# SCCM search
nmap -p 80,443,445,1433,10123,8530,8531 -sV [IP]
# search PXE
nmap -p 67,68,69,4011,547 -sV -sU [IP]
([ADSISearcher]("objectClass=mSSMSManagementPoint")).FindAll() | % {$_.Properties}
python3 sccmhunter.py find -u <user> -p <password> -d <domain> -dc-ip <ip> -debug
# Review collected information
python3 sccmhunter.py show -all
smbmap -u <user> -p <password> -d <domain> -H <ip>