KeychainEditor is a CLI for interacting with the iOS Keychain on a jailbroken iDevice. The Keychain is secure storage provided by iOS for saving client-side secrets and certificates on the device. KeychainEditor can dump, edit and delete keychain items. The tool will greatly help pentesters and security researchers alike who want to poke at an application's keychain usage during an iOS APT (Application Penetration Test). Note that the tool currently supports Generic Passwords (Genp) only. Support for Internet Passwords and Certificates will soon be added!

- Support for iOS 8+ and the new changes in Keychain.
- A minimal dump of the keychain, which outputs only AccountNames and ServiceNames.
  $ ./keychaineditor --action min-dump
- A search feature to limit the output to only what the user wants. The search can be performed on Account, Service, AccessGroup or Accessibility values.
  $ ./keychaineditor --action dump --find "WhenUnlocked"
- Works with idb!
Note: Please check the --help command for more options/examples.

To build the tool, run 'make' in the current directory.
Note: You should have the Xcode command line tools installed for the toolchain.

Creating Symlinks:
Always check that you have symlinks for 'sdk' and 'toolchain' in the current directory.
- To find the exact SDK installed on your machine, type the following command:
  $ xcodebuild -showsdks
- To get the actual path of the SDK:
  $ xcrun -sdk iphoneos8.2 --show-sdk-path
- For example, you should see something like this after you have created symlinks:
  $ toolchain -> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/
  $ sdk -> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.2.sdk
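
A preflight check for the two symlinks described above, as an added example that is not part of the original project. The function names check_link and preflight are hypothetical, and the xcrun hint assumes the Xcode command line tools are on PATH.

```shell
#!/bin/sh
# Added example (not from the KeychainEditor project): verify the 'sdk' and
# 'toolchain' symlinks before running make.

# check_link DIR NAME
# Returns 0 if DIR/NAME is a symlink resolving to a directory,
# 1 if it is not a symlink, 2 if it is a dangling symlink.
check_link() {
    link="$1/$2"
    if [ ! -L "$link" ]; then
        echo "missing:  '$2' is not a symlink in $1"
        return 1
    fi
    if [ ! -d "$link" ]; then   # -d follows the link to its target
        echo "dangling: '$2' -> $(readlink "$link")"
        return 2
    fi
    echo "ok:       '$2' -> $(readlink "$link")"
}

# preflight [DIR]
# Checks both links; exit status is the number of broken links (0 = ready).
preflight() {
    dir=${1:-.}
    problems=0
    for name in sdk toolchain; do
        check_link "$dir" "$name" || problems=$((problems + 1))
    done
    # Assumption: xcrun is only present on a Mac with the Xcode tools.
    if [ "$problems" -gt 0 ] && command -v xcrun >/dev/null 2>&1; then
        echo "hint: current iphoneos SDK is at" \
             "$(xcrun --sdk iphoneos --show-sdk-path 2>/dev/null)"
    fi
    return "$problems"
}
```

Source the file and run `preflight .` from the directory containing the makefile; a non-zero status means at least one link needs to be recreated.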

Make errors:
You may have a lower SDK version installed on your machine, in which case the makefile will not be able to find the exact path of the installed SDK. Follow the steps above to find the installed SDK, then update the 'isysroot' flag with the appropriate SDK version.

Error Code -34018:
This error occurs when the binary has not been code signed and has not been given the keychain access entitlements.
  $ codesign -fs "YOUR_SELF_SIGNED_CERT" --entitlements entitlements.xml keychaineditor
- To get a list of certificates that are already available in your keychain to sign your binary, you can use the following command:
  $ security find-identity -v -p codesigning