@JohnStarich
Last active November 23, 2020 13:27
keychain-search.sh

Keychain Search script

I found it difficult to search through the iCloud keychain for thousands of potentially breached domain names, like the Cit0day dump.

Turns out iCloud keychain is especially difficult to search through for website domains compared to the login or System keychains.

I made this script to open up the keychain app on macOS and search for any number of domains in a giant file, then print out the possibly affected domains.

It certainly isn't perfect. It's slow and makes many assumptions about the Keychain Access app (for macOS 10.15). Despite that, this script should help anyone trying to search through the Cit0day domain list (or similar breaches) automatically.

Run it

Just run the following, where ~/Downloads/Cit0day.sites.lst is your file containing the domain name list and keychain-search.sh is the path to the below script file. I got my domain list file from this gist: https://gist.github.com/kssi/a476cb0467fea59ca826ab380710a2b4

xargs keychain-search.sh < ~/Downloads/Cit0day.sites.lst | tee affected-domains.txt

The extra tee at the end will helpfully save a copy of the script output to the file affected-domains.txt for later use.

Always verify the scripts you run on your computer. I'm not liable for anything that happens as a result of using this script.

#!/usr/bin/env bash

# Search Keychain Access for one domain.
# Exit status 0 means File > Get Info was enabled after the search, which the script treats as a match.
function check() {
    local domain=$1
    domain=$(tr -d '\n' <<<"$domain" | xargs) # Clean input argument. Remove new lines and some repeated spaces.
    printf '%s' "$domain" | pbcopy # Put the domain on the clipboard (this overwrites the current clipboard contents).
    osascript -e '
        activate application "Keychain Access"
        tell application "System Events"
            keystroke "a" using command down
            keystroke "v" using command down
            delay 0.5
            tell process "Keychain Access"
                set passExists to enabled of menu item "Get Info" of menu "File" of menu bar 1
                if not passExists then
                    error number 1
                end if
            end tell
        end tell
    ' 2>/dev/null
}

# Print every argument that produced a match.
for arg in "$@"; do
    if check "$arg"; then
        echo "$arg"
    fi
done
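
Added example (not part of the gist): a pre-filter for the domain list, useful because the script spends at least half a second of UI automation on every entry and `xargs` gives quotes and backslashes in its input a special meaning. It lowercases and trims each line, drops entries that are not syntactically valid hostnames (reporting them on stderr instead of repairing them) and removes duplicates; the names `clean_domains` and `sample_list` and the sample lines are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist. clean_domains and sample_list are
# hypothetical names; the sample lines are constructed for illustration.

# Read a raw domain list on stdin, write unique, lowercased, syntactically
# valid hostnames to stdout, and report every dropped line on stderr.
clean_domains() {
    LC_ALL=C tr -d '\r' | LC_ALL=C tr '[:upper:]' '[:lower:]' | LC_ALL=C awk '
    {
        gsub(/^[ \t]+|[ \t]+$/, "")      # trim surrounding whitespace
        sub(/\.$/, "")                    # drop a trailing root dot
        if ($0 == "") next                # skip blank lines silently

        # Labels: letters, digits, inner hyphens; the TLD must start with a letter.
        ok = ($0 ~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]([a-z0-9-]*[a-z0-9])$/)
        if (length($0) > 253) ok = 0      # whole-name length limit
        n = split($0, label, ".")
        for (i = 1; i <= n; i++)
            if (length(label[i]) > 63) ok = 0   # per-label length limit

        if (!ok) { print "rejected: " $0 > "/dev/stderr"; next }
        if (!seen[$0]++) print            # first occurrence only, order kept
    }'
}

# Constructed sample input covering the cases above.
sample_list() {
    printf '%s\n' 'Example.COM' '  example.com ' 'bodybuilder.ir_forum' \
        'shop.example.org.' "it's broken" '1.2.3.4' 'xn--e1afmkfd.xn--p1ai' ''
}

# Demo: prints example.com, shop.example.org, xn--e1afmkfd.xn--p1ai
sample_list | clean_domains

# With the gist's script (paths as in the README):
#   clean_domains < ~/Downloads/Cit0day.sites.lst | xargs keychain-search.sh | tee affected-domains.txt
```

Review the `rejected:` lines before discarding them: an entry such as `bodybuilder.ir_forum` is dropped here, not rewritten to `bodybuilder.ir`.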
@kssi

kssi commented Nov 20, 2020

The Cit0day list you are using is broken, see here: https://gist.github.com/gvolluz/dd0df2ba2400c4891f95d05de3dde1da/#gistcomment-3533450

You probably want to use this one instead: https://gist.github.com/kssi/a476cb0467fea59ca826ab380710a2b4

@JohnStarich
Author

Thanks for your reply @kssi. That’s alright if there’s some extra malformed data, I’ll just have a few extra items to ignore in the output! 😄

I presume your gist filters out any malformed or duplicate lines?

@kssi

kssi commented Nov 20, 2020

@JohnStarich gvolluz's list is broken in many ways. That's what happens when random people over the Internet offer help they're not able to provide. In my list, malformed lines are not filtered but simply fixed. The case is normalized and duplicate entries are removed. Also, some invalid domains are fixed (example: bodybuilder.ir_forum -> bodybuilder.ir).

Ignoring a few extra items on a malformed input makes no sense when you can just use a sane input. :)

@JohnStarich
Author

@kssi Fair enough 😛 Not quite so broken I didn't get a useful scan, but enough that the next person should get a better one. I've updated to use your gist in the markdown file above.

@kssi

kssi commented Nov 21, 2020

@JohnStarich I've just updated the gist using Troy Hunt's latest files (the first version had one of them truncated). There are 1479 new domains.
