macCookies decrypts cookies stored in macOS browsers, for pentesters.
This tool is intended to be used with C2.
➜ ~ go install -v github.com/kawakatz/macCookies/cmd/macCookies@latest
- Full Disk Access (FDA), including Finder automation permission, is required to access Cookies.binarycookies
- Cookies.binarycookies is not encrypted
➜ ~ macCookies Safari ~/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies
- cookies.sqlite is not encrypted
➜ ~ macCookies Firefox ~/Library/Application\ Support/Firefox/Profiles/<profile>/cookies.sqlite
- the login-keychain password is required to decrypt the login-keychain
# extract Chrome Safe Storage value
➜ ~ ./chainbreaker.py --dump-all login.keychain-db --password=<login-keychain password>
➜ ~ macCookies Chrome ~/Library/Application\ Support/Google/Chrome/Default/Cookies <Chrome Safe Storage>
If the victim downloaded the app from the App Store, the files that store cookies are located under ~/Library/Containers/<bundle id>/Data/Library/Application Support/, because the app must be sandboxed.
If you do not know the password for login-keychain, you can use macCookieStealer to retrieve cookies from Chromium-based browsers.
There are also cases where it is possible to bypass keychain client validation by injecting a dynamic library into an older application, thereby taking the encryption key from the keychain. Since Google Chrome has long been built with the restrict flag, dynamic library injection is not possible there and this technique is not effective.
It is also possible to decrypt Cookies retrieved from Windows. In that case, use ChromiumKeyDump to retrieve the encryption key.
➜ ~ macCookies -win Chrome Cookies <encryption key>
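For defenders, the file locations above are the detection surface: a process other than the browser itself opening one of these cookie stores is worth an alert. The following is an added example, not part of macCookies; the event format (`process`, `path`), the `*` generalisations of the paths, and the allowlist of expected readers are assumptions to adapt to your own file-access telemetry.

```python
import fnmatch
import re

# Cookie stores named on this page, relative to a user's home directory.
# The "*" generalisations (other profiles, any sandboxed bundle id) are assumptions.
COOKIE_STORES = [
    "Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies",
    "Library/Application Support/Firefox/Profiles/*/cookies.sqlite",
    "Library/Application Support/Google/Chrome/*/Cookies",
    "Library/Containers/*/Data/Library/Application Support/*/Cookies",
]

# Assumed allowlist of executables expected to read those files; tune per fleet.
EXPECTED_READERS = (
    "/Applications/Safari.app/",
    "/Applications/Firefox.app/",
    "/Applications/Google Chrome.app/",
)

HOME_RE = re.compile(r"^/Users/[^/]+/(.+)$")


def is_cookie_store(path):
    """True if an absolute path under /Users/<name>/ matches a known cookie store."""
    m = HOME_RE.match(path)
    return bool(m) and any(fnmatch.fnmatchcase(m.group(1), p) for p in COOKIE_STORES)


def suspicious_reads(events):
    """Return events where a non-allowlisted process opened a cookie store."""
    return [ev for ev in events
            if is_cookie_store(ev["path"]) and not ev["process"].startswith(EXPECTED_READERS)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"process": "/private/tmp/agent",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"process": "/usr/bin/sqlite3",
     "path": "/Users/alice/Library/Application Support/Firefox/Profiles/ab12cd.default/cookies.sqlite"},
    {"process": "/private/tmp/agent", "path": "/Users/alice/Documents/notes.txt"},
]

if __name__ == "__main__":
    for ev in suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT {ev['process']} opened {ev['path']}")
```

Because the Safari and Firefox stores are not encrypted, a read of those files alone is enough to expose the cookies, so the alert should not wait for a keychain access to appear alongside it.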
- https://github.com/cixtor/binarycookies (MIT License): decryption logic for Safari
- https://github.com/moonD4rk/HackBrowserData (MIT License): decryption logic for Firefox, Google Chrome, Microsoft Edge, etc.