#//apple_ref/doc/uid/TP30000897-CH205-TP9

Use the SecKeychainSetUserInteractionAllowed function to enable or disable the automatic display of dialogs. When you call this function with a value of FALSE for the state parameter, any Keychain Services functions that ordinarily open dialogs instead return immediately with the result errSecInteractionRequired. You can use the SecKeychainGetStatus function to find out whether the keychain exists and is unlocked. You can then use the SecKeychainUnlock function to unlock the keychain, or the SecKeychainCreate function to create a new keychain, as necessary.

I haven't tried it, so not sure if it would work or not, but worth exploring.
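A defender-side counterpart to the `security` usage discussed above, added here and not part of this thread or of LaZagne: a small detector over constructed process-execution events that flags `security` invocations which print a keychain secret (handling clustered flags such as `-wa` getopt-style, so `-aw` is read as `-a w`) and the dumping tool names mentioned in this thread. The event shape, the set of value-taking options and the tool list are my assumptions.

```python
import shlex

# Constructed process-execution events (the shape an EDR or Endpoint Security
# feed might give you); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4011, "parent": "Terminal", "cmdline": "security find-generic-password -a 'GitHub'"},
    {"pid": 4012, "parent": "python3", "cmdline": "security find-generic-password -wa 'Chrome'"},
    {"pid": 4013, "parent": "launchd", "cmdline": "security list-keychains"},
    {"pid": 4014, "parent": "python3", "cmdline": "/tmp/keychaindump"},
    {"pid": 4015, "parent": "bash", "cmdline": "security find-internet-password -s example.com -g"},
    {"pid": 4016, "parent": "bash", "cmdline": "security find-generic-password -aw 'x'"},  # -a consumes "w"
]

SECRET_SUBCOMMANDS = {"find-generic-password", "find-internet-password"}
# Assumed set of short options of those subcommands that take a value (see security(1));
# needed so that a cluster like "-aw" is read as -a "w", not as -a plus -w.
TAKES_VALUE = set("acCdDGjlpPrst")
# -w prints the password to stdout, -g prints it to stderr.
SECRET_FLAGS = {"w", "g"}
KNOWN_DUMP_TOOLS = {"keychaindump", "chainbreaker"}


def short_flags(argv):
    """Return the set of bare short flags present in argv, parsed getopt-style."""
    flags, skip_next = set(), False
    for tok in argv:
        if skip_next:
            skip_next = False
            continue
        if not tok.startswith("-") or tok.startswith("--") or tok == "-":
            continue
        for i, ch in enumerate(tok[1:], 1):
            if ch in TAKES_VALUE:
                skip_next = i == len(tok) - 1  # value is the next token only if nothing follows in-cluster
                break
            flags.add(ch)
    return flags


def classify(event):
    """Return a reason string if the event reads a keychain secret, else None."""
    argv = shlex.split(event["cmdline"])
    if not argv:
        return None
    exe = argv[0].rsplit("/", 1)[-1]
    if exe in KNOWN_DUMP_TOOLS:
        return f"known keychain dumping tool {exe}"
    if exe == "security" and len(argv) > 1 and argv[1] in SECRET_SUBCOMMANDS:
        hit = short_flags(argv[2:]) & SECRET_FLAGS
        if hit:
            return f"security {argv[1]} with -{''.join(sorted(hit))} (prints the secret)"
    return None


def scan(events):
    """Return (pid, parent, reason) for every flagged event."""
    findings = []
    for e in events:
        reason = classify(e)
        if reason:
            findings.append((e["pid"], e["parent"], reason))
    return findings
```

Correlating the parent process (a script interpreter rather than Terminal) is what separates a user looking up one password from an automated dump.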

AlessandroZ commented 7 years ago

I have installed a Mac OS VM with El Capitan to do my tests.

I have tried to dump the sudo password from memory using "keychaindump", but I confirm it does not work on this OS X version. I also tried "chainbreaker" with the sudo password, but I couldn't manage to retrieve my Safari passwords which are stored in the keychain.

All other well-known methods to retrieve passwords on Mac OS require user interaction. I found lots of phishing techniques to do it, but in my tool I don't want to use any interaction which could freeze the program until the user interacts with it.

So right now, I don't know what to do. I will wait until I get a better idea.

iodbh commented 7 years ago

I had good results with chainbreaker; so far it's the solution that extracted the most keychain passwords on my Mac in the context of a LaZagne module and without disabling SIP. The only issue with it is that it requires providing a password. It's still valuable, since there's a chance the master password is being reused somewhere else where it's already recoverable.

AlessandroZ commented 7 years ago

@iodbh, could you confirm that you used chainbreaker on the El Capitan version of Mac OS? Could you retrieve Safari passwords? And last question, are they stored in the following keychain file: "/Users//Library/Keychains/login.keychain"?

Because on my system, using the user keychain, I got lots of information, but Safari passwords are not retrieved in plain text or not retrieved at all. I retrieve neither the login nor the password.

That's why, for now, I don't want to embed the tool without being sure it works.

iodbh commented 7 years ago

Yeah, chainbreaker on El Capitan. It does not output the Safari passwords but it does find a lot of other passwords. I suspect Safari uses a different record format.

barrett092 commented 7 years ago

For MacOS Sierra I get 'key3 file not found' as an error.

AlessandroZ commented 6 years ago

I have done a Mac OS version and I released it today (only the source code is available).

There are 2 problems remaining:

Please read the Mac OS part of the README before using it.

Hope to correct these 2 problems soon.