This guide shows how the HiveNightmare vulnerability, tracked as CVE-2021-36934, is exploited: it lets a non-privileged user read the password hashes from the SAM hive on Windows. I will be using a Windows 10 device with a low-privilege user and Windows Defender turned on, and Kali to extract the hashes from the SAM file.
The Explanation
Windows stores its registry data in a small number of proprietary database files, known in Microsoft jargon as hives or hive files, in c:\windows\system32\config.
These hive files include a trio called SAM, SECURITY and SYSTEM, which between them hold secret data, including password hashes and security tokens, that regular users are not supposed to be able to access.
Regular users have read rights on the files in this directory. This means we can copy the files needed to read the hashes to a directory that we can read and write to. Once the SAM, SYSTEM and SECURITY files have been acquired, we can read the hashes from the SAM file. Once you have the hashes you can either use them for pass-the-hash or crack them with hashcat to get the password. The SAM registry data (and the SECURITY and SYSTEM hive files, too) are protected at runtime against access by regular users because the files are in use elsewhere, not because the files are off-limits to regular users from the outset. We cannot access the files directly and need to look in the shadow copies to copy them to another directory.
If you want to know more, take a look at this website; it explains it very well.
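The two conditions described above (a hive ACL that grants BUILTIN\Users read access, and at least one shadow copy to read the locked file from) can be audited without changing anything. The following PowerShell is an added example, not code from the original post or from the HiveNightmare repository; the function names are my own, and it assumes that enumerating Win32_ShadowCopy needs an elevated prompt, so a refused query is reported as unknown rather than as zero.

```powershell
# Added example, not from the original post or the HiveNightmare repository.
# Read-only audit of the two preconditions described above; it changes nothing.
# Function names are my own. Assumption: enumerating Win32_ShadowCopy needs an
# elevated prompt, so a failed query is reported as "unknown" rather than as 0.

$hivePaths = 'SAM', 'SECURITY', 'SYSTEM' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\config\$_" }

function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # Reading the DACL needs only READ_CONTROL, which the lock on the live
        # hive does not block. On a patched system Users have no ACE at all, so a
        # non-admin caller gets access denied here; treat any error as "not readable".
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        return $false
    }
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            (($ace.FileSystemRights -band $readData) -eq $readData)) {
            # This is the inherited (RX) entry the post's mitigation script looks for.
            return $true
        }
    }
    return $false
}

function Get-ShadowCopyCount {
    try {
        return @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop).Count
    } catch {
        return $null   # query refused, typically because the prompt is not elevated
    }
}

function Get-HiveNightmareExposure {
    $readable = @($hivePaths | Where-Object { Test-HiveReadableByUsers -Path $_ })
    $shadows  = Get-ShadowCopyCount
    $shadowText = if ($null -eq $shadows) { 'unknown (run elevated)' } else { $shadows }
    # Only the combination is exploitable: a readable hive ACL plus a snapshot to read it from.
    $exposed = if ($null -eq $shadows) { 'unknown' } else { ($readable.Count -gt 0) -and ($shadows -gt 0) }
    [pscustomobject]@{
        HivesReadableByUsers = $readable
        ShadowCopyCount      = $shadowText
        Exposed              = $exposed
    }
}

Get-HiveNightmareExposure | Format-List
```

Run it from a normal prompt to see what a standard user can learn about the hive ACLs, and from an elevated prompt to get the shadow-copy count as well; a result of Exposed = True means both conditions hold and the mitigation in the last section applies.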
The Preparation
In order for this to work, we need a Windows 10 machine with at least one shadow copy. To turn on shadow copies:
- Open File Explorer
- Right-click on This PC and select Properties
- Click on Advanced system settings
- Select the System Protection tab
- Click on Configure, select Turn on system protection and click OK
- Click on Create to create a shadow copy now
To check whether there is a shadow copy, open an admin command prompt and type the following:
vssadmin list shadows
The Exploit: HiveNightmare
Turn off Windows Defender real-time protection so you can download the files needed for this exploit. You can turn it back on later.
Go to this GitHub repository, download all the files and unpack them in a directory on your system.
The .exe release file in this GitHub repository is already flagged as a virus by Windows Defender. We need to build our own from the files in this repository in order to bypass Defender. Install Visual Studio Community 2019 -> Visual Studio Community 2019 – Free IDE and Developer Tools (microsoft.com) and make sure you install all of the Windows ADK. Here is a brief explanation of how I installed it.
Open the project solution with Visual Studio 2019.
Once loaded, build the project.
Once the build is finished you will find the executable in the same directory as the .sln file you loaded.
Open a cmd prompt as a normal user, navigate to this directory and run HiveNightmare.exe.
Copy the resulting files to your Kali machine and use Impacket to see the hashes:
python3 /opt/impacket/examples/secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
Now you can crack these hashes with hashcat or John the Ripper.
The Mitigation
The same GitHub repository also contains a mitigation.ps1. Here is the code. This script checks whether you are vulnerable and, if so, fixes the issue. You need to run it with admin rights.
# Fix HiveNightmare ACLs and snapshots
# v1.0
# Originally by unknown and adapted by @doctormay6 and @GossiTheDog
# Schedule to run as SYSTEM in a deployment tool, test locally first
# Do not run on Windows Server in case you use VSS for backups

# change permissions and delete shadows
$checkPermissions = icacls c:\Windows\System32\config\sam
if ($checkPermissions -like '*BUILTIN\Users:(I)(RX*)*') {
    icacls c:\windows\system32\config\*.* /inheritance:e
    vssadmin delete shadows /quiet /all
    $vulnerable = $true
}
else {
    $vulnerable = $false
}

# check permissions
if ($vulnerable -eq $true) {
    $checkPermissions = icacls C:\windows\system32\config\sam
    if ($checkPermissions -like '*BUILTIN\Users:(I)(RX*)*') {
        $permissionsSucces = $false
        Write-Host "ACL change failed. Check permissions running script, e.g. run as SYSTEM."
    }
    else {
        $permissionsSucces = $true
        Write-Host "Successfully reset permission inheritance on affected files."
    }
}

# check shadow
if ($vulnerable -eq $true) {
    $checkShadow = Get-WmiObject Win32_ShadowStorage -Property UsedSpace | Select-Object -ExpandProperty UsedSpace
    if (0 -eq $checkShadow) {
        $shadowSucces = $true
        Write-Host "Successfully deleted old volume shadow copies."
    }
    else {
        $shadowSucces = $false
        Write-Host "Shadow deletion failed. Security software may be blocking this action or check running permissions."
    }
}

# check if fixed logic
if ($vulnerable -eq $true) {
    if ($permissionsSucces -eq $true -and $shadowSucces -eq $true) {
        $fixed = $true
    }
    else {
        $fixed = $false
    }
}
else {
    $fixed = 'Not applicable'
}

# create new shadow
if ($vulnerable -eq $true -and $shadowSucces -eq $true -and $permissionsSucces -eq $true) {
    wmic shadowcopy call create Volume='C:\'
    Write-Host ""
}

# output data
Write-Host "vulnerable: $vulnerable"
Write-Host "Fixed: $fixed"
The output should look something like this: