Open Explorer1092 opened 6 years ago
my os x version : 10.12.6
I have exactly the same issue using the same mac os version. It works very well decrypting the user keychain but the system keychain fails. I have done my test using the same password on both keychain.
The following condition fails because my value of pad is equal to 188. I have tried to debug the problem without success.
However, thanks for your great work !
@AlessandroZ Did you try the 24bytes System Key on macOS? It's stored on '/private/var/db/SystemKey'
I have tried. my os x version : 10.13.1 @n0fate
MBP:run kevin$ sudo hexdump -e '16/1 "%02x" ""' -s 8 -n 24 /private/var/db/SystemKey |xargs python -c 'import sys;print sys.argv[1].upper()'
Password:
1C7F6F3340C29050C826B6B29EB507F3770BAE942E6D0CEE
MBP:chainbreaker-master kevin$ python chainbreaker.py -f /Library/Keychains/System.keychain -k 1C7F6F3340C29050C826B6B29EB507F3770BAE942E6D0CEE
[-] DB Key
00000000: 00 .
[+] Symmetric Key Table: 0x00007968
Traceback (most recent call last):
File "chainbreaker.py", line 968, in <module>
main()
File "chainbreaker.py", line 779, in main
passwd = keychain.KeyblobDecryption(ciphertext, iv, dbkey)
File "chainbreaker.py", line 599, in KeyblobDecryption
plain = kcdecrypt(dbkey, magicCmsIV, encryptedblob)
File "chainbreaker.py", line 696, in kcdecrypt
cipher = triple_des(key, CBC, iv)
On 10.12.6, doing exactly what @Explorer1092 did sudo hexdump -e '16/1 "%02x" ""' -s 8 -n 24 /private/var/db/SystemKey |xargs python -c 'import sys;print sys.argv[1].upper()'
it works for me.
The system keychain is well decrypted. It's weird that it failed on newer version. I will try to upgrade later, to check again.
Thanks a lot !
@AlessandroZ Thank you.
@Explorer1092 I will check it asap ;-)
@Explorer1092 It seems to be the DB Key decryption failed. It's occurred when the master key is invalid. I modified some code for stability(?). I will comment it when I find some bug on my code.
Hi, just to let you know, I have updated my system and I have tried chainbreaker using your last commit and it worked very well for me.
Here is my Mac OS version:
Mac OS High Sierra
Version: 10.13.1
I won't have access to a Mac anymore, that's why I did a last try :). The issue has been fixed for me. Thanks for your work.
Have a nice day.
@AlessandroZ Thank you. I don't know why the issue of @Explorer1092 is occurred. I can't solve problem until @Explorer1092 send keychain file to me. ;-( It's security(and privacy) issue. So I can not request your keychain file.
@n0fate do you have a email?i can send the example keychain file to you.
@Explorer1092 I got your email. but you didn't attach a SystemKey file.
/var/db/SystemKey
is a "blob" not just the raw key. I have added support for it in #6
I have merged @ve6yeq 's code.
MBP:chainbreaker-master kevin$ python chainbreaker.py -f /Library/Keychains/System.keychain -k 2fc651f52eca28b3bd66890c35528e95fa802e52fa4d6079 [-] DB Key 00000000: 00 . [+] Symmetric Key Table: 0x00007968 Traceback (most recent call last): File "chainbreaker.py", line 970, in
main()
File "chainbreaker.py", line 781, in main
passwd = keychain.KeyblobDecryption(ciphertext, iv, dbkey)
File "chainbreaker.py", line 599, in KeyblobDecryption
plain = kcdecrypt(dbkey, magicCmsIV, encryptedblob)
File "chainbreaker.py", line 696, in kcdecrypt
cipher = triple_des(key, CBC, iv)
File "/Users/kevin/Downloads/chainbreaker-master/pyDes.py", line 524, in init
self.setKey(key)
File "/Users/kevin/Downloads/chainbreaker-master/pyDes.py", line 537, in setKey
raise ValueError("Invalid triple DES key size. Key must be either 16 or 24 bytes long")
ValueError: Invalid triple DES key size. Key must be either 16 or 24 bytes long