Extracting token on live macOS

<< Click to Display Table of Contents >>

Navigation:  Elcomsoft Phone Breaker > Working with Apple devices > Extracting authentication token for iCloud > Extracting token on macOS >

Extracting token on live macOS

You can sign in to iCloud account to download data stored there using the iCloud Authentication token.

To get an Authentication token to iCloud, you will need an Elcomsoft Apple Token Extractor for macOS. This tool is shipped together with EPB (atex.dmg file). You can find it in EPB installation folder.

Elcomsoft Apple Token Extractor supports macOS versions up to 10.15.

EPB allows you to extract authentication tokens for:

Current iCloud user

Other iCloud user

User of a non-live operating system (e.g., by using disk image mounted to the current computer)

User permissions required for getting authentication token:

Authentication Token For

Permissions Required

iCloud account of the currently logged macOS user

User's permissions are enough

iCloud account of a different macOS user

root permissions are required

 

Types of authentication tokens extracted by EPB:


macOS lower 10.3

macOS 10.3 and higher

Account with two-factor authentication

Authentication token without limitations

Authentication token with limitations

Account without by two-factor authentication

Authentication token for account without two-factor authentication

Authentication token for account without two-factor authentication

 

The "icloud_token_<timestamp>.plist" file, which is created as the result of the token extraction, might contain the following types of tokens:

Token Type

Description

auth_token

Authentication token. Has no limitations.

auth_token_with_limitations

Authentication token with limitations. Has the following limitations:

The token cannot be used to download iCloud backups.

The token is valid only if it was extracted on the current computer and the user did not log out of iCloud.

ctoken

Continuation token. Cannot be used in EPB yet.

 

plist_file_with_token

 

To extract the Authentication token for the current iCloud user, do the following:

1. Run the atex.dmg file.

NOTE: If Elcomsoft Apple Token Extractor cannot be opened, see the detailed information in the Troubleshooting topic.

2. Copy the atex file from the mounted image to the folder where you want the file with authentication token to be saved.

3. Go to the directory where you saved the atex file.

4. Launch the atex file. The "icloud_token_<timestamp>.plist" file will be created in the Users/<current user name> directory.

   You will see the full path to the created file in the opened Terminal window.

NOTE: Make sure that there is Internet connection on the computer where the token is extracted. Otherwise, only the token with limitations will be extracted.

5. The created "icloud_token_<timestamp>.plist" file contains the Authentication token of the current iCloud user.

The "icloud_token_<timestamp>.plist" file created for the current iCloud user contains the following information:

macOS Version

Contents

macOS up to 10.12.5

Apple ID (apple_id)

Authentication token (auth_token)

Continuation token (ctoken)

Password to Apple ID - in some cases

macOS 10.3 and higher

Apple ID (apple_id)

Authentication token (auth_token)

Authentication token with limitations (auth_token_with_limitations)

Continuation token (ctoken)

Password to Apple ID - in some cases

 

To extract the Authentication token for a different iCloud user, do the following:

1.Run the atex.dmg file.

NOTE: If Elcomsoft Apple Token Extractor cannot be opened, see the detailed information in the Troubleshooting topic.

2.Copy the atex file from the mounted image to the folder where you want the file with authentication token to be saved.

3.Open the command-line Terminal.

4.Go to the directory where you saved the atex file.

5.To list all iCloud users, use the command sudo atex -l or sudo atex --iCloudUserList

sudo command is used to get root privileges for running the program.

6.Enter the password of the root user when prompted.

7.The list of all iCloud users will be displayed.

8.To get authentication token, run the command sudo atex --getToken -u <username> -p <password>

   For example: sudo atex --getToken -u mary -p 1234

NOTE: Make sure that there is Internet connection on the computer where the token is extracted. Otherwise, only the token with limitations will be extracted.

9. The file "icloud_token_<timestamp>.plist" will be created in the directory from which atex was launched.

   You will see the full path to the created file in the opened Terminal window.

10. The created "icloud_token_<timestamp>.plist" file contains the Authentication token of the selected iCloud user.

The "icloud_token_<timestamp>.plist" file created for a different iCloud user contains the following information:

macOS Version

Contents

macOS up to 10.12.5

Apple ID (apple_id)

Authentication token (auth_token)

Continuation token (ctoken)

Password to Apple ID - in some cases

macOS 10.3 and higher

Apple ID (apple_id)

Authentication token with limitations (auth_token_with_limitations)

Continuation token (ctoken)

Password to Apple ID - in some cases

 

Parameters for running atex in the Terminal:

Parameter

Meaning

-h or [--help]

Displays help message

-l or [--iCloudUserList]

Displays usernames of iCloud users

--getToken -u <username> -p <password>

Gets the authentication token for a specified user. Username and   password should be entered without brackets.

-u or [--username]

Indicates a specified user. Username should be entered without brackets.

-p or [--password]

Indicates a password for a specified user. Password should be entered without brackets.