> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/sccm-mecm/cred-3-wmi-local-secrets.md).

# CRED-3 - WMI Local Secrets

## Document Reference

* [CRED-3](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-3/cred-3_description.md)

## Description

Dump currently deployed secrets via WMI

The Netwrok Access Account (NAA) is a domain account provisioned on a site server. The NAA account is used by SCCM clients to download software from the distribution point. Otherwise, it serves no other purpose within the configuration.

The NAA accounts are stored within the CCM\_NetworkAccessAccount class located in  the WMI namespace `root\ccm\policy\Machine\ActualConfig`&#x20;

The class contains two attributes which are effectively stored credential data these are:

* NetworkAccessUsername
* NetworkAccessPassword

These values contains encrypted data for values within them. With local administrative privileges, its possible to utilize tools such as SharpSCCM and SharpDPAPI to decrypt the data blocks and retrieve the credentials for the currently configured NAA.

## Requirements

* Local administrator privileges on an SCCM client

To discover if any NAA credentials are stored locally, the following PowerShell command can be executed.

```powershell
Get-WmiObject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
```

The following tools can be used to extract this information from the system.

## Windows

### SharpSCCM

```
SharpSCCM.exe local secrets -m wmi
```

<figure><img src="/files/wq4j8x8RkY8ZEE2szaCs" alt=""><figcaption></figcaption></figure>

### SharpDPAPI&#x20;

{% code overflow="wrap" %}

```powershell
SharpDPAPI.exe SCCM
```

{% endcode %}

<figure><img src="/files/sNM6ZxkjGD9UbrYMTHmg" alt=""><figcaption></figcaption></figure>

## Linux

### SystemDPAPIdump.py

Github: <https://github.com/fortra/impacket/blob/755efbffc7bd54c9dcf33d7c5e04038801fd3225/examples/SystemDPAPIdump.py>

```python
python3 SystemDPAPIdump.py -sccm <domain>/<user>:<pass>@<ip>
```

<figure><img src="/files/hZEQqx68WezhN8t6gqoc" alt=""><figcaption></figcaption></figure>

### sccmhunter

```python
sccmhunter.py -u <User> -p Password> -target <ip>
```

<figure><img src="/files/7l8ocAZ6St3Bxb5QEuvU" alt=""><figcaption></figcaption></figure>

## Defence

* [PREVENT-3: Harden or disable network access accounts](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/PREVENT/PREVENT-3/prevent-3_description.md)
* [PREVENT-4: Configure Enhanced HTTP](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/PREVENT/PREVENT-4/prevent-4_description.md)
* [PREVENT-10: Enforce the principle of least privilege for accounts](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/PREVENT/PREVENT-10/prevent-10_description.md)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/sccm-mecm/cred-3-wmi-local-secrets.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
