The find module performs comprehensive LDAP enumeration to identify SCCM-related infrastructure in Active Directory environments. This is typically the first step in any SCCM assessment.
The find module uses multiple discovery techniques to build a complete picture of SCCM infrastructure without requiring elevated privileges.

Discovery Methods

The find module queries LDAP using four distinct approaches to identify SCCM assets:
  • DACL Analysis of System Management Container: Checks the Discretionary Access Control List (DACL) for the ‘System Management’ container that is manually created during the AD schema extension process. This container is a key indicator of SCCM deployment.
  • Published Management Point Discovery: Resolves any published Management Points that clients use to query for policy and content. These are critical infrastructure components that handle client communications.
  • PXE-Enabled Distribution Points: Identifies PXE-enabled Distribution Points that utilize Windows Deployment Services (WDS) for operating system deployment. These can be leveraged for network access account extraction.
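
One way to detect this discovery pattern on the directory side, added here as an example and not part of sccmhunter or the original page: it flags a client whose LDAP searches hit several of the SCCM discovery steps within a short window. The record layout, the filter substrings, the client addresses and the threshold are assumptions; a single Management Point lookup is normal SCCM client behaviour, so only the combination is flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings assumed to appear in the LDAP searches behind each discovery step.
SIGNATURES = {
    "system_management_container": lambda base, flt: "cn=system management,cn=system," in base,
    "management_points": lambda base, flt: "mssmsmanagementpoint" in flt,
    "pxe_distribution_points": lambda base, flt: "intellimirrorscp" in flt
        or "remote-installation-services" in flt,
    "sccm_mecm_string_search": lambda base, flt: bool(re.search(r"=\*(sccm|mecm)\*", flt)),
}

def classify(base_dn, ldap_filter):
    """Return the names of all signatures one search record matches."""
    base, flt = base_dn.lower(), ldap_filter.lower()
    return {name for name, hit in SIGNATURES.items() if hit(base, flt)}

def detect(records, window=timedelta(seconds=60), threshold=3):
    """Flag clients that hit `threshold` distinct signatures inside `window`."""
    per_client = defaultdict(list)
    for ts, client, base_dn, ldap_filter in records:
        for name in classify(base_dn, ldap_filter):
            per_client[client].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for client, hits in per_client.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {n for t, n in hits[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts[client] = sorted(seen)
                break
    return alerts

# Constructed sample records: (timestamp, client IP, search base, filter).
SAMPLE = [
    ("2024-01-01T21:15:03", "10.10.100.50", "CN=System Management,CN=System,DC=internal,DC=lab", "(objectClass=*)"),
    ("2024-01-01T21:15:03", "10.10.100.50", "DC=internal,DC=lab", "(objectClass=mSSMSManagementPoint)"),
    ("2024-01-01T21:15:04", "10.10.100.50", "DC=internal,DC=lab", "(|(samaccountname=*sccm*)(samaccountname=*mecm*))"),
    # A lone Management Point lookup, as a managed client would issue.
    ("2024-01-01T21:16:00", "10.10.100.77", "DC=internal,DC=lab", "(objectClass=mSSMSManagementPoint)"),
    ("2024-01-01T21:20:00", "10.10.100.77", "DC=internal,DC=lab", "(sAMAccountName=jsmith)"),
]

if __name__ == "__main__":
    for client, names in detect(SAMPLE).items():
        print(f"{client}: {', '.join(names)}")
```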

Prerequisites

Requirements

  • Valid Active Directory credentials (any domain user)
  • Network access to domain controller
  • LDAP/LDAPS connectivity (ports 389/636)

Command Syntax

python3 sccmhunter.py find [OPTIONS]

Parameters

| Parameter | Description | Example |
|-----------|-------------|---------|
| -d | Target domain name | internal.lab |
| -dc-ip | Domain controller IP or FQDN | 10.10.100.100 |
| -u | Username for authentication | lowpriv |
| -p | Password for authentication | P@ssw0rd |
| -hashes | NT:LM hash for authentication | aad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 |
| -k | Use Kerberos authentication | |
| -no-pass | Don’t prompt for password (useful with -k) | |
| -aes | AES key for Kerberos (128 or 256 bits) | |
| -t | Target domain (for cross-trust auth) | external.lab |
| -resolve | Resolve nested group members | |
| -ldaps | Use LDAPS instead of LDAP | |
| -debug | Enable verbose logging | |

Use the -resolve flag cautiously as it can be slow and resource-intensive in large environments with deeply nested groups.

Usage Examples

Run a standard enumeration against the domain
python3 sccmhunter.py find -u 'lowpriv' -p 'P@ssw0rd' -d internal.lab -dc-ip 10.10.100.100

                                                                                          (
                                    888                         d8                         \
 dP"Y  e88'888  e88'888 888 888 8e  888 ee  8888 8888 888 8e   d88    ,e e,  888,8,        )
C88b  d888  '8 d888  '8 888 888 88b 888 88b 8888 8888 888 88b d88888 d88 88b 888 "    ##-------->
 Y88D Y888   , Y888   , 888 888 888 888 888 Y888 888P 888 888  888   888   , 888           )
d,dP   "88,e8'  "88,e8' 888 888 888 888 888  "88 88"  888 888  888    "YeeP" 888          /
                                                                                         (
                                                                 v0.0.2                   
                                                                 @garrfoster                    
    
    
    
[21:15:03] INFO     [*] Checking for System Management Container.                                                                                                                                     
[21:15:03] INFO     [+] Found System Management Container. Parsing DACL.                                                                                                                              
[21:15:03] INFO     [+] Found 3 computers with Full Control ACE                                                                                                                                       
[21:15:03] INFO     [*] Querying LDAP for published Sites and Management Points                                                                                                                       
[21:15:03] INFO     [+] Found 3 Management Points in LDAP.                                                                                                                                            
[21:15:03] INFO     [*] Searching LDAP for anything containing the strings 'SCCM' or 'MECM'                                                                                                           
[21:15:03] INFO     [+] Found 5 principals that contain the string 'SCCM' or 'MECM'.                                                                                                                  
                                                                                     
The basic query provides a quick overview of SCCM infrastructure without detailed information. Use the debug flag for comprehensive details.
Run enumeration with detailed debug output for comprehensive analysis
python3 sccmhunter.py find -u 'lowpriv' -p 'P@ssw0rd' -d internal.lab -dc-ip 10.10.100.100 -debug

                                                                                          (
                                    888                         d8                         \
 dP"Y  e88'888  e88'888 888 888 8e  888 ee  8888 8888 888 8e   d88    ,e e,  888,8,        )
C88b  d888  '8 d888  '8 888 888 88b 888 88b 8888 8888 888 88b d88888 d88 88b 888 "    ##-------->
 Y88D Y888   , Y888   , 888 888 888 888 888 Y888 888P 888 888  888   888   , 888           )
d,dP   "88,e8'  "88,e8' 888 888 888 888 888  "88 88"  888 888  888    "YeeP" 888          /
                                                                                         (
                                                                 v0.0.2                   
                                                                 @garrfoster                    
    
    
    
[21:22:46] DEBUG    [*] Database ready.                                                                                                                                                               
[21:22:46] DEBUG    [+] Bind successful ldap://10.10.100.100:389 - cleartext                                                                                                                          
[21:22:46] INFO     [*] Checking for System Management Container.                                                                                                                                     
[21:22:46] INFO     [+] Found System Management Container. Parsing DACL.                                                                                                                              
[21:22:46] INFO     [+] Found 3 computers with Full Control ACE                                                                                                                                       
[21:22:46] INFO     [*] Querying LDAP for published Sites and Management Points                                                                                                                       
[21:22:46] INFO     [+] Found 3 Management Points in LDAP.                                                                                                                                            
[21:22:46] INFO     [*] Searching LDAP for anything containing the strings 'SCCM' or 'MECM'                                                                                                           
[21:22:46] INFO     [+] Found 5 principals that contain the string 'SCCM' or 'MECM'.                                                                                                                  
[21:22:46] INFO     Site Servers Table                                                                                                                                                                
[21:22:46] INFO     +---------------------+------------+-------+-----------------+--------------+---------------+----------+---------+                                                                
                    | Hostname            | SiteCode   | CAS   | SigningStatus   | SiteServer   | SMSProvider   | Config   | MSSQL   |                                                                
                    +=====================+============+=======+=================+==============+===============+==========+=========+                                                                
                    | active.internal.lab |            |       |                 | True         |               |          |         |                                                                
                    +---------------------+------------+-------+-----------------+--------------+---------------+----------+---------+                                                                
                    | sccm.internal.lab   |            |       |                 | True         |               |          |         |                                                                
                    +---------------------+------------+-------+-----------------+--------------+---------------+----------+---------+                                                                
                    | sccm.internal.lab   |            |       |                 | True         |               |          |         |                                                                
                    +---------------------+------------+-------+-----------------+--------------+---------------+----------+---------+                                                                
[21:22:46] INFO     Management Points Table                                                                                                                                                           
[21:22:46] INFO     +---------------------+------------+-----------------+                                                                                                                            
                    | Hostname            | SiteCode   | SigningStatus   |                                                                                                                            
                    +=====================+============+=================+                                                                                                                            
                    | active.internal.lab | ACT        |                 |                                                                                                                            
                    +---------------------+------------+-----------------+                                                                                                                            
                    | mp.internal.lab     | LAB        |                 |                                                                                                                            
                    +---------------------+------------+-----------------+                                                                                                                            
                    | sccm.internal.lab   | LAB        |                 |                                                                                                                            
                    +---------------------+------------+-----------------+                                                                                                                            
[21:22:46] INFO     Computers Table                                                                                                                                                                   
[21:22:46] INFO     +-------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+                                  
                    | Hostname          | SiteCode   | SigningStatus   | SiteServer   | ManagementPoint   | DistributionPoint   | SMSProvider   | WSUS   | MSSQL   |                                  
                    +===================+============+=================+==============+===================+=====================+===============+========+=========+                                  
                    | sccm.internal.lab |            |                 |              |                   |                     |               |        |         |                                  
                    +-------------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+                                  
[21:22:46] INFO     Users Table                                                                                                                                                                       
[21:22:46] INFO     +------+--------+------------------+------------------------+---------------+                                                                                                     
                    | cn   | name   | sAMAAccontName   | servicePrincipalName   | description   |                                                                                                     
                    +======+========+==================+========================+===============+                                                                                                     
                    +------+--------+------------------+------------------------+---------------+                                                                                                     
[21:22:46] INFO     Groups Table                                                                                                                                                                      
[21:22:46] INFO     +------------------+------------------+------------------+-------------------------------------------+---------------+
                    | cn               | name             | sAMAAccontName   | member                                    | description   |
                    +==================+==================+==================+===========================================+===============+
                    | SCCM_SiteServers | SCCM_SiteServers | SCCM_SiteServers | CN=ACTIVE,CN=Computers,DC=internal,DC=lab |               |
                    |                  |                  |                  | CN=SCCM,CN=Computers,DC=internal,DC=lab   |               |
                    +------------------+------------------+------------------+-------------------------------------------+---------------+
Debug mode provides detailed tables with comprehensive information about discovered SCCM infrastructure including site servers, management points, computers, users, and groups.

Interpretation of Results

Understanding Output Tables

The find command returns structured data in several categories:
  • Site Servers Table: Core SCCM infrastructure servers with their roles
  • Management Points Table: Client-facing communication endpoints
  • Computers Table: All discovered SCCM-related systems
  • Users Table: Service accounts and SCCM-related users
  • Groups Table: Security groups used by SCCM, especially helpful for privilege escalation

Next Steps