
Introduction

CVE-2021-36934, often referred to as SeriousSAM or the HiveNightmare vulnerability, was first discovered by Jonas Lykkegaard in July 2021. Because of an ACL misconfiguration in Windows 10 post-build 1809 and Windows 11, non-admin users are granted read access to the trio of SAM, SYSTEM and SECURITY files under the %windir%\system32\config directory. For this to be exploitable, however, system protection must be turned on and a volume shadow copy must have been created. The name "HiveNightmare" is derived from the common term "hives", which refers to the files in which registry data is stored.

Table of Contents

  • System protection and creating restore points
  • Exploitation Method 1: HiveNightmare.exe (C++ exploit)
  • Exploitation Method 2: serioussam.ps1 (PowerShell exploit)
  • Exploitation Method 3: hive.exe (Go exploit)
  • Privilege Escalation
  • Conclusion and Mitigation

System protection and creating restore points

System Protection in Windows: This feature has been available since Windows ME and XP, and allows a user to create backups, snapshots or restore points of their Windows system. Should you need to restore your Windows installation to a previous point in time, you can do so. Microsoft documents which files, settings and configurations are backed up here.

Volume Shadow Copy: Since Windows 7 and Windows Server 2003, VSS (Volume Shadow Copy Service) helps users create consistent backups of their servers, shared folders and restore points on local or remote systems, provided NTFS or ReFS is in use. In our case, volume shadow copy refers to a local restore point created by a user.

To demonstrate the exploitation of this vulnerability, we'll set up our own lab first. After a clean install of Windows 10, we activated the administrator account on the system and set a simple 1234 as its password.

net user administrator /active:yes
net user administrator 1234

Next, we have to turn on system protection. To do this, go to Control Panel -> System and Security -> System -> System Protection and click Configure.

Now, select "Turn on system protection", click Apply and then OK.

When you return to the System Protection menu, you'll notice that the previously grayed-out "Create" button in the restore point settings is now enabled. Click Create to create a restore point now.

Give it any name. I gave a random date as its name.

We're good to go now.

Exploitation Method 1: HiveNightmare.exe (C++ exploit)

To exploit the vulnerability, Kevin Beaumont created a zero-day PoC. This exploit looks for the shadow copy on the system and reads the SAM, SYSTEM and SECURITY hives from it.

The exploit is written in C++ and was created by GossiTheDog. It can be found here. Since the exploit runs locally, we download it onto the system where the restore point was created and run it from an ordinary non-admin user command prompt. As you can see, the prompt clearly informs us that if execution succeeds, three files will be dumped into the same folder. We verify this with the "dir" command, and there they are.

Exploitation Method 2: serioussam.ps1 (PowerShell exploit)

The script created by romarroca can be found here. It is written in PowerShell and is more portable than the exe variant created by Kevin Beaumont. It copies the SAM and SYSTEM hives from the restore point that was created. Execution is straightforward; just run the script like so.

Exploitation Method 3: hive.exe (Go exploit)

Christian Mehlmauer ported the same exploit to Go and created a ready-to-run exe, which can be found here. It dumps the trio into the current directory simply by executing the exe file like so.

Privilege Escalation

So far we have obtained the SAM, SECURITY and SYSTEM hive dumps; now we can use these files to extract the hashes and conduct a pass-the-hash attack. First, we use the Impacket toolkit's secretsdump.py script to dump the hashes. The scenario is that the attacker (us) has successfully obtained the hives from the victim's machine.

To try this, please download the Impacket toolkit here.

Secretsdump is an agentless Python script used to obtain various hashes from different file types, including NTLM hashes from the trio (the default Windows password hash format). It can be downloaded here.

To try this, we copy the three files into the current directory and enter:

python3 secretsdump.py -sam /root/SAM -system /root/SYSTEM -security /root/SECURITY LOCAL

As you can see in the screenshot above, we have obtained the NTLM hash for the administrator account. Obviously, we already knew the password in this case (1234), but normally the attacker would now either crack this hash using John or a similar hash-cracking tool, or conduct a "pass the hash" attack.

Pass the Hash (PtH): In this type of attack, the attacker bypasses the authentication mechanism by presenting the hash of a password rather than the password itself. This weakness is most prevalent in Windows environments. When logging in to a network service in Windows, the backend converts the plain-text string into a hash and compares it with the stored hash in the database (hives); similarly, in a PtH attack, because of an inherent weakness the backend code is fooled when a user supplies the hash instead of the password string, and allows authentication. Refer to the guide here for an in-depth understanding of this attack.

Now, using the hashes obtained in the above step, we conduct a PtH attack with the Impacket toolkit's psexec.py script (found here).

Please note that since Windows 10, Microsoft has changed how NTLM hashing works. LM hashes are no longer used, but the tool we are using dates back to the old NT and LM days. So, here, we will use a string of 32 zeros in place of the LM hash.

PsExec: In Windows, the PsTools are used for various process-related tasks such as listing, logging and monitoring. PsExec is used to execute processes remotely. According to Sysinternals (here), "PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems."

Impacket provides a Python-based PsExec that can be used to remotely open a command-line session using credentials. Here, however, we pass the hash instead:

python3 psexec.py -hashes 00000000000000000000000000000000:7ce21f17c0aee7fb9ceba532d0546ad6 [email protected]

And it has worked its magic!

Conclusion and Mitigation

The ease of exploitation makes this vulnerability a critical risk to any organisation. Microsoft has released security patches for it; in addition, a workaround is to restrict access to the contents of %windir%\system32\config by running the following command in a cmd prompt:

icacls %windir%\system32\config\*.* /inheritance:e

Thank you for reading.

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here
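To check whether a host exhibits the two conditions the post describes (BUILTIN\Users holding read rights on the hive files, and a shadow copy existing for them to be read from), the following audit script can be run in an elevated PowerShell session. It is an added example, not code from the original post or from any of the exploit authors; the Win32_ShadowCopy query and the Get-Acl calls are standard Windows cmdlets, and the remediation line is the icacls command from the post.

```powershell
# Added example: audit a host for the CVE-2021-36934 (HiveNightmare) condition.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11.
$hives = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

# Condition 1: does BUILTIN\Users hold any Allow ACE with ReadData on the live hive files?
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$exposed = foreach ($hive in $hives) {
    $acl = Get-Acl -Path $hive
    $acl.Access |
        Where-Object {
            $_.IdentityReference -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readData) -ne 0)
        } |
        ForEach-Object {
            [PSCustomObject]@{
                File      = $hive
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited   # the bad ACE is normally inherited from config\
            }
        }
}

# Condition 2: do volume shadow copies (restore points) exist on this host?
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($exposed) {
    $exposed | Format-Table -AutoSize
    if ($shadows.Count -gt 0) {
        Write-Warning ("Users can read the hive files and {0} shadow copy(ies) exist: " +
                       "the host is exploitable as described in the post.") -f $shadows.Count
    } else {
        Write-Warning "Hive ACL is permissive; the host becomes exploitable once a restore point is created."
    }
    # Remediation from the post: re-enable ACL inheritance on the config directory contents.
    # Run it only after reviewing the output above.
    #   icacls "$env:windir\System32\config\*.*" /inheritance:e
    # Existing shadow copies still carry the old ACL, so Microsoft's guidance also
    # recommends removing them (e.g. vssadmin delete shadows) after fixing the ACL.
} else {
    Write-Output "No BUILTIN\Users read access on SAM/SYSTEM/SECURITY; hive ACLs look correct."
}
```

Running the script on a patched host should report no BUILTIN\Users entries; on an affected host the Inherited column shows whether the offending ACE comes from the config directory, which is why the icacls /inheritance:e fix works.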

