n0fate / chainbreaker

Mac OS X Keychain Forensic Tool
GNU General Public License v2.0

Private key export from macOS Monterey system keychain fails with [Invalid Password / Keychain Locked] #25

Closed ericfitz closed 2 years ago

ericfitz commented 2 years ago

Monterey 12.2.1

    ~/projects/chainbreaker master ./chainbreaker.py -p -o ~/cert/ --export-private-keys /Library/Keychains/System.keychain
    Unlock Password:
    2022-02-23 14:45:53,858 - INFO -

    ChainBreaker 2 - https://github.com/gaddie-3/chainbreaker

    2022-02-23 14:45:53,858 - INFO - Runtime Command: ./chainbreaker.py -p -o /Users/XXX/cert/ --export-private-keys /Library/Keychains/System.keychain
    2022-02-23 14:45:53,858 - INFO - Keychain: /Library/Keychains/System.keychain
    2022-02-23 14:45:53,858 - INFO - Keychain MD5: dcbe47b235cf7fbe6d478b908f2db39e
    2022-02-23 14:45:53,858 - INFO - Keychain 256: fb2b63894837680590f21b8ade98340b2a2f283e20324d963fcab49c794bf16d
    2022-02-23 14:45:53,858 - INFO - Dump Start: 2022-02-23 14:45:53.858162
    - private_key_offset2022-02-23 14:45:53,888 - WARNING - 23632
    private_key_offset2022-02-23 14:45:53,888 - WARNING - 23632
    private_key_offset2022-02-23 14:45:53,888 - WARNING - 23632
    private_key_offset2022-02-23 14:45:53,889 - WARNING - 23632
    2022-02-23 14:45:53,889 - INFO - 0 Private Keys
    2022-02-23 14:45:53,889 - INFO -

    ChainBreaker 2 - https://github.com/gaddie-3/chainbreaker

    2022-02-23 14:45:53,889 - INFO - Runtime Command: ./chainbreaker.py -p -o /Users/XXX/cert/ --export-private-keys /Library/Keychains/System.keychain
    2022-02-23 14:45:53,889 - INFO - Keychain: /Library/Keychains/System.keychain
    2022-02-23 14:45:53,889 - INFO - Keychain MD5: dcbe47b235cf7fbe6d478b908f2db39e
    2022-02-23 14:45:53,889 - INFO - Keychain 256: fb2b63894837680590f21b8ade98340b2a2f283e20324d963fcab49c794bf16d
    2022-02-23 14:45:53,889 - INFO - Dump Start: 2022-02-23 14:45:53.858162
    2022-02-23 14:45:53,889 - INFO - Dump Summary:
    2022-02-23 14:45:53,889 - INFO -    0 Private Keys
    2022-02-23 14:45:53,889 - INFO - Dump End: 2022-02-23 14:45:53.889181

zangse commented 2 years ago

Maybe you can try this version? This library has been updated recently. https://github.com/nkraetzschmar/chainbreaker

ericfitz commented 2 years ago

Thank you for the suggestion. I tried this; specifically, I added these lines to _get_base_address (~line 556), in addition to the existing conditionals, in accordance with https://github.com/nkraetzschmar/chainbreaker/commit/75c52d1adf6e1931b7027bba98b43a1d2d946812

        if table_name >= 0x4000 and table_name < 0x5000:
            table_name = 15
        if table_name >= 0x5000 and table_name < 0x6000:
            table_name = 16

The error is now gone, but this still fails to export private keys from Mojave's system keychain, with either a password or using an unlock file while the keychain is unlocked. The export seems to work but when I examine the key file that is written, it contains the text "[Invalid Password / Keychain Locked]".

ericfitz commented 2 years ago

I put a $100 bounty up on this issue: https://app.bountysource.com/issues/105707095-private-key-export-from-macos-monterey-system-keychain-fails-with-invalid-password-keychain-locked

zangse commented 2 years ago

Hi @ericfitz, have you tried it with SystemKey?

    ./chainbreaker.py -p -o ~/cert/ --export-private-keys /Library/Keychains/System.keychain --unlock-file /var/db/SystemKey

ericfitz commented 2 years ago

Yes, I did try that before I updated the issue. I ran both with and without sudo. Here's the error I got: IOError: [Errno 1] Operation not permitted: '/var/db/SystemKey'

zangse commented 2 years ago

> Yes, I did try that before I updated the issue. I ran both with and without sudo. Here's the error I got: IOError: [Errno 1] Operation not permitted: '/var/db/SystemKey'

Hi @ericfitz, in this case, you should disable macOS SIP first. https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection

ericfitz commented 2 years ago

That did the trick.
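
A pre-flight and post-export check for the two failure modes seen in this thread, added here as an example and not part of chainbreaker or of any post above. It separates the `Errno 1` (EPERM) failure on `/var/db/SystemKey` from an ordinary permissions error, and flags exported files that hold the `[Invalid Password / Keychain Locked]` placeholder instead of key material. The function names and return labels are assumptions.

```python
import errno
import os

# Placeholder text the thread reports finding inside "exported" key files.
FAILED_EXPORT_MARKER = b"[Invalid Password / Keychain Locked]"


def classify_unlock_file(path, opener=open):
    """Try to read the unlock file and explain a failure by its errno.

    `opener` is injectable so the error paths can be exercised on any OS.
    """
    try:
        with opener(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return "missing"
    except OSError as exc:  # IOError is an alias of OSError on Python 3
        if exc.errno == errno.EACCES:
            # Errno 13: ordinary file permissions; elevated privileges help.
            return "needs-privileges"
        if exc.errno == errno.EPERM:
            # Errno 1, as in the thread: refused even under sudo, which
            # points at a platform protection (SIP there), not file modes.
            return "blocked-by-protection"
        raise
    return "readable" if data else "empty"


def failed_exports(out_dir):
    """Return exported files that contain the failure placeholder."""
    bad = []
    for root, _dirs, files in os.walk(out_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                if FAILED_EXPORT_MARKER in fh.read():
                    bad.append(full)
    return bad


if __name__ == "__main__":
    print(classify_unlock_file("/var/db/SystemKey"))
    print(failed_exports(os.path.expanduser("~/cert")))
```

Run `failed_exports` on the `-o` output directory after every dump, since the tool logged no error for the placeholder files described above.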