
New module: SCCM enumeration on DP and PSS with winreg

Open Mauriceter opened this issue 11 months ago • 1 comments

Description

Hello, this is a small module to gather information with winreg: https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-6/recon-6_description.md

The module is mainly based on the Go version: https://github.com/slygoo/pssrecon

It provides additional information that can supplement information gathered with the ldap module sccm.

Type of change

  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] This change requires a documentation update

How Has This Been Tested?

Tested on a slightly modified SCCM lab of GOAD

Screenshots (if appropriate):

output image

Checklist:

  • [x] I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • [ ] I have added or updated the tests/e2e_commands.txt file if necessary
  • [ ] New and existing e2e tests pass locally with my changes
  • [x] My code follows the style guidelines of this project (should be covered by Ruff above)
  • [x] If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

Mauriceter avatar Mar 04 '25 10:03 Mauriceter

Nice one, thanks for the PR!

NeffIsBack avatar Mar 04 '25 10:03 NeffIsBack

I have changed stuff a bit:

  • name sccmrecon->sccm-recon6 because that more accurately represents the technique: https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-6/recon-6_description.md
  • Muted the output if we can't query the SMS, because this will likely be run against large ranges and would spam a lot. The error is still visible with --verbose

NeffIsBack avatar Sep 01 '25 13:09 NeffIsBack

Hi! Thx for the improvement, should the name be sccm_recon6? Also, the module tries to check if the database server needs SMB signing, so unless I misunderstood your changes, it needs to create a new connection to the database to check it.

Mauriceter avatar Sep 01 '25 14:09 Mauriceter

> Hi! Thx for the improvement, should the name be sccm_recon6?

Honestly I am not a huuuge fan of underscores instead of the single dash, but if you prefer that feel free to change it back. But we will probably soon go over the module list and standardize it to one of the two ways, because imo it is confusing to have both.

> Also, the module tries to check if the database server needs SMB signing, so unless I misunderstood your changes, it needs to create a new connection to the database to check it.

Good point! Missed that it tries to connect to the remote database and not the local host we are targeting (at least not always). Will re-add it, but with error handling as this threw stack traces in my lab.

NeffIsBack avatar Sep 01 '25 14:09 NeffIsBack

@Mauriceter if the changes look good to you we are ready for merging

NeffIsBack avatar Sep 01 '25 14:09 NeffIsBack

All good! I just changed indentation for one line

Mauriceter avatar Sep 01 '25 14:09 Mauriceter

Sounds good 👍 thought that was intended

NeffIsBack avatar Sep 01 '25 14:09 NeffIsBack

@Mauriceter do you have Twitter/LinkedIn?

NeffIsBack avatar Sep 01 '25 15:09 NeffIsBack

@Mauriceter could you also open up PRs to the NetExec wiki and add documentation for this PR and #905?

NeffIsBack avatar Sep 01 '25 15:09 NeffIsBack

Twitter: @j_debats

Sure, I will add the doc for the wiki!

Mauriceter avatar Sep 01 '25 15:09 Mauriceter

Should be good for both PRs

Mauriceter avatar Sep 01 '25 16:09 Mauriceter