Merge pull request #14 from Tw1sm/feature/sccm-modules

Add SCCM Modules

Author: Tw1sm

CHANGELOG.md

@@ -1,4 +1,16 @@
 # Changelog
+## [v0.3.0] - 08/05/2024
+### Added
+- SCCM modules from [SQLRecon](https://github.com/skahwah/SQLRecon?tab=readme-ov-file#sccm-modules)
+    - `addadmin`
+    - `credentials`
+    - `logons`
+    - `removeadmin`
+    - `sites`
+    - `taskdata`
+    - `tasklist`
+    - `users`
+
 ## [v0.2.1] - 07/26/2024
 ### Fixed
 - Issue [#12](https://github.com/Tw1sm/PySQLRecon/issues/12)
@@ -7,7 +19,6 @@
 ### Added
 - `sample` module to retrive table data without manual SQL query
 
-
 ## [v0.1.4] - 02/03/2024
 ### Fixed
 - Issue [#9](https://github.com/Tw1sm/PySQLRecon/issues/9)

README.md

@@ -9,6 +9,8 @@ PySQLRecon
 
 PySQLRecon is a Python port of the awesome [SQLRecon](https://github.com/skahwah/SQLRecon) project by [@sanjivkawa](https://twitter.com/sanjivkawa). See the [commands](#commands) section for a list of capabilities.
 
+[Post](https://tw1sm.substack.com/p/takeover-1-with-pysqlrecon) demonstrating SCCM TAKEOVER-1 with PySQLRecon.
+
 ## Install
 PySQLRecon can be installed with `pip3 install pysqlrecon` or by cloning this repository and running `pip3 install .`
 
@@ -39,7 +41,8 @@ links                [NORM] Enumerate linked servers [I,L]
 olecmd               [PRIV] Execute a system command using OLE automation procedures [I,L]
 query                [NORM] Execute a custom SQL query [I,L]
 rows                 [NORM] Get the count of rows in a table [I,L]
-sample               [NORM] Query a sample of table data [I,L]   
+sample               [NORM] Query a sample of table data [I,L]
+sccm                 [SUBM] Submodule for SCCM specific commands   
 search               [NORM] Search a table for a column name [I,L]
 smb                  [NORM] Coerce NetNTLM auth via xp_dirtree [I,L]
 tables               [NORM] Enumerate tables within a database [I,L]
@@ -48,6 +51,19 @@ whoami               [NORM] Gather logged in user, mapped user and roles [I,L]
 xpcmd                [PRIV] Execute a system command using xp_cmdshell [I,L]     
 ```
 
+### SCCM Commands
+SCCM commands can be found by running `pysqlrecon [OPTIONS] sccm -h` (required global flags will need to be specified for this to work - see [usage](#usage))
+```
+addadmin             [PRIV] Elevate an account to Full Administrator [I]
+credentials          [NORM] Display encrypted credentials [I]
+logons               [NORM] Display SCCM clients and last logged on user [I]
+removeadmin          [PRIV] Remove elevated account or elevated privileges [I]
+sites                [NORM] Gather SCCM site info [I]
+taskdata             [NORM] Decrypt task sequences [I]
+tasklist             [NORM] Display task sequences [I]
+users                [NORM] Enumerate SCCM users [I]   
+```
+
 ## Usage
 PySQLRecon has global options (available to any command), with some commands introducing additional flags. All global options must be specified *before* the command name:
 ```
@@ -70,7 +86,14 @@ Target execution of a PySQLRecon command on a linked server (instead of the SQL
 
 Impersonate a user account while running a PySQLRecon command with the `--impersonate` flag.
 
-`--link` and `--impersonate` and incompatible.
+`--link` and `--impersonate` are incompatible.
+
+### Usage with `ntlmrelayx`
+PySQLRecon can be used with `proxychains` to take advantage of relayed authentication targeting a `mssql://` service. Due to the way ntlmrelayx sessions work, the `--database` parameter will not be respected when running PySQLRecon (the relay session will always be connected to the master database). This can come into play especially when using SCCM modules, which require the site database to be sepecified. To fix this, first change the database context using the `query` module (this will persist across any subsequent PySQLRecon usage, with the same relay session). Example:
+```
+proxychains4 pysqlrecon -t <target> -d <DOMAIN> -u <username> -p FAKE query --query 'use new_db_name'
+```
+You can now run modules/queries that target resources within that specifc database, even without specifying `--database`, from the same `ntlmrelayx` session.
 
 ## Development
 pysqlrecon uses Poetry to manage dependencies. Install from source and setup for development with:
@@ -85,7 +108,7 @@ poetry run pysqlrecon --help
 PySQLRecon is easily extensible - see the template and instructions in [resources](resources/command_template/)
 
 ### TODO
-- [ ] Add SQLRecon SCCM commands
+- [x] Add SQLRecon SCCM commands
 - [ ] Add Azure SQL DB support?
 
 ## References and Credits
@@ -94,3 +117,4 @@ PySQLRecon is easily extensible - see the template and instructions in [resource
 - [https://securityintelligence.com/x-force/databases-beware-abusing-microsoft-sql-server-with-sqlrecon/](https://securityintelligence.com/x-force/databases-beware-abusing-microsoft-sql-server-with-sqlrecon/)
 - [https://gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410](https://gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410)
 - Also checkout [MSSqlPwner](https://github.com/ScorpionesLabs/MSSqlPwner) for other offensive MSSQL capabilities written in Python
+- [PXEThief](https://github.com/MWR-CyberSec/PXEThief)

poetry.lock

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pysqlrecon"
-version = "0.2.1"
+version = "0.3.0"
 description = "Offensive MSSQL Python toolkit"
 authors = ["Matt Creel <mcreel31@gmail.com>"]
 readme = "README.md"
@@ -12,6 +12,7 @@ python = "^3.11"
 rich = "^12.5.1"
 typer = "^0.6.1"
 impacket = "^0.11.0"
+pycryptodome = "^3.20.0"
 
 [tool.poetry.group.dev.dependencies]
 ruff = "^0.0.235"

pyproject.toml

@@ -1 +1 @@
-__version__ = '0.2.1'
+__version__ = '0.3.0'

pysqlrecon/__init__.py

@@ -45,7 +45,7 @@ def main(
 
     # Misc Options
     debug: bool = typer.Option(False, '--debug', help='Turn DEBUG output ON', rich_help_panel='Misc Options'),
-    basic_tables: bool = typer.Option(False, '--basic-tables', help='Use simple ASCII table output', rich_help_panel='Misc Options'),
+    basic_tables: bool = typer.Option(False, '--basic-tables', help='Use simple ASCII table output (avoids truncation)', rich_help_panel='Misc Options'),
     quiet: bool = typer.Option(False, '--quiet', help='Hide the banner', rich_help_panel='Misc Options')):
 
     if not quiet:
@@ -57,6 +57,10 @@ def main(
         logger.warning("Cannot use --impersonate and --link together")
         exit()
 
+    if not sql_auth and domain is None:
+        logger.warning("Windows authentication requires a domain specified with -d/--domain")
+        exit()
+
     # accesing a link may require Kerberos auth
     if link is not None and kerberos is False:
         logger.warning("Querying a linked server may require specifying Kerberos authentication")

pysqlrecon/__main__.py

@@ -8,9 +8,10 @@
 from pysqlrecon.lib.clr import ClrMixin
 from pysqlrecon.lib.module import ModuleMixin
 from pysqlrecon.lib.query import QueryMixin
+from pysqlrecon.lib.sccm import SccmMixin
 
 
-class PySqlRecon(SqlAgentMixin, ClrMixin, ModuleMixin, QueryMixin):
+class PySqlRecon(SqlAgentMixin, ClrMixin, ModuleMixin, QueryMixin, SccmMixin):
 
     # https://learn.microsoft.com/en-us/sql/relational-databases/errors-events/database-engine-events-and-errors-6000-to-6999?view=sql-server-ver16
     DUPLICATE_ASM_ERROR = 6285

pysqlrecon/lib/__init__.py

@@ -0,0 +1,99 @@
+from Crypto.Cipher import DES3
+from hashlib import sha1
+import struct
+
+from pysqlrecon.logger import logger
+
+
+class SccmMixin:
+
+    #
+    # https://github.com/skahwah/SQLRecon/blob/main/SQLRecon/SQLRecon/modules/SCCM.cs#L844
+    #
+    @staticmethod
+    def decode_data(encrypted_blob):
+
+        data_len = struct.unpack_from('<I', encrypted_blob, 52)[0]
+        encrypted_data = encrypted_blob[64:64 + data_len]
+        logger.debug(f"Encrypted data length: {data_len}")
+
+        hash_base = encrypted_blob[4:44]
+
+        logger.debug(f"Hash Base: [ {', '.join([str(byte) for byte in hash_base])} ]")
+
+        key = SccmMixin.aes_des_key_derivation(hash_base)[:24]
+        logger.debug(f"Derived Key: [ {', '.join([str(byte) for byte in key])} ]")
+        
+        iv = bytes([0] * 8)
+        cipher = DES3.new(key, DES3.MODE_CBC, iv)
+        decrypted = cipher.decrypt(encrypted_data)
+
+        # Remove PKCS7 padding
+        padding_len = decrypted[-1]
+        if isinstance(padding_len, int) and padding_len > 0 and padding_len <= 8:
+            decrypted = decrypted[:-padding_len]
+
+        try:
+            decoded_string = decrypted.decode('utf-16-le')
+        except UnicodeDecodeError as e:
+            print(f"Decoding error: {e}")
+            raise
+
+        return decoded_string
+    
+
+    #
+    # https://github.com/MWR-CyberSec/PXEThief/blob/main/media_variable_file_cryptography.py#L23
+    #
+    @staticmethod
+    def aes_des_key_derivation(password):
+        key_sha1 = sha1(password).digest()
+        
+        b0 = b""
+        for x in key_sha1:
+            b0 += bytes((x ^ 0x36,))
+            
+        b1 = b""
+        for x in key_sha1:
+            b1 += bytes((x ^ 0x5c,))
+
+        # pad remaining bytes with the appropriate value
+        b0 += b"\x36"*(64 - len(b0))
+        b1 += b"\x5c"*(64 - len(b1))
+            
+        b0_sha1 = sha1(b0).digest()
+        b1_sha1 = sha1(b1).digest()
+        
+        return b0_sha1 + b1_sha1
+    
+
+    @staticmethod
+    def convert_sid_to_binary(sid_string):
+        # Split the SID string into its components
+        sid_parts = sid_string.split('-')
+        
+        # Extract the revision level (first part after 'S')
+        revision = int(sid_parts[1])
+        
+        # Extract the identifier authority (next part)
+        identifier_authority = int(sid_parts[2])
+        
+        # Extract the sub authorities (remaining parts)
+        sub_authorities = [int(part) for part in sid_parts[3:]]
+
+        # Create the binary representation
+        # Start with revision and sub-authority count
+        sid_binary = struct.pack('B', revision) + struct.pack('B', len(sub_authorities))
+        
+        # Handle identifier authority
+        if identifier_authority > 0xFFFFFFFF:
+            sid_binary += struct.pack('>Q', identifier_authority)[2:]
+        else:
+            sid_binary += b'\x00\x00' + struct.pack('>I', identifier_authority)
+
+        # Add each sub authority
+        for sub_authority in sub_authorities:
+            sid_binary += struct.pack('<I', sub_authority)
+
+        return sid_binary
+

pysqlrecon/lib/sccm.py

@@ -3,6 +3,7 @@
                                 enablexp, disablexp, xpcmd, enablerpc, disablerpc, enableole,\
                                 disableole, enableclr, disableclr, olecmd, agentstatus, agentcmd, \
                                 clr, adsi, sample
+from pysqlrecon.modules import sccm
 
 __all__ = [
     checkrpc,
@@ -34,5 +35,8 @@
     olecmd,
     agentstatus,
     agentcmd,
-    adsi
+    adsi,
+
+    # sccm submodule
+    sccm
 ]

pysqlrecon/modules/__init__.py

@@ -0,0 +1,33 @@
+import typer
+
+from pysqlrecon.modules.sccm import users, sites, credentials, logons, tasklist, taskdata, \
+                                    addadmin, removeadmin
+
+__all__ = [
+    addadmin,
+    credentials,
+    logons,
+    removeadmin,
+    sites,
+    taskdata,
+    tasklist,
+    users
+]
+
+COMMAND_NAME = "sccm"
+HELP = "[blue][SUBM][/] Submodule for SCCM specific commands"
+
+
+app = typer.Typer(add_completion=False,
+    rich_markup_mode='rich',
+    context_settings={'help_option_names': ['-h', '--help']},
+    pretty_exceptions_show_locals=False
+)
+
+for command in __all__:
+    app.add_typer(
+        command.app,
+        name=command.COMMAND_NAME,
+        help=command.HELP
+    )
+