n0fate / chainbreaker

Mac OS X Keychain Forensic Tool
GNU General Public License v2.0

Question about system and user keychain #4

Closed AlessandroZ closed 6 years ago

AlessandroZ commented 6 years ago

@n0fate, I have a question that I cannot understand.

When you open the keychain using the "Keychain Access" application on a Mac, you can unlock all keychains (in my case, I have "Login", "Local Items" and "System") using your system password (of course I assume you do not change the password of the keychain after its creation).

However, using chainbreaker, I could decrypt the user keychain using the system account password; however, it does not work when I try to decrypt the system keychain (whereas using the "Keychain Access" application, it works).

On the contrary, it's the same problem for decrypting the system keychain: it works using the system key, but this key does not work to decrypt the user keychain.

So I cannot understand why "Keychain Access" manages to do it?

Another thing: does the user have a user key (such as the system key stored in /private/var/db/SystemKey), and where can I find it? When I see your README, you manage with volafox to retrieve multiple master keys from memory:

[*] master key candidate: 78006A6CC504140E077D62D39F30DBBAFC5BDF5995039974
[*] master key candidate: 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9
[*] master key candidate: 2DD97A4ED361F492C01FFF84962307D7B82343B94595726E

And then you decrypt the user keychain using one of these keys:

python chainbreaker.py -f ~/Desktop/show/login.keychain -k 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9

So I guess that there are a system key and a user key stored in two different places and both keychains are encrypted using these two different keys.

I tried to understand by myself without success, so if you could help me understand this behaviour it would be awesome.

Thanks for your time!

n0fate commented 6 years ago

> So I cannot understand why "Keychain Access" manages to do it?

The key for the System keychain, stored in /var/db/SystemKey, is loaded into physical memory when the OS boots. Keychain Access can decrypt system keychain entries through the key in physical memory. It is much like sudo.

> Another thing: does the user have a user key (such as the system key stored in /private/var/db/SystemKey), and where can I find it?

I don't know which process or kext stores it, so the keychaindump module of volafox uses pattern matching over the kernel memory area. I recommend you read the following article: "Breaking into the OS X Keychain", written by Juuso Salonen.
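The master-key relationship n0fate describes, as an added example (this is not code from chainbreaker, volafox or this thread): a login keychain's master key is derived from the account password and that keychain's own DbBlob salt with PBKDF2-HMAC-SHA1 (1000 iterations, 24-byte output, as keychaindump and chainbreaker implement it), whereas the System keychain's master key is a stored key rather than a password derivation, which is why the same password cannot serve both. The script rederives the login key and uses it to label a volafox-style candidate list. The password, salt, candidate values and the 24-byte SystemKey contents are constructed stand-ins, and treating the SystemKey file as holding the raw 24-byte key is an assumption.

```python
import hashlib

# Keychain master-key derivation parameters as described in Salonen's
# keychaindump write-up and implemented in chainbreaker: PBKDF2-HMAC-SHA1,
# 1000 iterations, 24-byte output, salted with the keychain's own DbBlob salt.
PBKDF2_ITERATIONS = 1000
MASTER_KEY_LEN = 24


def derive_master_key(password: str, salt: bytes) -> bytes:
    """Master key for a password-protected keychain such as login.keychain."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, MASTER_KEY_LEN)


def classify_candidates(candidates, password, login_salt, system_key):
    """Label each memory-scan candidate (hex string) by the keychain it
    unlocks: 'login' if it equals the password-derived key for login_salt,
    'system' if it equals the key read from the SystemKey file, otherwise
    'unknown'. Anything that is not 24 bytes is flagged 'invalid-length'."""
    expected_login = derive_master_key(password, login_salt)
    labels = {}
    for cand in candidates:
        key = bytes.fromhex(cand)
        if len(key) != MASTER_KEY_LEN:
            labels[cand] = "invalid-length"
        elif key == expected_login:
            labels[cand] = "login"
        elif key == system_key:
            labels[cand] = "system"
        else:
            labels[cand] = "unknown"
    return labels


# Constructed sample inputs: not a real password, salt, key or SystemKey file.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_LOGIN_SALT = bytes(range(20))            # 20-byte DbBlob salt (constructed)
SAMPLE_SYSTEM_KEY = bytes(range(0x10, 0x28))    # 24 bytes, assumed to be the
                                                # raw SystemKey contents


def build_sample_candidates():
    """Mimic a volafox candidate list: one unrelated 24-byte value, the real
    login master key and the SystemKey contents, all as hex strings."""
    return [
        "a1" * MASTER_KEY_LEN,
        derive_master_key(SAMPLE_PASSWORD, SAMPLE_LOGIN_SALT).hex(),
        SAMPLE_SYSTEM_KEY.hex(),
    ]


def main():
    labels = classify_candidates(build_sample_candidates(), SAMPLE_PASSWORD,
                                 SAMPLE_LOGIN_SALT, SAMPLE_SYSTEM_KEY)
    for cand, label in labels.items():
        print(f"[*] master key candidate: {cand.upper()}  -> {label}")
    # The same password with another keychain's salt yields a different key,
    # so a login-derived key can never unlock a second password keychain.
    other = derive_master_key(SAMPLE_PASSWORD, bytes(20))
    print("same password, different salt, same master key?",
          other == derive_master_key(SAMPLE_PASSWORD, SAMPLE_LOGIN_SALT))


if __name__ == "__main__":
    main()
```

To check a real candidate list, replace SAMPLE_LOGIN_SALT with the 20-byte salt taken from the keychain's DbBlob and SAMPLE_PASSWORD with the account password; the candidate that labels as 'login' is the one to hand to chainbreaker with -k.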

AlessandroZ commented 6 years ago

Thank you for your time. I was confused about the Keychain mechanism. I will take a look at the document. Have a nice day.