Is there a quick and easy way to dump the contents of a MacOS X keychain?
38

I'm looking for a way to dump (export) the contents of an OS X keychain into a file that I can easily process elsewhere, such as tab-delimited plaintext or something of the sort.

The Keychain Access app does not offer any such functionality, and getting a key's data involves opening each in turn, and having to type in the keychain's password to see the password stored with the key, every time.

After a bit of digging, I found somebody's solution by using AppleScript and the Keychain Scripting app to access keychains (can't link to individual post; scroll down about two thirds to the end of the page):

http://discussions.apple.com/thread.jspa?threadID=1398759

Using Keychain scripting, you can access all data fields of all the keys – including the plaintext password! – and it's fairly easy to dump this data into a text file etc. I've tested it and it works well.

However, this solution still involves having to confirm access to each key by clicking OK on a dialog. This is much better than having to type in the keychain's password every time, but it's still irritating. Furthermore, you have to confirm access twice for each key; once for Script Editor (or the script itself if it's running as an app) and once for Keychain Scripting. So, if you're processing a keychain with 100 keys, you have to manually click OK on 200 dialogs.

I'm now looking for a solution to get around this. I realize that as it's the purpose of keychains to safeguard the sensitive data and prevent precisely the kind of thing I'm trying to do, any such solution would probably involve some kind of hack.

I'd be very interested in your ideas!

Dormitory answered 4/4, 2009 at 13:37 Comment(0)
38

All right, I'm stupid. There's a command-line tool called security that does just this (and lots of other actions on keychains).

An example usage:

security dump-keychain -d login.keychain

This will dump all the data in login.keychain (the default keychain for a user) as plaintext, including the passwords. You still have to confirm access, but only once for each key, and it's much faster than using AppleScript (and doesn't throw weird errors when trying to access certain fields). And it's no hack.

Without the -d option, it will dump all the fields except for the password.

The dumped data for a key looks like this (for an internet key; program keys and certificates have other fields, but the format is the same):

keychain: "/Users/<username>/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="tech.slashdot.org (<username for this web login>)"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="<username for this web login>"
    "atyp"<blob>="form"
    "cdat"<timedate>=0x32303038303432333038323730355A00  "20080423082705Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>="Kennwort des Web-Formulars"
    "icmt"<blob>="default"
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303038303432333038323730355A00  "20080423082705Z\000"
    "nega"<sint32>=<NULL>
    "path"<blob>=<NULL>
    "port"<uint32>=0x00000000 
    "prot"<blob>=<NULL>
    "ptcl"<uint32>="http"
    "scrp"<sint32>=<NULL>
    "sdmn"<blob>=<NULL>
    "srvr"<blob>="tech.slashdot.org"
    "type"<uint32>=<NULL>
data:
"<the plaintext password for this key>"
Dormitory answered 4/4, 2009 at 15:27 Comment(3)
Is there any magic way to avoid clicking "Always Allow" once for each entry?Pilchard
@Pilchard You can find the AppleScript that will press the buttons for you here: apple.stackexchange.com/a/137336.Roop
For the iCloud keychain, which the (10.9.5) security tool doesn't see, you can copy everything from the iCloud keychain to a new keychain and still use this technique. (selfsuperinit.com/2014/01/20/…)Atp
15

Please read this: https://gist.github.com/rmondello/b933231b1fcc83a7db0b

Ignore:-----

I found a solution to the "Always Allow" dialog in each key!

Just run the previous command with sudo.

sudo security dump-keychain -d login.keychain

This way you'll only need to enter your password two times. One on the Terminal to sudo and another to unlock the keychain! ;)

Have a nice day!

Gauntlett answered 6/1, 2012 at 13:56 Comment(3)
Does not seem to work, it still asks me to "allow/deny" each item. Maybe you had "always allowed" everything the first time you ran the command? The second time it would appear to have just magically worked (regardless of the sudo).Andradite
I just pressed allow 250 times.Putandtake
In High Sierra, running with sudo still prompts for password on every key. Copying from iCloud to a local keychain also requires the password for every key.Prothallus
0

Update, there is now a tool that does this nicely:

Keychaindump is a proof-of-concept tool for reading OS X keychain passwords as root. It hunts for unlocked keychain master keys located in the memory space of the securityd process, and uses them to decrypt keychain files.

Source: https://github.com/juuso/keychaindump

Eltonelucidate answered 1/10, 2015 at 21:40 Comment(1)
This git project is abandonware, last commit 6 years ago. Use at your own risk.Fidelafidelas
0

Actually I was just looking for the same: a modified AppleScript somebody posted on GitHub. To be run in Script Editor and must be allowed in Preferences & Security.

set keychainPassword to "yourpasswordgoeshere"

tell application "System Events"
    -- SecurityAgent is the process that shows the keychain access prompts;
    -- keep filling in the password and pressing Allow while any prompt is open
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            delay 0.1
            try
                set value of text field 1 of window 1 to keychainPassword
                click button "Allow" of window 1
            end try
        end tell
    end repeat
end tell

You must click each window separately in order to activate them. For that I used the tool "murgaa auto clicker", which I had known from RuneScape many years ago (http://www.murgaa.com/auto-clicker-mac/ seems still active). You just set a shortcut for autoclicking (e.g. Command+R), set the timer to 10ms, and it works like a charm.

Noctule answered 2/8, 2018 at 17:57 Comment(1)
Your AppleScript code works great. It fills in the password and clicks all upcoming windows automatically. I don't know why you mention "murgaa auto clicker" though. No need for that. The AppleScript and the Terminal are all you need.Evangelistic
0

Keysafe

Keysafe reads and decrypts Apple Keychain files. Use Keysafe to securely access your passwords and credentials without a Mac.

I wrote a tool called Keysafe to extract the contents of Keychain files. The tool is available on Mac, Windows, and Linux.

Keysafe is not free; a licence is required to fully decrypt a Keychain. Without a licence the contents are still extracted but the decrypted values are partially redacted and secure notes are not post-processed into RTFD files.

If you have a Keychain that does not "just work" with Keysafe, please get in touch. The Keychain format is expansive and finding edge cases is always interesting.

Contretemps answered 17/4, 2022 at 18:12 Comment(0)
0

This works on macOS Sonoma 14.3.1.

It is simple and requires no third party apps.

  1. Open Terminal and enter:

    open "/System/Applications/Utilities/Script Editor.app"
    

    This opens the Script Editor.

    (Alternatively open Script Editor from "Applications" directory in the GUI)

  2. Click on the "New Document" button.

  3. I've pasted the code from rojikada's answer. Make sure to use your own keychain password instead of mySecretPass.

    set keychainPassword to "mySecretPass"
    
    tell application "System Events"
        repeat while exists (processes where name is "SecurityAgent")
            tell process "SecurityAgent"
                delay 0.1
                try
                    set value of text field 1 of window 1 to keychainPassword
                    click button "Allow" of window 1
                end try
            end tell
        end repeat
    end tell
    
  4. To export your login.keychain to the text file login.keychain.txt on your Desktop, enter this in Terminal:

    security dump-keychain -d login.keychain > Desktop/login.keychain.txt
    

    -d is an option of the dump-keychain command and means "Dump (decrypted) data of items".

    The > redirects the output into the text file.

    Press Enter to start the command.

    Now the "Security Agent" window will ask for the password.

  5. In Script Editor, press the Play button to run the script.

  6. You may have to enable "Accessibility" for Script Editor in the "Privacy & Security" Settings.

  7. Now the script should enter the password and click "Allow" on every "Security Agent" window. Depending on how many items you have in your keychain this should take a few seconds or minutes. During this time, your computer is busy.

FYI

To include the "access control list of items" you can use the -a option which combined with the -d option looks like this:

security dump-keychain -ad login.keychain > Desktop/login.keychain.txt

-a means "Dump access control list of items".

In this example it adds the "access: 5 entries" section after the password (data) to the output:

[...]
keychain: "/Users/drakeseven/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="192.168.1.10"
    [...]
    "srvr"<blob>="192.168.1.10"
    "type"<uint32>=<NULL>
data:
"mySuperSecretP4ssword"
access: 5 entries
    entry 0:
        [...]
    entry 1:
        [...]
        don't-require-password
        description: 192.168.1.10
        applications (1):
            0: /Applications/Transmit.app (OK)
                [...]

This shows me that the Transmit FTP client is allowed to access this password without prompting for the keychain password.

Evangelistic answered 22/4 at 12:37 Comment(0)
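As an added example (not part of the question or of any answer above), a small Python parser for the record layout that `security dump-keychain` prints, as shown in the accepted answer and in the -a access-control output just above: it turns a dump into one dict per item and lists which applications may read an item without a prompt, which is the audit question the last output illustrates. The sample dump is constructed with placeholder values and is not a real keychain.

```python
import re
# Constructed sample in the layout `security dump-keychain -ad` prints (placeholder values).
SAMPLE_DUMP = '''\
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "inet"
attributes:
    0x00000007 <blob>="example.test (alice)"
    "srvr"<blob>="example.test"
    "type"<uint32>=<NULL>
data:
"CONSTRUCTED-SECRET-1"
access: 1 entries
    entry 0:
        don't-require-password
        applications (1):
            0: /Applications/Example Client.app (OK)
'''
ATTR_RE = re.compile(r'^\s+(?:"(\w+)"|(0x[0-9A-Fa-f]+))\s*<\w+>=(.*?)\s*$')
APP_RE = re.compile(r'^\d+: (.+) \(\w+\)$')

def decode(raw):  # blobs are printed in quotes; <NULL> means the attribute is unset
    raw = raw.strip()
    return None if raw == "<NULL>" else raw[1:-1] if raw[:1] == raw[-1:] == '"' else raw

def parse_dump(text):  # one dict per item; each top-level "keychain:" line starts the next
    items, section = [], None
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        if key == "keychain":
            items.append({"class": None, "attrs": {}, "data": None, "acl": []})
        elif key == "class" and items:
            items[-1]["class"] = decode(rest)
        elif key in ("attributes", "data", "access") and items:
            section = key
        elif section == "attributes" and (m := ATTR_RE.match(line)):
            items[-1]["attrs"][m.group(1) or m.group(2)] = decode(m.group(3))
        elif section == "data":  # with -d the decrypted secret follows on its own line
            items[-1]["data"], section = decode(line), None
        elif section == "access":
            s = line.strip()
            if s.startswith("entry "):
                items[-1]["acl"].append({"no_prompt": False, "apps": []})
            elif s == "don't-require-password":
                items[-1]["acl"][-1]["no_prompt"] = True
            elif m := APP_RE.match(s):
                items[-1]["acl"][-1]["apps"].append(m.group(1))
    return items

def apps_without_prompt(items):  # audit view: which app may read which item silently
    return [(i["class"], i["attrs"].get("srvr") or i["attrs"].get("svce"), a)
            for i in items for e in i["acl"] if e["no_prompt"] for a in e["apps"]]
```

Feed it the file written by `security dump-keychain -ad login.keychain > file` to get the same view over a real keychain; lines it does not know (version, description, authorizations) are ignored.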
-3

I found a solution for not clicking "Allow" multiple times:

sudo su
security dump-keychain -d /Users/YourUsername/Library/Keychains/login.keychain
Haaf answered 18/2, 2015 at 20:0 Comment(0)