macCookiesπŸͺ

macCookies decrypt cookies stored in macOS browsers for pentesters. This tool is intended to be used with C2.

Installation

# install grepfiles
➜  ~ go install -v github.com/kawakatz/macCookies/cmd/[email protected]

Usage

Safari

  • FDA (including Finder automation permission) is required to access Cookies.binarycookies
  • Cookies.binarycookies is not encrypted
➜  ~ macCookies Safari ~/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies

Firefox

  • cookies.sqlite is not encrypted
➜  ~ macCookies Firefox ~/Library/Application\ Support/Firefox/Profiles/<profile>/cookies.sqlite

Google Chrome, Microsoft Edge, Slack Application, etc…

  • login-keychain password is required to decrypt login-keychain

# extract Chrome Safe Storage value
➜  ~ ./chainbreaker.py --dump-all login.keychain-db --password=<login-keychain password>
➜  ~ macCookies Chrome ~/Library/Application\ Support/Google/Chrome/Default/Cookies <Chrome Safe Storage>

Notes

If the victim had downloaded the app from the AppStore, files that store Cookies is located under ~/Library/Containers/<bundle id>/Data/Library/Application Support/ because the app must be sandboxed.

If you do not know the password for login-keychain, you can use macCookieStealer to retrieve cookies from chromium-based browsers.

There are also cases where it is possible to bypass keychain client validation by injecting the Dynamic Library into an older application, thereby taking the encryption key from the keychain. Since Google Chrome has long been built with the restrict flag, Dynamic Library injection is not possible and this technique is not effective.

Option

It is also possible to decrypt Cookies retrieved from Windows. In that case, use ChromiumKeyDump to retrieve the encryption key.

➜  ~ macCookies -win Chrome Cookies <encryption key>

References

GitHub

View Github