### Run Chainbreaker as a Module Source: https://github.com/n0fate/chainbreaker/blob/master/README.md Execute Chainbreaker from the command line after installation. This command allows for the use of input arguments. ```bash $ python -m chainbreaker ``` -------------------------------- ### ChainBreaker Runtime Command Example Source: https://github.com/n0fate/chainbreaker/blob/master/README.md This snippet demonstrates the command-line execution of ChainBreaker to crack a keychain password. It specifies the password, the keychain file, and shows the resulting MD5 and SHA256 hashes of the keychain. ```bash chainbreaker.py --password=TestPassword -a test_keychain.keychain ``` -------------------------------- ### Chainbreaker CLI Help Source: https://github.com/n0fate/chainbreaker/blob/master/README.md Displays the help message for the chainbreaker script, outlining all available commands and options for interacting with macOS keychains. ```bash $ python -m chainbreaker --help usage: chainbreaker.py [-h] [--dump-all] [--dump-keychain-password-hash] [--dump-generic-passwords] [--dump-internet-passwords] [--dump-appleshare-passwords] [--dump-private-keys] [--dump-public-keys] [--dump-x509-certificates] [--export-keychain-password-hash] [--export-generic-passwords] [--export-internet-passwords] [--export-appleshare-passwords] [--export-private-keys] [--export-public-keys] [--export-x509-certificates] [--export-all] [--check-unlock-options] [--password-prompt] [--password PASSWORD] [--key-prompt] [--key KEY] [--unlock-file UNLOCK_FILE] [--output OUTPUT] [-d] keychain Dump items stored in an OSX Keychain positional arguments: keychain Location of the keychain file to parse optional arguments: -h, --help show this help message and exit Dump Actions: --dump-all, -a Dump records to the console window. --dump-keychain-password-hash Dump the keychain password hash in a format suitable for hashcat or John The Ripper --dump-generic-passwords Dump all generic passwords --dump-internet-passwords Dump all internet passwords --dump-appleshare-passwords Dump all appleshare passwords --dump-private-keys Dump all private keys --dump-public-keys Dump all public keys --dump-x509-certificates Dump all X509 certificates Export Actions: Export records to files. Save location is CWD, but can be overridden with --output / -o --export-keychain-password-hash Save the keychain password hash to disk --export-generic-passwords Save all generic passwords to disk --export-internet-passwords Save all internet passwords to disk --export-appleshare-passwords Save all appleshare passwords to disk --export-private-keys Save private keys to disk --export-public-keys Save public keys to disk --export-x509-certificates Save X509 certificates to disk --export-all, -e Save records to disk Misc. Actions: --check-unlock-options, -c Only check to see if the provided unlock options work. Exits 0 on success, 1 on failure. Unlock Options: --password-prompt, -p Prompt for a password to use in unlocking the keychain --password PASSWORD Unlock the keychain with a password, provided on the terminal.Caution: This is insecure and you should likely use--password-prompt instead --key-prompt, -k Prompt for a key to use in unlocking the keychain --key KEY Unlock the keychain with a key, provided via argument.Caution: This is insecure and you should likely use --key-prompt instead --unlock-file UNLOCK_FILE Unlock the keychain with a key file Output Options: --output OUTPUT, -o OUTPUT Directory to output exported records to. -d, --debug Print debug information ``` -------------------------------- ### Crack Keychain Password Hash with hashcat Source: https://github.com/n0fate/chainbreaker/blob/master/README.md After obtaining the hash, use hashcat with the appropriate mode (-m 23100) and a dictionary file to attempt cracking. The --keep-guessing flag is recommended due to potential hash collisions. ```bash > hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt hashcat (v6.1.1) starting... [...] Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Applicable optimizers applied: * Zero-Byte * Single-Hash * Single-Salt * Slow-Hash-SIMD-LOOP [...] $keychain$*7255a69abe21a28e1d2967265c9bba9c9bf4daf1*28dcfa41552db4eb*9dbb91712bb6a38f46e1b4335c334d444eb0c451e51fa02183eafe05c35310d76014bc04b699d420d8487d4452d067e5:TestPassword Session..........: hashcat Status...........: Cracked Hash.Name........: Apple Keychain Hash.Target......: $keychain$*7255a69abe21a28e1d2967265c9bba9c9bf4daf1...d067e5 [...] ``` -------------------------------- ### Run Chainbreaker to Dump Keychain Data Source: https://github.com/n0fate/chainbreaker/blob/master/README.md Execute Chainbreaker from the command line to process a specified keychain file and output the extracted data. This command initiates the extraction and display of all password types found within the keychain. ```bash python -m chainbreaker -pa test_keychain.keychain -o output ``` ```text 2020-11-12 15:58:18,925 - INFO - 2020-11-12 15:58:18,925 - INFO - Keychain: test_keychain.keychain 2020-11-12 15:58:18,925 - INFO - Keychain MD5: eb3abc06c22afa388ca522ea5aa032fc 2020-11-12 15:58:18,925 - INFO - Keychain 256: 2d76f564ac24fa6a8a22adb6d5cb9b430032785b1ba3effa8ddea38222008441 2020-11-12 15:58:18,925 - INFO - Dump Start: 2020-11-12 15:58:18.925479 2020-11-12 15:58:19,245 - INFO - 1 Keychain Password Hash 2020-11-12 15:58:19,245 - INFO - $keychain$*7255a69abe21a28e1d2967265c9bba9c9bf4daf1*28dcfa41552db4eb*9dbb91712bb6a38f46e1b4335c334d444eb0c451e51fa02183eafe05c35310d76014bc04b699d420d8487d4452d067e5 2020-11-12 15:58:19,245 - INFO - 2020-11-12 15:58:19,245 - INFO - 2 Generic Passwords 2020-11-12 15:58:20,306 - INFO - [+] Generic Password Record 2020-11-12 15:58:20,306 - INFO - [-] Create DateTime: 2020-10-13 23:01:17 2020-11-12 15:58:20,306 - INFO - [-] Last Modified DateTime: 2020-10-13 23:01:17 2020-11-12 15:58:20,306 - INFO - [-] Description: secure note 2020-11-12 15:58:20,306 - INFO - [-] Creator: 2020-11-12 15:58:20,306 - INFO - [-] Type: note 2020-11-12 15:58:20,307 - INFO - [-] Print Name: Test Secure Note 2020-11-12 15:58:20,307 - INFO - [-] Alias: 2020-11-12 15:58:20,307 - INFO - [-] Account: 2020-11-12 15:58:20,307 - INFO - [-] Service: Test Secure Note 2020-11-12 15:58:20,307 - INFO - [-] Base64 Encoded Password: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPgo8ZGljdD4KCTxrZXk+Tk9URTwva2V5PgoJPHN0cmluZz5UaGlzIGlzIGEgdGVzdCBzZWN1cmUgbm90ZS4gSSBkb27igJl0IGtub3cgdGhhdCBDaGFpbmJyZWFrZXIgd2lsbCBiZSBhYmxlIHRvIHNlZSBpdOKApjwvc3RyaW5nPgoJPGtleT5SVEZEPC9rZXk+Cgk8ZGF0YT4KCWNuUm1aQUFBQUFBREFBQUFBZ0FBQUFjQUFBQlVXRlF1Y25SbUFRQUFBQzdUQVFBQUt3QUFBQUVBQUFETEFRQUFlMXh5CglkR1l4WEdGdWMybGNZVzV6YVdOd1p6RXlOVEpjWTI5amIyRnlkR1l5TlRFekNseGpiMk52WVhSbGVIUnpZMkZzYVc1bgoJTUZ4amIyTnZZWEJzWVhSbWIzSnRNSHRjWm05dWRIUmliRnhtTUZ4bWJtbHNYR1pqYUdGeWMyVjBNQ0JJWld4MlpYUnAKCVkyRk9aWFZsTFV4cFoyaDBPMzBLZTF4amIyeHZjblJpYkR0Y2NtVmtNalUxWEdkeVpXVnVNalUxWEdKc2RXVXlOVFU3CglYSEpsWkRCY1ozSmxaVzR3WEdKc2RXVXdPMzBLZTF3cVhHVjRjR0Z1WkdWa1kyOXNiM0owWW13N08xeGpjM055WjJKYwoJWXpCY1l6QmNZekJjWTI1aGJXVWdkR1Y0ZEVOdmJHOXlPMzBLWEhCaGNtUmNkSGcxTmpCY2RIZ3hNVEl3WEhSNE1UWTQKCU1GeDBlREl5TkRCY2RIZ3lPREF3WEhSNE16TTJNRngwZURNNU1qQmNkSGcwTkRnd1hIUjROVEEwTUZ4MGVEVTJNREJjCglkSGcyTVRZd1hIUjROamN5TUZ4d1lYSmthWEp1WVhSMWNtRnNYSEJoY25ScFoyaDBaVzVtWVdOMGIzSXdDZ3BjWmpCYwoJWm5NeU5pQmNZMll5SUZSb2FYTWdhWE1nWVNCMFpYTjBJSE5sWTNWeVpTQnViM1JsTGlCSklHUnZibHduT1RKMElHdHUKCWIzY2dkR2hoZENCRGFHRnBibUp5WldGclpYSWdkMmxzYkNCaVpTQmhZbXhsSUhSdklITmxaU0JwZEZ3bk9EVjlBUUFBCglBQ01BQUFBQkFBQUFCd0FBQUZSWVZDNXlkR1lRQUFBQXZUR0dYN1lCQUFBQUFBQUFBQUFBQUE9PQoJPC9kYXRhPgo8L2RpY3Q+CjwvcGxpc3Q+Cg== 2020-11-12 15:58:20,307 - INFO - 2020-11-12 15:58:20,307 - INFO - 2020-11-12 15:58:20,331 - INFO - [+] Generic Password Record 2020-11-12 15:58:20,331 - INFO - [-] Create DateTime: 2020-09-24 23:34:14 2020-11-12 15:58:20,331 - INFO - [-] Last Modified DateTime: 2020-09-29 21:54:55 2020-11-12 15:58:20,331 - INFO - [-] Description: 2020-11-12 15:58:20,332 - INFO - [-] Creator: 2020-11-12 15:58:20,332 - INFO - [-] Type: 2020-11-12 15:58:20,332 - INFO - [-] Print Name: Stored Test Password 2020-11-12 15:58:20,332 - INFO - [-] Alias: 2020-11-12 15:58:20,332 - INFO - [-] Account: TestUser 2020-11-12 15:58:20,332 - INFO - [-] Service: Stored Test Password 2020-11-12 15:58:20,332 - INFO - [-] Password: TestPasswordValue123! 2020-11-12 15:58:20,332 - INFO - 2020-11-12 15:58:20,332 - INFO - 2020-11-12 15:58:20,332 - INFO - 1 Internet Passwords 2020-11-12 15:58:20,356 - INFO - [+] Internet Record 2020-11-12 15:58:20,356 - INFO - [-] Create DateTime: 2020-09-29 22:21:51 2020-11-12 15:58:20,356 - INFO - [-] Last Modified DateTime: 2020-09-29 22:21:51 2020-11-12 15:58:20,356 - INFO - [-] Description: 2020-11-12 15:58:20,356 - INFO - [-] Comment: 2020-11-12 15:58:20,356 - INFO - [-] Creator: 2020-11-12 15:58:20,356 - INFO - [-] Type: 2020-11-12 15:58:20,356 - INFO - [-] PrintName: example.com 2020-11-12 15:58:20,356 - INFO - [-] Alias: 2020-11-12 15:58:20,357 - INFO - [-] Protected: 2020-11-12 15:58:20,357 - INFO - [-] Account: TestUsername 2020-11-12 15:58:20,357 - INFO - [-] SecurityDomain: 2020-11-12 15:58:20,357 - INFO - [-] Server: example.com 2020-11-12 15:58:20,357 - INFO - [-] Protocol Type: kSecProtocolTypeHTTPS 2020-11-12 15:58:20,357 - INFO - [-] Auth Type: kSecAuthenticationTypeDefault 2020-11-12 15:58:20,357 - INFO - [-] Port: 0 2020-11-12 15:58:20,357 - INFO - [-] Path: 2020-11-12 15:58:20,357 - INFO - [-] Password: TestPassword123! 2020-11-12 15:58:20,357 - INFO - 2020-11-12 15:58:20,357 - INFO - ``` -------------------------------- ### Extract Keychain Files from Memory Images Source: https://github.com/n0fate/chainbreaker/blob/master/README.md Use Volofax to extract keychain files and master key candidates from memory images. This command initiates the search process within the specified memory file. ```bash $ python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump [+] Find MALLOC_TINY heap range (guess) [-] range 0x7fef03400000-0x7fef03500000 [...] [-] range 0x7fef04900000-0x7fef04a00000 [*] Search for keys in range 0x7fef03400000-0x7fef03500000 complete. master key candidates : 0 [...] [*] Search for keys in range 0x7fef04900000-0x7fef04a00000 complete. master key candidates : 6 [*] master key candidate: 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9 [...] [*] master key candidate: 903C49F0FE0700C0133749F0FE0700404158544D00000000 ``` -------------------------------- ### ChainBreaker Keychain Dump Summary Source: https://github.com/n0fate/chainbreaker/blob/master/README.md This log output summarizes the data extracted from a keychain file by ChainBreaker. It lists the counts of various password types, keys, and certificates found. ```log 2020-11-12 15:58:20,358 - INFO - Keychain: test_keychain.keychain 2020-11-12 15:58:20,358 - INFO - Keychain MD5: eb3abc06c22afa388ca522ea5aa032fc 2020-11-12 15:58:20,358 - INFO - Keychain 256: 2d76f564ac24fa6a8a22adb6d5cb9b430032785b1ba3effa8ddea38222008441 2020-11-12 15:58:20,358 - INFO - Dump Start: 2020-11-12 15:58:18.925479 2020-11-12 15:58:20,358 - INFO - Dump Summary: 2020-11-12 15:58:20,358 - INFO - 1 Keychain Password Hash 2020-11-12 15:58:20,358 - INFO - 2 Generic Passwords 2020-11-12 15:58:20,358 - INFO - 1 Internet Passwords 2020-11-12 15:58:20,358 - INFO - 0 Appleshare Passwords 2020-11-12 15:58:20,358 - INFO - 0 Private Keys 2020-11-12 15:58:20,359 - INFO - 0 Public Keys 2020-11-12 15:58:20,359 - INFO - 1 x509 Certificates 2020-11-12 15:58:20,359 - INFO - Dump End: 2020-11-12 15:58:20.358259 ``` -------------------------------- ### Extract Keychain Password Hash Source: https://github.com/n0fate/chainbreaker/blob/master/README.md Use this command to dump the password hash from a keychain file. This hash can then be used with cracking tools. ```bash $ ./chainbreaker.py --dump-keychain-password-hash ./test_keychain.keychain Keychain Password Hash $keychain$*7255a69abe21a28e1d2967265c9bba9c9bf4daf1*28dcfa41552db4eb*9dbb91712bb6a38f46e1b4335c334d444eb0c451e51fa02183eafe05c35310d76014bc04b699d420d8487d4452d067e5 ``` -------------------------------- ### Decrypt Keychain with Master Key Candidate Source: https://github.com/n0fate/chainbreaker/blob/master/README.md Once a master key candidate is identified from memory analysis, use it with Chainbreaker to decrypt the keychain file. ```bash $ ./chainbreaker.py --key 26C80BE3346E720DAA10620F2C9C8AD726CFCE2B818942F9 ./test_keychain.keychain ``` -------------------------------- ### Extracting X509 Certificate from Keychain Source: https://github.com/n0fate/chainbreaker/blob/master/README.md This snippet shows the log output when ChainBreaker identifies and extracts an X509 certificate. It includes the certificate's name and its full PEM-encoded content. ```log 2020-11-12 15:58:20,357 - INFO - 1 x509 Certificates 2020-11-12 15:58:20,357 - INFO - [+] X509 Certificate 2020-11-12 15:58:20,357 - INFO - [-] Print Name: Apple Root CA 2020-11-12 15:58:20,358 - INFO - [-] Certificate: MIIEuzCCA6OgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwHhcNMDYwNDI1MjE0MDM2WhcNMzUwMjA5MjE0MDM2WjBiMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkkakJH5HbHkdQ6wXtXnmELes2oldMVeyLGYne+Uts9QerIjAC6Bg++FAJ039BqJj50cpmnCRrEdCju+QbKsMflZ56DKRHi1vUFjczy8QPTc4UadHJGXL1XQ7Vf1+b8iUDulWPTV0N8WQ1IxVLFVkds5T39pyez1C6wVhQZ48ItCD3y6wsIG9wtj8BMIy3Q88PnT3zK0koGsj+zrW5DtleHNbLPbU6rfQPDgCSC7EhFi501TwN22IWq6NxkkdTVcGvL0Gz+PvjcM3mo0xFfh9Ma1CWQYnEdGILEINBhzOKgbEwWOxaBDKMaLOPHd5lc/9nXmW8Sdh2nzMUZaF3lMktAgMBAAGjggF6MIIBdjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUK9BpR5R2Cf70a40uQKb3R01/CF4wHwYDVR0jBBgwFoAUK9BpR5R2Cf70a40uQKb3R01/CF4wggERBgNVHSAEggEIMIIBBDCCAQAGCSqGSIb3Y2QFATCB8jAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cuYXBwbGUuY29tL2FwcGxlY2EvMIHDBggrBgEFBQcCAjCBthqBs1JlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1zIGFuZCBjb25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGlvbiBwb2xpY3kgYW5kIGNlcnRpZmljYXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4MA0GCSqGSIb3DQEBBQUAA4IBAQBcNplMLXi37Yyb3PN3m/J20ncwT8EfhYOFG5k9RzfyqZtAjizUsZAS2L70c5vu0mQPy3lPNNiiPvl4/2vIB+x9OYOLUyDTOMSxv5pPCmv/K/xZpwUJfBdAVhEedNO3iyM7R6PVbyTi69G3cN8PReEnyvFteO3ntRcXqNx+IjXKJdXZD9Zr1KIkIxH3oayPc4FgxhtbCS+SsvhESPBgOJ4V9T0mZyCKM2r3DYLP3uujL/lTaltkwGMzd/c6ByxW69oPIQ7aunMZT7XZNn/Bh1XZp5m5MkL72NVxnn6hUrcbvZNCJBIqxw8dtk2cXmPIS4AXUKqK1drk/NAJBzewdXUh ``` -------------------------------- ### Import and Use Chainbreaker in a Python Script Source: https://github.com/n0fate/chainbreaker/blob/master/README.md Import the Chainbreaker library into your Python scripts to programmatically access keychain data. Instantiate the Chainbreaker class with the keychain file path and an optional unlock password. ```python import chainbreaker keychain = chainbreaker.Chainbreaker('path/to/keychain/file/login.keychain', unlock_password='SecretPasswordHere') ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.