±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 33132
New Yesterday: 0 Visitors: 134

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Newish iCloud (and other Mac OSX) auth tokens decryption

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Newish iCloud (and other Mac OSX) auth tokens decryption

Post Posted: Sun Nov 06, 2016 12:19 pm

Maybe of use:
github.com/manwhoami/M...kenDecrypt


MMeTokenDecrypt

This program decrypts / extracts all authorization tokens on macOS / OS X / OSX. No user authentication is needed, due to the flawed way in which macOS authorizes keychain access.

Authorization tokens are stored in /Users/*/Library/Application Support/iCloud/Accounts/DSID where DSID is Apple's backend identifier for each iCloud account in their system.

This DSID file is encrypted with AES-128 CBC and an empty intialization vector (IV). The decryption key for this file is stored in the User's keychain, under the service name entry iCloud, with the name being the primary email address associated with an iCloud account.

This decryption key is decoded in base64, and then used as the message in a standard MD5 Hmac. The problem is, the key to the Hmac is buried deep in the internals of MacOS. This key is a 44 character long string of random letters that is necessary to decrypt the DSID file. This key is included in the source code of this repository, and as far as I know, has been published no where else on the internet.

Significance

The only software that performs a similar function is the forensics grade "Elcomsoft Phone Breaker". MMeTokenDecrypt allows any developer to incorporate the decryption of iCloud authorization files into their projects, open sourced.

Apple needs to redesign the way that keychain information is requested. Because this program forks a security subprocess, which is an Apple signed binary, the user is not alerted to the potential dangerous nature of the keychain request dialog. Additionally, an attacker can repeatedly present the user with the keychain dialog, until the user accepts the keychain request, because Apple does not put a timeout on the "deny" attempts. This allows for trivial compromization of iCloud authorization tokens, which can be used to access almost every iCloud service, including iOS backups, iCloud Contacts, iCloud Drive, iCloud Photo Library, Find my Friends, and Find my iPhone (see my other repositories).


Essentially:

#Constant key used for hashing Hmac on all versions of MacOS.
#this is the secret to the decryption!
#/System/Library/PrivateFrameworks/AOSKit.framework/Versions/A/AOSKit yields the following subroutine
#KeychainAccountStorage _generateKeyFromData:
#that uses the below key that calls CCHmac to generate a Hmac that serves as the decryption key
key = "t9s\"lx^awe.580Gj%'ld+0LG<#9xa?>vb)-fkwb92[}"


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Newish iCloud (and other Mac OSX) auth tokens decryption

Post Posted: Sun Nov 06, 2016 4:51 pm

Did you math the Hmac to proof yourself?

key = "t9s\"lx^awe.580Gj%'ld+0LG<#9xa?>vb)-fkwb92[}"  

RolfGutmann
Senior Member
 
 
  

Re: Newish iCloud (and other Mac OSX) auth tokens decryption

Post Posted: Sun Nov 06, 2016 4:59 pm

Tiny piece of infos for non-cryptos to put into perspective the MMeToken

blog.digital-forensics...dpapi.html  

RolfGutmann
Senior Member
 
 
  

Re: Newish iCloud (and other Mac OSX) auth tokens decryption

Post Posted: Sun Nov 06, 2016 5:02 pm

- RolfGutmann
Did you math the Hmac to proof yourself?

I am personally very much proved Wink , but in this case I have no connection to the posted tool/site, no intention to "proof" anything, and only provided a link to a new thing.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Newish iCloud (and other Mac OSX) auth tokens decryption

Post Posted: Sun Nov 06, 2016 5:07 pm

I did recognize how top proved you are - Compliment!  

RolfGutmann
Senior Member
 
 

Page 1 of 1