Microsoft has had yet another serious vulnerability disclosed in 2021, this time by security researcher @jonasLyk, who found the zero-day while poking around the upcoming Windows 11 (Microsoft's next release, due late this year). If you have been following Twitter and LinkedIn you will probably have seen two other Windows vulnerabilities doing the rounds recently, commonly known as ZeroLogon and PrintNightmare (CVE-2020-1472 and CVE-2021-34527 respectively).
Unfortunately, Microsoft's nightmares did not end there. On July 20th, @jonasLyk published his findings from Windows 11 and later confirmed that the same issue is present on all supported versions of Windows 10 (the permissive file permissions were introduced with version 1809). The permissions are wrong whether or not "System Protection" is enabled; what makes the bug exploitable in practice is the presence of a Volume Shadow Copy, which System Protection creates, and that is enabled on most machines. The zero-day was assigned CVE-2021-36934 on July 21st and is now widely known as "SeriousSAM" or "HiveNightmare".
The nightmare continues! If you are familiar with Windows environments and have worked in IT, you can probably guess what is exposed. For those who are not: it is the SAM, SYSTEM and SECURITY registry hives. SAM holds the password hashes of the local accounts, SYSTEM holds the boot key needed to decrypt them, and SECURITY holds LSA secrets and cached domain credentials. Being able to read these files opens many doors: cracking the NTLM hashes offline and spraying the results across the network, or skipping cracking altogether and passing the local Administrator's hash to psexec to log in to the target machine. It does not stop there. Any non-privileged account is enough: a regular domain or local user who belongs to the "Users" group, or to no group at all, can carry out the attack and potentially pivot from there to a takeover of the whole domain. The permissive permissions have been in place for years and were only noticed now.
Going into the specifics
To summarise the specifics: the BUILTIN\Users group has read and execute access to the hive files under C:\Windows\System32\config, a directory that is supposed to be tightly locked down and out of reach of ordinary users. The permissions alone are not enough to read the hives, though. While Windows is running the kernel keeps the live SAM, SYSTEM and SECURITY files open exclusively, so even an Administrator cannot copy them off the disk.
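To see both facts on your own machine, here is a small PowerShell check. It is an added example, not code from the original post or from the HiveNightmare project; it assumes a standard Windows 10 layout with the hives under $env:SystemRoot\System32\config and runs from a non-admin prompt.

```powershell
# Added example: show (1) the ACL entry that grants BUILTIN\Users read access to the hive
# files and (2) that the live files still cannot be read because the kernel holds them open.
# Assumes a default Windows 10 install; run as any user, admin or not.
$config = Join-Path $env:SystemRoot 'System32\config'

foreach ($name in 'SAM', 'SYSTEM', 'SECURITY') {
    $hive = Join-Path $config $name

    # Reading the DACL needs only READ_CONTROL, so it works even though the file is locked.
    $usersAce = (Get-Acl -Path $hive).Access |
        Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' }
    if ($usersAce) {
        "$name : BUILTIN\Users has $($usersAce.FileSystemRights) (inherited: $($usersAce.IsInherited))  <-- CVE-2021-36934"
    } else {
        "$name : no BUILTIN\Users entry, ACL looks fixed"
    }

    # Now try to open the file for data. The ACL allows it, but the kernel has the hive
    # open without sharing, so the open fails with a sharing violation even as Administrator.
    try {
        $fs = [System.IO.File]::Open($hive, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
        $fs.Dispose()
        "$name : readable on disk (not expected while Windows is running)"
    } catch [System.UnauthorizedAccessException] {
        "$name : access denied, the ACL does not grant this user read"
    } catch [System.IO.IOException] {
        "$name : locked by the kernel ($($_.Exception.Message.Trim()))"
    }
}
```

On an unpatched machine the first message for each hive names BUILTIN\Users with ReadAndExecute rights, and the second reports the sharing violation; that combination is exactly the state the rest of this post exploits.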
SeriousSAM gets around the lock by reading the hives from a Volume Shadow Copy instead. System Restore points are implemented as shadow copies, point-in-time snapshots of the whole volume, so every restore point contains a copy of the SAM, SYSTEM and SECURITY files that is neither locked nor protected by a stricter ACL than the live files. I said above that System Protection must be enabled for these shadow copies to exist, but that is not the whole story: Windows feature upgrades and many installers create a restore point on their own so that a change can be rolled back, and backup software creates shadow copies as well. An administrator can list the shadow copies present on a machine by issuing the following command at an elevated command prompt (the command needs admin rights, which is why the attack simply guesses the shadow copy number instead):
vssadmin list shadows
That is all there is to SeriousSAM, or HiveNightmare, and it is shockingly easy to carry out. At the time of writing there is NO patch: MSRC has published a temporary workaround (restrict access to the contents of %windir%\system32\config and delete existing shadow copies and restore points) and says an update is being worked on. Microsoft rates the vulnerability CVSS 7.8.
Let's walk through reproducing this in your own virtualised lab at home. You will need:
- HiveNightmare.exe (https://github.com/GossiTheDog/HiveNightmare/releases/tag/0.6)
- Windows 10 (version 1809 or later, unpatched)
- System Protection enabled, so that at least one Volume Shadow Copy (restore point) exists
- A non-administrator account
- OPTIONAL: Kali Linux with impacket to extract the hashes
Step 1: Press the Windows key, type 'About PC' and open it. On the right-hand side you will see 'System Protection'; click it and enter your administrator password if prompted. The System Properties dialog opens on the System Protection tab.
Click 'Configure', turn system protection on, then set the disk space usage underneath (I gave it 7%). Hit 'Apply' followed by 'OK'. Finally click 'Create', enter any name in the text box, confirm, then Apply and OK. This creates a restore point, which is the Volume Shadow Copy the attack reads from.
Step 2: Log in as a non-administrator user. I created a temporary account called "tester" that belongs only to the Users group. Download HiveNightmare.exe from the link above (you may need to use Internet Explorer and turn off real-time protection, since it will otherwise quarantine the binary).
Step 3: From the tester account, simply run the executable. It searches the shadow copies for readable copies of the SAM, SYSTEM and SECURITY hives and writes them to the current working directory:
Step 4 (OPTIONAL):
Copy the three hive files over to Kali and run impacket's secretsdump.py against them to extract the local password hashes stored in the stolen hives:
As easy as that!
From an attacker's or penetration tester's perspective, we can now crack these NTLM hashes offline and use a tool like CrackMapExec to spray the credentials across the network and see which other computers they work on. A user who has low privileges on one device is often a local administrator elsewhere, and CrackMapExec is excellent for finding those pivot points. We can also take the captured local Administrator hash and pass-the-hash with psexec to get an administrative shell, no cracking required, on any host where the same local password is in use.
For Microsoft's official response and the temporary mitigations (restricting access to the contents of %windir%\system32\config and deleting the shadow copies and restore points that already exist), see: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
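The two mitigations can be applied and checked from an elevated PowerShell prompt with the script below. It is an added example, not code from the original post or from MSRC: the icacls command is the one Microsoft's guidance gives, while deleting the shadow copies with vssadmin and the verification loop are my additions. Deleting shadow copies removes every restore point, so make sure you do not need them first.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the MSRC workaround for CVE-2021-36934 and verify it.
$config = Join-Path $env:SystemRoot 'System32\config'

# 1. Microsoft's own command: re-enable ACL inheritance on the hive files so they pick up
#    the config directory's permissions again instead of the entry that lets Users read them.
icacls "$config\*.*" /inheritance:e | Out-Null

# 2. Existing shadow copies still contain hives with the old ACL, so remove them all.
#    (This deletes System Restore points too; create a new one afterwards if you want one.)
vssadmin delete shadows /all /quiet | Out-Null

# 3. Verify: no BUILTIN\Users entry should remain on the live hives. Any restore point
#    created from now on will snapshot files with the corrected ACL.
foreach ($name in 'SAM', 'SYSTEM', 'SECURITY') {
    $usersAce = (Get-Acl -Path (Join-Path $config $name)).Access |
        Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' }
    if ($usersAce) {
        Write-Warning "$name is still readable by BUILTIN\Users ($($usersAce.FileSystemRights))"
    } else {
        "$name : BUILTIN\Users entry removed"
    }
}
```

Re-run the non-admin check from the "Going into the specifics" section afterwards: the open attempt should now fail with access denied rather than a sharing violation, and the hive copy loop should find no readable snapshot until a new restore point is created, at which point the snapshot's files carry the fixed ACL.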