
pxethief

pxethief helps you get creds out of SCCM.

note

Notes below are pretty rough.

Reminder to self: this runs best on Windows!

Install

Get the 64-bit Python installer from python.org.

pip install -r requirements.txt

I'm having this issue.

Identify the hash of the password that was used to encrypt the variables

pxethief.py 5 boot.var

Note: boot.var is a file you might find in the \\SCCMSERVER\REMINST\SMSTEMP folder.

Crack the extracted hash

I found it easier to use the hashcat-6.2.6-SCCM version of hashcat, and then use this syntax:

hashcat-6.2.6-SCCM.exe -m 19850 hash.txt bigbadwordlist.txt

Decrypt and retrieve contents of the media variables file (if cracking was successful)

pxethief.py 3 somevariablesfile.var YOUR-CRACKED-PASSWORD-GOES-HERE

At this point you should be able to get a certificate that will be used to request SCCM policies and task sequences which may have the NAA or other creds.
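On the defensive side, the share location noted above gives a detection point: remote reads of .var files under REMINST\SMSTEMP by hosts that have no reason to touch them. The following is an added example, not part of the original notes or of pxethief. It assumes Detailed File Share auditing (Event ID 5145) is enabled on the server hosting REMINST and that events are already parsed into dicts; the allowlisted address and all sample records are constructed.

```python
# Added example: flag remote reads of PXE media variable files (*.var) in REMINST\SMSTemp.
import ipaddress

FILE_READ_DATA = 0x1  # ReadData bit in the 5145 AccessMask field

# Assumption: hosts expected to access the share over SMB (placeholder address).
ALLOWED_SOURCES = {ipaddress.ip_address("10.0.0.10")}

# Constructed records shaped like the EventData fields of Event ID 5145.
SAMPLE_EVENTS = [
    {"EventID": 5145, "IpAddress": "10.0.0.10", "SubjectUserName": "SCCMSERVER$",
     "ShareName": r"\\*\REMINST", "RelativeTargetName": r"SMSTemp\example.boot.var",
     "AccessMask": "0x120089"},   # allowlisted host: ignored
    {"EventID": 5145, "IpAddress": "10.0.5.77", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\REMINST", "RelativeTargetName": r"SMSTemp\example.boot.var",
     "AccessMask": "0x120089"},   # workstation reading a .var file: flagged
    {"EventID": 5145, "IpAddress": "10.0.5.77", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\REMINST", "RelativeTargetName": r"SMSTemp\boot.bcd",
     "AccessMask": "0x120089"},   # not a .var file: ignored
    {"EventID": 5145, "IpAddress": "10.0.5.78", "SubjectUserName": "asmith",
     "ShareName": r"\\*\REMINST", "RelativeTargetName": r"SMSTemp\example.boot.var",
     "AccessMask": "0x80"},       # attribute query only, no data read: ignored
    {"EventID": 5145, "IpAddress": "10.0.5.79", "SubjectUserName": "bob",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Temp\notes.var",
     "AccessMask": "0x1"},        # different share: ignored
]

def is_var_read(event):
    """True when the event is a data read of SMSTemp\\*.var on the REMINST share."""
    if event.get("EventID") != 5145:
        return False
    share = event.get("ShareName", "").rstrip("\\").split("\\")[-1].upper()
    parts = [p.upper() for p in event.get("RelativeTargetName", "").split("\\") if p]
    mask = int(event.get("AccessMask", "0x0"), 16)
    return (share == "REMINST" and len(parts) >= 2 and parts[0] == "SMSTEMP"
            and parts[-1].endswith(".VAR") and bool(mask & FILE_READ_DATA))

def suspicious_var_reads(events, allowed=ALLOWED_SOURCES):
    """Return (source IP, account, file) for .var reads from non-allowlisted hosts."""
    return [(ev["IpAddress"], ev["SubjectUserName"], ev["RelativeTargetName"])
            for ev in events
            if is_var_read(ev) and ipaddress.ip_address(ev["IpAddress"]) not in allowed]

if __name__ == "__main__":
    for src, user, path in suspicious_var_reads(SAMPLE_EVENTS):
        print(f"ALERT: {user}@{src} read {path} from REMINST")
```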

tip

I sometimes have a heck of a time getting this attack to work, but I opened a GitHub issue that helped me. I also had a situation where the decryption routine seemed to work and I got a funky UnicodeDecodeError: 'utf-16-le' codec can't decode bytes in position 236-237: illegal encoding error. I opened an issue for this and the fix ended up being to comment/uncomment some lines following this guidance and then setting USING_TLS to False in the script:

USING_TLS = False #HTTPS and client certificate support