opexxx

mac_keychain_volatility

Jul 18th, 2014
$ python vol.py -f applemail.mem --profile=MacLion_10_7_3_AMDx64 mac_list_files > mail.files.txt
Volatility Foundation Volatility Framework 2.4 (Beta)

$ grep login.keychain mail.files.txt
0xffffff800e4ef9b0 /Macintosh HD/Users/acase/Library/Keychains/login.keychain.sb-ad335571-h1adIf/..namedfork/rsrc
0xffffff800adb44d8 /Macintosh HD/Users/acase/Library/Keychains/login.keychain

$ python vol.py -f applemail.mem --profile=MacLion_10_7_3_AMDx64 mac_dump_file -q 0xffffff800adb44d8 -O login.keychain.0xffffff800adb44d8
Volatility Foundation Volatility Framework 2.4 (Beta)
Wrote 32768 bytes to login.keychain.0xffffff800adb44d8 from vnode at address ffffff800adb44d8


$ python vol.py -f applemail.mem --profile=MacLion_10_7_3_AMDx64 mac_keychaindump
Volatility Foundation Volatility Framework 2.4 (Beta)
Possible Keys
-------------
0000001022A4EE7CC9F7C56F7E54BA66BEC7E017FC070050
E935983D94D5E995AC6A618203BA61FB53151F1BE672AFCB
E935983D94D5E995AC6A618203BA61FB53151F1BE672AFCB
602FE30401000000E4ADD97B010000B0982FE30401000000
E935983D94D5E995AC6A618203BA61FB53151F1BE672AFCB
000000000000000000000000000000000000000000000000
0E783B792E704C8F9D36D3A5810AA3B4B406E095CC13931C
0E783B792E704C8F9D36D3A5810AA3B4B406E095CC13931C
E935983D94D5E995AC6A618203BA61FB53151F1BE672AFCB
923A8A18D2C26373FE4AD3E0FC5F398181424F9B7115CF10
5501B98B107204AE78511E0BD9B13E93C3C8EBD9660740FE
0B01D227FC0700907215D227FC0700D002001F1BE672AFCB
000000000000000000000000000000000000000000000000
0300000000000000000000000000000000000000C27F0000

$ python chainbreaker.py -i login.keychain.0xffffff800adb44d8 -k 0E783B792E704C8F9D36D3A5810AA3B4B406E095CC13931C | strings
[+] Generic Password Record
 [-] RecordSize : 0x000000d8
 [-] Record Number : 0x00000000
 [-] SECURE_STORAGE_GROUP(SSGP) Area : 0x0000002c
 [-] Create DateTime: 20120321171408Z
 [-] Last Modified DateTime: 20120321171408Z
 [-] Description :
 [-] Creator : aapl
 [-] Type :
 [-] PrintName : AppleID
 [-] Alias :
 [-] Account : xxxxx@yyyyyy.com
 [-] Service : AppleID
 [-] Password
00000000:  XX XX XX XX XX XX XX XX XX                       youwish!
[+] Generic Password Record
 [-] RecordSize : 0x000000e0
 [-] Record Number : 0x00000003
 [-] SECURE_STORAGE_GROUP(SSGP) Area : 0x00000024
 [-] Create DateTime: 20140502022715Z
 [-] Last Modified DateTime: 20140502022715Z
 [-] Description :
 [-] Creator :
 [-] Type :
 [-] PrintName : GnuPG
 [-] Alias :
 [-] Account : XXXXXXXXXXXXXXXXXXXXXX
 [-] Service : GnuPG
 [-] Password
00000000:  62 6F 6F 6D                                        boom
[+] Internet Record
 [-] RecordSize : 0x0000010c
 [-] Record Number : 0x00000001
 [-] SECURE_STORAGE_GROUP(SSGP) Area : 0x0000002c
 [-] Create DateTime: 20140502014644Z
 [-] Last Modified DateTime: 20140502014644Z
 [-] Description :
 [-] Comment :
 [-] Creator :
 [-] Type :
 [-] PrintName : smtp.gmail.com
 [-] Alias :
 [-] Protected :
 [-] Account : xxxxxxxxx@gmail.com
 [-] SecurityDomain :
 [-] Server : smtp.gmail.com
 [-] Protocol Type : kSecProtocolTypeSMTP
 [-] Auth Type : kSecAuthenticationTypeDefault
 [-] Port : 587
 [-] Path :
 [-] Password
00000000:  61 6C 6C 41 42 79 33 32  33 33 32 33             allABy323323
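
The mac_keychaindump step above prints repeated, all-zero and pointer-like candidates, so an examiner can triage the list before trying keys with chainbreaker. The following is an added example, not part of the original paste or of Volatility or chainbreaker; the function names, the 4.0-bit entropy threshold and the sample values are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# 24-byte candidates are printed as 48 hex characters, one per line.
KEY_RE = re.compile(r"^[0-9A-F]{48}$")

# Constructed sample in the plugin's output layout; none of these are real keys.
SAMPLE_OUTPUT = """\
Volatility Foundation Volatility Framework 2.4 (Beta)
Possible Keys
-------------
A1B2C3D4E5F60718293A4B5C6D7E8F90123456789ABCDEF0
000000000000000000000000000000000000000000000000
0010A0FF7F0000000010A0FF7F0000000010A0FF7F000000
A1B2C3D4E5F60718293A4B5C6D7E8F90123456789ABCDEF0
0F1E2D3C4B5A69788796A5B4C3D2E1F00112233445566778
"""


def byte_entropy(raw):
    """Shannon entropy in bits per byte; at most log2(24) ~= 4.58 for 24 bytes."""
    counts = Counter(raw)
    total = len(raw)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def triage_candidates(plugin_output, min_entropy=4.0):
    """Return [(key_hex, times_seen, entropy)], most promising first.

    Duplicates are collapsed into a hit count; candidates whose bytes repeat
    heavily (zero padding, pointer-like values) fall below min_entropy and
    are dropped. The threshold is a heuristic assumption, not a property of
    the plugin.
    """
    seen = Counter()
    for line in plugin_output.splitlines():
        token = line.strip().upper()
        if KEY_RE.match(token):
            seen[token] += 1
    ranked = []
    for key_hex, hits in seen.items():
        entropy = byte_entropy(bytes.fromhex(key_hex))
        if entropy >= min_entropy:
            ranked.append((key_hex, hits, round(entropy, 2)))
    ranked.sort(key=lambda row: (-row[2], -row[1]))
    return ranked


if __name__ == "__main__":
    for key_hex, hits, entropy in triage_candidates(SAMPLE_OUTPUT):
        print(key_hex, "seen", hits, "entropy", entropy)
```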