Ex Android Dev

Pentest tale - Dumping cleartext credentials from antivirus

I have nothing “mind blown” to share, so let me tell you a story.

On one of my past pentests, I was engaged to perform an internal penetration test of the network with an assumed breach scenario. I have had access to the machine as a regular employee would.

So, what is the first thing you would do?
I have tried to run some enumeration scripts, but I haven’t been so careful and antivirus had been triggered. Very soon after, I have been informed by the blue team that my actions have been noticed and they provided me with the picture of antivirus sending them an alert email. That made me wonder, how did the antivirus send the email exactly?

The installed antivirus was ESET. I have started browsing around its settings and I have come across email notifications.

esset-email-notification-settings

Basically, whenever ESET catches something, it sends an email notification.

esset-email-notification

Depending on the installation and permissions, you might not have an option to edit any settings in the antivirus. That was the case in my scenario, I had read-only permission.

I have tried various ways to read those credentials, among the other things, I have tried the ESET’s export function with the hope to export email credentials in cleartext.

eset-export-settings

Of course, the password was encrypted. eset-export-settings

Then it came to my mind, how can ESET send an email if credentials were encrypted? It uses an SMTP, of course it needs cleartext credentials to authenticate to the SMTP server.

So there were 2 possible routes from that point. Find the key and decrypt the credentials or dump the process memory and search for credentials. Guess which one I have chosen. Yes, I have chosen the lazy one.

I have used task manager, found the process and dumped its memory. task-mgr-2

task-mgr-3

A simple search for “SMTP_” through the dump file resulted in the cleartext credentials.

findstr SMTP_ <dump_file>

findstr-cleartext-password

I wish I could tell you how credentials I have obtained were domain admin’s or how I managed to pwn the whole domain, but sadly that was not the case. I could only send an email as that user.

I hope you find this useful, and next time don’t forget to check your target’s antivirus configuration.

The end!