<p align="center"> <img width="696" alt="image" src="https://github.com/user-attachments/assets/42f6572f-9df1-4229-a213-b02d9526f16d"> </p>

SCCMHunter

SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain. Please checkout the wiki for detailed usage.

Please note

This tool was developed and tested in a lab environment. Your mileage may vary on performance. If you run into any problems please don't hesitate to open an issue.

Installation

I strongly encourage using a python virtual environment for installation

git clone https://github.com/garrettfoster13/sccmhunter.git
cd sccmhunter
virtualenv --python=python3 .
source bin/activate
pip3 install -r requirements.txt
python3 sccmhunter.py -h

pipx can also be used to install globally

pipx install git+https://github.com/garrettfoster13/sccmhunter/

References

Huge thanks to the below for all their research and hard work and <br> @_mayyhem <br> Coercing NTLM Authentication from SCCM <br> SCCM Site Takeover via Automatic Client Push Installation <br> <br> @TechBrandon <br> Push Comes To Shove: exploring the attack surface of SCCM Client Push Accounts <br> Push Comes To Shove: Bypassing Kerberos Authentication of SCCM Client Push Accounts. <br> <br> @Raiona_ZA <br> Identifying and retrieving credentials from SCCM/MECM Task Sequences <br> <br> @_xpn_ <br> Exploring SCCM by Unobfuscating Network Access Accounts <br> <br> @subat0mik <br> The Phantom Credentials of SCCM: Why the NAA Won’t Die <br> <br> @HackingDave <br> Owning One to Rule Them All