Extracting tokens from encrypted backup

[Esgariot]

Hi,

I'm trying to extract token secrets from encrypted backup.

I've managed to extract authenticator.plist, which contains multiple entries that resemble base64, but do not decode into valid utf-8.

Here's the steps that got me there:

1. Create local encrypted backup of your device, as specified in https://support.apple.com/en-us/HT205220
2. use https://github.com/jsharkey13/iphone_backup_decrypt (you will find backups in ~/Library/Application Support/MobileSync/Backup/
3. Specify the passphrase
4. extract Library/Preferences/me.mattrubin.authenticator.plist using extract_file
5. Convert the plist from binary to xml using plutil -convert xml1 <plist file>

I've noticed that all the secret entries fit the Z2VucXXXXXXXXXXXXXXXXXXXXXX= pattern.
Is it possible to decode it further? I suppose it would represent the Token object, serialized

[Esgariot]

Looking at https://github.com/mattrubin/OneTimePassword/blob/66f284e22c170ffcc2c9dcf055a1efeb260c766d/Sources/PersistentToken.swift#L31-L35 maybe this is not a feasible approach.

[Esgariot]

https://github.com/dunhamsteve/ios is a bit more ergonomic, and allows dumping keychain file

[Esgariot]

Now I'm missing a way to import dumped ascii keychain into macos keychain store, to then query stuff as specified in #383 (comment)

[Esgariot]

I've managed to decode the url, by base64-decoding the "gena" field from irestore's dumpkeys output, into otpauth://totp/<skipped>algorithm=SHA1&digits=6&issuer=<skipped>&duration=30. There's no secret in this decoded url :<

[FolioForThatGuy]

Did you ever get further? I've gotten to the same point with the codes but can't find out where the secret is. I'm moving to android so an encrypted backup and restore isn't even an option.

[Esgariot]

@FolioForThatGuy I didn't, ultimately regenerated OTPs and moved on