[SCCM] Credentials from objects.data
Hello
Based on the article (https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9).
I made a method to parse the objects.data file and retrieve NAA creds on disk.
Example:
.\SharpDPAPI sccm /useobjectfile
or from a given file
.\SharpDPAPI sccm /useobjectfile /mkfile:<masterkeys file> /pathToFile:<path to a objects.data file>
The PR is based on @subat0mik's one.
@guervild Thanks for this! We're reviewing it and will try to get it merged soon.
Thanks!
@HarmJ0y I tested this PR and it looks good.
@guervild I ported this code over to SharpSCCM as well: https://github.com/Mayyhem/SharpSCCM/pull/14
Hello @subat0mik
Haha, I must confess that I hesitated between SharpSCCM and SharpDPAPI before doing this PR, so it's great that both now have the functionality!
Also, I like that check and the use of the environment variable: https://github.com/Mayyhem/SharpSCCM/blob/25721da160201151c2c8c0d25c19954e2c7e1f3c/lib/Credentials.cs#L24
Maybe we could add it here too?
Hey @guervild, this new functionality you wrote is awesome! I just merged @subat0mik's port into SharpSCCM. Sorry it took so long to test, but I was having a regex matching issue in my environment that @subat0mik wasn't experiencing and that I had to figure out. The updated regex is here:
https://github.com/Mayyhem/SharpSCCM/blob/main/lib/Credentials.cs#L41
I added "?" to the two captured groups to make the matching non-greedy, which fixed the issue I was having where data after the closing tag was being matched in some parts of my objects.data file.
Could you please update this PR with the updated regex?
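Added example, not part of the thread or of either project's code: a greedy capture group running past the first closing tag when more data follows it, next to the non-greedy form. It uses Python's `re` rather than .NET (greedy and lazy quantifiers behave the same way here), narrows the case to one captured group, and the `<Item>` tag, the sample blob and the function names are constructed placeholders.

```python
import re

# Constructed sample: two tagged values, each followed by unrelated bytes,
# standing in for a binary file where data follows every closing tag.
BLOB = (
    "hdr\x00<Item><![CDATA[AAAA1111]]></Item>\x00\x07junk"
    "<Item><![CDATA[BBBB2222]]></Item>\x00tail"
)

OPEN = r"<Item><!\[CDATA\["
CLOSE = r"\]\]></Item>"

# Greedy: (.*) consumes as much as possible, then backtracks to the LAST
# closing tag in the input.
GREEDY = re.compile(OPEN + r"(.*)" + CLOSE, re.DOTALL)

# Non-greedy: (.*?) expands one character at a time and stops at the FIRST
# closing tag after each opening tag.
LAZY = re.compile(OPEN + r"(.*?)" + CLOSE, re.DOTALL)


def extract(pattern, data):
    """Return the captured value of every match of pattern in data."""
    return [m.group(1) for m in pattern.finditer(data)]


def overmatched(values):
    """Return captures that swallowed a closing delimiter: a cheap sanity
    check that a pattern did not run across a record boundary."""
    return [v for v in values if "]]>" in v]


if __name__ == "__main__":
    for name, pattern in (("greedy", GREEDY), ("lazy", LAZY)):
        values = extract(pattern, BLOB)
        print(name, len(values), "match(es)")
        for v in values:
            print("   ", repr(v))
        print("    over-matched:", len(overmatched(values)))
```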
Hey @Mayyhem
Thank you very much for your message, I really appreciate it! I also like this new feature in my recent engagement 😄
I fixed the regex. Should I also change this: https://github.com/Mayyhem/SharpSCCM/blob/25721da160201151c2c8c0d25c19954e2c7e1f3c/lib/Credentials.cs#L24 ?
Don't worry about that for now so we can get this one merged. Thanks though!