Recon

Common SCCM Ports

Ports used for connections - Configuration ManagerMicrosoftLearn

Protocol	Port(s)	Service
TCP	8530, 8531,	Site Server, Management Point
	10123
TCP	49152-49159	Distribution Point
UDP	4011	Operating System Deployment (OSD)

Nmap

# SCCM search
nmap -p 80,443,445,1433,10123,8530,8531 -sV [IP]

# search PXE
nmap -p 67,68,69,4011,547 -sV -sU [IP]

PowerShell

([ADSISearcher]("objectClass=mSSMSManagementPoint")).FindAll() | % {$_.Properties}

Configuration Manager

Linux Recon

• sccmhunter: https://github.com/garrettfoster13/sccmhunter

python3 sccmhunter.py find -u <user> -p <password> -d <domain> -dc-ip <ip> -debug

# Review collected information
python3 sccmhunter.py show -all 

Discovery through SMB

smbmap -u <user> -p <password> -d <domain> -H <ip>