SCCMHunter is a Python-based post-exploitation tool designed for security professionals to identify, profile, and exploit System Center Configuration Manager (SCCM) assets within an Active Directory (AD) domain.
Developed by Garrett Foster, it serves as a powerful resource for penetration testing and security assessments by uncovering vulnerabilities in SCCM environments.
Core Functions
- Asset Discovery:
- SCCMHunter queries LDAP using its
findmodule to locate SCCM-related assets. It identifies objects created during AD schema extensions, Management Points, and other SCCM keywords like “SCCM” or “MECM”.
- SCCMHunter queries LDAP using its
- Profiling:
- The tool profiles identified assets using the
smbmodule. This includes checking SMB signing status, default shares, MSSQL services, and roles like SMS Provider or Distribution Point. This profiling helps map potential attack paths.
- The tool profiles identified assets using the
- Exploitation:
- After profiling, SCCMHunter allows attackers to:
- Abuse client enrollment using the HTTP module.
- Perform site server takeovers using the MSSQL module.
- Extract Network Access Account (NAA) credentials via the DPAPI module.
- After profiling, SCCMHunter allows attackers to:
- Post-Exploitation:
- If successful in compromising the hierarchy, the
adminmodule facilitates lateral movement and further exploitation within the network.
- If successful in compromising the hierarchy, the
To install SCCMHunter:
- Clone the repository: bash
git clone https://github.com/garrettfoster13/sccmhunter.git cd sccmhunter virtualenv --python=python3 . source bin/activate pip3 install -r requirements.txt python3 sccmhunter.py -h - Alternatively, use
pipxfor global installation. - Reconnaissance: Enumerate SCCM assets and roles.
- Privilege Escalation: Exploit misconfigurations to gain higher privileges.
- Credential Extraction: Retrieve sensitive credentials like NAA.
- Lateral Movement: Leverage SCCM features for network pivoting.
SCCMHunter was developed in a lab environment, so performance may vary in real-world scenarios. Users encountering issues are encouraged to report them via GitHub.
The development of SCCMHunter builds on research by cybersecurity experts such as @_mayyhem, @TechBrandon, and others who have explored SCCM vulnerabilities extensively.
