SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain. Please checkout the wiki for detailed usage.
This tool was developed and tested in a lab environment. Your mileage may vary on performance. If you run into any problems please don't hesitate to open an issue.
I strongly encourage using a python virtual environment for installation
git clone https://github.com/garrettfoster13/sccmhunter.git
cd sccmhunter
virtualenv --python=python3 .
source bin/activate
pip3 install -r requirements.txt
python3 sccmhunter.py -h
pipx
can also be used to install globally
pipx install git+https://github.com/garrettfoster13/sccmhunter/
Huge thanks to the below for all their research and hard work and
@_mayyhem
Coercing NTLM Authentication from SCCM
SCCM Site Takeover via Automatic Client Push Installation
@TechBrandon
Push Comes To Shove: exploring the attack surface of SCCM Client Push Accounts
Push Comes To Shove: Bypassing Kerberos Authentication of SCCM Client Push Accounts.
@Raiona_ZA
Identifying and retrieving credentials from SCCM/MECM Task Sequences
@_xpn_
Exploring SCCM by Unobfuscating Network Access Accounts
@subat0mik
The Phantom Credentials of SCCM: Why the NAA Won’t Die
@HackingDave
Owning One to Rule Them All