SCCMHunter

SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain. Please checkout the wiki for detailed usage.

Please note

This tool was developed and tested in a lab environment. Your mileage may vary on performance. If you run into any problems please don't hesitate to open an issue.

Installation

I strongly encourage using a python virtual environment for installation

git clone https://github.com/garrettfoster13/sccmhunter.git
cd sccmhunter
virtualenv --python=python3 .
source bin/activate
pip3 install -r requirements.txt
python3 sccmhunter.py -h

pipx can also be used to install globally

pipx install git+https://github.com/garrettfoster13/sccmhunter/

References

Huge thanks to the below for all their research and hard work and
@_mayyhem
Coercing NTLM Authentication from SCCM
SCCM Site Takeover via Automatic Client Push Installation

@TechBrandon
Push Comes To Shove: exploring the attack surface of SCCM Client Push Accounts
Push Comes To Shove: Bypassing Kerberos Authentication of SCCM Client Push Accounts.

@Raiona_ZA
Identifying and retrieving credentials from SCCM/MECM Task Sequences

@_xpn_
Exploring SCCM by Unobfuscating Network Access Accounts

@subat0mik
The Phantom Credentials of SCCM: Why the NAA Won’t Die

@HackingDave
Owning One to Rule Them All