MWR-CyberSec / PXEThief

PXEThief is a set of tooling that can extract passwords from the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager
GNU General Public License v3.0
324 stars 47 forks

Help with pxethief option 3 and PFX files #12

Open 7MinSec opened 1 month ago

7MinSec commented 1 month ago

Hi there,

On a pentest I've cracked the password that protects the variables file, and am now trying to get the option 3 firing but am having issues.

My initial errors were very similar to this issue, and that got me closer as then the next run of pxethief resulted in [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1020)'))).

Then I found this BloodHound Slack thread which led me to try setting USING_TLS to True.

It seems now I'm closer as my output of the pxethief run is:

<snip>
[+] CCMClientTimestamp Signature Generated
[+] ClientToken Signature Generated
[+] Retrieving x64UnknownMachineGUID from MECM MP...
If you encountered errors at this point, it is likely as a result of one of two things: a) network connectivity or b) the signing algorithm

Fix network connectivity issues by ensuring you can connect to the HTTP port on the server and fixing DNS issues or by using the SCCM_BASE_URL to hardcode the beginning of the URL used to access the MP: e.g. http://192.168.56.101

The SHA1 signing algorithm is implemented by generateSignedData and the SHA256 signing algorithm is implemented by generateClientTokenSignature
If you encountered errors, for CCMClientIDSignature, CCMClientTimestampSignature and clientTokenSignature change the current signing algorithm to the one not in use
Could not find the TLS certificate file, invalid path: output.crt
</snip>

I do get a variables.xml and NETBIOSDOMAINNAME_randomnumber_SMSTSMediaPFX.pfx if that matters?

7MinSec commented 1 month ago

I just posted this in the BH Slack thread as well:

Ohhhhhhhh wait I think I get it. Ok I didn't muck with lines 343/353, but once I set USING_TLS from False to True and made my request again, I got a .pfx file. I then used the gist you referenced (https://gist.github.com/datvm/4de10d7e8f034f62742a4b7effe32bb3) to create an output-key.key and output.crt and then I ran pxethief with option 3 again and got the delicious creds!

If this is the proper fix/workaround feel free to close this issue.