=Start=
缘由:
前几天想到的一个点,趁着休息的时候做了一下搜索测试,简单记录一下一些关键点方便后面有需要的时候参考。
正文:
参考解答:
security 命令是macOS系统中钥匙链和安全框架的命令行管理工具,(图形化工具为钥匙串访问(Keychain Access.app))。钥匙串(Keychain)实质上就是一个用于存放证书、密钥、密码等安全认证实体的仓库,在计算机中保存为一个.keychain的文件,默认存放在以下目录中:
- ~/Library/Keychains/
- /Library/Keychains/
# 常用 security 子命令及其功能说明
security list-keychains #显示或设置钥匙串搜索列表
security default-keychain #显示或设置默认的钥匙串
security login-keychain #显示或设置登录钥匙串
security dump-keychain #显示一个或多个钥匙串的内容
security set-keychain-settings #设置钥匙串配置
security set-keychain-password #设置钥匙串密码
security find-identity #查找认证实体(证书+私钥)
security find-identity -v #查找认证实体(证书+私钥),只显示有效的身份
security dump-trust-settings #显示信任设置的内容
security find-generic-password #Find a generic password item.
security find-internet-password #Find an internet password item.
security find-key #Find keys in the keychain
security find-certificate #Find a certificate item.
security find-identity #Find an identity (certificate + private key).NAME
security – Command line interface to keychains and Security framework
SYNOPSIS
security [-hilqv] [-p prompt] [command] [command_options] [command_args]
DESCRIPTION
A simple command line interface which lets you administer keychains, manipulate keys and certificates, and do just about anything the Security framework is capable of from the command line.
一个简单的命令行接口,它允许您管理钥匙链、操作密钥和证书,以及从命令行执行安全框架能够执行的任何操作。
By default security will execute the command supplied and report if anything went wrong.
If the -i or -p options are provided, security will enter interactive mode and allow the user to enter multiple commands on stdin. When EOF is read from stdin security will exit.
...
$ security -h
help Show all commands, or show usage for a command.
list-keychains Display or manipulate the keychain search list.
list-smartcards Display available smartcards.
default-keychain Display or set the default keychain.
login-keychain Display or set the login keychain.
create-keychain Create keychains and add them to the search list.
delete-keychain Delete keychains and remove them from the search list.
lock-keychain Lock the specified keychain.
unlock-keychain Unlock the specified keychain.
set-keychain-settings Set settings for a keychain.
set-keychain-password Set password for a keychain.
show-keychain-info Show the settings for keychain.
dump-keychain Dump the contents of one or more keychains.
create-keypair Create an asymmetric key pair.
add-generic-password Add a generic password item.
add-internet-password Add an internet password item.
add-certificates Add certificates to a keychain.
find-generic-password Find a generic password item.
delete-generic-password Delete a generic password item.
set-generic-password-partition-list Set the partition list of a generic password item.
find-internet-password Find an internet password item.
delete-internet-password Delete an internet password item.
set-internet-password-partition-list Set the partition list of a internet password item.
find-key Find keys in the keychain
set-key-partition-list Set the partition list of a key.
find-certificate Find a certificate item.
find-identity Find an identity (certificate + private key).
delete-certificate Delete a certificate from a keychain.
delete-identity Delete an identity (certificate + private key) from a keychain.
set-identity-preference Set the preferred identity to use for a service.
get-identity-preference Get the preferred identity to use for a service.
create-db Create a db using the DL.
export Export items from a keychain.
import Import items into a keychain.
export-smartcard Export items from a smartcard.
cms Encode or decode CMS messages.
install-mds Install (or re-install) the MDS database.
add-trusted-cert Add trusted certificate(s).
remove-trusted-cert Remove trusted certificate(s).
dump-trust-settings Display contents of trust settings.
user-trust-settings-enable Display or manipulate user-level trust settings.
trust-settings-export Export trust settings.
trust-settings-import Import trust settings.
verify-cert Verify certificate(s).
authorize Perform authorization operations.
authorizationdb Make changes to the authorization policy database.
execute-with-privileges Execute tool with privileges.
leaks Run /usr/bin/leaks on this process.
error Display a descriptive message for the given error code(s).
create-filevaultmaster-keychain Create a keychain containing a key pair for FileVault recovery use.
smartcards Enable, disable or list disabled smartcard tokens.
translocate-create Create a translocation point for the provided path
translocate-policy-check Check whether a path would be translocated.
translocate-status-check Check whether a path is translocated.
translocate-original-path Find the original path for a translocated path.
requirement-evaluate Evaluate a requirement against a cert chain.
$
$ security dump-trust-settings参考链接:
Where are digital certificates physically stored on a Mac OS X machine? #nice
https://superuser.com/questions/992167/where-are-digital-certificates-physically-stored-on-a-mac-os-x-machine
Keychain Access From Shell #nice
https://macromates.com/blog/2006/keychain-access-from-shell/
Keychain services
https://developer.apple.com/documentation/security/keychain_services
How to view certificate info without installing
https://apple.stackexchange.com/questions/165215/how-to-view-certificate-info-without-installing
How can I parse the certificate information output from the security command in Mac?
https://stackoverflow.com/questions/76378589/how-can-i-parse-the-certificate-information-output-from-the-security-command-in
macOS-security命令
https://www.cnblogs.com/Galesaur-wcy/p/17991221
用命令行管理iOS证书
https://blog.csdn.net/lizeyang/article/details/18419087
Mac Security工具使用总结
https://www.cnblogs.com/pixy/p/4817579.html
Enumerate all certificates in Mac Keychain and compare creation/expiry dates
https://stackoverflow.com/questions/40579726/enumerate-all-certificates-in-mac-keychain-and-compare-creation-expiry-dates
Enumerate certificates in Mac Keychain and check their expiry dates
https://superuser.com/questions/1145431/enumerate-certificates-in-mac-keychain-and-check-their-expiry-dates
security(1) [osx man page]
https://www.unix.com/man-page/osx/1/security/
openssl-x509, x509 – Certificate display and signing utility
https://www.openssl.org/docs/man1.0.2/man1/x509.html
How do I view the details of a digital certificate .cer file?
https://serverfault.com/questions/215606/how-do-i-view-the-details-of-a-digital-certificate-cer-file
How to view an application certificate on Mac OS.?
https://stackoverflow.com/questions/22925090/how-to-view-an-application-certificate-on-mac-os
How to dump the content of keychain from the shell?
https://apple.stackexchange.com/questions/184897/how-to-dump-the-content-of-keychain-from-the-shell
How do I script codesign to trust an imported keychain from the Mac command line
https://stackoverflow.com/questions/76214845/how-do-i-script-codesign-to-trust-an-imported-keychain-from-the-mac-command-line
Accessing keychain from Terminal?
https://discussions.apple.com/thread/1518945?sortBy=best
Get Keychain Passwords from Command Line
https://davidwalsh.name/keychain-command-line
wifi-password.sh
https://github.com/rauchg/wifi-password/blob/master/wifi-password.sh
=END=
《 “macOS系统中的security命令” 》 有 4 条评论
MACOS系统中最容易被窃取的7种数据
https://mp.weixin.qq.com/s/XQit_oy3n9_PSvx3NkxcnA
`
一直以来,macOS系统的最大特点之一就是较少受到恶意软件的困扰。研究数据显示:在过去5年中,严重困扰Windows终端用户的勒索软件攻击并未在Mac设备上大量重现,锁定Mac设备或数据并向其所有者勒索赎金的攻击模式目前还难以实现。
然而,窃取有价值的数据并以恶意的方式将其货币化,这种攻击策略在各个操作系统上都很常见。在macOS系统上,非法攻击者也同样在窃取会话cookie、Keychain(密钥串)、SSH密钥等信息,并通过广告软件或间谍软件等恶意进程违规收集数据。这些数据可以在各种地下论坛和暗网市场中销售,或者直接应用于各种网络攻击活动。
本文梳理总结了macOS系统中最容易被窃取的7种数据资产类型,以帮助安全运营人员更好地保护企业,并识别潜在的风险迹象。
01-会话cookie数据
02-用户的密码管理文件
03-用户登录密码信息
04-浏览器中的密码及相关数据
05-SSH密钥信息
06-macOS系统环境信息
07-粘贴板中的内容信息
# 防护建议
随着Mac电脑设备在企业生产和开发团队中越来越受欢迎,存储在Mac电脑上的数据对攻击者来说正变得越来越重要。企业要缓解各种类型的数据窃取攻击,首先需要部署一个完善的端点安全解决方案,它既可以快速识别并阻止恶意软件,也可以让安全团队看到设备上正在发生的事情。
此外,安全运营人员还应该定期监控试图访问密钥链、SSH和上面讨论的其他文件路径的进程。
最后,尽管macOS系统的TCC机制还有很多不完善的地方,但保持macOS系统的及时更新仍然至关重要,因为苹果公司会定期升级TCC框架,并修补研究人员报告的其他安全漏洞,降低MAC设备的使用风险。
`
macOS 上敏感文件的位置和有趣的守护进程
macOS Sensitive Locations & Interesting Daemons
https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations
`
Passwords
* Shadow Passwords
* Keychain Dump
* Keychaindump
* Keychaindump Overview
* chainbreaker
* kcpassword
Interesting Information in Databases
* Messages
* Notifications
* Notes
Preferences
System Notifications
* Darwin Notifications
* Distributed Notification Center
* Apple Push Notifications (APN)
User Notifications
`
Mac OS X 机器上的数字证书物理存储在哪里?
https://superuser.com/questions/992167/where-are-digital-certificates-physically-stored-on-a-mac-os-x-machine
`
Can someone tell me and maybe link to literature which describes it, where are the digital certificates storage location on Mac OS X? I know I could access the certificates with the “Keychain” application. But where are the certificates stored on the disk? Under Linux they are for example under /etc/ssl/certs but under Mac OS X they are no certificates in this folder.
谁能告诉我 Mac OS X 上数字证书的存储位置在哪里?我知道我可以用 “钥匙串 “应用程序访问证书。但磁盘上的证书存储在哪里呢?例如,在 Linux 下,证书存放在 /etc/ssl/certs 文件夹中,但在 Mac OS X 下,这个文件夹中没有证书。
I read something about that the certificates are stored in a “Keychain File?” Is this right? If yes, could someone explain me the technical details on it.
我读到过一些关于证书存储在 “钥匙串文件 “中的信息?是这样吗?如果是,谁能解释一下技术细节。
If someone has detailed literature of this stuff, would be helpfull to link them here. thanks!
如果有人有这方面的详细资料,请将其链接到这里!
==
Apple’s Mac OS X includes a built-in key and password manager, Keychain, which stores user passwords, user and server certificates, and keys.
苹果的 Mac OS X 包含一个内置的密钥和密码管理器–Keychain,用于存储用户密码、用户和服务器证书以及密钥。
# 钥匙串数据存储在哪里? Where is the Keychain data stored?
The keychain data is stored in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.
钥匙串数据存储在:
~/Library/Keychains/
/Library/Keychains/
/Network/Library/Keychains/
中。
The first location is where my personal keychain is stored. To access their data, I need the Keychain Utility located in the Utilities folder in the Applications folder.
第一个位置是存储我的个人钥匙串的地方。要访问它们的数据,我需要使用应用程序文件夹下实用工具文件夹中的钥匙串实用工具。
I like using spotlight to access the Keychain Utility as it only takes a few keys to get there – click on the spotlight icon in the top right corner and type “keychain”. Spotlight is quick and will predict what you are looking for and get it on top of the search quickly, so you don’t even need to type the whole word. Once you open it, you have access to your Keychain.
我喜欢用 Spotlight 来访问钥匙串实用工具,因为只需几个键就能到达–点击右上角的 Spotlight 图标,然后输入 “keychain”(钥匙串)。Spotlight 的搜索速度很快,它能预测你要找的内容,并迅速将其显示在搜索结果的顶部,所以你甚至不需要键入整个单词。打开后,你就可以访问你的钥匙串了。
# 了解本地钥匙串文件 Understanding Local Keychain Files
I will briefly explain the purpose of the most important files in these directories.
我将简要说明这些目录中最重要文件的用途。
~/Library/Keychains/login.keychain-db – This keychain is created when your user account in Mac OS X is created and normally has its password synchronised with your login password. It is unlocked at login and locked a logout. This is where most of your passwords will end up in. Its password is changed when you change your login password or using the Keychain Access utility.
~/Library/Keychains/login.keychain-db – 该钥匙串是在创建 Mac OS X 用户账户时创建的,其密码通常与登录密码同步。登录时解锁,注销时锁定。你的大部分密码都会存放在这里。当你更改登录密码或使用钥匙串访问实用程序时,就可以更改它的密码。
~/Library/Keychains/${HARDWARE_UUID}/ – UUID stands for Universally Unique Identifier and this value is unique to your device. In the Keychain Access app, it appears as “Local Items” and is where your iCloud keychain is stored, when the service is enabled. The iCloud keychain service allows passwords and other types of data from it to be synchronised with your other Apple devices like you iPad, iPhone or another Mac. The only requirements are that all these devices are using the same Apple ID account, and the OS supports the iCloud keychain service (Mac OS X 10.9 and above, iOS 7.0.3 and above).
~/Library/Keychains/${HARDWARE_UUID}/ – UUID 代表通用唯一标识符,该值对您的设备而言是唯一的。在钥匙串访问应用中,该值显示为 “本地项目”,当启用该服务时,它就是您的 iCloud 钥匙串的存储位置。iCloud 钥匙串服务允许将其中的密码和其他类型的数据与其他苹果设备(如 iPad、iPhone 或其他 Mac)同步。唯一的要求是所有这些设备都使用同一个 Apple ID 账户,并且操作系统支持 iCloud 钥匙串服务(Mac OS X 10.9 及以上版本、iOS 7.0.3 及以上版本)。
/Library/Keychains/System.keychain – The System keychain stores items that are accessed by the OS and shared between users, for example, to allow everyone on the Mac to be able to connect to a WiFi network. Only administrators can change its content.
/Library/Keychains/System.keychain – 系统钥匙串存储操作系统访问和用户之间共享的项目,例如,允许 Mac 上的每个人都能连接到 WiFi 网络。只有管理员才能更改其内容。
/Library/Keychains/FileVaultMaster.keychain – This file is created by the system when FileVault encryption service is enabled on your Mac. The OS manages its content.
/Library/Keychains/FileVaultMaster.keychain – 当 Mac 启用 FileVault 加密服务时,系统会创建该文件。操作系统管理其内容。
/System/Library/Keychains/ – This is another location that can store loads of keychain files. Its content is managed by the system and other applications. Most of them will not appear in the Keychain Access utility however, all users benefit from it.
/System/Library/Keychains/ – 这是另一个可以存储大量钥匙串文件的位置。其内容由系统和其他应用程序管理。其中大部分文件不会出现在钥匙串访问实用程序中,但所有用户都会从中受益。
`
Understanding the Mac OS X Keychain
https://web.archive.org/web/20170722034344/http://amsys.co.uk/2015/02/understanding-mac-os-x-keychain/