[SCCM] Credentials from objects.data #17
@guervild Thanks for this! We're reviewing it and will try to get it merged soon.

Thanks!

@HarmJ0y I tested this PR and it looks good. @guervild I ported this code over to SharpSCCM as well: Mayyhem/SharpSCCM#14

Hello @subat0mik Ahah, I must confess that I hesitated between SharpSCCM and SharpDPAPI before doing this PR, so it's great that now both have the functionality! Also, I like that check and the use of the environment variable: https://github.com/Mayyhem/SharpSCCM/blob/25721da160201151c2c8c0d25c19954e2c7e1f3c/lib/Credentials.cs#L24 Maybe we could add it here too?

Hey @guervild, this new functionality you wrote is awesome! I just merged @subat0mik's port into SharpSCCM. Sorry it took so long to test, but I was having a regex matching issue in my environment that @subat0mik wasn't experiencing, which I had to figure out. The updated regex is here: https://github.com/Mayyhem/SharpSCCM/blob/main/lib/Credentials.cs#L41 I added "?" to the two captured groups to make the matching non-greedy, which fixed the issue I was having where data after the closing tag was being matched in some parts of my objects.data file. Could you please update this PR with the updated regex?

Signed-off-by: guervild <11190755+guervild@users.noreply.github.com>

Hey @Mayyhem Thank you very much for your message, I really appreciate it! I also like this new feature in my recent engagement 😄 I fixed the regex. Should I also change this: https://github.com/Mayyhem/SharpSCCM/blob/25721da160201151c2c8c0d25c19954e2c7e1f3c/lib/Credentials.cs#L24 ?

Don't worry about that for now so we can get this one merged. Thanks though!
Hello
Based on the article (https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9), I made a method to parse the objects.data file and retrieve NAA creds on disk.
Example:
or from a given file
The PR is based on @subat0mik's one.