SCCMSecrets
SCCMSecrets.py aims at exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement.
SCCMSecrets.py is an SCCM policies exploitation tool. It goes beyond NAA credentials extraction and aims to provide a comprehensive approach to SCCM policies exploitation. The tool can be executed from various levels of privilege, and will attempt to uncover potential misconfigurations related to policies distribution. More details regarding the tool and its usage are available in the associated article: https://www.synacktiv.com/publications/sccmsecretspy-exploiting-sccm-policies-distribution-for-credentials-harvesting-initial
Two subcommands are available: policies and files.
Policies
This subcommand interacts with an SCCM Management Point in order to dump the contents of all secret policies (including NAA configuration, task sequences containing credentials, or collection variables). To do so, an approved SCCM device is needed, which can be obtained in three ways.
- If you do not provide a machine account, SCCMSecrets will attempt to register a device and abuse automatic device approval. This is a (non-default) SCCM configuration which automatically grants the "Approved" state to new devices registered anonymously.
- If you provide a machine account, SCCMSecrets will register a new device using the authenticated registration endpoint. By default, SCCM will grant the "Approved" state to devices registered through this endpoint.
- If you provide the --altauth flag, SCCMSecrets will exploit an alternate authentication endpoint, allowing it to bypass mTLS requirements and to obtain an approved device without credentials and without the automatic device approval misconfiguration (more information here). This only works when the MP is configured to use HTTPS, AND the SCCM site is configured to enforce HTTPS site-wide (if the MP is using HTTPS but the site allows either HTTP or HTTPS, devices are not automatically approved).
- You can also provide an existing device (--use-existing-device). This argument expects a directory containing the guid.txt file (device GUID) and the key.pem file (device private key). This can be a device created by a previous SCCMSecrets execution, or the one corresponding to a compromised legitimate SCCM client.
Note that SCCM policies are associated with collections. Registering a new device places it in the default collections only, so only secret policies from default collections will be retrieved. This is why impersonating a compromised legitimate SCCM client with --use-existing-device can be interesting: that legitimate client could be part of custom collections associated with additional secret policies.
Output will be placed in a subdirectory of the loot directory (format: [timestamp]_policies).
$ python3 SCCMSecrets.py policies -h
Usage: SCCMSecrets.py policies [OPTIONS]
Dump secret policies from an SCCM Management Point
╭─ Options ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ * --management-point -mp TEXT The client's SCCM management point. Expects either a URL, or a hostname/IP (defaults to HTTP in the latter case) [required] │
│ * --client-name -cn TEXT [Optional] The name of the client that will be created in SCCM - or a random name if using an existing device [required] │
│ --machine-name -u TEXT [Optional] A machine account name. If not provided, SCCMSecrets will try to exploit automatic device approval │
│ --machine-pass -p TEXT [Optional] The password for the machine account │
│ --machine-hash -H TEXT [Optional] The NT hash for the machine account │
│ --registration-sleep -rs INTEGER [Optional] The amount of time, in seconds, that should be waited after registrating a new device. A few minutes is recommended so that the new device can be added to │
│ device collections (3 minutes by default, may need to be increased) │
│ [default: 180] │
│ --use-existing-device -d TEXT [Optional] This option can be used to re-run SCCMSecrets.py using a previously registered device ; or to impersonate a legitimate SCCM client. In both cases, it │
│ expects the path of a folder containing a guid.txt file (the SCCM device GUID) and the key.pem file (the client's private key). Note that a client-name value must also │
│ be provided to SCCMSecrets (but does not have to match the one of the existing device) │
│ --pki-cert -c TEXT [Optional] The path to a valid domain PKI certificate in PEM format. Required when the Management Point enforces HTTPS and thus client certificate authentication │
│ --pki-key -k TEXT [Optional] The path to the private key of the certificate in PEM format │
│ --altauth -a [Optional] Use the MP's alternate authentication endpoint. This endpoint bypasses mutual TLS requirements, and automatically approves devices registered through it. It │
│ only works when the MP uses HTTPS AND HTTPS is enforced site-wide │
│ --verbose -v [Optional] Enable verbose output │
│ --help -h Show this message and exit. │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Files
This subcommand indexes files stored on a Distribution Point and downloads interesting ones. SCCMSecrets will first attempt to determine whether anonymous access is enabled (non-default). If it is, files can be indexed and downloaded without authentication. Otherwise, domain credentials will be needed.
It is possible to download files by extension. SCCMSecrets will index the files of all packages hosted on the Distribution Point (producing an index.txt file in the Unix tree format), and download files with the specified extensions. When an empty list of extensions is provided, only file indexing is performed.
In both cases, the produced index file can then be used with the --urls flag to download specific interesting files (without reindexing).
Note that mTLS requirements, if they are implemented, can be bypassed by providing the --nocert flag.
Output will be placed in a subdirectory of the loot directory (format: [timestamp]_files).
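As an added example (not part of the SCCMSecrets code base), the following Python reads an index in the Unix tree format that the files subcommand is described as producing, rebuilds the relative path of every file, and filters by extension the way the extension download option does. From a defender's side it is a quick way to review which files a Distribution Point exposes and which of them carry extensions worth checking for embedded credentials. The sample index is constructed, and the exact layout of a real index.txt (root line, trailing summary line) is an assumption.

```python
import os
import re
from typing import List, Tuple

# Constructed sample index in the Unix `tree` format that SCCMSecrets' index.txt
# is described as using (the exact layout of a real index.txt is an assumption).
SAMPLE_INDEX = """\
.
├── PKG00001
│   ├── install.ps1
│   └── settings.xml
├── PKG00002
│   ├── scripts
│   │   ├── join-domain.vbs
│   │   └── readme.txt
│   └── setup.exe
└── PKG00003
    └── unattend.xml

4 directories, 6 files
"""

# One tree line: optional indent made of 4-character blocks ("│   " or "    "),
# then an optional branch glyph ("├── " or "└── "), then the entry name.
_TREE_LINE = re.compile(r"^((?:[│ ]   )*)([├└]── )?(.+)$")
_SUMMARY_LINE = re.compile(r"^\d+ director(?:y|ies),")


def _parse_entries(text: str) -> List[Tuple[int, str]]:
    """Turn tree output into (depth, name) pairs; the root line has depth 0."""
    entries: List[Tuple[int, str]] = []
    for raw in text.splitlines():
        # `tree` pads its prefixes with non-breaking spaces; normalise them first.
        line = raw.replace("\xa0", " ").rstrip()
        if not line or _SUMMARY_LINE.match(line):
            continue
        match = _TREE_LINE.match(line)
        if match is None:
            continue
        indent, branch, name = match.groups()
        depth = 0 if branch is None else len(indent) // 4 + 1
        entries.append((depth, name))
    return entries


def parse_tree_index(text: str) -> List[str]:
    """Return the relative path of every leaf entry (i.e. every file) in the index.
    An empty directory would also appear here, since plain tree output does not
    mark directories."""
    entries = _parse_entries(text)
    stack: List[Tuple[int, str]] = []   # ancestors of the current entry
    files: List[str] = []
    for i, (depth, name) in enumerate(entries):
        del stack[depth:]               # pop back to the parent level
        stack.append((depth, name))
        has_children = i + 1 < len(entries) and entries[i + 1][0] > depth
        if not has_children:
            # Drop the depth-0 root ("." or the DP share name) from the path.
            files.append("/".join(n for d, n in stack if d > 0))
    return files


def filter_by_extension(paths: List[str], extensions: List[str]) -> List[str]:
    """Keep paths whose extension is in `extensions` (case-insensitive, leading
    dot optional). An empty extension list selects nothing, mirroring the tool's
    index-only mode."""
    wanted = {"." + ext.lower().lstrip(".") for ext in extensions}
    return [p for p in paths if os.path.splitext(p)[1].lower() in wanted]


if __name__ == "__main__":
    all_files = parse_tree_index(SAMPLE_INDEX)
    for path in filter_by_extension(all_files, ["ps1", "xml", "vbs"]):
        print(path)
```

To run it against a real index, replace SAMPLE_INDEX with the contents of the index.txt produced by the files subcommand; the resulting paths are what you would review before deciding which packages need their scripts and answer files scrubbed of credentials.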
$ python3 SCCMSecrets.py files --help
Usage: SCCMSecrets.py files [OPTIONS]
Dump interesting files from an SCCM Distribution Point
