CRED-5 - MSSQL Database
Document Reference
Description
Dump credentials from the site database
Site servers are granted the sysadmin role on their respective site databases. This is the default configuration and a requirement for SCCM to function. If the site server machine account credentials have been obtained, the SC_UserAccount table can be read to obtain the encrypted password blobs for provisioned SCCM accounts, which are stored within this table.
The recovered blobs can only be decrypted on the site server itself, where the private key used for encryption is stored; it is not possible to decrypt them elsewhere.
Requirements
Site database access
Access to the private key used for encryption stored on the primary site server
Tools Required
Windows
SQL Client (mssqlclient, SQLRecon)
sccmdecryptpoc.exe: https://github.com/The-Viper-One/RedTeam-Pentest-Tools/tree/main/SCCM
Linux
mssqlclient
Linux
Dump Account Credentials
Dump Task Sequence Data
Windows
The same attack described above in the Linux section can be repeated on Windows using mssqlclient.exe. At the time of writing I had issues authenticating as a machine account to the site database using the suggested SQLRecon. If using a machine account, mssqlclient.exe would be the preferred way of doing this; otherwise, if you have access to a user who has admin rights on the site database, then SQLRecon or PowerUpSQL should be sufficient.
Decrypt Secrets
To decrypt the data, sccmdecrypt must be run on the main site server, from an administrative shell, otherwise the strings cannot be decrypted successfully.
Defensive IDs
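Because the attack depends on a sysadmin principal reading SC_UserAccount, a defender can both inventory who holds sysadmin on the site database instance and record every read of that table. The following T-SQL is an added example written for this page, not code from the original or from any SCCM tooling. It assumes the site database is named CM_PS1 (a placeholder; substitute your site code), that the table lives in the dbo schema, and that the audit file path already exists.

```sql
-- Added example: inventory sysadmin members and audit reads of SC_UserAccount.
-- Assumptions (placeholders): site database CM_PS1, schema dbo, audit path D:\SQLAudit\.

-- 1. Who holds sysadmin on the instance? Expect the site server machine account(s)
--    and the SCCM service/installation context; anything else warrants review.
SELECT  m.name      AS member_name,
        m.type_desc AS principal_type,
        m.create_date
FROM    sys.server_role_members rm
JOIN    sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'
ORDER BY m.name;
GO

-- 2. Server-level audit target (file). STATE = ON starts writing immediately.
USE master;
GO
CREATE SERVER AUDIT SccmSecretsAudit
    TO FILE (FILEPATH = 'D:\SQLAudit\');   -- placeholder path
GO
ALTER SERVER AUDIT SccmSecretsAudit WITH (STATE = ON);
GO

-- 3. Database audit specification: log every SELECT against the table that holds
--    the encrypted account credentials. 'public' captures all principals, including
--    the site server's own routine reads, so baseline normal volume before alerting.
USE CM_PS1;                                 -- placeholder site database name
GO
CREATE DATABASE AUDIT SPECIFICATION SccmUserAccountReads
    FOR SERVER AUDIT SccmSecretsAudit
    ADD (SELECT ON OBJECT::dbo.SC_UserAccount BY public)
    WITH (STATE = ON);
GO

-- 4. Review captured events: which login, from which session, ran what statement.
--    Reads originating from anything other than the site server's machine account
--    are the interesting rows.
SELECT  event_time,
        session_server_principal_name,   -- login that opened the session
        server_principal_name,           -- principal the statement executed as
        database_name,
        object_name,
        statement
FROM    sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE   object_name = 'SC_UserAccount'
ORDER BY event_time DESC;
GO
```

The sysadmin inventory is a point-in-time check worth scheduling; the audit specification is continuous and can be forwarded to a SIEM by collecting the .sqlaudit files or by targeting the Windows Security log instead of a file.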