HiveJack

This tool can be used during internal penetration testing to dump Windows credentials from an already-compromised host. It allows one to dump SYSTEM, SECURITY and SAM registry hives and once copied to the attacker machines provides an option to delete these files to clear the trace.

Often this is a repetitive process: once an attacker gets system-level access on a compromised host, dumping the hives is the next step. Time is very valuable during an internal penetration test. HiveJack saves plenty of time when dumping and deleting the files, and you will never have to remember the commands to perform these actions. ;)


[Screenshot] Files dumped in the c:\temp\ folder of the compromised host.

[Screenshot] Files are successfully deleted from the compromised host upon clicking the Delete Hives button.

Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

Registry files have the following two formats:

  • Standard format: Supported from Windows 2000, and also supported in later versions of Windows for backward compatibility
  • Latest format: Supported starting with Windows XP

The following hives use the standard format: HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE\SAM, HKEY_LOCAL_MACHINE\Security, and HKEY_USERS\.DEFAULT; all other hives use the latest format.

During an internal penetration test, the attacker often wants to move laterally from one host to another. Moving between hosts usually requires account credentials, and HiveJack lets the attacker gather those credentials from the system hives.

HiveJack is useful once the attacker has gained local admin or SYSTEM privileges on one of the compromised hosts. To gain further access within the network, the attacker can use the registry hives: dumping them allows an attacker to capture the password hashes of the system's users.

After dumping the registry hives and pulling them back to the attacking box, one can use a tool such as secretsdump, available here: https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py


Once the password hashes are obtained, this opens the door to a variety of attacks such as pass-the-hash, password spraying or password cracking, enabling lateral movement within the network.

Once the hive files have been copied to the attacking machine, it is good practice to delete them from the temp folder, both to avoid leaking sensitive files and to clean up traces.

Quick Tip

It is good practice to check the C:\Windows\repair\ location to obtain the SAM and SYSTEM files to avoid detection by EDR solutions. However, this directory contains outdated copies of the original C:\Windows\System32\config\ files, so it might not reflect the current users' credentials. Even so, if those passwords are cracked, they may reveal password patterns such as Winter2020 or Summer2020.
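As an added example (not part of HiveJack or this README), the following Python parses the 512-byte base block at the start of a registry hive file, so that an analyst triaging a staging folder such as c:\temp\ or the outdated copies under C:\Windows\repair\ can confirm which hive a file is, whether it uses the standard or the latest format, when it was last written, and whether its header checksum is intact. The mapping of minor version 3 to the standard format and 5 to the latest format, and the sample block builder used for testing, are assumptions of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

HIVE_SIGNATURE = b"regf"   # every registry hive file starts with this
BASE_BLOCK_SIZE = 512
# Assumption (not from the page): minor version 3 is the "standard" format
# used by the SAM/SECURITY/NTUSER hives, minor version 5 is the "latest" one.
FORMAT_NAMES = {3: "standard", 4: "standard", 5: "latest", 6: "latest"}

def base_block_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs at offsets 0..507; the two reserved values are remapped."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(csum, csum)

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_hive_header(block: bytes):
    """Describe the first 512 bytes of a file, or return None if it is not a hive."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != HIVE_SIGNATURE:
        return None
    seq1, seq2, written, major, minor, ftype = struct.unpack_from("<IIQIII", block, 4)
    (stored_csum,) = struct.unpack_from("<I", block, 508)
    name = block[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "version": f"{major}.{minor}",
        "format": FORMAT_NAMES.get(minor, "unknown"),
        "primary": ftype == 0,                 # 0 = primary file, not a .LOG
        "embedded_name": name,                 # e.g. \SystemRoot\System32\Config\SAM
        "last_written": filetime_to_datetime(written),
        "dirty": seq1 != seq2,                 # last write was not flushed cleanly
        "checksum_ok": stored_csum == base_block_checksum(block),
    }

def make_sample_hive_block(embedded_name: str, minor: int = 3, filetime: int = 0) -> bytes:
    """Constructed test block (header only, not a real hive dump)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = HIVE_SIGNATURE
    struct.pack_into("<IIQIII", block, 4, 7, 7, filetime, 1, minor, 0)  # clean, primary
    name = embedded_name.encode("utf-16-le")[:64]     # the name field is 64 bytes wide
    block[48:48 + len(name)] = name
    struct.pack_into("<I", block, 508, base_block_checksum(bytes(block)))
    return bytes(block)
```

To triage real files, read the first 512 bytes of each file in the folder and pass them to parse_hive_header; a hive copy whose embedded name points at System32\Config but which sits in c:\temp\ is the artifact this tool leaves behind.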

How do I use this?

Method 1:
Download HiveJack.exe from the release section (https://github.com/Viralmaniar/HiveJack/releases/download/v1.0/HiveJack.exe) and run it on the compromised host. The hives will be stored in the c:\temp\ folder.

Method 2:
Open the solution using Visual Studio and look at the code to build the solution.

Note: Please make sure you have a temp folder in the 'C:' Drive of the compromised host before dumping the registry hives.

Questions?

Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar

Contribution & License

MIT License

Copyright (c) 2020 Viral Maniar

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral @PreemptiveCyber
