30.04.2024 ยท dadevel

System Center Configuration Manager (SCCM) aka Microsoft Endpoint Configuration Manager (MECM) is Microsoft's Software deployment solution.

SCCM site hierarchy (source)

Discover SCCM servers over the network without authentication.

nslookup.exe type=SRV _mssms_mp_%sitecode%._tcp.corp.local

Look for commanName=SMS in the script results (source).

sudo nmap -vv -n -Pn -T4 --min-rate 1000 -sS -sV --version-intensity 0 --open -p 80,443,445,1433,8530,8531,10123 192.168.0/24
sudo nmap -vv -n -Pn -T4 --min-rate 1000 -sU -sV --version-intensity 0 --open -p 67,68,69,4011,547 192.168.0/24
httpx -title -server -status-code -l ./computers.txt -path /ccm_system_windowsauth/request

Discover SCCM servers via LDAP.

rm -rf ~/.sccmhunter
sccmhunter find -d corp.local -u jdoe -p 'passw0rd' -dc-ip dc01.corp.local
sccmhunter smb -d corp.local -u jdoe -p 'passw0rd' -dc-ip dc01.corp.local
sccmhunter show -users
sccmhunter show -computers
sccmhunter show -smb
([ADSISeacher]('objectClass=mSSMSManagementPoint')).FindAll() | %{$_.Properties}

Get site info on SCCM-managed computer.

PS > Get-WMIObject -Namespace root\ccm -ClassName SMS_Authority
CurrentManagementPoint : sccmmp01.corp.local
Name                   : SMS:CRP
PS > .\SharpSCCM.exe local site-info

Other tools: