Blog: How-Tos

Grab the UI lock password from McAfee A/V, kill the service, send in the malware

David Lodge 26 Aug 2015

Once more I’m drifting away from what I usually write and going back to password cracking (don’t worry, more IoT stuff will be coming soon), and another real world situation.

I’m stuck onsite testing a piece of software and I’m having real problems with the anti-virus solution doing its job and actually stopping me from copying malware on the box. The anti-virus solution is McAfee, which can get quite annoying (from my perspective) as it prevents the user from doing a lot of stuff, such as killing the service.

McAfee has a master unlock password that is stored in the registry. This is set to allow an administrator to unlock the interface and perform some actions on the agent install.

So, in theory I could go into the registry and delete – or change – the registry values. This is too destructive for my liking, so the other way is to try and crack the hash of the unlock password.

This is by no means secret: Metasploit has a module to extract the hash, Mediaservice have a blog post detailing it all with some sample C code that will generate hashes and earlier forms of encoding can be found with a quick web search. But, I can’t throw this into a fast password cracker or offload it onto the GPU.

So, here’s a quick tutorial on how to mangle this password into a state whereby <insert your favourite password cracker> can start cracking it. Like usual I’m going to be using hashcat simply because I know the interface better than other crackers.

Here’s what we’re going to do

I will be going through a lot of items, but here are the main steps:

  1. Get the registry value HKLMSOFTWAREMcAfeeDesktopProtectionUIPEx
  2. Convert it from a base64 value to a hexadecimal string
  3. Send it through hashcat as hash type 140 with a static salt of “01000f000d003300”
  4. Remember to use the –hex-salt flag to hashcat

Extracting the Hash

This is relatively easy, and can be gained quickly if you have access to the registry, as far as I can tell the registry key’s permissions are also set to read for all BUILTINUsers, so any user should be able to view the hash.

The important values are stored in the key HKLMSOFTWAREMcAfeeDesktopProtection. On older versions this may be stored in HKEY_LOCAL_MACHINESoftwareNetwork AssociatedTVDVirusscan EnterpriseCurrentVersion. In these cases you’re stuck in the wrong decade and really ought to upgrade.

You can access this through any mechanism you desire, either regedit or using “reg export” if you like the command line.

The values of interest are:

Value Name Use
UIPMode The protection mode and how the hash is stored, if you have write access you can set this to zero to disable it
UIPPages A comma separated list of functions which define which screens require the password. Don’t mess with this
UIP The value where the user password hash used to be stored on older versions. This is normally blank. If it isn’t see below
UIPEx The hash for the user password

If you’re lazy you can use the post/windows/gather/credentials/mcafee_hashdump script.

Hash Format

We’ll deal with the single UIP format first as this is easy, it’s basically:

hash = md5(unicode($password))

I.e. take the password, convert it to UTF-16 and then md5 it. This is essentially hash type 40 on hashcat, with a blank salt and can easily be cracked.

I have no examples of this, so can’t do a nice screenshot.

Next we have the UIPEx format, I’m guessing that Ex stands for “extended”. McAfee seem to have learnt a bit from their previous attempt and have changed it slightly: they changed the algorithm to SHA1 and added a salt. A static salt (of the hex values 0x01 0x0f 0x0d 0x33). It is then base64’d and stored in the registry key.

This updates the algorithm to:

hash = sha1(unicode($salt . $password))
storedhash = base64(hash)

Here’s the problem: there’s no hashcat hash type that matches a Unicode salt. The closest we can get is type 140:

sha1($salt.unicode($pass))

Fortunately, as the salt is static we can add it ourselves in the hash format.

First off, we need to convert the stored hash to something we can use. As this only needs to be done once, we can do this by hand, using pip3line or a similar program. For an example we’ll be using the hash list on the Mediaservice blog post: 1Or2ZtCTFvnWGxR1M1OnPV+88Eg=

So, we base64 decode it and then convert the raw hexadecimal to a string of hexadecimal characters:

base64d(1Or2ZtCTFvnWGxR1M1OnPV+88Eg=)
= d4eaf666d09316f9d61b14753353a73d5fbcf048

We can now pass this through to hashcat as a hash with the salt. There’s one problem though: we need to convert the salt to Unicode (technically UTF-16). UTF-16 is the version of the Unicode standard most common used by Windows. To get around the lack of characters allowed in a single byte (255) it uses two (or more) bytes to stored character.

As two characters are now being used to store each byte a UTF-16 string is not the same as a normal ASCII string, in programming terms:

utf16($string) != $string

Fortunately it’s easy to convert characters in the normal 7-bit ASCII code page to UTF-16: we just convert it from an 8-bit integer to a 16 bit integer, making 0x01 become 0x0001.

One final thing to bear in mind is that Windows uses a little endian version of UTF-16, so this is actually stored in memory as 0x01 0x00.

After all that, we can convert the static salt to UTF-16:

Unicode(0x01 . 0x0f . 0x0d . 0x33)
= 0x0001 . 0x000f . 0x000d . 0x0033

Then swap the byte order for endianness:

= 0x01 0x00 0x0f 0x00 0x0d 0x00 0x33 0x00

And mash it into a hex string:

= 01000f000d003300

We can now pass the hex string as salt to hashcat using the special –hex-salt flag and we can try and crack the password:

C:toolspasswordshashcat>cudaHashcat32.exe -m 140 d4eaf666d09316f9d61b14753353a73d5fbcf048:
01000f000d003300 –hex-salt ..dictionaries
cudaHashcat v1.36 starting…[…]INFO: approaching final keyspace, workload adjustedd4eaf666d09316f9d61b14753353a73d5fbcf048:01000f000d003300:test

Session.Name…: cudaHashcat
Status………: Cracked
Input.Mode…..: File (..dictionaries/a.txt)
Hash.Target….: d4eaf666d09316f9d61b14753353a73d5fbcf048:…
Hash.Type……: sha1($salt.unicode($pass))
Time.Started…: 0 secs
Speed.GPU.#1…: 0 H/s
Recovered……: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress…….: 1/1 (100.00%)
Rejected…….: 0/1 (0.00%)
HWMon.GPU.#1…: 0% Util, 49c Temp, N/A Fan

Started: Wed Aug 26 11:25:35 2015
Stopped: Wed Aug 26 11:25:37 2015

It was then I found that the client used a 16 character random password, with no chance of cracking it. Oh well, the journey’s often more interesting than the destination (especially if you’re going to Slough).

Prevention

If you’re using McAfee Antivirus and want to stop your users doing this, follow the guidelines for strong passwords; make them long and strong, like good toilet roll.