Decrypt iOS Keychai...
 
Notifications
Clear all

Decrypt iOS Keychain

4 Posts
4 Users
0 Likes
2,266 Views
(@mshibo)
Posts: 34
Eminent Member
Topic starter
 

Well, I've been using Elcomsoft to deal with iOS encrypted backups but lately, it doesn't do good work as it can't get even 80% of the passwords and they are still shown encrypted.
So, my question is, what other tool or way to decrypt those passwords?

 
Posted : 23/06/2018 12:41 pm
(@hsif_cisnerof)
Posts: 2
New Member
 

Just to confirm, are you taking about decrypting encrypted iTunes backups on a computer or are you talking about decrypting a keychain recorded from an acquisition of a mobile device? How are you using Elcomsoft? What data are you using to decrypt the files? How are you generating the wordlists?

If talking about encrypted iTunes backups, I come across these quite often at work and I have only failed to decrypt one (I've managed to decrypt the other 100+) by finding passwords on the source device (the laptop). Some suggestions to identify passwords-

- Firefox Profile - I've had quite a lot of success with using passwords from here to decrypt an iTunes backup
- If the source device is a Macbook, have a look at the login.keychain. EnCase7 allows you to decrypt the data of this or there is a great free CLI tool called 'dumpkeychain' which will process the login.keychain.
- Data breach dumps freely available online - you can search these for an email address for the owner of the device and then try and passwords against this
- Use Magnet Forensics free tool, Wordlist Generator. You do need to have AXIOM to use this though. This will create a dictionary that you can then import into Elcomsoft

 
Posted : 27/06/2018 3:24 pm
(@v-katalov)
Posts: 52
Trusted Member
 

Well, I've been using Elcomsoft to deal with iOS encrypted backups but lately, it doesn't do good work as it can't get even 80% of the passwords and they are still shown encrypted.
So, my question is, what other tool or way to decrypt those passwords?

The problem is that keychain items may have different security attributes. Some of them are encrypted using backup password only – and we get them all (and there is no other software that can get more, it is simply not technically possible). The other records use stronger encryption, based on the unique hardware key that is *not* available in backup and can be obtained only from the device itself (though there are meny problems here, too).

We recently published the article describing all the methods of keychain extraction and decryption.

https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/

 
Posted : 18/02/2019 7:15 am
(@hommy0)
Posts: 98
Trusted Member
 

- If the source device is a Macbook, have a look at the login.keychain. EnCase7 allows you to decrypt the data of this or there is a great free CLI tool called 'dumpkeychain' which will process the login.keychain.

As well as having dumpkeychain, depending on the version of EnCase 7 you are using, both EnCase 7 and EnCase 8 can decrypt the login keychain. This is actioned by treating it as a compound file (Right Click -> Entries -> View File Structure) supply the users login password (or other password they have used to protect the login keychain)

The contents can then be viewed by clicking on the entry.

 
Posted : 18/02/2019 9:08 am
Share: