macCookies🍪
macCookies decrypts cookies stored by macOS browsers, for pentesters.
This tool is intended to be used with C2.
2024/11/07: This tool can decrypt "v20" cookies with a valid masterkey and -win flag.
Installation
➜ ~ go install -v github.com/kawakatz/macCookies/cmd/macCookies@latest
Usage
Safari
- Full Disk Access (FDA), including Finder automation permission, is required to access Cookies.binarycookies
- Cookies.binarycookies is not encrypted
➜ ~ macCookies Safari ~/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies
Firefox
- cookies.sqlite is not encrypted
➜ ~ macCookies Firefox ~/Library/Application\ Support/Firefox/Profiles/<profile>/cookies.sqlite
Google Chrome, Microsoft Edge, Slack Application, etc...
- The login-keychain password is required to decrypt the login-keychain
# extract Chrome Safe Storage value
➜ ~ ./chainbreaker.py --dump-all login.keychain-db --password=<login-keychain password>
➜ ~ macCookies Chrome ~/Library/Application\ Support/Google/Chrome/Default/Cookies <Chrome Safe Storage>
Notes
If the victim downloaded the app from the App Store, the files that store cookies are located under ~/Library/Containers/<bundle id>/Data/Library/Application Support/ because the app must be sandboxed.
If you do not know the password for login-keychain, you can use macCookieStealer to retrieve cookies from chromium-based browsers.
There are also cases where it is possible to bypass keychain client validation by injecting a dynamic library into an older application, thereby taking the encryption key from the keychain. Since Google Chrome has long been built with the restrict flag, dynamic library injection is not possible against it and this technique is not effective.
Option
It is also possible to decrypt Cookies retrieved from Windows.
In that case, use ChromiumKeyDump to retrieve a masterkey.
For "v20" cookies, you must use a different method to retrieve a masterkey.
➜ ~ macCookies -win Chrome Cookies <masterkey>
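For defenders, the cookie store paths listed under Usage are the files to watch. The Go program below is an added example, not part of macCookies: it flags an open of one of those stores (or its SQLite sidecar files) by any process other than the owning browser. The event shape, the sample events and the owner install paths are assumptions; real events would come from your EDR or file-access telemetry.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Cookie stores named in this README, as globs relative to the home directory.
// The owner prefixes are assumptions (default install paths); adjust per fleet.
var stores = []struct{ name, glob, owner string }{
	{"Safari", "Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies", "/Applications/Safari.app/"},
	{"Firefox", "Library/Application Support/Firefox/Profiles/*/cookies.sqlite", "/Applications/Firefox.app/"},
	{"Chrome", "Library/Application Support/Google/Chrome/*/Cookies", "/Applications/Google Chrome.app/"},
}

// event is a hypothetical file-open record: which process opened which file.
type event struct{ proc, file string }

// classify returns the store a file belongs to and whether the opener is not its owner.
func classify(home, proc, file string) (string, bool) {
	// Clean first so "dir/../Library/..." cannot dodge the match.
	rel := strings.TrimPrefix(path.Clean(file), home+"/")
	// SQLite sidecar files can hold the same cookie rows as the main database.
	for _, sfx := range []string{"-wal", "-shm", "-journal"} {
		rel = strings.TrimSuffix(rel, sfx)
	}
	for _, s := range stores {
		if ok, _ := path.Match(s.glob, rel); ok {
			return s.name, !strings.HasPrefix(proc, s.owner)
		}
	}
	return "", false
}

// sample holds constructed events for this example, not real telemetry.
var sample = []event{
	{"/Applications/Firefox.app/Contents/MacOS/firefox", "/Users/alice/Library/Application Support/Firefox/Profiles/ab12cd34.default/cookies.sqlite"},
	{"/private/tmp/updater", "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
	{"/usr/bin/sqlite3", "/Users/alice/Library/Application Support/Firefox/Profiles/ab12cd34.default/cookies.sqlite-wal"},
	{"/usr/bin/vim", "/Users/alice/notes.txt"},
}

func main() {
	for _, e := range sample {
		if store, bad := classify("/Users/alice", e.proc, e.file); bad {
			fmt.Printf("ALERT %s cookie store opened by %s\n", store, e.proc)
		}
	}
}
```

On the constructed events this alerts on the second and third entries only. Helper processes that legitimately touch a store on your systems need to be added to the owner list before the rule is usable.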