7

I have a computer forensics style OS X login.keychain file that I am trying to find the passwords from.

I have a very weak Mac which I used crowbarkc on to try and brute force, but the horsepower is just not there... Is there any other way to get the information locked within? Preferably using a Linux or Windows crack (as I have very powerful or EC2 available with those)

AviD
MarkKGreenway

8 Answers

9

The other possibility to gain keychain content is the $5 wrench. Or, as it's known in the UK, the 50p chocolate bar.

  • 2
    That was my initial plan... but he has been deceased ... not likely to talk – MarkKGreenway Nov 26 '10 at 04:08
  • Then you're left with a technology option only, I agree. –  Nov 26 '10 at 07:49
  • 1
    Or, psychological analysis, if you knew him - i.e. try to figure out what passwords he would have chosen. A "personality dictionary", if you will. – AviD Nov 26 '10 at 08:16
  • 2
    @Avid: I bet it's "joshua" ;-) –  Nov 26 '10 at 09:03
  • 3
    Heh. Actually, though most of that movie is pretty bogus, that part is actually spot on - knowing the guy really does make it incredibly much easier to "guess" the correct password, this works much more often than you might think. – AviD Nov 28 '10 at 13:36
3

Try osx-keychain-brute from Potaru. It runs on OS X but it's way faster than crowbarkc. http://potaru.org

  • 1
    I have been trying and trying to get it to run but I install go through the wizard and then open terminal type osx-keychain-brute and then I get command not found ... searching for osx-keychain-brute just gives me the downloaded dmg – MarkKGreenway Feb 07 '11 at 19:15
2

Brute force or knowing the password are the only two (currently known) ways to retrieve the plain text.

  • What kind of encryption is it ? – MarkKGreenway Nov 19 '10 at 19:03
  • I think, off the top of my head, that it's AES. The code to implement the CSSM storage is open source, anyway. Go to http://www.open source.apple.com –  Nov 19 '10 at 20:20
  • I think you mean http://opensource.apple.com/ – Douglas Leeder Nov 20 '10 at 10:19
  • @Douglas: thanks. In my defence they must have changed that in the last couple of years (I originally typed www dot opensource dot... which my iPad helpfully "corrected") –  Nov 20 '10 at 11:22
1

As explained in this message, the community-enhanced version of John the Ripper (beginning with 1.7.9-jumbo-6) should support Keychain files, and it runs on most Unix-like systems (e.g. Linux).

Thomas Pornin
1

Rather than using brute force, why not use a series of word lists (dictionary attack)?

I have never used it but it seems as if John the Ripper would solve most of your problems.

The pre-built packages with integrated word lists should make short work of the keychain (OS X or Linux packages available).

You also have his entire hard drive to come up with relevant information that might be combined and tested against the key.

Note: if the guy or gal was paranoid enough then they will use a long password that will never be tested using your bruteforce approach.

Andrew Russell
1

Actually just ran crowbarkc with the right library of passwords.

Found it within an hour

Password was : << REDACTED>> just kidding.

MarkKGreenway
1

Maybe you don't need to retrieve the plain text? Your mark's computer may be configured such that:

  • the user logs in automatically
  • the login keychain is automatically unlocked

This is actually the default scenario. In this case, you can use - but not see - any of the saved passwords.

0

First change the password in single user mode:

/sbin/mount -uw /
passwd (short name of the user)

You can also crack the password. To do this, download and install keychaindump. Install by copying the zip file to the home folder of the user whose password you are trying to crack. Log in to the account you want to check the keychain. Open terminal and use this command:

sudo ./keychaindump ~/Library/Keychains/login.keychain

and it will list all the passwords.

Gilles 'SO- stop being evil'
John