Add AES256 secret policy blob decryption support (SCCM) #2020
The block cipher algorithm for task sequence blobs in SCCM secret policies seems to have changed from 3DES to AES starting from (I believe) SCCM version 2403. You can recognize 3DES and AES blobs by the prefixes `8913` and `8A13` respectively. Surprisingly, none of the existing public SCCM tools seem to support this yet, which can result in missing out on high-value credentials.

This PR adds support for the decryption of such AES-encrypted blobs when using `ntlmrelayx` with the `--sccm-policies` flag to dump secret policies from the SCCM MP using a relay. Testing has been done with Ludus SCCM Lab, which by default runs on a version before 2403 and which you can manually upgrade to the latest available version on the SCCM site server. This allows easily reproducing the situation before and after.
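Added example, not code from this PR or from impacket: a small Python decryptor that dispatches on the `8913` / `8A13` tag and selects 3DES or AES-256 accordingly, so a blob from either SCCM version is handled instead of silently failing. Assumptions are labelled in the code: the blob layout (2-byte tag at offset 0, 40-byte key material at offset 4, little-endian ciphertext length at offset 52, ciphertext at offset 64) and the CryptDeriveKey(SHA1) key derivation are taken from the existing public 3DES decryptors and assumed to carry over to the AES variant; AES-256 in CBC mode with a zero IV and PKCS7 padding is assumed for the `8A13` case. `build_secret_policy_blob` and the secret it is fed are constructed fixtures for the round-trip demo, not real SCCM captures. Requires the `cryptography` package.

```python
import hashlib
import struct

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
try:  # TripleDES moved to the "decrepit" namespace in cryptography 43
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

# Blob tags named in the PR: 8913 = 3DES (pre-2403), 8A13 = AES (2403+).
HEADER_3DES = bytes.fromhex("8913")
HEADER_AES = bytes.fromhex("8A13")

# Layout below is ASSUMED from the public 3DES decryptors (sccmwtf et al.)
# and assumed unchanged for the AES variant apart from the tag.
SECRET_OFF, SECRET_LEN, LEN_OFF, DATA_OFF = 4, 40, 52, 64


def cryptderivekey_sha1(secret: bytes, key_len: int) -> bytes:
    """Microsoft CryptDeriveKey() with CALG_SHA1: when the hash is shorter than
    the requested key, the key is SHA1(H ^ 0x36*64) || SHA1(H ^ 0x5C*64),
    truncated to key_len bytes. (Assumed to be the derivation for both tags.)"""
    digest = hashlib.sha1(secret).digest()
    if key_len <= len(digest):
        return digest[:key_len]
    padded = digest.ljust(64, b"\x00")
    inner = bytes(b ^ 0x36 for b in padded)
    outer = bytes(b ^ 0x5C for b in padded)
    return (hashlib.sha1(inner).digest() + hashlib.sha1(outer).digest())[:key_len]


def cipher_for_header(header: bytes):
    """Map the 2-byte tag to (algorithm factory, key length, block size)."""
    if header == HEADER_3DES:
        return TripleDES, 24, 8          # 3DES-CBC, 192-bit key
    if header == HEADER_AES:
        return algorithms.AES, 32, 16    # AES-256-CBC (assumed)
    raise ValueError(f"unknown secret policy blob tag {header.hex()}")


def decrypt_secret_policy_blob(blob: bytes) -> str:
    """Decrypt a secret policy blob of either format and return the UTF-16-LE string."""
    make_alg, key_len, block_size = cipher_for_header(blob[:2])
    secret = blob[SECRET_OFF:SECRET_OFF + SECRET_LEN]
    (data_len,) = struct.unpack_from("<I", blob, LEN_OFF)
    ciphertext = blob[DATA_OFF:DATA_OFF + data_len]
    if len(ciphertext) != data_len or data_len == 0 or data_len % block_size:
        raise ValueError("truncated or misaligned ciphertext")
    key = cryptderivekey_sha1(secret, key_len)
    dec = Cipher(make_alg(key), modes.CBC(b"\x00" * block_size)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(block_size * 8).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode("utf-16-le")


def build_secret_policy_blob(header: bytes, secret: bytes, plaintext: str) -> bytes:
    """Constructed fixture generator (not a real SCCM blob): encrypts plaintext
    into the layout above so the decryptor can be exercised offline."""
    if len(secret) != SECRET_LEN:
        raise ValueError(f"secret must be {SECRET_LEN} bytes")
    make_alg, key_len, block_size = cipher_for_header(header)
    key = cryptderivekey_sha1(secret, key_len)
    pad = padding.PKCS7(block_size * 8).padder()
    padded = pad.update(plaintext.encode("utf-16-le")) + pad.finalize()
    enc = Cipher(make_alg(key), modes.CBC(b"\x00" * block_size)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    blob = bytearray(DATA_OFF)
    blob[0:2] = header
    blob[SECRET_OFF:SECRET_OFF + SECRET_LEN] = secret
    struct.pack_into("<I", blob, LEN_OFF, len(ct))
    return bytes(blob) + ct


if __name__ == "__main__":
    demo_secret = bytes(range(SECRET_LEN))  # constructed key material
    for tag in (HEADER_3DES, HEADER_AES):
        blob = build_secret_policy_blob(tag, demo_secret, "NAA\\svc-sccm:Passw0rd!")
        print(tag.hex(), "->", decrypt_secret_policy_blob(blob))
```

The only behavioural difference between the two branches is the tuple returned by `cipher_for_header`, which is why an older decryptor that hard-codes 3DES and a 24-byte key produces garbage for `8A13` blobs rather than an obvious error; checking the tag first and refusing unknown values makes the failure mode visible.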