Lock Picking the macOS Keychain

Presented at Objective by the Sea version 5.0 (2022), Oct. 7, 2022, 4:10 p.m. (25 minutes).

Apple's keychain on macOS is a prime target for real-world adversaries, red teamers, and penetration testers. Because of this, Apple applies a lot of protections to keychain items and access to them. \n\n This talk is a dive into how Apple protects macOS keychain items, how you can enumerate these protections, and how you can bypass some of them. We'll focus on operational use cases, some theory, and code samples. I will release two open-source projects for enumerating and dumping macOS keychain entries along with this talk.

Presenters:

• Cody Thomas - Senior Software Engineer at SpecterOps
  Cody Thomas is a red team operator and developer focusing on macOS and *nix devices. He created the initial Mac and Linux ATT&CK matrices while he was working on the Adversary Emulation team at MITRE. Cody has spoken at a few conferences and works on his open-source framework for Red Teaming called Mythic.

Links:

• https://objectivebythesea.org/v5/talks.html#Speaker_21
• https://infocon.org/cons/Objective by the Sea/Objective by the Sea 5 2023/Lock Picking the macOS Keychain - Cody Thomas.mp4
• https://www.youtube.com/watch?v=jKE1ZW33JpY

Similar Presentations:

• Black Hat USA 2017 / Intercepting iCloud Keychain
• Objective by the Sea version 4.0 (2021) / n-1 and n-2: Should we really trust in you?
• Objective by the Sea version 2.0 (2019) / KeySteal: A Vulnerability in Apple's Keychain