- A new piece of malware was found: OSX.Keydnap. Interestingly, it turns out that this malware could be in some way related to some prominent Windows banking malware. The new Mac malware known as OSX.Keydnap installs via a new twist on an old theme: the 'dropper' comes in the form of a harmless-looking document.
- CocoaBeans/KeychainDump at GitHub; dumpkeychain from EnCase App Central (Windows). See also: Breaking into the OS X keychain; Examining Mac OS X User & System Keychains; Convert OS X Keychain exported entries into logins for 1Password import at GitHub Gist.
- New open-source app extracts passwords stored in Mac OS X keychain. Proof-of-concept Keychaindump extracts passwords for all logged-in users. Dan Goodin, Sep 6, 2012 3:04 pm UTC.
OSX.Keydnap is a Mac OS X-based Trojan horse that steals passwords from the iCloud Keychain[1] of the infected machine. It uses a dropper to establish a permanent backdoor while exploiting macOS vulnerabilities and security features such as Gatekeeper, iCloud Keychain and the file naming system. It was first detected in early July 2016 by ESET researchers, who also found it being distributed through a compromised version of the Transmission BitTorrent client.[2]
Jul 08, 2016: This component, lifted by the developer from a GitHub repository called Keychaindump, then searches the memory of Apple's securityd process for the decryption key to the keychain.
Technical Details
Download and Installation
OSX.Keydnap is initially downloaded as a Zip archive. This archive contains a single Mach-O file and a Resource fork containing an icon for the executable file, typically the icon of a JPEG or text file. Additionally, the dropper takes advantage of how OS X handles file extensions by putting a space after the extension of the file name, for example “keydnap.jpg ” instead of “keydnap.jpg”. Commonly seen icons and file names are used to exploit users' willingness to click on benign-looking files. When the file is opened, the Mach-O executable runs by default in the Terminal instead of in an image viewer, as the user would expect.
This initial execution does three things. First, it downloads and executes the backdoor component. Second, it downloads and opens a decoy document matching what the dropper file is pretending to be. Finally, it quits the Terminal to hide that it was ever open; the Terminal is only open momentarily.
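A defensive triage check for the dropper disguise described above, added here as an example and not code from the original article, ESET or Malwarebytes: it flags Zip entries whose name carries whitespace after a data-file extension and entries whose first bytes are a Mach-O magic number although the name claims an image or text file. The archive, its file names and contents are constructed in memory for the demo.

```python
import io
import zipfile

# Mach-O magic numbers as stored on disk (32/64-bit, both byte orders) plus
# the universal "fat" header; note 0xCAFEBABE is also the Java class magic.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 (64-bit)
    b"\xca\xfe\xba\xbe",                       # FAT_MAGIC
}
# Extensions a user expects to open in a viewer or editor, not in Terminal.
DATA_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "pdf", "doc", "docx"}


def claimed_extension(name: str) -> str:
    """Extension the name claims, ignoring the path and trailing whitespace."""
    base = name.rsplit("/", 1)[-1].rstrip()
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def suspicious_name(name: str) -> bool:
    """True when whitespace follows a data-file extension ("keydnap.jpg ")."""
    base = name.rsplit("/", 1)[-1]
    return base != base.rstrip() and claimed_extension(name) in DATA_EXTENSIONS


def scan_zip(data: bytes) -> dict:
    """Map each flagged archive entry to the list of reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            if suspicious_name(info.filename):
                reasons.append("whitespace after data-file extension")
            with zf.open(info) as fh:
                head = fh.read(4)  # directory entries simply yield b""
            ext = claimed_extension(info.filename)
            if head[:4] in MACHO_MAGICS and ext in DATA_EXTENSIONS:
                reasons.append("Mach-O header behind a data-file extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a disguised 64-bit Mach-O beside a genuine JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("keydnap.jpg ", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # MH_MAGIC_64, LE
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 28)     # JPEG SOI marker
    return buf.getvalue()
```

Running `scan_zip(build_sample_archive())` flags only "keydnap.jpg " with both reasons; a real triage would feed it the downloaded archive bytes and treat any hit as a reason to quarantine before opening.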
Establishing the Backdoor Connection
Since the downloader is not persistent, the downloaded backdoor component spawns a process named 'icloudsyncd' that runs at all times. It also adds an entry to the LaunchAgents directory to survive reboots. The icloudsyncd process communicates with a command & control server via an onion.to address, establishing the backdoor.[3]
It then attempts to capture passwords from the iCloud Keychain, using the proof-of-concept Keychaindump,[4] and transmits them back to the server. Keychaindump reads securityd’s memory and searches for the decryption key for the user’s keychain as described in “Keychain Analysis with Mac OS X Memory Forensics” by K. Lee and H. Koo.[5]
Gatekeeper Signing Workaround
Mac OS uses Gatekeeper to verify that an application is signed with a valid Apple Developer ID certificate, which prevents the unsigned OSX.Keydnap from running. Further, even if the user has Gatekeeper turned off, they will see a warning that the file is an application downloaded from the Internet, giving them the option not to execute it. However, when OSX.Keydnap is packaged with a legitimate signing key, as in the case of the compromised Transmission app, it successfully bypasses Gatekeeper protection.[2][3]
Detection and Removal
Activating Gatekeeper is an easy way to prevent accidental installation of OSX.Keydnap. If the user's Mac has Gatekeeper activated, the malicious file will not be executed and a warning will be displayed to the user, because the malicious Mach-O file is unsigned, which automatically triggers a Gatekeeper warning.[3]
References
1. Reed, Thomas (2016-07-13). 'Mac malware OSX.Keydnap steals keychain'. Malwarebytes. Retrieved 2016-11-20.
2. ESET Research (2016-08-30). 'OSX/Keydnap spreads via signed Transmission application'. www.welivesecurity.com. ESET. Retrieved 2016-12-02.
3. Léveillé, Marc-Etienne (2016-07-06). 'New OSX/Keydnap malware is hungry for credentials'. www.welivesecurity.com. ESET. Retrieved 2016-11-20.
4. Salonen, Juuso (2015-09-05). 'A proof-of-concept tool for reading OS X keychain passwords'. www.github.com. Retrieved 2016-12-02.
5. Lee, Kyeongsik; Koo, Hyungjoon (2012-07-01). 'Keychain Analysis with Mac OS X Memory Forensics' (PDF). forensic.n0fate.com. Retrieved 2016-12-02.
Some of the most valuable information stored in iPhone, iPod Touch, and iPad backups is the keychain. This includes email account passwords, Wi-Fi passwords, and passwords you enter on websites and in some other applications.
EPB is able to decrypt keychain data from password-protected backups (iOS 4 and later) if the backup password is known (or has been recovered using EPB for Windows). For iTunes backups that do not have a password set, as well as for iCloud backups, the keychain can be decrypted only if the 'security key' is known. That key is unique for every device and is not available in the backup. It can be obtained from 32-bit devices (up to iPhone 5/5C) using the physical acquisition method, e.g. with Elcomsoft iOS Forensic Toolkit.
NOTE: Only backups decrypted with EPB 3.0 or higher are supported. Decrypted backups must have the same file names as in the iTunes backup, which is why it is recommended not to use the Restore original file names option when decrypting the backup.
You will need the following password/key to decrypt the keychain:
Backup Type | Required |
--- | --- |
iCloud backup | Security Key |
iTunes (not encrypted) | Security Key |
iTunes (decrypted by means of EPB) | Backup password |
iTunes (encrypted) | Backup password |
EPB also allows you to explore keychain data downloaded from iCloud Keychain (iCloud_Keychain.xml file) or iCloud synced data (icloud_synced.xml file).
With EPB, you can also explore the keychain dump downloaded via Elcomsoft iOS Forensic Toolkit. The downloaded file name is keychaindump.xml by default.
To explore the keychain, do the following:
1. In the Tools menu, select the Apple tab, and click Explore keychain.
2. Click Browse to navigate to the necessary file:
Source | File |
--- | --- |
iTunes/iCloud backup | Manifest.plist |
Keychain data downloaded from iCloud Keychain (EPB 9.50 and lower) | iCloud_Keychain.xml |
Keychain data downloaded from iCloud synced data (EPB 9.60 and later) | icloud_synced.xml |
Keychain dump downloaded via Elcomsoft iOS Forensic Toolkit | keychaindump.xml |
NOTE: You can also drag-and-drop the Manifest.plist file to the Explore Keychain page.
NOTE: On macOS 10.14 and higher, you need to grant the Full Disk Access permission to EPB to have access to the default iTunes backups folder. For details, see Troubleshooting.
3. Select the file, and then click Continue.
4. Depending on whether the backup is encrypted or not, do one of the following:
▪For non-encrypted backups and iCloud backups, enter the Security key.
▪For encrypted backups, enter the password to the backup if you have already recovered it. Click the View button to display the password.
If you have not recovered it yet and you are using EPB on Windows OS, click Restore password to recover the password to the backup.
5. Click Explore to view the Keychain.
6. The passwords are stored in categories in the Keychain Explorer. Every category shows the same general information for each record: Name (the source for which the data is saved in the keychain), Creation date and Modification date. The category-specific information is as follows:
Category | Category-Specific Information |
--- | --- |
Apple IDs | Apple ID (Account); Password |
Wi-Fi accounts | SSID (Account); Password |
Mail accounts | Protocol; Account; Password |
Browser passwords | Address; Account; Password |
Credit cards | Card name; Cardholder name; Card number; Expiration date |
DSIDs & Tokens | Token; DSID |
Other | All available records that did not fit into any of the categories mentioned above. |
7. The information about passwords is displayed in three views:
•Tree view: This view is displayed by default and can be selected by clicking the icon.
This view displays all keychain records (including not-encrypted records).
To hide non-decrypted data, select the Show only decrypted data check box. This option will leave you with only useful decrypted information while exploring encrypted backups.
To expand the required record, click the orange arrow next to it. You will then be able to view all information associated with it.
To expand all records, click Expand all.
To collapse all records, click Collapse all.
To mask passwords with asterisks, go to EPB Settings and select the Mask passwords in Explore keychain check box.
You can perform searches in the Keychain data by entering required expressions in the Search field and pressing Enter. The search results will be highlighted in yellow.
If there are several search results matching the entered expression, you can navigate between them by clicking the arrows in the Search field.
•Category view: This view is selected by clicking the icon.
It displays the keychain records sorted by category.
•Grid view: This view can be selected by clicking the icon.
To sort data in the grid, click the necessary column header.
Exporting data
You can export all keychain data or keychain data from a selected category.
To export the data displayed in a Tree view, do the following:
1. Select the Show checkboxes to select data for export option.
2. Select the check boxes next to the records you wish to export or click the Check All option to select all records.
3. Click Export Data in the upper right corner of the program window and then select one of the following options: All or Selected.
4. In the opened window, select the location to which the file must be saved.
5. Click Save.
6. The default name for the exported file is keychain_export.xml.
To export the data displayed in the Categories or the Grid view, do the following:
1. Click Export Data in the upper right corner of the program window and then select one of the following options: All or Selected Category.
2. In the opened window, select the location to which the file must be saved and the format of the exported file in the Save as type drop-down list.
3. Click Save.
4. The default name for the file with all exported keychain data is keychain_export.xml.
The default name for the file with partially exported keychain data is keychain_export_<category_name>.xml or keychain_export_<category_name>.csv.
Creating a dictionary
You can generate a dictionary from all passwords in the keychain, regardless of the selected category and view. The dictionary is a file in TXT format that can later be used as a dictionary for password recovery.
To create a dictionary, click Create dictionary in the upper right corner of the program window, select the location to which the file must be saved in the opened window, and then click Save.
The default name for the dictionary file is keychain_passwords.txt.