HiveJack is a tool that can be used during internal penetration testing to dump Windows credentials from an already-compromised host. It allows one to dump SYSTEM, SECURITY and SAM registry hives and once copied to the attacker machines provides an option to delete these files to clear the trace.
Often, this is a repetitive process, once an attacker gets system-level access on the compromised host dumping hives values is the next step. Time is very valuable when it comes to internal penetration testing. HiveJack will save you plenty of time when it comes to dumping and deleting the files. You’ll never have to remember the command to perform the actions.
Files dumped in the c:\temp\ folder of the compromised host:
Files are successfully deleted from the compromised host upon clicking on the Delete Hives button:
Any suggestions or ideas for this tool are welcome – just tweet me on @ManiarViral
A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.
Also Read – Top 3 Open-Source Software Security Concerns and How to Mitigate Them
Registry files have the following two formats:
HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE\SAM, HKEY_LOCAL_MACHINE\Security, and HKEY_USERS.DEFAULT; all other hives use the latest format.
During an internal penetration test, the attacker often wants to perform a lateral movement from one host to the other. To move from one host to the other attacker often requires account credentials. Using HiveJack attacker would be able to gather credentials via system hives.
HiveJack is useful once the attacker has successfully gained local admin or system privileges on one of the compromised hosts. To further gain access within the network attacker can use registry hives. Dumping these hives would allow an attacker to capture system users’ password hashes.
Upon dumping the registry hives and pulling it on the attacking box one can use a tool such as secretsdump available here: https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
Once the password hashes are obtained it opens the doors to a variety of attacks such as pass-the-hash, spraying or password cracking to perform a lateral movement within the network.
When hive files are copied to the attacking machine it is a good practice to delete the files from the temp folder to avoid leaking of sensitive files or cleaning the traces.
Quick Tip
It is a good practice to check the C:\Windows\repair\ location to obtain the SAM and SYSTEM files to avoid detection from EDR solutions. However, this directory contains outdated copies of the original C:\Windows\System32\config\ files so it might not reflect the current users’ credentials. However, if the passwords are cracked it may be useful to know any password patterns such as Winter2020 or Summer2020
How do I use this?
Note: Please make sure you have a temp folder in the ‘C:’ Drive of the compromised host before dumping the registry hives.
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…