Dump keychain items? #13

Open
a3rosol opened this issue Feb 4, 2024 · 11 comments
Labels
enhancement New feature or request

Comments

a3rosol commented Feb 4, 2024

What is your question?
Is there a way to dump the iOS keychains?
If yes, how can I execute it?

If no, could you add this feature?

enty8080 added the enhancement label Feb 5, 2024

enty8080 (Member) commented Feb 5, 2024

@a3rosol There is no such feature at the moment, but I will add it.

rpwnage commented Feb 25, 2024

I'm pretty sure this will get far more complicated than you might think. Keychain items in their decrypted and readable state are not easily accessible at all.

Might read this and this

enty8080 (Member) commented

@rpwnage If you have any ideas on how to implement such functionality you are free to contribute. I tried to reach you on Twitter, but your DM is closed.

rpwnage commented Feb 26, 2024

DMs are open again, feel free to contact me there. I'll look around here in the meantime.

enty8080 (Member) commented Feb 26, 2024

@rpwnage Okay, thank you very much. I saw you were working on EggShell, which performs the same thing as SeaShell but for older devices. I tried to make SeaShell more advanced and developer-friendly. However, I have not posted any docs yet. You can also visit this page - Pwny iOS API, it is the implant (payload) that controls the device (it's more advanced and complex than EggShell's implant though, so docs would be essential). You may also take a look at the blog post here - SeaShell Framework.

rpwnage commented Feb 26, 2024

Will take a look at this soon 👍 Yes, EggShell was nice to have, but as you’ve said, it’s been outdated for some time. I was planning on rewriting EggShell any time soon, but I think that won’t be necessary then!

enty8080 (Member) commented Feb 26, 2024

@rpwnage Yeah. The problem with EggShell is not only that it does not support newer versions but also that it was poorly designed from the beginning. I was doing research and analysed the code of both the client side (esplios payload) and the server side (EggShell). I found multiple ways the code could be enhanced. It was better to create a new project from scratch though. As for the payload, it lacks important features. It can't be extended and has no exact negotiation policy.

Pwny, meanwhile, uses TLV to communicate with the server. This way of communication ensures that each packet reaches the destination without any losses. esplios sends a terminator after the data to make sure that all data was sent, which is not a good solution and might lead to data loss (why not send the size of the data first?). Moreover, Pwny has libev integrated. It is a powerful C library for asynchronous I/O which allows Pwny to not read the socket in a loop, but wait for the event to occur and read only then. This enhanced efficiency and resource utilisation. Also, Pwny can be easily extended, you can add new functions to it (/api) without modifying the main code (/src). I will continue working on documenting Pwny and since there is a lot of C code, I hope to make it understandable.

I guess one of the main advantages of SeaShell is that its payload can work in a non-jailbroken environment. All you need to have is a CoreTrust bypass.
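
The contrast between terminator framing and length-prefixed (TLV) framing that the comment above describes, as an added example that is not from the thread or from either project. The 2-byte type / 4-byte length layout, the "EOF" terminator and the sample bytes are assumptions made for illustration, not the actual wire format of Pwny or esplios.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed layout (illustration only, not Pwny's actual wire format):
 * 2-byte big-endian type, 4-byte big-endian length, then the value. */
#define TLV_HDR 6u
#define TLV_MAX 4096u /* cap on the length an untrusted peer may declare */
/* Constructed sample: binary payload that itself contains "EOF". */
static const uint8_t SAMPLE[] = {'k','e','y','=','E','O','F',0x00,0x01,0x02};

/* Terminator framing: payload ends at the first "EOF"; -1 if none seen yet. */
long term_frame(const uint8_t *buf, size_t n) {
    for (size_t i = 0; i + 3 <= n; i++)
        if (memcmp(buf + i, "EOF", 3) == 0) return (long)i;
    return -1;
}

/* 1 = complete record, 0 = need more bytes, -1 = length exceeds TLV_MAX. */
int tlv_parse(const uint8_t *buf, size_t n, const uint8_t **val, uint32_t *len) {
    if (n < TLV_HDR) return 0;
    uint32_t l = ((uint32_t)buf[2] << 24) | ((uint32_t)buf[3] << 16) |
                 ((uint32_t)buf[4] << 8) | (uint32_t)buf[5];
    if (l > TLV_MAX) return -1;       /* reject before buffering anything */
    if (n - TLV_HDR < l) return 0;    /* partial read: wait for the rest */
    *val = buf + TLV_HDR; *len = l;
    return 1;
}

/* Payload length a terminator-based receiver recovers from SAMPLE + "EOF". */
long demo_term(void) {
    uint8_t wire[32];
    memcpy(wire, SAMPLE, sizeof SAMPLE);
    memcpy(wire + sizeof SAMPLE, "EOF", 3);
    return term_frame(wire, sizeof SAMPLE + 3);
}

/* Payload length a TLV receiver recovers once `avail` bytes have arrived. */
long demo_tlv(size_t avail) {
    uint8_t wire[32] = {0x00, 0x01, 0, 0, 0, sizeof SAMPLE}; /* type 1, len 10 */
    const uint8_t *v; uint32_t l;
    memcpy(wire + TLV_HDR, SAMPLE, sizeof SAMPLE);
    int r = tlv_parse(wire, avail < sizeof wire ? avail : sizeof wire, &v, &l);
    if (r != 1) return r;
    return memcmp(v, SAMPLE, l) == 0 ? (long)l : -2;
}

int main(void) {
    printf("terminator: %ld bytes, TLV: %ld bytes\n", demo_term(), demo_tlv(32));
    return 0;
}
```

The terminator receiver cuts the 10-byte payload off at byte 4 because the data contains the marker, while the TLV receiver returns all 10 bytes and reports a short read as "need more" instead of a finished message.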

rpwnage commented Apr 6, 2024

I might already have a solution handy for decrypting the keychain .db now that I think about it again. If you want to further discuss implementing it, you can always message me on Twitter. My DMs are open again.

enty8080 (Member) commented Apr 9, 2024

@rpwnage I DMed you on Twitter

joyas11 commented Apr 19, 2024

@rpwnage I DMed you in Twitter

Any updates? Can it be implemented?

enty8080 (Member) commented

@joyas11 Probably yes, however I am still waiting for an update from @rpwnage on this issue


4 participants