WithSecureLabs / needle

The iOS Security Testing Framework
https://mobiletools.mwrinfosecurity.com/

keychain_dumper does not dump all items. #35

Closed tghosth closed 7 years ago

tghosth commented 7 years ago

Issue

This is not so much an issue in needle as an issue in a binary it uses, but I wanted it to be on record so that people are aware, and to suggest using a different tool.

Expected behaviour

The keychain_dump.py module should dump all keychain items when run.

Actual behaviour

For some unknown reason, the keychain_dumper binary seems to dump some but not all keychain items. Specifically, I knew that an app I was testing stored the password in the keychain but it did not appear in the output of this module.

I then tried using the binary from here (source?) and it dumped a lot more items, including the password I was looking for.

I don't have time now, but I could try creating an updated version of the module which uses this different binary, if you are interested?

Steps to reproduce

I am not sure yet what causes items to appear or not appear in the file, but I just wanted to raise the issue. Unfortunately, for confidentiality reasons I cannot include the keychain outputs for comparison.

Environment

Workstation Operating System

Kali 2016.2

Python Version

2.7.12+

Python Packages (pip freeze)

root@kali:~/Work# pip freeze

Device iOS Version

9.2
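One way to verify dumper coverage as the issue describes: parse the output of two dumper binaries and flag every item present in one but absent from the other, so a missing secret is reported rather than assumed not to be in the keychain. This is an added example, not needle's module or either dumper's code; the record format and field names are assumed, and both dumps are constructed.

```python
import re

# Constructed sample output in an assumed keychain_dumper-style text format
# (one record per blank-line-separated block of "Field: value" lines).
# DUMP_A stands for the incomplete dump, DUMP_B for the fuller one.
DUMP_A = """\
Generic Password
----------------
Service: com.example.app
Account: session_token
Accessible Attribute: kSecAttrAccessibleWhenUnlocked
Keychain Data: <redacted>
"""

DUMP_B = DUMP_A + """
Generic Password
----------------
Service: com.example.app
Account: user_password
Accessible Attribute: kSecAttrAccessibleAfterFirstUnlock
Keychain Data: <redacted>
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$")


def parse_dump(text):
    """Return {(service, account): {field: value}} for every record in a dump."""
    items = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "Service" in fields or "Account" in fields:
            items[(fields.get("Service", ""), fields.get("Account", ""))] = fields
    return items


def missing_items(reference, candidate):
    """Keys dumped in `reference` but absent from `candidate`, sorted."""
    return sorted(set(reference) - set(candidate))


def coverage_report(reference, candidate):
    """One line per item the candidate dumper missed, with its protection class."""
    return ["%s / %s (%s)" % (s, a, reference[(s, a)].get("Accessible Attribute", "?"))
            for s, a in missing_items(reference, candidate)]


if __name__ == "__main__":
    for line in coverage_report(parse_dump(DUMP_B), parse_dump(DUMP_A)):
        print("missed by dump A:", line)
```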

marco-lancini commented 7 years ago

Hi @tghosth, we were aware of this issue and we were trying to investigate it. It would be awesome if you could submit a new version of this module which addresses this issue.

tghosth commented 7 years ago

Hi @marco-lancini, I couldn't resist...

See #37

marco-lancini commented 7 years ago

Haha, thanks a lot! I'll review it and merge it into master.

tghosth commented 7 years ago

Hi @marco-lancini, I will have another stab at this, but it may not be for a few days' time, so if you or someone else works on it in the meantime, please let me know. Thanks :)

tghosth commented 7 years ago

Hi @marco-lancini, the updated version is now in PR #46.