Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update MASTG-TOOL-0056 with new Keychain-Dumper tool repo (by @NVISOSecurity) #3091

Merged
merged 3 commits into from
Dec 11, 2024
Merged

Update MASTG-TOOL-0056 with new Keychain-Dumper tool repo (by @NVISOSecurity) #3091

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0212fea
Update MASTG-TOOL-0056.md
TheDauntless Dec 11, 2024
c0256fd
Fix linting and url
TheDauntless Dec 11, 2024
f66daf8
Update tools/ios/MASTG-TOOL-0056.md
cpholguera Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 36 additions & 7 deletions tools/ios/MASTG-TOOL-0056.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,46 @@
---
title: Keychain-Dumper
platform: ios
source: https://github.com/mechanico/Keychain-Dumper
source: https://github.com/ptoomey3/Keychain-Dumper
---

[Keychain-dumper](https://github.com/mechanico/Keychain-Dumper "keychain-dumper") is an iOS tool to check which keychain items are available to an attacker once an iOS device has been jailbroken. The easiest way to get the tool is to download the binary from its GitHub repo and run it from your device:
[Keychain-dumper](https://github.com/ptoomey3/Keychain-Dumper/releases "keychain-dumper") is an iOS tool to check which keychain items are available to an attacker once an iOS device has been jailbroken. In order to use the tool on modern versions of iOS, you need to follow a few steps. First, download the latest release from [the Keychain-Dumper releases page](https://github.com/ptoomey3/Keychain-Dumper/releases), and unzip the package. Next, download the [updateEntitlements.sh](https://raw.githubusercontent.com/ptoomey3/Keychain-Dumper/refs/heads/master/updateEntitlements.sh) script to the same directory. Modify the first line (`KEYCHAIN_DUMPER_FOLDER=/usr/bin`) to say `KEYCHAIN_DUMPER_FOLDER=/var/jb/usr/bin` to be compatible with rootless jailbreaks. If your device has a rooted jailbreak (e.g. palera1n) you can skip this step.

```bash
$ git clone https://github.com/ptoomey3/Keychain-Dumper
$ scp -P 2222 Keychain-Dumper/keychain_dumper root@localhost:/tmp/
$ ssh -p 2222 root@localhost
iPhone:~ root# chmod +x /tmp/keychain_dumper
iPhone:~ root# /tmp/keychain_dumper
# Copy over the binary to /var/jb/usr/bin/
scp keychain_dumper mobile@<deviceip>:/var/jb/usr/bin/

# Copy over the updateEntitlements.sh script
scp updateEntitlements.sh mobile@<deviceip>:/var/jb/usr/bin/

# SSH into the device
ssh mobile@<deviceip>

# Go to the /var/jb/tmp directory and switch to root
cd /var/jb/usr/bin & sudo su

# Add executable permissions to both files
chmod +x keychain_dumper
chmod +x updateEntitlements.sh

# Run updateEntitlements.sh
./updateEntitlements.sh

# Run keychain_dumper
/var/jb/tmp/keychain_dump -h
```

By default, the script will give keychain_dump all the required entitlements to analyze the KeyChain for all installed applications. To focus on a single application, you can remove all unnecessary requirements:

```bash
# Extract entitlements
ldid -e /var/jb/tmp/keychain_dump > ent.xml

# Remove all non-needed entitlements from the <array> segment
nano ent.xml

# Assign the entitlements again
ldid -Sent.xml /var/jb/tmp/keychain_dump
```

For usage instructions please refer to the [Keychain-dumper](https://github.com/mechanico/Keychain-Dumper "keychain-dumper") GitHub page.
Loading