CRED-5 - MSSQL Database
Last updated
Was this helpful?
Last updated
Was this helpful?
Dump credentials from the site database
Site servers are granted sysadmin roles on their respective site databases. This is default and is a requirement for SCCM to function. If the site server machine account credentials have been obtained, this then allows for the SC_UserAccount table to be read and obtain encrypted passwords blobs for provisioned SCCM accounts which are stored within this table.
When this attack is performed, the encrypted data blobs must be encrypted on the site server otherwise it is not possible to decrypt them.
Site database access
Access to the private key used for encryption stored on the primary site server
Windows
SQL Client (mssqlclient, SQLRecon)
sccmdecryptpoc.exe:
Linux
mssqlclient
Dump Account Credentials
Dump Task Sequence Data
The same attack can be repeated as above in the Linux section for Windows when using mssqlclient.exe. At the time of writing I had issue authenticating as a machine account to the site server database using the suggested SQLRecon. If using a machine account mssqlclient.exe would be the preferred way of doing this, otherwise if you have access to a user who has admin rights of the site server database then SQLRecon or PowerUPSQL should be sufficient.
To decrypt the data, we need to run sccmdecrypt on the main site server.
