Requirements
- Any (SMS Admins local group)
Usage
└─# python3 sccmhunter.py admin -u administrator -p P@ssw0rd -ip 10.10.100.9 -h
vdev0.0.3
@garrfoster
Usage: sccmhunter admin [OPTIONS] COMMAND [ARGS]...
Run administrative commands through the AdminService API.
╭─ Options ─────────────────────────────────────────────────────────────────────────────╮
│ *  -u          TEXT  Username [default: None] [required]                              │
│ *  -p          TEXT  Password or NTLM hash. (LM:NT) [default: None] [required]        │
│ *  -ip         TEXT  IP address or hostname of site server [default: None] [required] │
│    -debug            Enable Verbose Logging                                           │
│    -au         TEXT  Optional script approval username [default: None]                │
│    -ap         TEXT  Optional script approval password [default: None]                │
│    --help -h         Show this message and exit.                                      │
╰───────────────────────────────────────────────────────────────────────────────────────╯
Interactive Shell Commands
Once connected, you’ll have access to an interactive shell with various command categories:
[19:26:57] INFO [!] Enter help for extra shell commands
() (C:\) >> help -v
Documented commands (use 'help -v' for verbose/'help <topic>' for details):

Credential Extraction Commands
====================================================================================================
decrypt                  Decrypt provided encrypted blob             decrypt [blob]
decryptEx                Decrypt provided blob with session key      decryptEx [session key] [blob]
get_azurecreds           Extract Azure application cred blobs        get_azurecreds
get_azuretenant          Get Azure Tenant Info                       get_azuretenant
get_creds                Extract encrypted cred blobs                get_creds
get_forestkey            Extract forest discovery session key blobs  get_forestkey
get_pxepassword          Extract pxeboot encrypted cred blobs        get_pxepassword

Database Commands
====================================================================================================
get_collection           Query for all (*) or single (id) collection(s)
get_collectionmembers    Query for all members of a colection. Warning: could be heavy
get_device               Query specific device information
get_lastlogon            Query for devices the target recently signed in
get_puser                Query for devices the target is a primary user
get_user                 Query specific user information

Interface Commands
====================================================================================================
exit                     Exit the console.
interact                 Target Device/Collection to Query           interact (device code)

PostEx Commands
====================================================================================================
add_admin                Add SCCM Admin                              add_admin (user) (sid)
backdoor                 Backdoor CMPivot Script                     backdoor (/path/to/script)
backup                   Backup original CMPivot Script
delete_admin             Remove SCCM Admin                           delete_admin (user)
delete_script            Delete a script from the SCCM server.       delete_script (GUID)
list_scripts             List scripts.
restore                  Restore original CMPivot Script
script                   Run script on target                        script (/path/to/script)
show_admins              List admin users                            show_admins
show_consoleconnections  List console sessions and source            show_consoleconnections
show_rbac                List users and their roles                  show_rbac

Situational Awareness Commands
====================================================================================================
administrators           Query local administrators on target
cat                      Read file contents.                         cat (filename)
cd                       Change current working directory.
console_users            Show total time any users has logged on to the target.
disk                     Show disk information on the target.
environment              Show configured environment variables on target.
ipconfig                 Run ipconfig on target
list_disk                Show drives mounted to the target system.
ls                       List files in current working directory.
osinfo                   Show OS info of target system.
ps                       List running processes on target.
services                 List running services on target.
sessionhunter
sessions                 Show users with an active session on the target system.
shares                   List file shares hosted on target.
software                 Show installed software on the target system.

The admin module provides comprehensive post-exploitation capabilities through SCCM’s AdminService API. Commands are organized into logical categories for efficient operation.
Some commands require script approval when the SCCM hierarchy enforces script approval (the default setting). In that case, supply alternate credentials for the approval step with the -au and -ap parameters.
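
A defender-side check for the script and approval behaviour described above, as an added example that is not part of sccmhunter or the original page: it audits an exported script inventory for a CMPivot script that no longer matches its recorded baseline, scripts whose author and approver are the same account, and approvers outside an expected list. The record fields, account names, script bodies and baseline are constructed assumptions.

```python
import hashlib

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed sample data. Field names, accounts and script bodies are
# assumptions for illustration, not values exported from a real site.
BASELINE = {"CMPivot": sha256("original CMPivot body")}  # recorded at a known-good time
APPROVERS = {"corp\\sccm-approver"}                      # accounts expected to approve
SCRIPTS = [
    {"name": "CMPivot", "author": "CORP\\svc-sccm", "approver": "CORP\\svc-sccm",
     "body": "original CMPivot body; extra line"},
    {"name": "Inventory-Fix", "author": "CORP\\alice",
     "approver": "CORP\\sccm-approver", "body": "Get-Service"},
    {"name": "Updater", "author": "CORP\\bob", "approver": "corp\\BOB",
     "body": "Get-Date"},
    {"name": "Cleanup", "author": "CORP\\bob", "approver": "CORP\\svc-backup",
     "body": "Get-Process"},
    {"name": "Pending", "author": "CORP\\alice", "approver": None,
     "body": "Get-Disk"},
]

def audit_scripts(scripts, baseline, approvers):
    """Return (script name, finding) pairs for records that need review."""
    findings = []
    for s in scripts:
        name = s["name"]
        # A baselined script (here CMPivot) must still hash to its recorded value.
        if name in baseline:
            if sha256(s["body"]) != baseline[name]:
                findings.append((name, "baseline-mismatch"))
            continue
        if not s["approver"]:
            continue  # awaiting approval, nothing to compare yet
        # Account names are compared case-insensitively.
        author, approver = s["author"].lower(), s["approver"].lower()
        if author == approver:
            findings.append((name, "self-approved"))
        elif approver not in approvers:
            findings.append((name, "unexpected-approver"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_scripts(SCRIPTS, BASELINE, APPROVERS):
        print(f"{name}: {finding}")
```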