
[SCCM] Credentials from objects.data

Open guervild opened this issue 2 years ago • 2 comments

Hello

Based on the article (https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9).

I made a method to parse the objects.data file and retrieve NAA creds on disk.

Example:

.\SharpDPAPI sccm /useobjectfile

or from a given file

.\SharpDPAPI sccm /useobjectfile /mkfile:<masterkeys file> /pathToFile:<path to a objects.data file>

The PR is based on @subat0mik's.

guervild avatar Sep 03 '22 20:09 guervild

@guervild Thanks for this! We're reviewing it and will try to get it merged soon.

subat0mik avatar Oct 06 '22 17:10 subat0mik

Thanks!

guervild avatar Oct 06 '22 19:10 guervild

@HarmJ0y I tested this PR and it looks good.

@guervild I ported this code over to SharpSCCM as well: https://github.com/Mayyhem/SharpSCCM/pull/14

subat0mik avatar Oct 20 '22 05:10 subat0mik

Hello @subat0mik

Ahah, I must confess that I hesitated between SharpSCCM and SharpDPAPI before doing this PR, so it's great that now both have the functionality!

Also, I like that check and the use of the environment variable: https://github.com/Mayyhem/SharpSCCM/blob/25721da160201151c2c8c0d25c19954e2c7e1f3c/lib/Credentials.cs#L24

Maybe we could add it here too?

guervild avatar Nov 07 '22 22:11 guervild

Hey @guervild, this new functionality you wrote is awesome! I just merged @subat0mik's port into SharpSCCM. Sorry it took so long to test, but I was having a regex matching issue in my environment that @subat0mik wasn't experiencing, which I had to figure out. The updated regex is here:

https://github.com/Mayyhem/SharpSCCM/blob/main/lib/Credentials.cs#L41

I added "?" to the two captured groups to make the matching non-greedy, which fixed the issue I was having where data after the closing tag was being matched in some parts of my objects.data file.

Could you please update this PR with the updated regex?

Mayyhem avatar Nov 16 '22 22:11 Mayyhem
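To illustrate the greedy-versus-non-greedy difference @Mayyhem describes above, here is an added Python example. It is not code from SharpDPAPI or SharpSCCM and not the thread's actual regex; the `<Name>`/`<Value>` tags, the record layout and the sample text are constructed placeholders, not the real objects.data format. It shows how a greedy `(.*)` capture runs past the first closing tag and swallows a later record, while `(.*?)` stops at the nearest closing tag.

```python
import re

# Constructed sample: two tag-delimited records in one blob, with filler
# between them, mimicking "data after the closing tag" being captured.
# Tag names and values are placeholders, not real objects.data fields.
SAMPLE = (
    "<Record><Name>first</Name><Value>alpha</Value></Record>"
    "junk-between-records"
    "<Record><Name>second</Name><Value>beta</Value></Record>"
)

# Greedy: each (.*) expands as far as it can and only backtracks to the
# LAST closing tag it can still satisfy, so it spans across records.
GREEDY = re.compile(r"<Name>(.*)</Name><Value>(.*)</Value>")

# Non-greedy: each (.*?) stops at the FIRST closing tag that lets the
# rest of the pattern match, so every record is captured on its own.
LAZY = re.compile(r"<Name>(.*?)</Name><Value>(.*?)</Value>")


def extract(pattern, text):
    """Return all (name, value) pairs the pattern finds in text."""
    return pattern.findall(text)


def overmatched(pattern, text):
    """True if any captured group still contains a tag, i.e. the capture
    ran past a closing tag instead of stopping at it."""
    return any("<" in group for match in pattern.findall(text) for group in match)


if __name__ == "__main__":
    print("greedy   :", extract(GREEDY, SAMPLE))  # one match, first group spans both records
    print("non-greedy:", extract(LAZY, SAMPLE))   # [('first', 'alpha'), ('second', 'beta')]
    print("greedy overmatched:", overmatched(GREEDY, SAMPLE))
    print("lazy overmatched  :", overmatched(LAZY, SAMPLE))
```

Note that `.` does not match newlines unless the pattern is compiled with `re.DOTALL`; a tag-delimited value that happens to span a line break will be missed by both forms without that flag, so the quantifier choice and the dot-all behaviour need to be decided together.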

Hey @Mayyhem

Thank you very much for your message, I really appreciate it! I also like this new feature in my recent engagement 😄

I fixed the regex; should I also change this: https://github.com/Mayyhem/SharpSCCM/blob/25721da160201151c2c8c0d25c19954e2c7e1f3c/lib/Credentials.cs#L24 ?

guervild avatar Nov 16 '22 22:11 guervild

Don't worry about that for now so we can get this one merged. Thanks though!

subat0mik avatar Nov 16 '22 23:11 subat0mik