cedowens / SwiftBelt

A macOS enumeration tool inspired by harmjoy's Windows-based Seatbelt enumeration tool. Author: Cedric Owens
BSD 3-Clause "New" or "Revised" License
317 stars, 36 forks

Safari Database Enumeration #4

Open Ne0nd0g opened 4 years ago

Ne0nd0g commented 4 years ago

SwiftBelt does not enumerate the Safari database when /Applications/Safari.app/Contents/MacOS/Safari is not running on macOS 10.15.5.

zeroCool$ ps aux | grep -i safari
zeroCool          1228   0.0  0.8  4341064  17736   ??  S     7:25AM   0:01.67 /System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
zeroCool          1224   0.0  0.5  4317712   9848   ??  S     7:25AM   0:00.07 /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
zeroCool          1216   0.0  0.5  4314568   9624   ??  S     7:25AM   0:00.14 /System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
zeroCool           825   0.0  0.6  4315148  12048   ??  S     7:12AM   0:00.67 /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariBookmarksSyncAgent
zeroCool          1407   0.0  0.0  4268268    676 s001  S+    8:01AM   0:00.00 grep -i safari
zeroCool$ ./SwiftBelt -BrowserHistory
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 _______  _     _  ___   _______  _______  _______  _______  ___      _______
|       || | _ | ||   | |       ||       ||  _    ||       ||   |    |       |
|  _____|| || || ||   | |    ___||_     _|| |_|   ||    ___||   |    |_     _|
| |_____ |       ||   | |   |___   |   |  |       ||   |___ |   |      |   |
|_____  ||       ||   | |    ___|  |   |  |  _   | |    ___||   |___   |   |
 _____| ||   _   ||   | |   |      |   |  | |_|   ||   |___ |       |  |   |
|_______||__| |__||___| |___|      |___|  |_______||_______||_______|  |___|

SwiftBelt: A MacOS enumerator similar to @harmjoy's Seatbelt. Does not use any command line utilities
author: @cedowens
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

##########################################
==>Browser History Info:

***************Quarantine History Results for user zeroCool***************
Date: 1989-06-05 14:26:31 | App: com.apple.Safari | File: https://raw.githubusercontent.com/cedowens/SwiftBelt/master/SwiftBelt | OriginURL: 
Date: 1989-06-05 14:31:55 | App: com.google.Chrome | File: https://raw.githubusercontent.com/cedowens/SwiftBelt/master/SwiftBelt | OriginURL: https://github.com/cedowens/SwiftBelt/blob/master/SwiftBelt
Date: 1989-06-05 15:00:49 | App: com.apple.Safari | File: https://raw.githubusercontent.com/cedowens/SwiftBelt/master/SwiftBelt | OriginURL: https://github.com/cedowens/SwiftBelt/blob/master/SwiftBelt

***************Safari history results for user zeroCool***************
[-] Could not open the Safari History.db file for user zeroCool

I killed all of the running processes one by one and the results stayed the same:

zeroCool$ ps aux | grep -i safari
zeroCool          1432   0.0  0.0  4278064    284 s001  R+    8:05AM   0:00.00 grep -i safari
zeroCool$ ./SwiftBelt -BrowserHistory
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 _______  _     _  ___   _______  _______  _______  _______  ___      _______
|       || | _ | ||   | |       ||       ||  _    ||       ||   |    |       |
|  _____|| || || ||   | |    ___||_     _|| |_|   ||    ___||   |    |_     _|
| |_____ |       ||   | |   |___   |   |  |       ||   |___ |   |      |   |
|_____  ||       ||   | |    ___|  |   |  |  _   | |    ___||   |___   |   |
 _____| ||   _   ||   | |   |      |   |  | |_|   ||   |___ |       |  |   |
|_______||__| |__||___| |___|      |___|  |_______||_______||_______|  |___|

SwiftBelt: A MacOS enumerator similar to @harmjoy's Seatbelt. Does not use any command line utilities
author: @cedowens
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

##########################################
==>Browser History Info:

***************Quarantine History Results for user zeroCool***************
Date: 1989-06-05 14:26:31 | App: com.apple.Safari | File: https://raw.githubusercontent.com/cedowens/SwiftBelt/master/SwiftBelt | OriginURL: 
Date: 1989-06-05 14:31:55 | App: com.google.Chrome | File: https://raw.githubusercontent.com/cedowens/SwiftBelt/master/SwiftBelt | OriginURL: https://github.com/cedowens/SwiftBelt/blob/master/SwiftBelt
Date: 1989-06-05 15:00:49 | App: com.apple.Safari | File: https://raw.githubusercontent.com/cedowens/SwiftBelt/master/SwiftBelt | OriginURL: https://github.com/cedowens/SwiftBelt/blob/master/SwiftBelt

***************Safari history results for user zeroCool***************
[-] Could not open the Safari History.db file for user zeroCool
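
The script below is an added example, not SwiftBelt's own code and not posted by either participant. It reproduces the "open Safari's History.db" step of the report above in a way that separates the OS-level reason for an open failure from the SQLite query: it copies `~/Library/Safari/History.db` (and its `-wal`, if present) to a temporary directory so a running Safari's locks do not matter, queries the `history_items`/`history_visits` tables, and classifies a failed copy by errno. Assumptions to note: the default path and the table and column names are those of Safari's History.db schema; mapping EPERM ("Operation not permitted") to a TCC denial is a heuristic, since that is the error an unprivileged process gets on Catalina and later for a protected folder when it lacks Full Disk Access, but the page does not say that this is what happened on the reporter's machine. `make_sample_history_db` builds a constructed sample database so the rest runs offline. Safari stores `visit_time` as seconds since 2001-01-01 (Apple's Core Data reference date), not Unix time; the conversion is included because reading such a value as Unix time lands 31 years early, which is also the shift visible in the 1989 quarantine dates above.

```python
"""Read Safari history from a copy of History.db and classify open failures.

Added example, not SwiftBelt's code. Table/column names follow Safari's
History.db schema; the EPERM -> TCC mapping is a heuristic (assumption).
"""
import datetime as dt
import errno
import os
import shutil
import sqlite3
import tempfile

# Apple's Core Data / NSDate reference date: 2001-01-01 00:00:00 UTC.
# history_visits.visit_time counts seconds from here, not from the Unix epoch
# (the two epochs differ by 978307200 seconds, about 31 years).
CORE_DATA_EPOCH = dt.datetime(2001, 1, 1, tzinfo=dt.timezone.utc)

DEFAULT_HISTORY_DB = os.path.expanduser("~/Library/Safari/History.db")


def core_data_to_datetime(seconds):
    """Convert a Core Data timestamp (seconds since 2001-01-01 UTC) to datetime."""
    return CORE_DATA_EPOCH + dt.timedelta(seconds=seconds)


def classify_open_error(err):
    """Map the OSError raised while copying History.db to a short diagnosis."""
    if err.errno == errno.ENOENT:
        return "missing"        # no History.db for this user
    if err.errno == errno.EPERM:
        return "tcc_denied"     # assumption: ~/Library/Safari is TCC-protected,
                                # caller lacks Full Disk Access (Catalina and later)
    if err.errno == errno.EACCES:
        return "posix_denied"   # ordinary file-mode / ownership problem
    return "other"


def read_safari_history(db_path=DEFAULT_HISTORY_DB, limit=50):
    """Copy History.db (plus WAL, if any) to a temp dir and query the copy.

    Copying avoids SQLite locks held by a running Safari and surfaces the
    OS-level error (as OSError) before sqlite3 can report a vaguer one.
    The copy of db + WAL is not atomic, which is acceptable for enumeration.
    """
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "History.db")
        shutil.copy2(db_path, copy)          # raises OSError: ENOENT/EPERM/EACCES
        wal = db_path + "-wal"
        if os.path.exists(wal):
            shutil.copy2(wal, copy + "-wal")  # unflushed visits live in the WAL
        conn = sqlite3.connect(copy)
        try:
            rows = conn.execute(
                "SELECT v.visit_time, i.url, v.title "
                "FROM history_visits v JOIN history_items i ON v.history_item = i.id "
                "ORDER BY v.visit_time DESC LIMIT ?", (limit,)).fetchall()
        finally:
            conn.close()
    return [(core_data_to_datetime(t), url, title) for t, url, title in rows]


def enumerate_history(db_path=DEFAULT_HISTORY_DB, limit=50):
    """Return (status, rows); status is 'ok' or a classify_open_error() value."""
    try:
        return "ok", read_safari_history(db_path, limit)
    except OSError as err:
        return classify_open_error(err), []


def make_sample_history_db(path, visits):
    """Build a minimal History.db with the two tables the query needs.

    Constructed sample data for offline testing, not a real Safari database.
    """
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,"
        " visit_time REAL, title TEXT);")
    for n, (visit_time, url, title) in enumerate(visits, start=1):
        conn.execute("INSERT INTO history_items VALUES (?, ?)", (n, url))
        conn.execute("INSERT INTO history_visits VALUES (?, ?, ?, ?)",
                     (n, n, visit_time, title))
    conn.commit()
    conn.close()


def demo():
    """Offline run on a constructed sample DB plus one missing-file probe.

    Returns (status, rows, status_for_missing_file).
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "History.db")
        # 612000000 s after 2001-01-01 is 2020-05-24 08:00 UTC; read as Unix
        # time it would print as 1989, the same 31-year shift as in the report.
        make_sample_history_db(sample, [
            (612000000.0, "https://github.com/cedowens/SwiftBelt", "SwiftBelt"),
            (612003600.0, "https://raw.githubusercontent.com/cedowens/SwiftBelt/master/SwiftBelt", None),
        ])
        status, rows = enumerate_history(sample)
        missing_status, _ = enumerate_history(os.path.join(tmp, "nope.db"))
    return status, rows, missing_status


if __name__ == "__main__":
    # Real run against the current user's Safari history.
    status, rows = enumerate_history()
    print("status:", status)
    for when, url, title in rows:
        print(when.isoformat(), url, title or "")
```

Run on a macOS host, `python3 safari_history.py` prints `status: ok` followed by the most recent visits, or `status: tcc_denied` when the terminal it runs from has no Full Disk Access grant (Catalina and later), which is the case the errno check is there to distinguish from a simply absent database; the `demo()` function exercises the same code path on the constructed sample without touching `~/Library/Safari`.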

cedowens commented 4 years ago

Thanks for reporting. I have not been able to replicate this issue...on my test systems I have been able to pull Safari history even when it is running. I will continue to investigate and test on more systems to see if I can troubleshoot the issue you encountered.