Installation • Usage • References
macCookies decrypts cookies stored in macOS browsers, for pentesters.
This tool is intended to be used with C2.
2024/11/07: This tool can decrypt "v20" cookies with a valid masterkey and -win flag.
➜ ~ go install -v github.com/kawakatz/macCookies/cmd/macCookies@latest
- Full Disk Access (FDA), including Finder automation permission, is required to access Cookies.binarycookies
- Cookies.binarycookies is not encrypted
➜ ~ macCookies Safari ~/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies
- cookies.sqlite is not encrypted
➜ ~ macCookies Firefox ~/Library/Application\ Support/Firefox/Profiles/<profile>/cookies.sqlite
- The login-keychain password is required to decrypt login-keychain
# extract Chrome Safe Storage value
➜ ~ ./chainbreaker.py --dump-all login.keychain-db --password=<login-keychain password>
➜ ~ macCookies Chrome ~/Library/Application\ Support/Google/Chrome/Default/Cookies <Chrome Safe Storage>
If the victim downloaded the app from the App Store, the files that store cookies are located under ~/Library/Containers/<bundle id>/Data/Library/Application Support/, because the app must be sandboxed.
If you do not know the password for login-keychain, you can use macCookieStealer to retrieve cookies from Chromium-based browsers.
There are also cases where it is possible to bypass keychain client validation by injecting a dynamic library into an older application, thereby taking the encryption key from the keychain. Since Google Chrome has long been built with the restrict flag, dynamic library injection is not possible and this technique is not effective.
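From the defender's side, the store locations listed above are the paths endpoint telemetry should watch. The following is an added example, not part of macCookies or its README: it flags file-open events on those cookie stores when the opening process is not the owning browser. The event fields (`process`, `signing_id`, `file`), the allowlisted signing IDs and the sample events are constructed assumptions.

```python
import json
from fnmatch import fnmatchcase

# Cookie stores named on this page -> signing-ID prefixes allowed to open them (assumed
# values). A signing ID alone is not proof of identity; real rules should also pin team ID.
COOKIE_STORES = [
    ("/Users/*/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies",
     ("com.apple.Safari", "com.apple.WebKit.")),
    ("/Users/*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite", ("org.mozilla.firefox",)),
    ("/Users/*/Library/Application Support/Google/Chrome/*/Cookies", ("com.google.Chrome",)),
    ("/Users/*/Library/Containers/*/Data/Library/Application Support/*/Cookies", None),  # sandboxed app
]

def expected_owners(path):
    """Allowed signing-ID prefixes for a cookie store path, or None if not a store."""
    for pattern, owners in COOKIE_STORES:
        if fnmatchcase(path, pattern):
            if owners is None:  # sandboxed App Store browser: owner is the container's bundle id
                owners = (path.split("/Library/Containers/", 1)[1].split("/", 1)[0],)
            return owners
    return None

def suspicious_reads(lines):
    """Return (process, file) for cookie-store opens by an unexpected signer."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
            path, signer = ev.get("file") or "", ev.get("signing_id") or ""
        except (ValueError, AttributeError):
            continue  # malformed or non-object telemetry line
        owners = expected_owners(path)
        if owners and not signer.startswith(owners):  # unsigned binaries have signer ""
            alerts.append((ev.get("process"), path))
    return alerts

HOME = "/Users/alice"  # constructed sample events with hypothetical field names
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"process": "Google Chrome", "signing_id": "com.google.Chrome",
     "file": HOME + "/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"process": "/private/tmp/agent", "signing_id": None,
     "file": HOME + "/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"process": "/usr/bin/sqlite3", "signing_id": "com.apple.sqlite3",
     "file": HOME + "/Library/Application Support/Firefox/Profiles/x.default/cookies.sqlite"},
    {"process": "/private/tmp/agent", "signing_id": "com.example.other",
     "file": HOME + "/Library/Containers/com.example.browser/Data/Library/Application Support/B/Cookies"},
)] + ["not json"]

if __name__ == "__main__":
    print(suspicious_reads(SAMPLE_EVENTS))
```

The Safari allowlist in particular needs tuning against real telemetry, since system networking processes may open that store on the browser's behalf.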
It is also possible to decrypt Cookies retrieved from Windows.
In that case, use ChromiumKeyDump to retrieve a masterkey.
For "v20" cookies, you must use a different method to retrieve a masterkey.
➜ ~ macCookies -win Chrome Cookies <masterkey>
The tool can also output in a format that can be imported by StorageAce, a Google Chrome extension.
➜ ~ macCookies -storageace Chrome Cookies <Chrome Safe Storage>
- https://github.com/cixtor/binarycookies (MIT License)
  decryption logic for Safari
- https://github.com/moonD4rk/HackBrowserData (MIT License)
  decryption logic for Firefox, Google Chrome, Microsoft Edge, etc.