Skip to content

Instantly share code, notes, and snippets.

@JohnStarich

JohnStarich/keychain-search.md

Last active November 23, 2020 13:27
Show Gist options
  • Save JohnStarich/df786c85f56d2d4465cf954572b47580 to your computer and use it in GitHub Desktop.
Save JohnStarich/df786c85f56d2d4465cf954572b47580 to your computer and use it in GitHub Desktop.
Download ZIP
keychain-search.sh
Raw
keychain-search.md

Keychain Search script

I found it difficult to search through the iCloud keychain for thousands of potentially breached domain names, like the Cit0day dump.

Turns out iCloud keychain is especially difficult to search through for website domains compared to the login or System keychains.

I made this script to open up the keychain app on macOS and search for any number of domains in a giant file, then print out the possibly affected domains.

It certainly isn't perfect. It's slow and makes many assumptions about the Keychain Access app (for macOS 10.15). Despite that, this script should help anyone trying to search through the Cit0day domain list (or similar breaches) automatically.

Run it

Just run the following, where ~/Downloads/Cit0day.sites.lst is your file containing the domain name list and keychain-search.sh is the path to the below script file. I got my domain list file from this gist: https://gist.github.com/kssi/a476cb0467fea59ca826ab380710a2b4

xargs keychain-search.sh < ~/Downloads/Cit0day.sites.lst | tee affected-domains.txt

The extra tee at the end will helpfully save a copy of the script output to the file affected-domains.txt for later use.

Always verify the scripts you run on your computer. I'm not liable for anything that happens as a result of using this script.

Raw
keychain-search.sh
#!/usr/bin/env bash
function check() {
local domain=$1
domain=$(tr -d '\n' <<<"$domain" | xargs) # Clean input argument. Remove new lines and some repeated spaces.
printf '%s' "$domain" | pbcopy
osascript -e '
activate application "Keychain Access"
tell application "System Events"
keystroke "a" using command down
keystroke "v" using command down
delay 0.5
tell process "Keychain Access"
set passExists to enabled of menu item "Get Info" of menu "File" of menu bar 1
if not passExists then
error number 1
end if
end tell
end tell
' 2>/dev/null
}
for arg in "$@"; do
if check "$arg"; then
echo "$arg"
fi
done
@JohnStarich
Copy link
Author

Thanks for your reply @kssi. That’s alright if there’s some extra malformed data, I’ll just have a few extra items to ignore in the output! 😄

I presume your gist filters out any malformed or duplicate lines?

@kssi
Copy link

kssi commented Nov 20, 2020

@JohnStarich gvolluz's list is broken in many ways. That's what happens when random people over the Internet offer help they're not able to provide. In my list, malformed lines are not filtered but simply fixed. The case is normalized and duplicate entries are removed. Also, some invalid domains are fixed (example: bodybuilder.ir_forum -> bodybuilder.ir).

Ignoring a few extra items on a malformed input makes no sense when you can just use a sane input. :)

@JohnStarich
Copy link
Author

@kssi Fair enough 😛 Not quite so broken I didn't get a useful scan, but enough that the next person should get a better one. I've updated to use your gist in the markdown file above.

@kssi
Copy link

kssi commented Nov 21, 2020

@JohnStarich I've just updated the gist using the latest Troy Hunt's files (the first version had one of them truncated). There are 1479 new domains.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment