Validating the key in use on an endpoint

  • 9 May 2020

I made a relatively big discovery today, and would like to share.  It may greatly help those developing their own API scripts.

For some time support has said that there is no way to determine the key in use on a particular system systematically.  The only information available is the HPL Key value in the registry at “HKLM:\SOFTWARE\Wow6432Node\WRData\HPL” and this is an encrypted value for the key, so it isn’t possible to determine the key in use, although it would be the same value for all endpoints in a site.

I discovered that this isn’t entirely true. The HPL registry key is an MD5 hash of the site key (without dashes). So while you can’t determine the site key from the MD5 hash, you can verify the MD5 hash if you have the site key.

Since querying endpoint information via the API requires the Site ID as well, it was not possible previously to systematically determine the site ID required without using and providing a site name match. Name matches can be unreliable.

The use of the HPL registry key and MD5 hash of the site key makes it possible to directly determine the site ID for a particular endpoint without knowing it. In the site information obtained from the API, AccountKeyCode stores the site key (without dashes). This means you can iterate through the site list until you find an MD5 hash of AccountKeyCode that matches the HPL key in the registry to systematically determine the correct site by only using information available to the endpoint.

This is probably only of use to those that want to write API scripts that run on endpoints with use of an RMM, but it’s a new tool that wasn’t available previously.

--------------------------------------

Here is a sample PowerShell script that you can run on an endpoint from your RMM to see if the key in use matches the one you provide to the script. Just make sure to edit the line “$WebrootKey = $env:SiteKey” to work with your RMM to supply the keycode value to the script.

# Quick script to determine if the provided key matches the key in use on the system.
# Webroot saves the MD5 hash of the key to the HPL key in the registry.
# We can't determine the site key from the registry MD5, but if provided a key, we can see if it matches the one Webroot is currently using.

$WebrootKey = $env:SiteKey
# Stop early if the RMM did not supply a key; calling .ToUpper() on an empty value would throw.
if ([string]::IsNullOrEmpty($WebrootKey)) {
    Write-Host "ERROR: No site key was provided to the script."
    exit 1
}
# Strip out any dashes in the site key before generating the MD5. Also make sure the key is in all upper case.
$WebrootKey = $WebrootKey.ToUpper() -replace '-', ''
$md5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
$utf8 = New-Object -TypeName System.Text.UTF8Encoding
$hash = [System.BitConverter]::ToString($md5.ComputeHash($utf8.GetBytes($WebrootKey)))
$hash = $hash -replace '-', ''

# [IntPtr]::Size is 8 when this PowerShell process is 64-bit.
function Test-Win64() {
    return [IntPtr]::Size -eq 8
}

# Set the registry location to check depending on if the machine is running 64bit or 32bit Windows.
if (Test-Win64) {
    $HPLKey = "HKLM:\SOFTWARE\Wow6432Node\WRData"
}
else {
    $HPLKey = "HKLM:\SOFTWARE\WRData"
}

$HPL = (Get-ItemProperty -Path $HPLKey).HPL

# Compare the generated hash with the existing HPL key in the registry. If they match, Webroot is using the key provided to the script.
if ($hash -eq $HPL) {
    Write-Host "INFO: Webroot key on device matches provided key."
}
else {
    Write-Host "WARNING: Webroot key on device does not match provided key."
}
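
The site lookup described in the post (hash each AccountKeyCode in the site list and compare it with HPL), as an added example that is not part of the original post or Webroot's own code. The site list, the keycodes and the property names SiteId and SiteName are constructed assumptions; only AccountKeyCode and the HPL value come from the post.

```powershell
# Added example. The site list and HPL value below are constructed sample data.
# SiteId and SiteName are assumed property names; AccountKeyCode is the field named in the post.

function Get-KeyMd5 {
    param([Parameter(Mandatory)][string]$KeyCode)
    # Normalise as the post describes: dashes removed, upper case.
    $normalized = $KeyCode.ToUpper() -replace '-', ''
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($normalized)
        [System.BitConverter]::ToString($md5.ComputeHash($bytes)) -replace '-', ''
    }
    finally { $md5.Dispose() }
}

function Find-SiteByHpl {
    param(
        [Parameter(Mandatory)][object[]]$Sites,
        [Parameter(Mandatory)][string]$Hpl
    )
    # -eq on strings is case-insensitive, so hex case differences do not matter.
    # Sites with an empty AccountKeyCode are skipped instead of being hashed.
    @($Sites | Where-Object { $_.AccountKeyCode -and (Get-KeyMd5 $_.AccountKeyCode) -eq $Hpl.Trim() })
}

# Constructed stand-in for the site list returned by the API.
$sites = @(
    [pscustomobject]@{ SiteId = 'site-0001'; SiteName = 'Example A'; AccountKeyCode = 'AAAA1111BBBB2222CCCC' }
    [pscustomobject]@{ SiteId = 'site-0002'; SiteName = 'Example B'; AccountKeyCode = 'DDDD3333EEEE4444FFFF' }
)

# Stand-in for the registry read; on an endpoint use (Get-ItemProperty -Path $HPLKey).HPL instead.
$hpl = Get-KeyMd5 'DDDD-3333-EEEE-4444-FFFF'

$hits = @(Find-SiteByHpl -Sites $sites -Hpl $hpl)
switch ($hits.Count) {
    0       { Write-Host 'WARNING: no site in the list matches the HPL value on this device.' }
    1       { Write-Host "INFO: device belongs to site $($hits[0].SiteId) ($($hits[0].SiteName))." }
    default { Write-Host "WARNING: $($hits.Count) sites share this keycode; cannot pick one." }
}
```

With the sample data this reports site-0002; zero or multiple matches are reported separately so a script does not query the API with the wrong site ID.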

 

