I came across a McAfee EPO server not long ago and found during an on-host review that it stores the SQL database connection details and encrypted password in a file within the EPO directory, “/conf/orion/db.properties”. The password is encrypted with a statically known key that is used on all EPO deployments of a similar version.
The good news is that there is already a Metasploit module, for which someone has kindly gone to the effort of extracting the encryption key.
The problem that I encountered was that, for me, it was not fit for purpose: I needed to decrypt the credentials in the file, but the module is a post module and required a session to extract the file. It was not possible to gain a session due to the nature of the test, and therefore I rewrote the module into an auxiliary module that takes the file from the local file system and then runs it through the same decryption mechanism.
I hope the following code is of use to someone else who may find themselves in a similar scenario: epo-doug