导出钥匙串
Answers:
这只是关于如何我一个很多年前做的,这是该脚本更新约塞米蒂10.11.5 -但我没有测试它。
脚本将钥匙串中的每个项目保存为文本:
security dump-keychain -d login.keychain > keychain.txt第二个AppleScript项,当从KeyChain中读取该项时,单击第一个脚本触发的“允许”按钮。
[编辑:2016年7月]这已更新至10.11.5注意,因为有些人报告说它们以0.2的延迟锁定了他们的Mac,我将脚本限制为一次只能处理200个结果,因此如果您有1050个钥匙串项,您需要在ScriptEditor中运行该脚本6次,还必须允许在以下安全性偏好设置的“辅助功能”部分中启用ScriptEditor:
tell application "System Events" set maxAttemptsToClick to 200 repeat while exists (processes where name is "SecurityAgent") if maxAttemptsToClick = 0 then exit repeat set maxAttemptsToClick to maxAttemptsToClick - 1 tell process "SecurityAgent" try click button 2 of window 1 on error keystroke " " end try end tell delay 0.2 end repeat end tell
然后上面的链接 / 优胜美地更新也有一个从文本文件到CSV的红宝石转换步骤,祝您好运!
ShreevatsaR在评论中指出,此ruby转换仅涵盖“互联网密码”,而不涵盖“应用程序密码”。这是由于脚本的目的是将“互联网密码”导出到应用程序中1Password。
这是堆栈溢出问题和答案,大致相同
System.keychain在这里:
security dump-keychain -d /Library/Keychains/System.keychain > systemkeychain.txt
要使AppleScript与对话框交互,系统首选项->安全和隐私首选项->隐私选项卡,辅助功能选项必须启用“ Script Editor.app”
我写了一个Python脚本,将钥匙串转储转换为Excel文件,并认为我可以与您共享它。我选择使用CSV或TSV以外的Excel,因为很多人都安装了Excel,只需双击该文件即可使用。您当然可以修改脚本以打印任何其他格式。我是在OS X 10.11 El Capitan上完成的,但也应该在较旧的OS上也可以使用。
由于我不喜欢将密码以明文形式存储在硬盘驱动器上,因此我使用Disk Utility应用程序创建了一个加密的容器。只需打开“磁盘工具”(按cmd+ Space,键入“磁盘”)。在应用程序中,按cmd+ N获取新图像,将名称更改为SEC,将加密更改为256位AES,然后将其保存在SEC下的所选目录中。然后双击文件(或使用“磁盘工具”)安装卷。
在安全容器中创建一个名为keychain.py的新文件,然后粘贴以下代码。
现在打开Terminal.app并将目录更改为已安装的加密卷:
cd /Volumes/SEC我们需要python软件包管理器来安装Excel模块(系统会提示您输入密码):
sudo easy_install pip我们需要安装Python Excel模块:
sudo pip install xlwt现在,使用此问题的其他答案之一导出密码。我只是这样做
security dump-keychain -d > keychain.txt,垃圾邮件的另一只手按住了鼠标,然后单击了“允许”按钮。最后一步是使用python脚本将txt文件转换为可读的Excel工作表:
python keychain.py keychain.txt keychain.xls
。
#!/usr/bin/env python
import sys
import os
import re
import xlwt
# Regex to match both generic and internet passwords from a keychain dump
regex = re.compile(
r"""
keychain:\s"(?P<kchn>[^"]+)"\n # absolute path and file of keychain
version:\s(\d\d\d)\n # version
class:\s"(?P<clss>(genp|inet))"\n # generic password or internet password
attributes:\n
(\s*?0x00000007\s<blob>=(?P<name>[^\n]+)\n)? # name
(\s*?0x00000008\s<blob>=(?P<hex8>[^\n]+)\n)? # ? only used at certificates
(\s*?"acct"<blob>=(?P<acct>[^\n]+)\n)? # account
(\s*?"atyp"<blob>=(?P<atyp>[^\n]+)\n)? # account type ("form"), sometimes int
(\s*?"cdat"<timedate>=[^"]*(?P<cdat>[^\n]+)\n)? # datetime created
(\s*?"crtr"<uint32>=(?P<crtr>[^\n]+)\n)? # vendor key with four chars like "aapl"
(\s*?"cusi"<sint32>=(?P<cusi>[^\n]+)\n)? # ? always null
(\s*?"desc"<blob>=(?P<desc>[^\n]+)\n)? # description
(\s*?"gena"<blob>=(?P<gena>[^\n]+)\n)? # ? always null except one rare cases
(\s*?"icmt"<blob>=(?P<icmt>[^\n]+)\n)? # ? some sort of description
(\s*?"invi"<sint32>=(?P<invi>[^\n]+)\n)? # ? always null
(\s*?"mdat"<timedate>=[^"]*(?P<mdat>[^\n]+)\n)? # datetime last modified
(\s*?"nega"<sint32>=(?P<nega>[^\n]+)\n)? # ? always null
(\s*?"path"<blob>=(?P<path>[^\n]+)\n)? # path
(\s*?"port"<uint32>=(?P<port>[^\n]+)\n)? # port number in hex
(\s*?"prot"<blob>=(?P<prot>[^\n]+)\n)? # ? always null
(\s*?"ptcl"<uint32>=(?P<ptcl>[^\n]+)\n)? # protocol but is blob ("http", "https")
(\s*?"scrp"<sint32>=(?P<scrp>[^\n]+)\n)? # ? always null except one rare cases
(\s*?"sdmn"<blob>=(?P<sdmn>[^\n]+)\n)? # used for htaccess AuthName
(\s*?"srvr"<blob>=(?P<srvr>[^\n]+)\n)? # server
(\s*?"svce"<blob>=(?P<svce>[^\n]+)\n)? # ? some sort of description
(\s*?"type"<uint32>=(?P<type>[^\n]+)\n)? # some blob: "iprf", "note"
data:\n
"(?P<data>[^"]*)" # password
""", re.MULTILINE | re.VERBOSE)
# Dictionary used by the clean function (Apple is not always right about the
# types of the field)
field2type = {
"name": "blob",
"hex8": "blob",
"acct": "blob",
"atyp": "simple",
"cdat": "timedate",
"crtr": "uint32",
"cusi": "sint32",
"desc": "blob",
"gena": "blob",
"icmt": "blob",
"invi": "sint32",
"mdat": "timedate",
"nega": "sint32",
"path": "blob",
"port": "uint32",
"prot": "blob",
"ptcl": "blob",
"scrp": "sint32",
"sdmn": "blob",
"srvr": "blob",
"svce": "blob",
"type": "blob",
"data": "simple",
"kchn": "simple",
"clss": "simple"
}
def clean(field, match):
value = match.group(field)
if not value or value == "<NULL>":
# print null values as empty strings
return ""
if field2type[field] == "blob":
# strip " at beginning and end
return value[1:-1]
elif field2type[field] == "timedate":
# convert timedate to the iso standard
value = value[1:-1]
return value[0:4] + "-" + value[4:6] + "-" + value[6:8] + "T" + \
value[8:10] + ":" + value[10:12] + ":" + value[12:14] + "Z" + value[16:19]
elif field2type[field] == "uint32":
# if it really is a hex int, convert it to decimal
value = value.strip()
if re.match("^0x[0-9a-fA-F]+$", value):
return int(value, 16)
else:
return value
else:
# do nothing, just print it as it is
return value
def print_help():
print "Usage: python keychain.py INPUTFILE OUTPUTFILE"
print "Example: python keychain.py keychain.txt keychain.xls"
print " where keychain.txt was created by `security dump-keychain -d > keychain.txt`"
print " When dumping the keychain, you have to click 'Allow' for each entry in your"
print " keychain. Position you mouse over the button and go clicking like crazy."
print "Keychain 0.1: convert an Apple Keychain dump to an Excel (XLS) spreadsheet."
# Check for correct parameters
if len(sys.argv) != 3:
print_help()
sys.exit(1)
elif len(sys.argv) == 3:
if not os.path.isfile(sys.argv[1]):
print "Error: no such file '{0}'".format(sys.argv[1])
print_help()
exit(1)
# Read keychain file
buffer = open(sys.argv[1], "r").read()
print "Read {0} bytes from '{1}'".format(len(buffer), sys.argv[1])
# Create excel workbook and header
wb = xlwt.Workbook()
ws = wb.add_sheet("Keychain")
ws.write(0, 0, "Name")
ws.write(0, 1, "Account")
ws.write(0, 2, "Password")
ws.write(0, 3, "Protocol")
ws.write(0, 4, "Server")
ws.write(0, 5, "Port")
ws.write(0, 6, "Path")
ws.write(0, 7, "Description")
ws.write(0, 8, "Created")
ws.write(0, 9, "Modified")
ws.write(0, 10, "AuthName")
ws.write(0, 11, "AccountType")
ws.write(0, 12, "Type")
ws.write(0, 13, "Keychain")
# Find passwords and add them to the excel spreadsheet
i = 1
for match in regex.finditer(buffer):
ws.write(i, 0, clean("name", match))
ws.write(i, 1, clean("acct", match))
ws.write(i, 2, clean("data", match))
ws.write(i, 3, clean("ptcl", match))
ws.write(i, 4, clean("srvr", match))
ws.write(i, 5, clean("port", match))
ws.write(i, 6, clean("path", match))
ws.write(i, 7, clean("desc", match))
ws.write(i, 8, clean("cdat", match))
ws.write(i, 9, clean("mdat", match))
ws.write(i, 10, clean("sdmn", match))
ws.write(i, 11, clean("atyp", match))
ws.write(i, 12, clean("clss", match))
ws.write(i, 13, clean("kchn", match))
i += 1
wb.save(sys.argv[2])
print "Saved {0} passwords to '{1}'".format(i-1, sys.argv[2])
从OSX 10.10.3开始,有一种新的方式可以自动接受(我在升级过程中遇到了问题)
Bash函数(添加到.profile或.bash_rc文件中)
## At the terminal when you start getting the prompts, type `Accepts` and press enter
function Accepts () {
osascript <<EOF
tell application "System Events"
repeat while exists (processes where name is "SecurityAgent")
tell process "SecurityAgent" to click button "Allow" of window 1
delay 0.2
end repeat
end tell
EOF
}
## At the terminal when you start getting the prompts, type `Accepts YourUsername YourPassword` and press enter
function AcceptWithCreds () {
username="$1"
password="$2"
[ -z "${password}" ] && return 1
osascript 2>/dev/null <<EOF
set appName to "${username}"
set appPass to "${password}"
tell application "System Events"
repeat while exists (processes where name is "SecurityAgent")
tell process "SecurityAgent"
if exists (text field 1 of window 1) then
set value of text field 1 of window 1 to appName
set value of text field 2 of window 1 to appPass
end if
end tell
tell process "SecurityAgent" to click button "Allow" of window 1
delay 0.2
end repeat
end tell
EOF
echo 'Finished...'
}
并使用此脚本转储您的密钥环(sudo ./dump.sh)
#!/bin/bash
# Run above script in another window
security dump-keychain -d login.keychain > keychain-login.txt
security dump-keychain -d /Library/Keychains/System.keychain > keychain-system.txt
execution error: System Events got an error: osascript is not allowed assistive access.了命令行。我发现解决此问题的最简单方法是将AppleScript代码粘贴到“脚本编辑器”应用程序中,然后从那里运行它。
osascript is not allowed assistive access通过在系统偏好设置=>安全和隐私=>可访问性中允许您的终端应用可以避免该错误。
@MichaelStoner的答案是一个好的开始,但是在OS X 10.10.3 Yosemite上却失败了,他的AppleScript代码报告了该问题System Events got an error: Can’t get group 1 of window 1 of process "SecurityAgent". Invalid index。
经过一番尝试后,以下解决方案为我工作:
tell application "System Events"
repeat while exists (processes where name is "SecurityAgent")
tell process "SecurityAgent"
keystroke " "
end tell
delay 1
end repeat
end tell
开始后,您必须单击“允许”对话框。该代码将花费一些时间,但是我建议不要降低延迟(“ delay 0.2”使我强制关闭Mac)。只是喝杯咖啡。
钥匙串导出功能适用于ITEMS,而不适用于整个钥匙串。它也不会让您导出大多数项目-即当您看到灰色的导出功能时。
要将钥匙串从一台Mac复制到另一台Mac,请使用Migration Assistant应用。
或通过复制〜/ Library / Keychains /文件夹中的钥匙链文件来手动执行此操作。
在新计算机上打开“ 钥匙串访问”应用程序,然后选择File> Add Keychain…。
该security二进制将在命令行中的钥匙串取回物品,所以你可以脚本在python系统地倾倒内容。这实际上取决于所需的数据格式以及以后的使用方式。
如果您知道执行新解决方案需要花费多长时间,以及是否需要学习/搜索将内容转储为所选格式的现有程序或库,则复制/粘贴也是不错的选择。
导出项目菜单用于公钥和/或私钥导出,对于这些公钥和/或私钥导出,行业标准的文件格式可以在存储到文件系统中进行交换和传输时对数据进行适当的编码和保护。该功能在Keychain Assistant的帮助中简要记录。
有一个工具调用KeychaindumpPro https://hackforums.net/showthread.php?tid=5803486。
静默从钥匙串中提取密码短语/帐户/付款/安全票据/ PublicKey / PrivateKey / SymmetricKey /证书等。