From 0212fea639fbe4f7f9fa415b0bd97fce55e5aca5 Mon Sep 17 00:00:00 2001 From: Jeroen Beckers Date: Wed, 11 Dec 2024 13:21:32 +0100 Subject: [PATCH 1/3] Update MASTG-TOOL-0056.md Updated keychain_dumper to be usable on rootless jb --- tools/ios/MASTG-TOOL-0056.md | 41 ++++++++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/tools/ios/MASTG-TOOL-0056.md b/tools/ios/MASTG-TOOL-0056.md index 747c1d303e..dbb6cf3e81 100644 --- a/tools/ios/MASTG-TOOL-0056.md +++ b/tools/ios/MASTG-TOOL-0056.md 
@@ -4,14 +4,43 @@ platform: ios source: https://github.com/mechanico/Keychain-Dumper --- -[Keychain-dumper](https://github.com/mechanico/Keychain-Dumper "keychain-dumper") is an iOS tool to check which keychain items are available to an attacker once an iOS device has been jailbroken. The easiest way to get the tool is to download the binary from its GitHub repo and run it from your device: +[Keychain-dumper](https://github.com/mechanico/Keychain-Dumper "keychain-dumper") is an iOS tool to check which keychain items are available to an attacker once an iOS device has been jailbroken. In order to use the tool on modern versions of iOS, you need to follow a few steps. First, download the latest release from https://github.com/ptoomey3/Keychain-Dumper/releases, and unzip the package. Next, download the [updateEntitlements.sh](https://raw.githubusercontent.com/ptoomey3/Keychain-Dumper/refs/heads/master/updateEntitlements.sh) script to the same directory. Modify the first line (`KEYCHAIN_DUMPER_FOLDER=/usr/bin`) to say `KEYCHAIN_DUMPER_FOLDER=/var/jb/usr/bin` to be compatible with rootless jailbreaks. If your device has a rooted jailbreak (e.g. palera1n) you can skip this step. 
```bash -$ git clone https://github.com/ptoomey3/Keychain-Dumper -$ scp -P 2222 Keychain-Dumper/keychain_dumper root@localhost:/tmp/ -$ ssh -p 2222 root@localhost -iPhone:~ root# chmod +x /tmp/keychain_dumper -iPhone:~ root# /tmp/keychain_dumper +# Copy over the binary to /var/jb/usr/bin/ +scp keychain_dumper mobile@:/var/jb/usr/bin/ + +# Copy over the updateEntitlements.sh script +scp updateEntitlements.sh mobile@:/var/jb/usr/bin/ + +# SSH into the device +ssh mobile@ + +# Go to the /var/jb/tmp directory and switch to root +cd /var/jb/usr/bin & sudo su + +# Add executable permissions to both files +chmod +x keychain_dumper +chmod +x updateEntitlements.sh + +# Run updateEntitlements.sh +./updateEntitlements.sh + +# Run keychain_dumper +/var/jb/tmp/keychain_dump -h +``` + +By default, the script will give keychain_dump all the required entitlements to analyze the KeyChain for all installed applications. To focus on a single application, you can remove all unnecessary requirements: + +``` +# Extract entitlements +ldid -e /var/jb/tmp/keychain_dump > ent.xml + +# Remove all non-needed entitlements from the segment +nano ent.xml + +# Assign the entitlements again +ldid -Sent.xml /var/jb/tmp/keychain_dump ``` For usage instructions please refer to the [Keychain-dumper](https://github.com/mechanico/Keychain-Dumper "keychain-dumper") GitHub page. From c0256fda746b115c83e0c07b2b2f7f4f507b9aca Mon Sep 17 00:00:00 2001 From: Jeroen Beckers Date: Wed, 11 Dec 2024 13:24:39 +0100 Subject: [PATCH 2/3] Fix linting and url --- tools/ios/MASTG-TOOL-0056.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/ios/MASTG-TOOL-0056.md b/tools/ios/MASTG-TOOL-0056.md index dbb6cf3e81..bfc691b8cc 100644 --- a/tools/ios/MASTG-TOOL-0056.md +++ b/tools/ios/MASTG-TOOL-0056.md 
@@ -1,10 +1,10 @@ --- title: Keychain-Dumper platform: ios -source: https://github.com/mechanico/Keychain-Dumper +source: https://github.com/ptoomey3/Keychain-Dumper/releases --- -[Keychain-dumper](https://github.com/mechanico/Keychain-Dumper "keychain-dumper") is an iOS tool to check which keychain items are available to an attacker once an iOS device has been jailbroken. In order to use the tool on modern versions of iOS, you need to follow a few steps. First, download the latest release from https://github.com/ptoomey3/Keychain-Dumper/releases, and unzip the package. Next, download the [updateEntitlements.sh](https://raw.githubusercontent.com/ptoomey3/Keychain-Dumper/refs/heads/master/updateEntitlements.sh) script to the same directory. Modify the first line (`KEYCHAIN_DUMPER_FOLDER=/usr/bin`) to say `KEYCHAIN_DUMPER_FOLDER=/var/jb/usr/bin` to be compatible with rootless jailbreaks. If your device has a rooted jailbreak (e.g. palera1n) you can skip this step. +[Keychain-dumper](https://github.com/ptoomey3/Keychain-Dumper/releases "keychain-dumper") is an iOS tool to check which keychain items are available to an attacker once an iOS device has been jailbroken. In order to use the tool on modern versions of iOS, you need to follow a few steps. First, download the latest release from [the Keychain-Dumper releases page](https://github.com/ptoomey3/Keychain-Dumper/releases), and unzip the package. Next, download the [updateEntitlements.sh](https://raw.githubusercontent.com/ptoomey3/Keychain-Dumper/refs/heads/master/updateEntitlements.sh) script to the same directory. Modify the first line (`KEYCHAIN_DUMPER_FOLDER=/usr/bin`) to say `KEYCHAIN_DUMPER_FOLDER=/var/jb/usr/bin` to be compatible with rootless jailbreaks. If your device has a rooted jailbreak (e.g. palera1n) you can skip this step. ```bash # Copy over the binary to /var/jb/usr/bin/ 
@@ -32,7 +32,7 @@ chmod +x updateEntitlements.sh By default, the script will give keychain_dump all the required entitlements to analyze the KeyChain for all installed applications. To focus on a single application, you can remove all unnecessary requirements: -``` +```bash # Extract entitlements ldid -e /var/jb/tmp/keychain_dump > ent.xml From f66daf8dc76993e87f196de02596f98d8fea6464 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Wed, 11 Dec 2024 13:35:00 +0100 Subject: [PATCH 3/3] Update tools/ios/MASTG-TOOL-0056.md --- tools/ios/MASTG-TOOL-0056.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ios/MASTG-TOOL-0056.md b/tools/ios/MASTG-TOOL-0056.md index bfc691b8cc..6404d6b2a4 100644 --- a/tools/ios/MASTG-TOOL-0056.md +++ b/tools/ios/MASTG-TOOL-0056.md @@ -1,7 +1,7 @@ --- title: Keychain-Dumper platform: ios -source: https://github.com/ptoomey3/Keychain-Dumper/releases +source: https://github.com/ptoomey3/Keychain-Dumper --- [Keychain-dumper](https://github.com/ptoomey3/Keychain-Dumper/releases "keychain-dumper") is an iOS tool to check which keychain items are available to an attacker once an iOS device has been jailbroken. In order to use the tool on modern versions of iOS, you need to follow a few steps. First, download the latest release from [the Keychain-Dumper releases page](https://github.com/ptoomey3/Keychain-Dumper/releases), and unzip the package. Next, download the [updateEntitlements.sh](https://raw.githubusercontent.com/ptoomey3/Keychain-Dumper/refs/heads/master/updateEntitlements.sh) script to the same directory. Modify the first line (`KEYCHAIN_DUMPER_FOLDER=/usr/bin`) to say `KEYCHAIN_DUMPER_FOLDER=/var/jb/usr/bin` to be compatible with rootless jailbreaks. If your device has a rooted jailbreak (e.g. palera1n) you can skip this step.
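Review bot: In the first `bash` block of the `@@ -4,14 +4,43 @@` hunk of PATCH 1/3, the binary is copied to `/var/jb/usr/bin/` as `keychain_dumper` but the last step runs `/var/jb/tmp/keychain_dump -h`, so the path and the binary name both disagree with the install step; the same `/var/jb/tmp/keychain_dump` path is used twice in the second block (`ldid -e ...` and `ldid -Sent.xml ...`) and the prose calls the binary `keychain_dump`. Suggest `/var/jb/usr/bin/keychain_dumper` throughout, or `./keychain_dumper` since the reader has already changed into that directory. Two further problems in the same block: `cd /var/jb/usr/bin & sudo su` uses a single `&`, which backgrounds the `cd` in a subshell so the `sudo su` shell never changes directory and the following relative `chmod +x keychain_dumper` / `./updateEntitlements.sh` lines fail; it should read `cd /var/jb/usr/bin && sudo su`, and the comment above it says `/var/jb/tmp` while the command targets `/var/jb/usr/bin`. The `scp ... mobile@:/var/jb/usr/bin/` and `ssh mobile@` lines have an empty host after the `@`; a placeholder such as `mobile@<device-ip>` would make clear the reader has to fill it in. Finally, the new prose fetches `updateEntitlements.sh` from the ptoomey3 repository while the opening link and the closing "For usage instructions please refer to ..." context line still point at `https://github.com/mechanico/Keychain-Dumper`; the closing link is not touched by any later patch in this series.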
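Review bot: In the `@@ -1,10 +1,10 @@` hunk of PATCH 2/3, `source:` is changed to the `/releases` URL, which PATCH 3/3 then reverts to the repository root; squashing the two would avoid churning the front-matter line in history. In the same hunk the prose still says "rooted jailbreak" for the counterpart of "rootless"; "rootful" is the usual term and avoids confusion with "rooted" as used for Android devices.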
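Review bot: The `@@ -32,7 +32,7 @@` hunk of PATCH 2/3 only adds the `bash` tag to the fence, but the context line `ldid -e /var/jb/tmp/keychain_dump > ent.xml` directly below it still carries the path and binary-name mismatch with the `/var/jb/usr/bin/keychain_dumper` install step from PATCH 1/3, so the linting fix is fine but the path should be corrected in the same series. The context line above the fence also reads "analyze the KeyChain ... remove all unnecessary requirements"; suggest "Keychain" and "entitlements", since that is what the `ldid` commands edit.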
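Review bot: In the `@@ -1,7 +1,7 @@` hunk of PATCH 3/3, `source:` is reverted to `https://github.com/ptoomey3/Keychain-Dumper`, but the `[Keychain-dumper](https://github.com/ptoomey3/Keychain-Dumper/releases "keychain-dumper")` link in the unchanged context line below still targets the releases page; the two should agree, and the repository root is the better target for the name link since the releases page is already linked separately in the next sentence.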