SCCMHunter : A Comprehensive Tool For SCCM Asset Exploitation

SCCMHunter is a Python-based post-exploitation tool designed for security professionals to identify, profile, and exploit System Center Configuration Manager (SCCM) assets within an Active Directory (AD) domain.

Developed by Garrett Foster, it serves as a powerful resource for penetration testing and security assessments by uncovering vulnerabilities in SCCM environments.

Core Functions

1. Asset Discovery:
   • SCCMHunter queries LDAP using its find module to locate SCCM-related assets. It identifies objects created during AD schema extensions, Management Points, and other SCCM keywords like “SCCM” or “MECM”.
2. Profiling:
   • The tool profiles identified assets using the smb module. This includes checking SMB signing status, default shares, MSSQL services, and roles like SMS Provider or Distribution Point. This profiling helps map potential attack paths.
3. Exploitation:
   • After profiling, SCCMHunter allows attackers to:
     • Abuse client enrollment using the HTTP module.
     • Perform site server takeovers using the MSSQL module.
     • Extract Network Access Account (NAA) credentials via the DPAPI module.
4. Post-Exploitation:
   • If successful in compromising the hierarchy, the admin module facilitates lateral movement and further exploitation within the network.

To install SCCMHunter:

• Clone the repository: bashgit clone https://github.com/garrettfoster13/sccmhunter.git cd sccmhunter virtualenv --python=python3 . source bin/activate pip3 install -r requirements.txt python3 sccmhunter.py -h
• Alternatively, use pipx for global installation.
• Reconnaissance: Enumerate SCCM assets and roles.
• Privilege Escalation: Exploit misconfigurations to gain higher privileges.
• Credential Extraction: Retrieve sensitive credentials like NAA.
• Lateral Movement: Leverage SCCM features for network pivoting.

SCCMHunter was developed in a lab environment, so performance may vary in real-world scenarios. Users encountering issues are encouraged to report them via GitHub.

The development of SCCMHunter builds on research by cybersecurity experts such as @_mayyhem, @TechBrandon, and others who have explored SCCM vulnerabilities extensively.