# Recon

**Common SCCM Ports**

Microsoft's port reference: <https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/ports>

<table><thead><tr><th width="118">Protocol</th><th width="144">Port(s)</th><th>Service</th></tr></thead><tbody><tr><td>TCP</td><td>8530, 8531, 10123</td><td>Site Server, Management Point</td></tr><tr><td>TCP</td><td>49152-49159</td><td>Distribution Point</td></tr><tr><td>UDP</td><td>4011</td><td>Operating System Deployment (OSD)</td></tr></tbody></table>

### Nmap

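```bash
# Scan for common SCCM service ports (TCP) with version detection
nmap -p 80,443,445,1433,10123,8530,8531 -sV [IP]

# Scan for PXE-related ports (UDP) with version detection
nmap -p 67,68,69,4011,547 -sV -sU [IP]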
```

### PowerShell

```powershell
([ADSISearcher]("objectClass=mSSMSManagementPoint")).FindAll() | % {$_.Properties}
```

## Configuration Manager

<div align="center" data-full-width="true"><figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FggsIc8fzyNr3BAWagew5%2Fimage.png?alt=media&#x26;token=944afe21-03e6-4e97-bf6d-cb4426a35ea7" alt=""><figcaption></figcaption></figure></div>

## Linux Recon

* sccmhunter: <https://github.com/garrettfoster13/sccmhunter>

```bash
python3 sccmhunter.py find -u <user> -p <password> -d <domain> -dc-ip <ip> -debug

# Review collected information
python3 sccmhunter.py show -all
```

### Discovery through SMB

```bash
smbmap -u <user> -p <password> -d <domain> -H <ip>
```

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FdayweLby8fkb88Ql1dXA%2Fimage.png?alt=media&#x26;token=9def4b74-7407-4261-be6d-b63cc3ed195a" alt=""><figcaption></figcaption></figure>
