SCCMHunter
SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain. The basic function of the tool is to query LDAP with the find module for potential SCCM related assets. This is achieved through ACL recon of objects created during the deployment process when extending the AD schema, as well as by performing queries for the keywords "SCCM" or "MECM". This list of targets is then profiled with the SMB module by checking the remarks for default shares required by assets configured with certain SCCM roles. Additionally, the module checks if the MSSQL service is running and if SMB signing is enforced on the endpoint. All of this helps paint a picture for potential attack paths in the environment. Once profiling is complete, the operator can target abusing client enrollment with the HTTP (@_xpn_) module accounts or use the MSSQL (@_mayyhem) module to grab the necessary syntax for complete site server takeover. If a site server takeover is successful, the admin module is available for post exploitation.
This tool was developed and tested in a lab environment. Your mileage may vary on performance. If you run into any problems please don't hesitate to open an issue.
Table of Contents
Installation
git clone https://github.com/garrettfoster13/sccmhunter.git
cd sccmhunter
pip3 install -r requirements.txt
python3 sccmhunter.py
Help
Modules
Find
The find module queries LDAP for default ACLs created during extension of the AD schema during deployment. During installation, under the "System" container, the "System Management" container is created and the site server machine account is granted GenericAll permissions on the container object. Additionally, when configuring a server with the "Management Point" (MP) role in SCCM, the site server publishes this information in the "System Management" container in a mSSMSManagementPoint class object. The MP's dNSHostName attribute is stored here and is how clients will resolve available management points from AD. The last step is to simply query AD for acronyms related to SCCM or MECM based on administrators tendency use descriptive labels for related users, groups, and systems. All potential site server hostnames are logged for use with the SMB and Http modules.
Here's an example of the results following running the find module:
SMB
The SMB module takes the results from Find and enumerates the remote hosts SMB shares, SMB signing status, and checks if the server is running MSSQL. During setup of particular roles in SCCM, such as the MP or distribution point (DP) roles, the remarks for default file shares disclose what the particular server's role is. This is useful due to requirements during deployment for the site server machine account to have local administrator rights for servers configured with the MP, DP, and SQL database roles and are vulnerable to relay attacks if SMB signing is disabled or not required. Through this profiling the operator can streamline the process of identifying this condition. Additionally, the SMB module checks for the existence of the "REMINST" file share found on DPs that indicate the use of PXEBoot. If found, this share is spidered for the presence of media variables files which can be leveraged to potentially obtain, sometimes privileged, domain users credentials as detailed by Christopher Panayi here.
Here's an example of the results following running the smb module:
HTTP
The HTTP module also takes the results from Find and enumerates the remote hosts for SCCM enrollment web services. If found, the module leverages Adam Chester's sccmwtf.py script to spoof client enrollment with provided machine account credentials or with the -auto flag attempts to create a new machine. More info on this attack can be found at Adam's blog here
Here's an example of the results following running the http module with the -auto flag:
MSSQL
The MSSQL module accepts arguments to provide the correct MSSQL query syntax to abuse the site server takeover attack discovered and detailed by Chris Thompson here. The hex-formatted SID of the user being granted "Full Administrator" permissions is queried and provided in the terminal. Once the first round of queries are complete, the operator is prompted to provide the minted administrator account’s AdminID and the second round of queries printed to the terminal.
Here's an example of the results following running the mssql module:
Admin
The Admin module is a post site server takeover module intended to run post exploitation commands through the AdminService API. The module stores recovered users, devices, collections and device relationship data in a local SQLite database. Additional commands available include situation awareness commands to enumerate information on endpoints as well as performing arbitrary script execution on devices. All of my testing was performed in a controlled lab environment so your mileage may vary. If you run into any issues please open and issue and provide as much information as possible to explain the issue.
Here is an example of running the ipconfig situational awareness command.
Show
The show module is intended simply to present the stored CSVs generated during running the find and smb modules. They make for good screenshots :)
Here is an example of the show module showing users and groups related to SCCM:
References
Thanks to the below for all their research and hard work
@_mayyhem
Coercing NTLM Authentication from SCCM
SCCM Site Takeover via Automatic Client Push Installation
@TechBrandon
Push Comes To Shove: exploring the attack surface of SCCM Client Push Accounts
Push Comes To Shove: Bypassing Kerberos Authentication of SCCM Client Push Accounts.
@Raiona_ZA
Identifying and retrieving credentials from SCCM/MECM Task Sequences
@_xpn_
Exploring SCCM by Unobfuscating Network Access Accounts
@subat0mik
The Phantom Credentials of SCCM: Why the NAA Won’t Die
@HackingDave
Owning One to Rule Them All