Decrypt Keychain.plist

  


Update 2020/01/29: I have since done a bit more work with this app and have found a way to bruteforce the PIN without keychain access. I also created a Python based decryptor script (instead of the C# one attached to this post). Rather than make them publicly available, please contact me and I will be happy to share the scripts with you. You can do so on the DFIR Discord or Twitter @forensicmike1.

It’s been a while since I posted anything, and I suppose that’s a natural part of having a blog. I decided not to force myself to procure content and instead wait until I had something I really wanted to write about. And so here we are! In this article I’m going to talk about a process brand new to me until a few days ago. This has been an absolute blast to learn about, although I will admit it was frustrating at times.

This article focuses more on the outcome of my research, without dwelling too much on exactly how I got there. I am however planning a follow-up post with a whole pile of lessons learned as I think there are a lot of gotchas and overall frustrations that could very possibly be skipped.

Why target this app specifically?

com.enchantedcloud.photovault or “Private Photo Vault” (hereafter PPV) has been the subject of security research before. In November 2015, a detailed breakdown was published by Michael Allen at IOActive and he found that the app didn’t actually encrypt anything! Its security amounted to blocking users from seeing any media inside until the passcode had been entered and this was extremely easy to defeat. I figured revisiting this same app in 2019 could be fun/interesting just to see how far it has or hasn’t come since then.

Key Takeaways

Whether you consider this app secure or not depends on what kind of access you’ve got to various extraction methods. For examiners with filesystem type extractions (GrayKey / Cellebrite CAS / jailbroken devices), the security of PPV is trivial to defeat and I will demonstrate how below. For examiners obtaining logical type extractions (iTunes backup, UFED 4PC, Magnet ACQUIRE, etc.) decryption will be more challenging and further reversing work will be required. I do believe it is possible though.

PPV uses RNCryptor, an encryption library with implementations available in ObjectiveC, C#, JS etc. RNCryptor is open source and we can absolutely use that to our advantage. One thing RNCryptor doesn’t manage is key storage, and the developer of PPV has apparently decided to rely on the security of the iOS Keychain to store, well, everything we need to perform decryption.

The master key is stored in the keychain under “ppv_DateHash”. The plaintext PIN, which is a maximum 4 digits, is also stored in the keychain as “ppv_uuidHash1”.

Each encrypted media file (found with its original in the app’s sandbox at /Library/PPV_Pics/) is essentially a container. The first two bytes can be safely ignored, the next 16 bytes are the IV (Initialization Vector), and the remaining bytes are the cipher text with the exception of the last 32 bytes which are related to HMAC and can safely be ignored.
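The container layout described above, as an added example (this is not the author's PoC, which is not reproduced on this page): a Python parser that splits a file into its four regions without decrypting it and rejects files that do not fit. The block-alignment check assumes AES-CBC as used by RNCryptor; `parse_container`, `triage` and the sample bytes are constructed for illustration.

```python
from dataclasses import dataclass

HEADER_LEN = 2   # first two bytes: ignored, per the article
IV_LEN = 16      # initialization vector
HMAC_LEN = 32    # trailing HMAC-related bytes
AES_BLOCK = 16   # assumption: AES-CBC (RNCryptor), so ciphertext is block-aligned


class ContainerError(ValueError):
    """Raised when a blob does not fit the described layout."""


@dataclass(frozen=True)
class Container:
    header: bytes
    iv: bytes
    ciphertext: bytes
    hmac_tag: bytes


def parse_container(blob: bytes) -> Container:
    """Split a blob into header / IV / ciphertext / HMAC without decrypting it."""
    minimum = HEADER_LEN + IV_LEN + AES_BLOCK + HMAC_LEN
    if len(blob) < minimum:
        raise ContainerError(f"too short: {len(blob)} bytes, need at least {minimum}")
    body_start = HEADER_LEN + IV_LEN
    ciphertext = blob[body_start:-HMAC_LEN]
    if len(ciphertext) % AES_BLOCK:
        raise ContainerError(
            f"ciphertext length {len(ciphertext)} is not a multiple of {AES_BLOCK}"
        )
    return Container(
        header=blob[:HEADER_LEN],
        iv=blob[HEADER_LEN:body_start],
        ciphertext=ciphertext,
        hmac_tag=blob[-HMAC_LEN:],
    )


def triage(files: dict[str, bytes]) -> dict[str, str]:
    """Report, per file name, whether its bytes fit the container layout."""
    report = {}
    for name, blob in files.items():
        try:
            c = parse_container(blob)
            report[name] = f"ok iv={c.iv.hex()} ciphertext={len(c.ciphertext)}B"
        except ContainerError as exc:
            report[name] = f"rejected: {exc}"
    return report


# Constructed sample data (not taken from a real device or a real PPV file).
SAMPLE = b"\x03\x00" + bytes(range(16)) + b"\xaa" * 48 + b"\xbb" * 32
SAMPLES = {
    "well_formed.bin": SAMPLE,
    "truncated.bin": SAMPLE[:40],
    "misaligned.bin": SAMPLE[:-33] + SAMPLE[-32:],  # one ciphertext byte dropped
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Ignoring the trailing 32 bytes, as the article does, means nothing checks the file's integrity, so a tool built on this layout cannot tell a modified file from an intact one.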

Once generated, the master encryption key never changes even if you change your PIN. This might seem like a poor design choice, but it’s actually how your iPhone works too and it can be quite secure as long as the master key is well protected. Secure Enclave makes sure that this key never sees the light of day but this is not true for keychain data.

Basic Outline of the Process / Tools Used

  • Locate and jailbreak test iOS device (I used Electra root for my test device, an iPhone 6S running iOS 11.2.1).
  • Installed PPV (target app) by sideloading with Cydia Impactor (app store works too).
  • Set up access over USB with ITNL (iTunnel) and obtained root access to device via SSH.
  • Installed and verified operation of frida-server on the device – I did this using Sileo but should be doable via Cydia as well.
  • Used frida-ios-dump by AloneMonkey to obtain decrypted binary of the target app (recommend Python 3.7)
  • Conducted static analysis of decrypted binary using Hopper. I had great success with searching for a value from the plist I believed to be associated to crypto. This app is not free but the trial is fully functional for 15 minutes – make sure you hurry! 🙂
  • With my newly discovered knowledge I fired up Frida with this little gem: ObjC Method Observer, an awesome codeshare script by mrmacete (@bezjaje) to snoop on iOS method invocations of a specific class on a live device. (I targeted LSLCrypt and RNCryptor classes on PPV)
  • Switched back and forth between Hopper and Frida console until I established a good idea of what was going on. The biggest breakthrough here was that the encryption key doesn’t change when you change the passcode, and that it is stored in keychain.plist
  • Studied the RNCryptor-objc GitHub repo to develop an understanding of how this AES wrapper works.
  • Develop PoC in C# using the amazing LINQpad to decrypt media in PPV_Photos given the keychain.plist

Decryption PoC

This script is C# and was written in/for Linqpad, but could be adapted to a Visual Studio project very easily. It uses only native libraries. You will need to plug in your AES Key as base64 in the “USER CONFIGURATION REQUIRED” section 😀 ! I call this a PoC because it does zero error checking and may or may not work for you without tweaking.

I might throw together a GUI app to do this more easily if people would use it. DM me on Twitter or Discord and let me know if that sounds interesting/useful.

Acknowledgements

I’d like to thank the following people for their assistance on this research project:

  • Braden Thomas (@drspringfield) at Grayshift for his always spot-on advice and extensive depth of knowledge on all things iOS.
  • Ivan Rodriguez (@ivRodriguezCA) for his excellent blog and great advice.
  • @karate on DFIR Discord (Magnus RC3 Sweden) (@may_pol17) for his excellent guidance and urging to get Frida working.
  • Or Begam (@shloophen) from Cellebrite for reviewing my decryption PoC and spotting that final bug, connecting me with Ivan Rodriguez and generally being awesome.

WebBrowserPassView v2.11
Copyright (c) 2011 - 2021 Nir Sofer

See Also

  • BrowsingHistoryView - View browsing history of your Web browsers.

Description

WebBrowserPassView is a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera. This tool can be used to recover your lost/forgotten password of any Website, including popular Web sites, like Facebook, Yahoo, Google, and GMail, as long as the password is stored by your Web Browser.

After retrieving your lost passwords, you can save them into text/html/csv/xml file, by using the 'Save Selected Items' option (Ctrl+S).

System Requirements And Limitations

  • This utility works on any version of Windows, starting from Windows 2000, and up to Windows 10, including 64-bit systems. Older versions of Windows (Windows 98/ME) are not supported, because this utility is a Unicode application.
  • Currently, WebBrowserPassView cannot retrieve passwords from external hard-drive (Except of Firefox Web browser). Support for that might be added in future versions.
  • On Internet Explorer 7.0-9.0, the passwords are encrypted with the URL of the Web site, so WebBrowserPassView uses the history file of Internet Explorer to decrypt the passwords. If you clear the history of Internet Explorer, WebBrowserPassView won't be able to decrypt the passwords.
  • On Google Chrome - passwords originally imported from Internet Explorer 7.0-9.0, cannot be decrypted.

Versions History

  • Version 2.11:
    • Added new file type to save the passwords list: 'Firefox import/export csv file'. When you save the passwords in this file type, you can use the import feature of Firefox to import the saved passwords into Firefox: Import login data from a file
    • In order to save the passwords as 'Firefox import/export csv file', simply select the items you want to save (or press Ctrl+A to select all passwords), press Ctrl+S (Save Selected Items), choose 'Firefox import/export csv file' from the file type combo-box, type the filename to save and then click the 'Save' button to save the file.
  • Version 2.10:
    • Added support for Brave Web browser.
  • Version 2.07:
    • Fixed to decrypt passwords of Firefox profile that uses both 3DES and AES-256.
  • Version 2.06:
    • Fixed WebBrowserPassView to decrypt the new password encryption on Opera Web browser
  • Version 2.05:
    • Added support for decrypting the encryption key of new Firefox profiles (AES-256 instead of 3DES).
  • Version 2.00:
    • Added support for the new password encryption of Chromium / Chrome Web browsers, starting from version 80.
    • Be aware that the 'Local State' file, located inside the 'User Data' folder, is needed for decrypting the passwords of Chrome 80 or later.
  • Version 1.94:
    • Added new file format to export the passwords: Chrome CSV File. It's the same file format that Chrome Web browser exports the passwords from chrome://settings/passwords
  • Version 1.93:
    • Added support for Chromium-Based Edge Web browser.
    • The download zip file is now password-protected.
  • Version 1.92:
    • Fixed bug: WebBrowserPassView could crash when decrypting empty passwords in Firefox.
    • WebBrowserPassView now automatically detects the Waterfox Web browser.
  • Version 1.91:
    • Fixed bug: WebBrowserPassView crashed when reading Firefox key file (key3.db) without a master key.
  • Version 1.90:
    • Fixed WebBrowserPassView to work with Firefox 64-bit, and also WebBrowserPassView doesn't need anymore the installation of Firefox to decrypt the passwords. This change also fixes a crash problem occurred on some systems.
  • Version 1.86:
    • Added 'Quick Filter' feature (View -> Use Quick Filter or Ctrl+Q). When it's turned on, you can type a string in the text-box added under the toolbar and WebBrowserPassView will instantly filter the passwords table, showing only lines that contain the string you typed.
  • Version 1.85:
    • In 'Advanced Options' window, you can now specify the base profiles folder for Firefox and Chrome (e.g: E:\Users\user1\AppData\Roaming\Mozilla\Firefox\Profiles ) and WebBrowserPassView will scan all profiles stored under the specified folder.
  • Version 1.82:
    • Added 'Filename' column (For Chrome and Firefox Web browsers).
  • Version 1.81:
    • Added support for Vivaldi Web browser.
  • Version 1.80:
    • Finally... Fixed a crash problem occurred on some Windows 10 systems (The problem occurred if you added Gmail or other email account into Windows 10 Mail application). Also, WebBrowserPassView now displays the modified time of IE10/IE11 items.
  • Version 1.75:
    • You can now choose the desired encoding (ANSI, UTF-8, UTF-16) to save the csv/xml/text/html files. (Under the Options menu)
    • Fixed problem with saving the KeePass csv file.
  • Version 1.70:
    • WebBrowserPassView now automatically detects the passwords of Yandex Web browser.
  • Version 1.68:
    • Another try to fix this mysterious Windows 10 crash problem, also added more debug info to /debugwin10
  • Version 1.67:
    • Made another fix for Windows 10 crash problem...
  • Version 1.66:
    • Made a small change in the password extraction of IE10/IE11/Microsoft Edge that hopefully will solve the crash problems occur on some Windows 10 systems.
    • If you have Windows 10 and WebBrowserPassView still crashes, please run WebBrowserPassView with /debugwin10 parameter, run also the DebugView tool of SysInternals, and then send me the last 4 debug lines that appeared before the crash.
  • Version 1.65:
    • Added 'Created Time' and 'Modified Time' columns (These columns are active only for Web browsers that provide this information).
  • Version 1.60:
    • WebBrowserPassView now automatically detects the passwords of Portable Firefox if it's running in the background.
  • Version 1.58:
    • Fixed WebBrowserPassView to display properly user name/password with non-English characters on Chrome Web browser.
  • Version 1.57:
    • WebBrowserPassView now detects the profile folder of Chromium Web browser.
  • Version 1.56:
    • Removed the command-line options that export the passwords to a file from the official version. A version of this tool with full command-line support will be posted on separated Web page.
  • Version 1.55:
    • Added support for Firefox 32 (logins.json).
  • Version 1.50:
    • Updated to work with the latest versions of Opera.
  • Version 1.46:
    • Added secondary sorting support: You can now get a secondary sorting, by holding down the shift key while clicking the column header. Be aware that you only have to hold down the shift key when clicking the second/third/fourth column. To sort the first column you should not hold down the Shift key.
  • Version 1.45:
    • Added support for SeaMonkey Web browser.
  • Version 1.43:
    • Fixed to work with Firefox 22.
  • Version 1.42:
    • Opera Web browser: Fixed to detect properly the passwords of login.live.com and probably other Web sites
  • Version 1.41:
    • Improved the password decryption on IE10 / Windows 7.
  • Version 1.40:
    • Added support for the passwords of Internet Explorer 10.
  • Version 1.37:
    • WebBrowserPassView now reads the passwords from all profiles of Chrome Web browser.
  • Version 1.36:
    • Fixed bug: WebBrowserPassView failed to work with master password of Firefox containing non-English characters.
  • Version 1.35:
    • WebBrowserPassView now extracts the passwords from all profiles of Firefox Web browser and reads the profiles.ini file of Firefox to get the correct profile folders.
    • Added 'Mark Odd/Even Rows' option, under the View menu. When it's turned on, the odd and even rows are displayed in different color, to make it easier to read a single line.
    • Fixed issue: The properties dialog-box and other windows opened in the wrong monitor, on multi-monitors system.
  • Version 1.30:
    • Add new command-line options: /LoadPasswordsIE , /LoadPasswordsFirefox , /LoadPasswordsChrome , /LoadPasswordsOpera , and more...
  • Version 1.26:
    • Fixed bug: WebBrowserPassView failed to get the passwords of Firefox and Chrome, if the path of their password file contained non-English characters.
  • Version 1.25:
    • Added 'User Name Field' and 'Password Field' columns for Chrome, Firefox, and Opera Web browsers.
  • Version 1.20:
    • Added 'Password Strength' column, which calculates the strength of the password and displays it as Very Weak, Weak, Medium, Strong, or Very Strong.
  • Version 1.15:
    • Added support for Safari Web browser (passwords are decrypted from keychain.plist)
  • Version 1.12:
    • WebBrowserPassView now automatically extracts the passwords of Chrome Canary.
  • Version 1.11:
    • The passwords of Chrome Web browser are now displayed properly even when the password file is locked by Chrome.
  • Version 1.10:
    • Added option to choose the desired Opera password file (wand.dat).
    • Improved the detection of Opera password file (wand.dat).
  • Version 1.05:
    • Added new options for Firefox passwords: Use a master password to decrypt the passwords, Load the passwords from the specified profile folder, and the option to use the specified Firefox installation.
    • Added option specify the profile folder (User Data) of Google Chrome (For example: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default)
      Be aware that this feature only works if the profile was created by the current logged on user. Loading from external drive is not supported yet.
  • Version 1.00 - First release.

Using WebBrowserPassView

WebBrowserPassView doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file - WebBrowserPassView.exe

After running it, the main window of WebBrowserPassView displays the list of all Web browser passwords found in your system. You can select one or more passwords and then copy the list to the clipboard (Ctrl+C) or export them into text/xml/html/csv file (Ctrl+S).

False Virus/Trojan Warning

WebBrowserPassView is a tool that retrieves secret passwords stored in your system, and thus your Antivirus may falsely detect this tool is infected with Trojan/Virus. Click here to read more about false alerts in Antivirus programs.

Command-Line Options

Notice: The save command-line options are disabled on the build you download from this Web page. You can find a package of password-recovery tools with full command-line support on the following Web page: Windows Password Recovery Tools

/LoadPasswordsFirefox <0 | 1>
Specifies whether to load the passwords of Firefox Web browser. 0 = No, 1 = Yes.

/LoadPasswordsOpera <0 | 1>
Specifies whether to load the passwords of Opera Web browser. 0 = No, 1 = Yes.

/UseFirefoxProfileFolder <0 | 1>
/FirefoxProfileFolder <Folder>
Specifies the profile folder of Firefox to load, for example:
WebBrowserPassView.exe /UseFirefoxProfileFolder 1 /FirefoxProfileFolder 'C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\7a2ttm2u.default'

/UseOperaPasswordFile <0 | 1>
/OperaPasswordFile <Password>
Specifies the master password of Opera, for example:
WebBrowserPassView.exe /UseOperaPasswordFile 1 /OperaPasswordFile 'Thgr55f6'

/stab <Filename>
Save the passwords list into a tab-delimited text file.

/stabular <Filename>
Save the passwords list into a tabular text file.

/sverhtml <Filename>
Save the passwords list into HTML file (Vertical).

/skeepass <Filename>
Save the passwords list into csv file that can be imported into KeePass Password Manager.

Examples:
WebBrowserPassView.exe /shtml 'f:\temp\passwords.html' /sort 2 /sort ~1
WebBrowserPassView.exe /shtml 'f:\temp\passwords.html' /sort 'Web Browser' /sort 'URL'

  1. Run WebBrowserPassView with /savelangfile parameter:
    WebBrowserPassView.exe /savelangfile
    A file named WebBrowserPassView_lng.ini will be created in the folder of WebBrowserPassView utility.
  2. Open the created language file in Notepad or in any other text editor.
  3. Translate all string entries to the desired language. Optionally, you can also add your name and/or a link to your Web site. (TranslatorName and TranslatorURL values) If you add this information, it'll be used in the 'About' window.
  4. After you finish the translation, run WebBrowserPassView, and all translated strings will be loaded from the language file.
    If you want to run WebBrowserPassView without the translation, simply rename the language file, or move it to another folder.

License

This utility is released as freeware. You are allowed to freely use it at your home or in your company. However, you are not allowed to make profit from this software or to charge your customers for recovering their passwords with this software, unless you got a permission from the software author.
You are also allowed to freely distribute this utility via floppy disk, CD-ROM, Internet, or in any other way, as long as you don't charge anything for this. If you distribute this utility, you must include all files in the distribution package, without any modification!

Disclaimer

The software is provided 'AS IS' without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason.

Feedback

If you have any problem, suggestion, comment, or you found a bug in my utility, you can send a message to nirsofer@yahoo.com
Download WebBrowserPassView (In zip file)
Zip File Password: wbpv28821@

WebBrowserPassView is also available in other languages. In order to change the language of WebBrowserPassView, download the appropriate language zip file, extract the 'webbrowserpassview_lng.ini', and put it in the same folder that you installed WebBrowserPassView utility.

| Language | Translated By | Date | Version |
|---|---|---|---|
| Arabic | Mohamed Bajdouai | 23/04/2015 | 1.60 |
| Brazilian Portuguese | Jaff (Oprea Nicolae) | 23/09/2017 | 1.86 |
| Croatian | RandomCroatianGuy | 28/08/2016 | 1.80 |
| Czech | Shar (viteco(at-sign)centrum.cz) | 17/04/2021 | 2.11 |
| Dutch | Jan Verheijen | 19/04/2021 | 2.11 |
| French | PasswordOne | 31/01/2016 | 1.70 |
| French | Cyberini | 23/04/2019 | 1.86 |
| Georgian | Mamuka Cheliashvili | 13/10/2014 | 1.00 |
| German | «Latino» auf WinTotal.de | 18/04/2021 | 2.11 |
| Greek | geogeo.gr | 04/07/2017 | 1.86 |
| Hebrew | peterg | 01/06/2011 | 1.11 |
| Hellenic | Θανάσης Κατσαγεώργης | 03/03/2011 | 1.00 |
| Hungarian | Ferenc Tamás | 19/06/2016 | 1.75 |
| Italian | Jaff (Oprea Nicolae) | 23/09/2017 | 1.86 |
| Italian | 16.04.2021 Andrea Carli e bovirus | 16/04/2021 | 2.11 |
| Japanese | 日本語 | 28/03/2011 | 1.00 |
| Korean | 한국어 dalho | 15/06/2017 | 1.10 |
| Persian | Amirreza Nasiri | 11/07/2014 | 1.50 |
| Polish | Hightower | 03/05/2021 | 2.11 |
| Polish | Daniel Sajdyk (www.sajdyk.pl) | 06/01/2016 | 1.70 |
| Romanian | Jaff (Oprea Nicolae) | 23/09/2017 | 1.86 |
| Russian | Dmitry Yerokhin | 05/05/2020 | 2.05 |
| Simplified Chinese | 李柏均 (Localized by Bojun Li) | 01/07/2017 | 1.86 |
| Simplified Chinese | DickMoore | 20/02/2021 | 2.10 |
| Simplified Chinese | Qiang | 29/04/2020 | 2.00 |
| Serbian | Bojan Maksimovic | 03/11/2014 | 1.56 |
| Slovak | František Fico | 27/04/2021 | 2.11 |
| Spanish | Jaff (Oprea Nicolae) | 23/09/2017 | 1.86 |
| Spanish | Jose (Anunciosgoogle) | 02/04/2014 | 1.45 |
| Swedish | Jaff (Oprea Nicolae) | 22/11/2013 | 1.45 |
| Traditional Chinese | Danfong Hsieh | 17/04/2021 | 2.11 |
| Traditional Chinese | 丹楓(虫二電氣診所) | 01/03/2015 | 1.58 |
| Thai | น้องพร WiFi ค่ะ | 16/08/2013 | 1.43 |
| Turkish | Cemil Kaynar | 11/04/2017 | 1.85 |
| Turkish | HARUN ARI | 05/12/2012 | 1.30 |
| Ukrainian | Vasyl Belynets | 01/02/2017 | 1.82 |
| Uzbek | Shamsiddinov Zafar | 18/10/2020 | 2.05 |
| Valencian | Jaff (Oprea Nicolae) | 23/09/2017 | 1.86 |
| Vietnamese | Nhok35 | 04/07/2014 | 1.43 |
| Vietnamese | Phạm Tuấn Khanh - pk911 | 10/05/2015 | 1.60 |