NAA creds from SCCM #19712
Once accepted, we should neaten up some of the duplicate structures in the PKINIT code (which are also CMS). I've kept that task separate for now.
I appreciate this information. I have been trying to properly set up my new environment, and being self-taught and learning everything on my own with Google's help and much time, effort and trying, this has been a journey, but I am determined to achieve great things.
Added proper credits for the original research.
Do we have options to advance this independently of a
@smcintyre-r7 - I believe the way to work around this would be to define the
This implements retrieval of NAA creds from an SCCM server. Given a computer name and password (which can typically be created by a standard AD domain user), a misconfigured system will just give out
Depends on rapid7/rex-mime#5 and lemontree55/rasn1#40
The main limitation of this work to date is that I've only been able to test on one SCCM server. I'm aware that different crypto schemes are in use, so for now I've given clear error messages in those cases.
Verification
I set up a test environment using GOAD.
- msfconsole
- samr_computer (soon samr_account) module.
- use auxiliary/admin/sccm/get_naa_creds
- rhost set to the Domain Controller, with valid domain creds (low priv should be fine), and the computer creds you just obtained.
- MANAGEMENT_POINT and SITE_CODE to the values that the module found on the first run (and no rhost)
Demo
Autodiscovery:
Explicit Management Point/Site Code: