{"id":30,"date":"2015-06-11T17:09:22","date_gmt":"2015-06-11T09:09:22","guid":{"rendered":"http:\/\/blog.md5.red\/?p=30"},"modified":"2015-12-24T01:16:14","modified_gmt":"2015-12-23T17:16:14","slug":"ios-keychain%e7%a0%b4%e8%a7%a3","status":"publish","type":"post","link":"https:\/\/blog.md5.red\/?p=30","title":{"rendered":"IOS keychain\u7834\u89e3"},"content":{"rendered":"

\"\u5c4f\u5e55\u5feb\u7167<\/a><\/p>\n

\u5e26\u5bc6\u7801\u4f7f\u7528iTunes\u6240\u505a\u7684\u5907\u4efd\u5e26\u6709keychain\u6587\u4ef6\uff0c\u5728\u77e5\u9053\u5bc6\u7801\u7684\u60c5\u51b5\u4e0b\u53ef\u4ee5\u89e3\u5bc6\uff0c\u4f7f\u7528\u6536\u8d39\u7684UFED\u3001Oxygen\u7b49\u53ef\u4ee5\u89e3\u6790\uff0c\u5f00\u6e90\u7684\u4f7f\u7528iphone-dataprotection<\/a>\u53ef\u4ee5\u505a\uff0c\u8fd9\u5957\u4ee3\u7801\u80fd\u591f\u89e3\u6790\u52a0\u5bc6itunes\u5907\u4efd\u6587\u4ef6\uff0c\u4ee5\u53ca\u89e3\u6790keychain\u6587\u4ef6\u3002<\/p>\n

 <\/p>\n

\u53c2\u8003\uff1a<\/p>\n

http:\/\/code.google.com\/p\/iphone-dataprotection\/<\/a><\/p>\n

http:\/\/www.securitylearn.net\/2012\/05\/03\/decrypting-the-iphone-keychain-from-backups<\/a><\/p>\n

Steps to decrypt the backup Keychain (Mac OS X):<\/p>\n

    \n
  1. Go to iTunes backup folder. Default location is -~\/Library\/Application Support\/MobileSync\/Backup\/<\/li>\n
  2. \u2028Rename the file 51a4616e576dd33cd2abadfea874eb8ff246bf0e to keychain-backup.plist.<\/li>\n
  3. Extract key 0\u00d7835 by following my previous blog post \u2013 Extracting AES keys from iPhone.<\/li>\n
  4. Download & install mercurial. Researchers at sogeti developed tools to decrypt the keychain files. Grab the tools by running the below command on Mac OS X terminal.\uff08sudo easy_install mercurial,\u00a0mercurial\u662f\u8f83\u4e3a\u6d41\u884c\u7684\u5206\u5e03\u5f0f\u7248\u672c\u63a7\u5236\u5de5\u5177\uff0c\u7528hg\u547d\u4ee4\u540c\u6b65\uff09<\/li>\n<\/ol>\n

    \u8fd0\u884c\u00a0hg clone https:\/\/code.google.com\/p\/iphone-dataprotection\/<\/p>\n

    5. Install python dependencies.<\/p>\n

    sudo easy_install M2crypto construct progressbar setuptools<\/p>\n

    sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto<\/p>\n

    M2Crypto<\/em>\u00a0\u662f\u4e00\u4e2a Python \u8bed\u8a00\u5bf9 OpenSSL \u7684\u5c01\u88c5,\u652f\u6301\u5305\u62ec RSA\u3001DSA\u3001DH\u3001HMACs\u3001\u6d88\u606f\u6458\u8981\u3001\u5bf9\u79f0\u52a0\u5bc6\u5982 AES,\u4ee5\u53ca\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u7aef\u7684 SSL \u529f\u80fd\u3002\u5b89\u88c5\u4e4b\u524d\u9700\u8981\u5148\u88c5Xcode(gcc),swig,pcre\u3002<\/p>\n

    6. Navigate to iphone-dataprotection folder and run keychain_tool.py by supplying keychain-backup.plist path and the backup folder path.<\/p>\n

    cd iphone-dataprotection<\/p>\n

    python python_scripts\/keychain_tool.py \u00a0~\/Library\/Application Support\/MobileSync\/Backup\/[UDID]\/keychain-backup.plist \u00a0 ~\/Library\/Application Support\/MobileSync\/Backup\/[UDID]\/Manifest.plist<\/p>\n

    7. The script prompts for key 0\u00d7835. key in the value obtained in step 2. keychain-tool.py automatically decrypts the backup keychain content and displays it on the terminal.<\/p>\n

    In iTunes backup, the iPhone Keychain sqlite database\u00a0is stored as a Plist file. The Keychain file gets stored with\u00a051a4616e576dd33cd2abadfea874eb8ff246bf0e\u00a0<\/em>file\u00a0name in the iTunes backup folder.<\/p>\n

    Keychain data stored in the backup is encrypted using a hardware generated key \u2013 key 0\u00d7835. So renaming the file\u00a051a4616e576dd33cd2abadfea874eb8ff246bf0e\u00a0<\/em>to keychain-backup.plist and\u00a0editing\u00a0with a plist editor opens the file but does not display the data in it.<\/p>\n

    Steps to decrypt the backup Keychain (Mac OS X):
    \n<\/strong>1. Go to iTunes backup folder. Default location is -~\/Library\/Application Support\/MobileSync\/Backup\/
    \n2. Rename the file\u00a051a4616e576dd33cd2abadfea874eb8ff246bf0e<\/em>\u00a0to keychain-backup.plist.
    \n3. Extract key 0\u00d7835 by following my previous blog post \u2013\u00a0    Extracting AES keys from iPhone<\/a>.
    \n4.\u00a0Download & install\u00a0    mercurial<\/a>. Researchers at sogeti developed tools to decrypt the keychain files. Grab the tools by running the below command on Mac OS X terminal.<\/p>\n

    hg clone\u00a0https:\/\/code.google.com\/p\/iphone-dataprotection\/<\/a><\/p>\n

    5. Install python dependencies.<\/p>\n

     <\/p>\n

    sudo easy_install M2crypto construct progressbar setuptools<\/p>\n

    sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto<\/p>\n

    6. Navigate to\u00a0iphone-dataprotection<\/em>\u00a0folder and run\u00a0keychain_tool.py<\/em>\u00a0by supplying keychain-backup.plist path and the backup folder path.\u00a0<\/em><\/p>\n

     <\/p>\n

    cd iphone-dataprotection<\/p>\n

    python python_scripts\/keychain_tool.py\u00a0 ~\/Library\/Application Support\/MobileSync\/Backup\/[UDID]\/keychain-backup.plist\u00a0\u00a0 ~\/Library\/Application Support\/MobileSync\/Backup\/[UDID]\/Manifest.plist<\/p>\n

    7. The script prompts for key 0\u00d7835. key in the value obtained in step 2.\u00a0keychain-tool.py\u00a0<\/em>automatically decrypts the backup keychain content and displays it on the terminal.<\/p>\n


    \nSteps to decrypt the backup Keychain (Windows 7):
    \n<\/strong>1. Go to iTunes backup folder. Default location is -\u00a0C:\\Users\\[user name]\\AppData\\Roaming\\Apple Computer\\MobileSync\\Backup\\
    \n2. Rename the file\u00a051a4616e576dd33cd2abadfea874eb8ff246bf0e<\/em>\u00a0to keychain-backup.plist.
    \n3. Extract key 0\u00d7835 by following my previous blog post -\u00a0    Extracting AES keys from iPhone<\/a>.
    \n4.\u00a0Download & install\u00a0    mercurial<\/a>. Researchers at sogeti developed tools to decrypt the keychain files. Grab the tools by running the below command from windows command prompt. It creates\u00a0iphone-dataprotection<\/em>\u00a0folder in the current directory.<\/p>\n

    hg clone\u00a0https:\/\/code.google.com\/p\/iphone-dataprotection\/<\/a><\/p>\n

    5. Download and install\u00a0Python 2.6<\/a>\u00a0in C:\\Python26<\/em>\u00a0folder.
    \n6. Add\u00a0C:\\Python26<\/em>\u00a0to system PATH environment variable.
    \n7. Install windows\u00a0    openSSL<\/a>.
    \n8. Install python dependencies -\u00a0    setuptools<\/a>,\u00a0M2Crypto<\/a>,\u00a0pycrypto<\/a>\u00a0&\u00a0pyqt
    \n<\/a>9.\u00a0Download\u00a0    progressbar-2.3.rar<\/a>\u00a0and extract it to c:\\ drive. From command prompt navigate to\u00a0c:\\progressbar-2.3<\/em>\u00a0and type the below command.<\/p>\n

     <\/p>\n

    cd progressbar-2.3<\/p>\n

    python setup.py install<\/p>\n

    10. Download\u00a0construct-2.06.rar<\/a>\u00a0and extract it to c:\\ drive. From command prompt navigate to\u00a0c:\\construct-2.06<\/em>\u00a0folder and type the below command.<\/p>\n

    cd construct-2.06<\/p>\n

    python setup.py install<\/p>\n

    11. From command prompt, navigate to\u00a0iphone-dataprotection<\/em>\u00a0folder and run\u00a0keychain_tool.py<\/em>\u00a0by supplying keychain-backup.plist path and the backup folder path.\u00a0<\/em><\/p>\n

     <\/p>\n

    cd iphone-dataprotection<\/p>\n

    python python_scripts\/keychain_tool.py\u00a0 C:\\Users\\[user name]\\AppData\\Roaming\\Apple Computer\\MobileSync\\Backup\\[UDID]\\keychain-backup.plist C:\\Users\\[user name]\\AppData\\Roaming\\Apple Computer\\MobileSync\\Backup\\[UDID]\\Manifest.plist<\/p>\n

    * In the above command replace [user name] & [UDID] with appropriate values.<\/p>\n

    12. The script prompts for key 0\u00d7835. key in the value obtained in step 2.\u00a0keychain-tool.py\u00a0<\/em>automatically decrypts the backup keychain content and displays it on the command prompt.<\/p>\n

    Note:<\/strong>\u00a0keychain in the iTunes encrypted backup is stored encrypted with iTunes password. So while decrypting the keychain from iTunes encrypted backups, enter the backup password instead of key 0\u00d7835.<\/p>\n

    More detailed video demonstration is available at \u2013\u00a0iPhone\u00a0forensics \u2013 Analysis of iOS 5 backups: video<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

    \u5e26\u5bc6\u7801\u4f7f\u7528iTunes\u6240\u505a\u7684\u5907\u4efd\u5e26\u6709keychain\u6587\u4ef6\uff0c\u5728\u77e5\u9053\u5bc6\u7801\u7684\u60c5\u51b5\u4e0b\u53ef\u4ee5\u89e3\u5bc6\uff0c\u4f7f\u7528\u6536\u8d39\u7684UFED\u3001Ox ...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[11,32,10],"class_list":["post-30","post","type-post","status-publish","format-standard","hentry","category-4","tag-ios","tag-keychain","tag-mac"],"_links":{"self":[{"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/posts\/30","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.md5.red\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=30"}],"version-history":[{"count":5,"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/posts\/30\/revisions"}],"predecessor-version":[{"id":166,"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/posts\/30\/revisions\/166"}],"wp:attachment":[{"href":"https:\/\/blog.md5.red\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.md5.red\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.md5.red\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}