Skip to content

A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken

Notifications You must be signed in to change notification settings

bmmcginty/Keychain-Dumper

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Keychain Dumper

Usage

All that should be needed to use keychain_dumper is the binary that is checked in to the Keychain-Dumper Git repository. This binary has been signed with a self-signed certificate with a "wildcard" entitlement that should grant keychain_dumper access to all Keychain items that would have been granted had the tool been signed with each individual entitlement. If you either don't trust this binary or are having trouble dumping Keychain items using the below steps, you may can build the tool from source and manually sign the appropriate entitlments into your build of the keychain_dumper binary.

As an aside, the following directions assume the target device has already been jailbroken.

Upload keychain_dumper to a directory of your choice on the target device (I have used /tmp during testing). Also, once uploaded, be sure to validate that keychain_dumper is executable (chmod +x ./keychain_dumper if it isn't) and validate that /private/var/Keychains/keychain-2.db is world readable (chmod +r /private/var/Keychains/keychain-2.db if it isn't).

If you are using the binary from Git you can attempt to dump all of the accessible password Keychain entries by simply running the tool with now flags

./keychain_dumper

Some keychain entries are available regardless of whether the iOS is locked or not, while other entries will only be accessible if the iOS device is unlocked (i.e. a user has entered their pin). If no Keychain entries are displayed, or if you don't want to trust the provided binary, you may need to rerun the tool after building the application from source. Please see the Build section below for details on how to build and sign the application.

By default keychain_dumper only dumps "Generic" and "Internet" passwords. This is generally what you are interested in, as most application passwords are stored as "Generic" or "Internet" passwords. However, you can also pass optional flags to dump additional information from the Keychain. If you run keychain_dumper with the -h option you will get the following usage string:

Usage: keychain_dumper [-e]|[-h]|[-agnick]
<no flags>: Dump Password Keychain Items (Generic Password, Internet Passwords)
-a: Dump All Keychain Items (Generic Passwords, Internet Passwords, Identities, Certificates, and Keys)
-e: Dump Entitlements
-g: Dump Generic Passwords
-n: Dump Internet Passwords
-i: Dump Identities
-c: Dump Certificates
-k: Dump Keys

By default passing no option flags is equivalent to running keychain_dumper with the -gn flags set. The other flags largely allow you to dump additional information related to certificates that are installed on the device.

Building

Create a Self-Signed Certificate

Open up the Keychain Access app located in /Applications/Utilties/Keychain Access

From the application menu open Keychain Access -> Certificate Assistant -> Create a Certificate

Enter a name for the certificate, and make note of this name, as you will need it later when you sign Keychain Dumper. Make sure the Identity Type is “Self Signed Root” and the Certificate Type is “Code Signing”. You don’t need to check the “Let me override defaults” unless you want to change other properties on the certificate (name, email, etc).

Build It

In order to build Keychain Dumper you must first create two symbolic links to the appropriate iOS SDK directories. At the time the tool was developed the iOS 5.0 SDK was current and you may need to update the target directories based on the current SDK that is installed.

ln -s /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/ sdk
ln -s /Developer/Platforms/iPhoneOS.platform/Developer toolchain

Once you have created the symbolic links your directory structure should look similar to:

-rwxr-xr-x  1 anonymous  staff  1184 Jan 20 08:44 Makefile
-rw-r--r--  1 anonymous  staff  2504 Jan 24 13:31 README.md
-rw-r--r--  1 anonymous  staff   269 Jan 24 11:27 entitlements.xml
-rw-r--r--  1 anonymous  staff  8525 Jan 18 14:49 main.m
lrwxr-xr-x  1 anonymous  staff    70 Jan 18 14:50 sdk -> /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/
lrwxr-xr-x  1 anonymous  staff    48 Jan 18 14:50 toolchain -> /Developer/Platforms/iPhoneOS.platform/Developer

You should now be able to compile the project using the included makefile.

make

If all goes well you should have a binary keychain_dumper placed in the same directory as all of the other project files.

Sign It

Using the entitlements.xml file found in the Keychain-Dumper Git repository, sign the binary. The below certificate was named "Test Cert 1", but you should subsitute the name you used during the certificate creation step above.

codesign -fs "Test Cert 1" --entitlements entitlements.xml keychain_dumper

You should now be able to follow the directions specified in the Usage section above. If you don't want to use the wildcard entitlment file that is provided, you can also sign specific entitlements into the binary. Using the unsigned Keychain Dumper you can get a list of entitelments that exist on your specific iOS device by using the -e flag. For example, you can run Keychain Dumper as follows:

./keychain_dumper -e > /var/tmp/entitlements.xml

The resulting file can be used in place of the included entitlements.xml file.

Contact & Help

If you find a bug you can open an issue.

About

A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Objective-C 90.8%
  • Shell 9.2%