Cyber security

SCCM HTTP Looter – A Deep Dive Into Exploiting Microsoft SCCM via HTTP

SCCM distribution points (DPs) are the servers used by Microsoft SCCM to host all the files used in software installs, patches, script deployments, etc.

By default, these servers allow access via SMB (TCP/445) and HTTP/S (TCP/80 and/or TCP/443) and require some type of Windows authentication (i.e. NTLM).

The current SCCM DP looting tools rely on the ability to browse SMB shares to collect files.

However, it is not uncommon for an organization to limit inbound SMB access to servers on internal networks, and standard practice to prevent inbound SMB access from the internet.

HTTP/S access on the other hand is usually not restricted on internal networks, and often allowed from the internet. This presents an opportunity for an attacker if there is a way to get files from the SCCM DP via HTTP/S.

Why Hasn’t Anyone Done This Before?

The SMB tools work by enumerating the DataLib folder of the SCCMContentLib$ share to find <filename.ext>.INI files which contain the hash of the file.

They can then locate the actual file at FileLib/<hash[0:4]>/<hash>. This works because with access to the share, you can enumerate all files in the DataLib folder.

Using HTTP/S, things are different. Browsing to http://<SCCM DP>/SMS_DP_SMSPKG$/Datalib shows a directory listing of numbered files and INIs.

For a variety of reasons (like speed), these distribution points can be configured to allow anonymous access.

However, navigating to the non-INI links simply shows the same page, which limits the number of files directly accessible to those in the “root” directory of the Datalib as the hashes extracted from the INI files for directories cannot be used to find the directories in the FileLib since it only stores actual files.

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

1 week ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

1 week ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

1 week ago

How to Bash Append to File: A Simple Guide for Beginners

If you are working with Linux or writing bash scripts, one of the most common…

1 week ago

Mastering the Bash Case Statement with Simple Examples

What is a bash case statement? A bash case statement is a way to control…

1 week ago

How to Check if a File Exists in Bash – Simply Explained

Why Do We Check Files in Bash? When writing a Bash script, you often work…

2 weeks ago