macCookies🍪
macCookies decrypt cookies stored in macOS browsers for pentesters. This tool is intended to be used with C2.
Installation
# install grepfiles
➜ ~ go install -v github.com/kawakatz/macCookies/cmd/macCookies@latest
Usage
Safari
- FDA (including Finder automation permission) is required to access Cookies.binarycookies
- Cookies.binarycookies is not encrypted
➜ ~ macCookies Safari ~/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies
Firefox
- cookies.sqlite is not encrypted
➜ ~ macCookies Firefox ~/Library/Application\ Support/Firefox/Profiles/<profile>/cookies.sqlite
Google Chrome, Microsoft Edge, Slack Application, etc…
- login-keychain password is required to decrypt login-keychain
# extract Chrome Safe Storage value
➜ ~ ./chainbreaker.py --dump-all login.keychain-db --password=<login-keychain password>
➜ ~ macCookies Chrome ~/Library/Application\ Support/Google/Chrome/Default/Cookies <Chrome Safe Storage>
Notes
If the victim had downloaded the app from the AppStore, files that store Cookies is located under ~/Library/Containers/<bundle id>/Data/Library/Application Support/ because the app must be sandboxed.
If you do not know the password for login-keychain, you can use macCookieStealer to retrieve cookies from chromium-based browsers.
There are also cases where it is possible to bypass keychain client validation by injecting the Dynamic Library into an older application, thereby taking the encryption key from the keychain. Since Google Chrome has long been built with the restrict flag, Dynamic Library injection is not possible and this technique is not effective.
Option
It is also possible to decrypt Cookies retrieved from Windows. In that case, use ChromiumKeyDump to retrieve the encryption key.
➜ ~ macCookies -win Chrome Cookies <encryption key>
References
- https://github.com/cixtor/binarycookies (MIT License) decryption logic for Safari
- https://github.com/moonD4rk/HackBrowserData (MIT License) decryption logic for FIrefox, Google Chrome, Microsoft Edge, etc…
