Extracting tokens from encrypted backup
Hi,
I'm trying to extract token secrets from an encrypted backup.
I've managed to extract authenticator.plist, which contains multiple entries that resemble base64, but do not decode into valid utf-8.
Here are the steps that got me there:
- Create local encrypted backup of your device, as specified in https://support.apple.com/en-us/HT205220
- Use https://github.com/jsharkey13/iphone_backup_decrypt (you will find backups in `~/Library/Application Support/MobileSync/Backup/`)
- Specify the passphrase
- Extract `Library/Preferences/me.mattrubin.authenticator.plist` using `extract_file`
- Convert the plist from binary to xml using `plutil -convert xml1 <plist file>`
I've noticed that all the secret entries fit the Z2VucXXXXXXXXXXXXXXXXXXXXXX= pattern.
Is it possible to decode it further? I suppose it would represent the Token object, serialized.
Looking at https://github.com/mattrubin/OneTimePassword/blob/66f284e22c170ffcc2c9dcf055a1efeb260c766d/Sources/PersistentToken.swift#L31-L35 maybe this is not a feasible approach.
https://github.com/dunhamsteve/ios is a bit more ergonomic, and allows dumping the keychain file.
Now I'm missing a way to import dumped ascii keychain into macos keychain store, to then query stuff as specified in https://github.com/mattrubin/Authenticator/issues/383#issuecomment-995348508
I've managed to decode the url, by base64-decoding the "gena" field from irestore's dumpkeys output, into otpauth://totp/<skipped>algorithm=SHA1&digits=6&issuer=<skipped>&duration=30. There's no secret in this decoded url :<
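
Added example, not part of the original post or of any project linked above: a Python check of the two observations in this thread, namely that the plist entries are binary behind a short ASCII prefix (which is why UTF-8 decoding fails) and that the decoded "gena" URL carries no `secret` parameter. Both sample values are constructed placeholders, and the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed samples (not real data): a 20-byte blob whose base64 form fits
# the Z2Vuc...= pattern, and a "gena" value shaped like the URL quoted above.
SAMPLE_ENTRY = base64.b64encode(b"genp" + bytes(range(0x80, 0x90))).decode("ascii")
SAMPLE_GENA = base64.b64encode(
    b"otpauth://totp/Example:alice@example.com"
    b"?algorithm=SHA1&digits=6&issuer=Example&duration=30"
).decode("ascii")


def describe_entry(b64_value):
    """Decode one base64 plist entry and report what the raw bytes look like."""
    raw = base64.b64decode(b64_value, validate=True)
    try:
        raw.decode("utf-8")
        is_utf8 = True
    except UnicodeDecodeError:
        is_utf8 = False
    # Collect the leading run of printable ASCII; the rest is opaque binary.
    prefix = ""
    for byte in raw:
        if not 0x20 <= byte < 0x7F:
            break
        prefix += chr(byte)
    return {"length": len(raw), "ascii_prefix": prefix,
            "utf8": is_utf8, "hex": raw.hex()}


def parse_gena(b64_gena):
    """Decode a base64 'gena' value and split the otpauth:// URL it contains."""
    url = base64.b64decode(b64_gena, validate=True).decode("utf-8")
    parts = urlsplit(url)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URL: scheme=%r" % parts.scheme)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"type": parts.netloc,
            "label": unquote(parts.path.lstrip("/")),
            "params": params,
            "has_secret": "secret" in params}


if __name__ == "__main__":
    print(SAMPLE_ENTRY, describe_entry(SAMPLE_ENTRY))
    print(parse_gena(SAMPLE_GENA))
```
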