HiveJack : Internal Penetration Testing To Dump Windows Credentials

HiveJack is a tool that can be used during internal penetration testing to dump Windows credentials from an already-compromised host. It allows one to dump SYSTEM, SECURITY and SAM registry hives and once copied to the attacker machines provides an option to delete these files to clear the trace.

Often, this is a repetitive process, once an attacker gets system-level access on the compromised host dumping hives values is the next step. Time is very valuable when it comes to internal penetration testing. HiveJack will save you plenty of time when it comes to dumping and deleting the files. You’ll never have to remember the command to perform the actions.

Files dumped in the c:\temp\ folder of the compromised host:

Files are successfully deleted from the compromised host upon clicking on the Delete Hives button:

Any suggestions or ideas for this tool are welcome – just tweet me on @ManiarViral

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

Also Read – Top 3 Open-Source Software Security Concerns and How to Mitigate Them

Registry files have the following two formats:

  • Standard format: Supported from Windows 2000, also supported in the later versions of the Windows for backward compatibility
  • Latest format: Supported starting with Windows XP

HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE\SAM, HKEY_LOCAL_MACHINE\Security, and HKEY_USERS.DEFAULT; all other hives use the latest format.

During an internal penetration test, the attacker often wants to perform a lateral movement from one host to the other. To move from one host to the other attacker often requires account credentials. Using HiveJack attacker would be able to gather credentials via system hives.

HiveJack is useful once the attacker has successfully gained local admin or system privileges on one of the compromised hosts. To further gain access within the network attacker can use registry hives. Dumping these hives would allow an attacker to capture system users’ password hashes. 

Upon dumping the registry hives and pulling it on the attacking box one can use a tool such as secretsdump available here:

Once the password hashes are obtained it opens the doors to a variety of attacks such as pass-the-hash, spraying or password cracking to perform a lateral movement within the network.

When hive files are copied to the attacking machine it is a good practice to delete the files from the temp folder to avoid leaking of sensitive files or cleaning the traces.

Quick Tip

It is a good practice to check the C:\Windows\repair\ location to obtain the SAM and SYSTEM files to avoid detection from EDR solutions. However, this directory contains outdated copies of the original C:\Windows\System32\config\ files so it might not reflect the current users’ credentials. However, if the passwords are cracked it may be useful to know any password patterns such as Winter2020 or Summer2020

How do I use this?

Note: Please make sure you have a temp folder in the ‘C:’ Drive of the compromised host before dumping the registry hives.