OVERVIEW
Exploiting the most legitimate services of the Microsoft operating system has become more common nowadays. In the past few months we have seen more severe vulnerabilities, such as PrintNightmare, which still has not been fully resolved.
Last Monday, a security researcher named Jonas L reported that the Security Account Manager (SAM) file on Windows 10 and 11 systems was read-enabled for all local users. This gives any local user access from which to extract more sensitive information.
HIVE-NIGHTMARE [CVE-2021-36934]
A local, authorized user can successfully extract sensitive information such as:
- account password hashes;
- the original Windows installation password;
- Data Protection Application Programming Interface (DPAPI) computer keys, which can be used to decrypt all of the computer's private keys;
- the computer's machine account, which can be used in a Kerberos Silver Ticket attack.
The above shows that the attacker can easily achieve RCE as a high-privileged account.
Pre-requisites:
A system with at least one shadow copy (a shadow copy is a snapshot of a volume that duplicates all of the data held on that volume at one well-defined instant in time; it is created by the Volume Shadow Copy Service, VSS), with the relevant security configuration (System Protection) in an enabled state.
Tools:
- HiveNightmare: a zero-day exploit for HiveNightmare, which allows you to retrieve all registry hives on Windows 10 as a non-administrator user. For example, this includes the hashes in SAM, which can be used to execute code as SYSTEM.
- Impacket: a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and, for some protocols (e.g. SMB1-3 and MSRPC), the protocol implementation itself. Packets can be constructed from scratch as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
Exploiting
Initially, the attack worked on various Windows environments; to date there are no official patches.
- The attack begins with a compromised or less-privileged account.
- Using the HiveNightmare tool, the attacker can easily extract sensitive data such as the SAM, SYSTEM and SECURITY hive files.
- Execute the following executable via PowerShell.
- Before executing HiveNightmare.exe the system must meet some pre-requirements, listed below:
- System Protection must be in an enabled state.
- The system must have at least one shadow copy.
- After successful execution it automatically generates copies of the SAM, SYSTEM and SECURITY hives.
.\HiveNightmare.exe
After extracting the SAM file we can use Impacket's secretsdump.py to dump the hashes.
Prevention/Recommendations
- Microsoft recommends restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.
- Restrict access to the contents of %windir%\system32\config.
- Open Command Prompt or Windows PowerShell as an administrator and run this command: icacls %windir%\system32\config\*.* /inheritance:e
- Delete the Volume Shadow Copy Service (VSS) shadow copies.
- Delete any System Restore points and shadow volumes that existed before access to %windir%\system32\config was restricted (shadow copies taken earlier still carry the old, readable ACLs).
- Create a new System Restore point (if desired).
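The following PowerShell script is an added example, not code from the original post or from Microsoft: it audits a host for the two conditions this issue needs (hive ACLs that grant BUILTIN\Users read access, and at least one VSS shadow copy) and, with the -Remediate switch defined here, applies the workaround steps listed above. It assumes an elevated PowerShell 5.1 or later session; the function names and the switch name are this example's own.

```powershell
# Added example (not from the original post): audit a host for CVE-2021-36934
# exposure and optionally apply Microsoft's published workaround.
# Assumes an elevated PowerShell session; -Remediate is a switch defined here.
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY'

# True if an ACE grants BUILTIN\Users (well-known SID S-1-5-32-545) read access to the file.
# A vulnerable host shows BUILTIN\Users:(I)(RX) on these hives in icacls output.
function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)
    $users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference -eq $users -and
            $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0) {
            return $true
        }
    }
    return $false
}

# The live hives are locked by the OS; shadow copies are what make the weak ACL readable.
function Get-ShadowCopyCount {
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop).Count
}

$exposed = @($hives | Where-Object { Test-HiveReadableByUsers -Path (Join-Path $configDir $_) })
$shadows = Get-ShadowCopyCount

foreach ($h in $hives) {
    $state = if ($exposed -contains $h) { 'READABLE by BUILTIN\Users' } else { 'ok' }
    Write-Host ("{0,-9} {1}" -f $h, $state)
}
Write-Host "Shadow copies present: $shadows"

if ($exposed.Count -gt 0 -and $shadows -gt 0) {
    Write-Warning 'Host meets both CVE-2021-36934 conditions (readable hive ACL + shadow copy).'
} else {
    Write-Host 'Host is not exposed by this check.'
}

if ($Remediate) {
    # Workaround step 1: re-enable ACL inheritance on the config directory contents,
    # which removes the over-permissive Users read entry on the hives.
    & icacls.exe "$configDir\*.*" /inheritance:e
    # Workaround step 2: delete existing shadow copies; they still hold the old ACLs.
    # This also removes System Restore points, so create a fresh one afterwards if desired.
    & vssadmin.exe delete shadows /for=$env:SystemDrive /Quiet
}
```

Run it without arguments first to see the per-hive ACL state and the shadow copy count; only add -Remediate once you have accepted that existing restore points will be lost. The ACL check tests the ReadData bit rather than string-matching icacls output, so it also catches non-default ACEs that grant Users read access under a different rights combination.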