How to dump the content of keychain from the shell?

I'm testing the following command-line in the Terminal:

sudo security dump-keychain -d login.keychain

which I'd like to use to save all my passwords into a file.

However, when I run it, it keeps asking me, for each item, whether I want to allow access, even though I'm selecting 'Always Allow'.

Is there any workaround?


Solution 1:

There is the Keychaindump tool, written by Juuso Salonen, which is a proof-of-concept tool for reading OS X keychain passwords as root.

Basic usage:

$ sudo ./keychaindump ~/Library/Keychains/login.keychain

Example output:

$ sudo ./keychaindump 
[*] Searching process 15 heap range 0x7fa809400000-0x7fa809500000
[*] Searching process 15 heap range 0x7fa809500000-0x7fa809600000
[*] Searching process 15 heap range 0x7fa809600000-0x7fa809700000
[*] Searching process 15 heap range 0x7fa80a900000-0x7fa80ac00000
[*] Found 17 master key candidates
[*] Trying to decrypt wrapping key in /Users/juusosalonen/Library/Keychains/login.keychain
[*] Trying master key candidate: b49ad51a672bd4be55a4eb4efdb90b242a5f262ba80a95df
[*] Trying master key candidate: 22b8aa80fa0700605f53994940fcfe9acc44eb1f4587f1ac
[*] Trying master key candidate: 1d7aa80fa0700f002005043210074b877579996d09b70000
[*] Trying master key candidate: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a
[+] Found master key: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a
[+] Found wrapping key: e9acc39947f1996df940fceb1f458ac74b877579f54409b7
xxxxxxx:192.168.1.1:xxxxxxx
[email protected]:login.facebook.com:xxxxxxx
[email protected]:smtp.google.com:xxxxxxx
[email protected]:imap.google.com:xxxxxxx
xxxxxxx:twitter.com:xxxxxxx
[email protected]:www.google.com:xxxxxxx
xxxxxxx:imap.gmail.com:xxxxxxx
...

Other tools:

  • CocoaBeans/KeychainDump at GitHub
  • dumpkeychain from EnCase App Central (Windows)

See also:

  • Breaking into the OS X keychain
  • Examining Mac OS X User & System Keychains
  • Convert OS X Keychain exported entries into logins for 1Password import at GitHub Gist

Solution 2:

This is a simple job for AppleScript. First off, make sure you're redirecting the standard output to a file by running sudo security dump-keychain -d login.keychain > ~/Desktop/loginKeychain.txt. Before running this command, open Script Editor (it should be in /Applications/Utilities/) and paste this:

tell application "System Events"
    -- keep going as long as a SecurityAgent prompt (the keychain access dialog) is on screen
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            -- press "Allow" (not "Always Allow") on the frontmost prompt
            click button "Allow" of window 1
        end tell
        delay 0.2
    end repeat
end tell

Now start the dump command, then click the Play button at the top of the Script Editor. This should press the buttons.

'Always Allow' grants permission to access the keychain item forever, but it is only applied to one item at a time. I would stick with clicking Allow so that someone else cannot access it in the future without your permission.
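The file that the dump command above leaves behind (~/Desktop/loginKeychain.txt) is many lines of attributes per item, not the account:server:password lines that keychaindump prints. The script below, an added example rather than code from the question or either answer, reduces such a dump to that shape and also flags the items that have no data line, which is what an item looks like when the prompt was denied or the AppleScript missed it. The item layout it parses (a keychain: line starting each item, a class: line, an attributes: block of "name"<type>=value lines, then data: with the secret on the next line as a quoted string or a 0x hex blob) is an assumption about the output of security dump-keychain -d, as is the 0x00000007 unnamed attribute being the item label; the sample dump embedded in the script is constructed.

```python
"""Reduce `security dump-keychain -d` output to account:server:password lines.

Added example, not code from the question or the answers. Assumed item layout, as
`security dump-keychain -d` prints it: `keychain: "<path>"` starts each item, then
`class: "<code>"`, an `attributes:` block of `"name"<type>=value` lines, and `data:`
with the secret on the next line (quoted string or 0x hex blob). An item denied at
the SecurityAgent prompt prints no secret line.
"""
import re, sys

# Named attributes look like "acct"<blob>="alice"; the label is 0x00000007 <blob>="..."
ATTR_LINE = re.compile(r'^\s+(?:"(\w+)"|(0x[0-9A-Fa-f]{8}))\s*<\w+>=(.*)$')
LABEL_ATTR = "0x00000007"  # assumed: the unnamed label attribute
NO_DATA = "<no data: access denied or not dumped>"

# Constructed sample in the dump-keychain shape: an internet password with a quoted
# secret, a generic password with a hex-blob secret, and an item that was denied.
SAMPLE_DUMP = '''\
keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="imap.example.com"
    "acct"<blob>="alice@example.com"
    "cdat"<timedate>=0x32303233303130313030303030305A00  "20230101000000Z\\000"
    "srvr"<blob>="imap.example.com"
data:
"hunter2"
keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="alice"
    "svce"<blob>="AirPort"
data:
0x70617373  "pass"
keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="bob"
    "svce"<blob>="Example VPN"
data:
'''


def decode_value(raw):
    """Decode one dump-keychain value: <NULL>, a quoted string, or a 0x hex blob."""
    raw = raw.strip()
    if raw in ("", "<NULL>"):
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"')
    if raw.startswith("0x"):  # hex blob, optionally followed by a quoted rendering
        # non-UTF-8 bytes (a binary secret) come out as \xNN escapes instead of an error
        return bytes.fromhex(raw.split()[0][2:]).decode("utf-8", "backslashreplace")
    return raw


def parse_dump(text):
    """One dict per item: class, attributes, secret (None when no data line follows)."""
    items = []
    for chunk in re.split(r'^(?=keychain: ")', text, flags=re.M)[1:]:
        lines = chunk.splitlines()
        item = {"class": None, "attrs": {}, "secret": None}
        for i, line in enumerate(lines):
            if line.startswith("class: "):
                item["class"] = line.split('"')[1]
            elif line.startswith("data:"):
                # the secret is the next line; a denied item has none, so leave None
                if i + 1 < len(lines) and lines[i + 1][:1] in ('"', "0"):
                    item["secret"] = decode_value(lines[i + 1])
                break
            else:
                m = ATTR_LINE.match(line)
                if m:
                    item["attrs"][m.group(1) or m.group(2)] = decode_value(m.group(3))
        items.append(item)
    return items


def to_records(items):
    """(account, server, secret) triples: srvr for inet items, svce for genp items."""
    recs = []
    for it in items:
        a = it["attrs"]
        server = a.get("srvr") or a.get("svce") or a.get(LABEL_ATTR) or ""
        recs.append((a.get("acct") or "", server, it["secret"]))
    return recs


def format_records(records):
    """keychaindump-style lines; items without a secret are flagged, not silently dropped."""
    return [f"{acct}:{server}:{NO_DATA if secret is None else secret}"
            for acct, server, secret in records]


def main(argv):
    # Usage: python3 parse_dump.py ~/Desktop/loginKeychain.txt  (or pipe the dump on stdin)
    text = open(argv[1]).read() if len(argv) > 1 else sys.stdin.read()
    print("\n".join(format_records(to_records(parse_dump(text)))))


if __name__ == "__main__":
    main(sys.argv)
```

Anything this prints is a plaintext credential, so treat its output like the dump file itself: keep it mode 600, delete it when the export is done, and grep the result for the "no data" marker to find the items you still have to approve by hand.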