Decrypt Keychain.plist

In order to unwrap the encryption key, the correct passcode must be provided. While it’s incredibly easy for Apple to build a piece of software allowing the company to brute-force the passcodes, unwrap the encryption key and decrypt the keychain, the company publicly refuses to do so. For Safari, our tool converts the keychain.plist property list file to an XML document, parses the XML document to obtain each encrypted password, and supplies the encrypted password and that static 144-byte salt to the CryptUnprotectData function. Computerworld covers a range of technology topics, with a focus on these core areas of IT: Windows, Mobile, Apple/enterprise, Office and productivity suites, collaboration, web browsers. Or we can launch the keychain explorer and have a look at the. Read and decrypt keychain. Examining Mac OS X User & System Keychains. The password is protected by a simple XOR encryption and is easy to decrypt using a. I checked the Manifest.plist file and the 'password' denoted in the file, matches my backup password.

Part 1 of this series may be found here.
Part 2 of this series may be found here.
Part 3 of this series may be found here.
Part 4 of this series may be found here.

Safari

I must admit, I was pretty surprised by how hidden Apple made their security information. After years of hearing how horrible Safari is in terms of general security – their password security is actually pretty decent. unfortunately, it too is able to be hacked if you know what you’re doing.

Safari stores your usernames and passwords in a file called “keychain.plist” in the following folders:

Sorry Mac users, I don’t know where this is stored on a Mac… If someone wants to give me a Mac, I’ll be more than happy to research it for them… 🙂

The contents of this file are pseudo-encrypted because it’s stored in a “Binary Property List” file format which is an Apple format for storing binary data. If you just open the file it will look like garbage. However, Apple provides a tool called plutil.exe that can read this format and it’s actually provided with Safari in the following folders:

Run this program in DOS using the following commands:

This will convert the .plist file into an XML file. In the XML file, everything will be decoded except for your password which will be inside an tag called

The encrypted password is encoded using the BASE64 algorithm. Bizarrely enough, the original password data stored in the keychain.plist file is not encoded with BASE64. It is only encrypted to BASE64 when converting the .plist file into XML using the plutil program. In the .plist file, the password is encrypted using standard Windows Data Protection (DPAPI), which provides the known functions of CryptProtectData and CryptUnprotectData for encrypting / decrypting of data using your Windows authentication password. When using CryptProtectData, Safari uses a standard, static salt for all passwords which is also stored in the keychain.plist file.

So to actually decode the XML file, you must first decrypt the BASE64 encrypted data, then decrypt the Windows DPAPI encrypted data. Easy right?

BASE64 encryption can easily be broken with free code available online. From there, you need to figure out the salt to use with the Windows DPAPI CryptUnprotectData function.

For the curious, the salt generation algorithm and decryption functions are available in the Apple supplied CFNetwork.dll file which can be found in the following folders:

The salt data in the .plist file is 144 bytes long and ends with “com.apple.Safari”. Once you find the Salt in the .plist file, you can easily decrypt the passwords using the CryptUnprotectData function (available on the Microsoft MSDN website).

As you can see, Safari is much more complicated than other browsers but in the end, it’s just as easy for someone who knows what they are doing to hack.

Summary

I think that all the browsers fall short in one area or another. Firefox comes the closest but only if you enable a Master Password. IE9 has good security for Autocomplete data, but only if you do not store website history. Chrome fails in terms of protecting your usernames and passwords from any key loggers. Opera fails completely because it uses a known, static salt. Safari surprisingly enough provides decent security from someone who doesn’t know what they are doing but a true hacker should be able to decrypt your passwords with some patience.

My recommendation? Use Firefox, keep it updated and enable a strong Master Password. Again, I refer you to check out XKCD’s Password Strength cartoon for tips.

If you are looking for keychain backup plist, simply check out our links below :

1. decrypting iphone keychain from backups on windows

http://www.securitylearn.net/tag/decrypting-iphone-keychain-from-backups-on-windows/

2. Six Ways to Decrypt iPhone Passwords from the Keychain …

https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/

Dec 18, 2018 – Method 4: Extract Keychain from Encrypted iTunes Backups. If you have access to the iPhone, you can create a password-protected iTunes …

Decrypt

3. Keychain Explorer for Encrypted Backup – Elcomsoft Phone …

https://www.elcomsoft.com/help/en/eppb/keychain_explorer.html

Decrypt Keychain.plist

iTunes/iCloud backup. Manifest.plist. Keychain data downloaded from iCloud Keychain (EPB 9.50 and lower). iCloud_Keychain.xml. Keychain data downloaded …

Decrypt

4. Forensic analysis of iPhone backups – Exploit Database

https://www.exploit-db.com/docs/english/19767-forensic-analysis-of-ios5-iphone-backups.pdf

/System/Library/Backup/Domains.plist file on the iPhone. Domains.plist file … this value is computed from SHA-1(KeychainDomain-keychain-backup.plist).

5. View Keychain from encrypted IOS 8.2 backup? – Ask Different

https://apple.stackexchange.com/questions/190139/view-keychain-from-encrypted-ios-8-2-backup

Jun 4, 2015 – python keychain_tool.py -d 'PATH_TO_extract/KeychainDomain/keychain-backup.plist' 'PATH_TO_extract/Manifest.plist'.

6. Extracting ios 12.1 keychain data from a keychain-backup.plist …

Extracting ios 12.1 keychain data from a keychain-backup.plist file from computerforensics

Aug 20, 2019 – Is it possible to decrypt the keychain data from ios 12.1 from a keychain-backup.plist file? The phone was wiped so it was extracted from a recent …

7. iTunes Backup Extractor (via Manifest.plist) | Online Hash Crack

https://www.onlinehashcrack.com/tools-itunes-backup-hash-extractor.php

iTunes Backup Extractor (via Manifest.plist) – instantly. This page will extract the information needed from the Manifest.plist file to convert it to hashes compatible …

Decrypt

8. Decrypting keychain (iOS 11) · Issue #21 · dinosec/iphone …

https://github.com/dinosec/iphone-dataprotection/issues/21

Jul 28, 2017 – Cannot decrypt backup keybag. Wrong password ? I checked the Manifest.plist file and the 'password' denoted in the file, matches my backup …

9. Is a keychain password backed up b… | Apple Developer …

https://developer.apple.com/forums/thread/45940

The Encrypt Backup feature in iTunes locks and encodes your data. An encrypted iTunes backup includes certain information that other backups don’t: Your saved …

10. Hash Functions – Fileformat.info

http://www.fileformat.info/tool/hash.htm?text=KeychainDomain-keychain-backup.plist

Results. Original text, KeychainDomain-keychain-backup.plist. Original bytes, 4b6579636861696e446f6d61696e2d6b6579636861696e2d62… (length=36).

11. Keychain Explorer | Security Active Blog

Decrypt Iphone Keychain-backup.plist

http://blog.securityactive.co.uk/tag/keychain-explorer/

Decrypt Keychain-backup.plist

Sep 4, 2010 – Once its installed we need to get hold of our encrypted iPhone backup. So the main file we are looking for is the Manifest.plist file, however if …

12. Decrypt Keychain.plist – FC2

https://xsonarbunny.web.fc2.com/decrypt-keychainplist.html

Oct 25, 2017 – In iTunes backup, the iPhone Keychain sqlite database is stored as a Plist file. The Keychain file gets stored with …