search
githubEdit

Client Push

https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/sccm-mecm/elevate-2-client-push

hashtag
Description

It is possible to coerce NTLM authentication from a site servers push installation account and machine account. The NTLM authentication can either be cracked offline or relayed elsewhere for authentication.

hashtag
Requirements

  1. SCCM automatic site assignment and automatic client push installation are enabled

  2. PKI certificates aren’t required for client authentication

  3. SMB Signing disabled (If relaying authentication)

  4. Domain user credentials

  5. Local Administrator (If performing from Windows)

  6. Fallback to NTLM authentication is not explicitly disabled (default)

hashtag
Credential Capture

hashtag
1) Setup Capture

hashtag
Windows

Setup Inveigh or Invoke-Inveigh to sniff for network traffic (Local Admin Required)

hashtag
Linux

Set up Responder to listen for network traffic in analyse mode.

hashtag
2) Trigger client push installation

Trigger the client push on the site server, targeting the listening host. This process may take a couple of minutes to capture

SharpSCCM

hashtag
3) Crack the hash with Hashcat

hashtag
Relay Authentication

hashtag
1) ntlmrelayx setup

hashtag
Windows

Before setting up ntlmrelayx on Windows we need to divert SMB traffic on port 445 to an alternate port such as 8445 with divertTCPConn (Local Administrator Required)

Configure ntlmrelayx

hashtag
Linux

Trigger Push authentication then wait a minute or two to capture the authentication request.

PreviousCIM RepositoryNextFull Shell RCE

Last updated