Mcafee EPO Static Encryption Key

I came across a Mcafee EPO server not long ago and found that during an on host review it stores the SQL database connection details and encrypted password in a file within the EPO directory, “/conf/orion/”. The password is encrypted with a statically known key that is used on all EPO deployments of a similar version.

The good news is there is already a metasploit module created in which someone has kindly went to the effort to extract the encryption key.

The problem that I encountered was that for me it was not fit for purpose, I needed to decrypt the credentials in the file but the module is a post module and required a session to extract the file. It was not possible to gain a session due to the nature of the test and therefore I rewrote the module into an auxiliary module that takes the file from the local file system and then runs it through the same decryption mechanism.

I hope the following code is of use to someone else who may find themselves in a similar scenario :  epo-doug

Leave a comment

Your email address will not be published. Required fields are marked *