Skip to content

A CLI to interact with iOS's keychain on a jailbroken device to dump/edit/delete a keychain item.

Notifications You must be signed in to change notification settings

XMB5/keychaineditor

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

differences from NitinJami/keychaineditor

  • keychaineditor/usr/lib has updated dylibs from /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift/iphoneos
  • libswiftCoreFoundation.dylib added
  • thinned dylibs lipo -thin arm64 lib.dylib -output lib.dylib
  • added entitlements (not sure which ones are needed)
  • changed signing process to use codesign instead of ldid
  • merge Base64 encoding pull request
  • add setuid and platformize patch from the Electra Cydia fork

warning

You must change the codesigning identity in sign.sh from iPhone Developer: [email protected] (P3YZJ8Q6SH) to an identity on your local keychain.

keychaineditor

KeychainEditor is a CLI to interact with iOS's Keychain on a jailbroken iDevice. Keychain is a secure storage provided by the iOS to save client-side secrets/certificates onto the device. KeychainEditor is useful to dump/edit/delete a keychain item. The tool will greatly help pentesters and security researches alike who would want to poke at application's keychain usage during iOS APT (Application Penetration Test). It should be noted that the tool currently supports Generic Passwords (Genp) only and can decode the new constrainsts applied on an item.

Talk

For more information on the journey in decoding the SecAccessControl flags.

Slides: bsides_ROC_2016-04-23.pdf

Video: Exploring SecAccessControl Obj in iOS 9 Keychain

Features

  1. Support for iOS8+ and the new changes in Keychain. Completely re-written in Swift.

  2. Can now dump the actual kSecAttrAccessControl constraints used on a keychain item. (https://developer.apple.com/reference/security/secaccesscontrolcreateflags)

  3. A search feature to limit the output to only what the user desired for. The search can be performed on Account, Service, AccessGroup or Accessibility values.

  • ./keychaineditor -f "WhenUnlocked"
  1. While updating the data for a keychain item using the Edit (-e) command. You can either pass a STRING or base64 encoded values for complex data.

  2. Works with idb!

Note: Please check --help command for more options/examples.

Usage

Attention: command line arguments have been changed for simplicity.

USAGE: keychaineditor [commands]
Commands Description
  -v     version
  -f     Search. Requires a query string as the second argument.
  -e     Edit. Requires --account STRING --service STRING [--agroup STRING] --data (STRING or Base64)
  -d     Delete. Requires --account STRING --service STRING [--agroup STRING]
NOTES:
 * Account and Service names are used to uniquely identify a item. An optional AccessGroup can also be passed to identify the item.
 * If there is no Account name pass an empty string.
 * Search is from the following group {Account, Service, AccessGroup, Protection} and is case in-sensitive.
EXAMPLES:
 * To Dump entire keychain: $ keychaineditor
 * Limit dump by searching: $ keychaineditor -f "test"
 * Edit a keychain item:    $ keychaineditor -e --account "TestAccount" --service "TestService" --data "TestData"
 * Delete a keychain item:  $ keychaineditor -d --account "TestAccount" --service "TestService"

Installation

Recommended approach is to install using the dpkg command. SCP the .deb file into the device and run the following command:

dpkg -i keychaineditor.deb

To Un-install:

dpkg -r com.nitin.keychaineditor

Note: For manual installation, iOS devices do not come with Swift Runtime dylibs. You need to manually copy them to the device with the binary. The required frameworks are included in the repository.

Build Notes

To build the tool, Run 'make' in the current directory. The final outcome will be a .deb package.

Note: You should have xcode command line tools installed for the toolchain.

Note: You should also have ldid and dpkg-deb (can be instaled via Homebrew).

The tool is currently only built for 64-bit architectures. However, it is very easy to build for 32-bit arch as well. Just modify the ARCH_FLAGS and TARGET in Makefile with corresponding 32-bit arch values.

ARCH_FLAGS      =  -arch armv7s
TARGET          =  -target armv7s-apple-ios9

About

A CLI to interact with iOS's keychain on a jailbroken device to dump/edit/delete a keychain item.

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C 41.3%
  • Swift 37.4%
  • C++ 15.2%
  • Makefile 4.8%
  • Other 1.3%