Recon
Common SCCM Ports
Protocol
Port(s)
Service
TCP
8530, 8531,
Site Server, Management Point
10123
TCP
49152-49159
Distribution Point
UDP
4011
Operating System Deployment (OSD)
Nmap
# SCCM search
nmap -p 80,443,445,1433,10123,8530,8531 -sV [IP]
# search PXE
nmap -p 67,68,69,4011,547 -sV -sU [IP]
PowerShell
([ADSISearcher]("objectClass=mSSMSManagementPoint")).FindAll() | % {$_.Properties}
Configuration Manager

Linux Recon
sccmhunter: https://github.com/garrettfoster13/sccmhunter
python3 sccmhunter.py find -u <user> -p <password> -d <domain> -dc-ip <ip> -debug
# Review collected information
python3 sccmhunter.py show -all
Discovery through SMB
smbmap -u <user> -p <password> -d <domain> -H <ip>

Last updated