macOS Sensitive Locations & Interesting Daemons
Last updated
Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Shadow password is stored with the user's configuration in plists located in /var/db/dslocal/nodes/Default/users/.
The following oneliner can be use to dump all the information about the users (including hash info):
or can be used to transform the hash to hashcat format.
An alternative one-liner which will dump creds of all non-service accounts in hashcat format -m 7100 (macOS PBKDF2-SHA512):
Another way to obtain the ShadowHashData of a user is by using dscl: sudo dscl . -read /Users/`whoami` ShadowHashData
This file is only used when the system id running in single-user mode (so not very frequently).
Note that when using the security binary to dump the passwords decrypted, several prompts will ask the user to allow this operation.
Keychaindump operates by targeting a specific process called securityd, described by Apple as a daemon for authorization and cryptographic operations, crucial for accessing the keychain. The extraction process involves identifying a Master Key derived from the user's login password. This key is essential for reading the keychain file. To locate the Master Key, keychaindump scans the memory heap of securityd using the vmmap command, looking for potential keys within areas flagged as MALLOC_TINY. The following command is used to inspect these memory locations:
After identifying potential master keys, keychaindump searches through the heaps for a specific pattern (0x0000000000000018) that indicates a candidate for the master key. Further steps, including deobfuscation, are required to utilize this key, as outlined in keychaindump's source code. Analysts focusing on this area should note that the crucial data for decrypting the keychain is stored within the memory of the securityd process. An example command to run keychaindump is:
Internet Passwords
Generic Passwords
Private Keys
Public Keys
X509 Certificates
Secure Notes
Appleshare Passwords
Without one of these methods of unlocking the Keychain, Chainbreaker will display all other available information.
If you know the users password you can use it to dump and decrypt keychains that belong to the user.
The kcpassword file is a file that holds the user’s login password, but only if the system owner has enabled automatic login. Therefore, the user will be automatically logged in without being asked for a password (which isn't very secure).
You can find the Notifications data in $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/
Most of the interesting information is going to be in blob. So you will need to extract that content and transform it to human readable or use strings. To access it you can do:
The users notes can be found in ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite
In macOS apps preferences are located in $HOME/Library/Preferences and in iOS they are in /var/mobile/Containers/Data/Application/<UUID>/Library/Preferences.
In macOS the cli tool defaults can be used to modify the Preferences file.
/usr/sbin/cfprefsd claims the XPC services com.apple.cfprefsd.daemon and com.apple.cfprefsd.agent and can be called to perform actions such as modify preferences.
The file /System/Library/OpenDirectory/permissions.plist contains permissions applied on node attributes and is protected by SIP.
This file grants permissions to specific users by UUID (and not uid) so they are able to access specific sensitive information like ShadowHashData, HeimdalSRPKey and KerberosKeys among others:
The main daemon for notifications is /usr/sbin/notifyd. In order to receive notifications, clients must register through the com.apple.system.notification_center Mach port (check them with sudo lsmp -p <pid notifyd>). The daemon is configurable with the file /etc/notify.conf.
The names used for notifications are unique reverse DNS notations and when a notification is sent to one of them, the client(s) that have indicated that can handle it will receive it.
It's possible to dump the current status (and see all the names) sending the signal SIGUSR2 to the notifyd process and reading the generated file: /var/run/notifyd_<pid>.status:
The Distributed Notification Center whose main binary is /usr/sbin/distnoted, is another way to send notifications. It exposes some XPC services and it performs some check to try to verify clients.
In this case, applications can register for topics. The client will generate a token contacting Apple's servers through apsd.
Then, providers, will have also generated a token and will be able to connect with Apple's servers to send messages to the clients. These messages will be locally received by apsd which will relay the notification to the application waiting for it.
The preferences are located in /Library/Preferences/com.apple.apsd.plist.
There is a local database of messages located in macOS in /Library/Application\ Support/ApplePushService/aps.db and in iOS in /var/mobile/Library/ApplePushService. It has 3 tables: incoming_messages, outgoing_messages and channel.
It's also possible to get information about the daemon and connections using:
These are notifications that the user should see in the screen:
CFUserNotification: These API provides a way to show in the screen a pop-up with a message.
The Bulletin Board: This shows in iOS a banner that disappears and will be stored in the Notification Center.
NSUserNotificationCenter: This is the iOS bulletin board in MacOS. The database with the notifications in located in /var/folders/<user temp>/0/com.apple.notificationcenter/db2/db
Based on this comment it looks like these tools aren't working anymore in Big Sur.
A tool named keychaindump has been developed to extract passwords from macOS keychains, but it faces limitations on newer macOS versions like Big Sur, as indicated in a . The use of keychaindump requires the attacker to gain access and escalate privileges to root. The tool exploits the fact that the keychain is unlocked by default upon user login for convenience, allowing applications to access it without requiring the user's password repeatedly. However, if a user opts to lock their keychain after each use, keychaindump becomes ineffective.
can be used to extract the following types of information from an OSX keychain in a forensically sound manner:
Hashed Keychain password, suitable for cracking with or
Given the keychain unlock password, a master key obtained using or , or an unlock file such as SystemKey, Chainbreaker will also provide plaintext passwords.
to perform a memory dump
The password is stored in the file /etc/kcpassword xored with the key 0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F. If the users password is longer than the key, the key will be reused.
This makes the password pretty easy to recover, for example using scripts like .
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.
