Tuesday, September 13, 2011

Another way to bypass McAfee detection

During a penetration test we obtained full administrative control of a Windows server.

We were looking for a way to get more information from this server and wanted to use the pass-the-hash technique developed by Hernan Ochoa to obtain NT/LM hashes from memory.

The problem is that this server was running McAfee VirusScan Enterprise 8.7i, which detects wce.exe as malicious.

Disabling the antivirus service requires knowing the McAfee administrative password.
In previous versions it was possible to disable the password prompt by modifying the registry value UIP under either (1) HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection or (2) HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Entreprise\CurrentVersion.
Today that registry value can no longer be changed because of permissions added after the following vulnerability:


But we found the following registry values: "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\Configuration\Default\ExcludedItem_X"

Some of them are paths excluded by default: "c:\inetpub\mailroot\", "c:\program file\exchsrvr\schema", "%systemroot%\IIS Temporary Compressed"

We simply put our binaries in one of the directories named in ExcludedItem_X, ran them using the functionality that McAfee itself offers to run any binary, and finally got the hashes we needed.
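From the defender's side, the same registry values are what an administrator should be auditing. The following PowerShell script is an added example, not part of the original post: it reads the ExcludedItem_* values under the key named above, resolves each excluded path, and flags any that ordinary (non-administrator) users can write to. It assumes the excluded path is the last '|'-separated field of each value and that environment variables such as %systemroot% should be expanded first; both are assumptions, not documented McAfee behaviour.

```powershell
# Added example (not McAfee's or the post author's code): audit VSE 8.x on-access
# exclusions for directories that low-privileged users can write into.
# Assumption: each ExcludedItem_* value holds the path in its last '|'-separated field.
$key = 'HKLM:\SOFTWARE\McAfee\VSCore\On Access Scanner\Configuration\Default'
$props = Get-ItemProperty -Path $key -ErrorAction Stop

# Principals that should never have write access to an AV-excluded directory.
$unprivileged = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeBits = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -like 'ExcludedItem_*' })) {
    $raw  = [string]$p.Value
    $path = [Environment]::ExpandEnvironmentVariables(($raw -split '\|')[-1])
    $finding = [ordered]@{
        Name = $p.Name; Raw = $raw; Path = $path
        Exists = $false; WritableByNonAdmin = $false; Writers = @()
    }
    if (Test-Path -LiteralPath $path) {
        $finding.Exists = $true
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            $grantsWrite = ($ace.FileSystemRights -band $writeBits) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and ($unprivileged -contains $id)) {
                $finding.WritableByNonAdmin = $true
                $finding.Writers += $id
            }
        }
    }
    [pscustomobject]$finding
}
```

Pipe the output through `Where-Object { $_.WritableByNonAdmin }` to list only the exclusions that need tightening; exclusions pointing at non-existent paths are reported as well, since they are safe to remove.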

I hope this helps if you ever come across this antivirus; the technique should surely be applicable to other antivirus products too.

Have fun!
