SharpPXE #1804

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

carlospolop wants to merge 1 commit into master from update_SharpPXE_20260124_182914

Open

SharpPXE #1804

.../active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -131,12 +131,24 @@ WHERE dp.name IN ('smsdbrole_MP','smsdbrole_MPUserSvc') @@
     ---
-    ## 6. Detection & Hardening
+    ## 6. PXE boot media harvesting (SharpPXE)
+    * **PXE reply over UDP/4011**: send a PXE boot request to a Distribution Point configured for PXE. The proxyDHCP response reveals boot paths such as `SMSBoot\\x64\\pxe\\variables.dat` (encrypted config) and `SMSBoot\\x64\\pxe\\boot.bcd`, plus an optional encrypted key blob.
+    * **Retrieve boot artifacts via TFTP**: use the returned paths to download `variables.dat` over TFTP (unauthenticated). The file is small (a few KB) and contains the encrypted media variables.
+    * **Decrypt or crack**:
+      - If the response includes the decryption key, feed it to **SharpPXE** to decrypt `variables.dat` directly.
+      - If no key is provided (PXE media protected by a custom password), SharpPXE emits a **Hashcat-compatible** `$sccm$aes128$...` hash for offline cracking. After recovering the password, decrypt the file.
+    * **Parse decrypted XML**: plaintext variables contain SCCM deployment metadata (**Management Point URL**, **Site Code**, media GUIDs, and other identifiers). SharpPXE parses them and prints a ready-to-run **SharpSCCM** command with GUID/PFX/site parameters prefilled for follow-on abuse.
+    * **Requirements**: only network reachability to the PXE listener (UDP/4011) and TFTP; no local admin privileges are needed.
+    ---
+    ## 7. Detection & Hardening
 . **Monitor MP logins** – any MP computer account logging in from an IP that isn’t its host ≈ relay.
 . Enable **Extended Protection for Authentication (EPA)** on the site database (`PREVENT-14`).
 . Disable unused NTLM, enforce SMB signing, restrict RPC (
        same mitigations used against `PetitPotam`/`PrinterBug`).
 . Harden MP ↔ DB communication with IPSec / mutual-TLS.
+. **Constrain PXE exposure** – firewall UDP/4011 and TFTP to trusted VLANs, require PXE passwords, and alert on TFTP downloads of `SMSBoot\\*\\pxe\\variables.dat`.
     ---
@@ Expand All / @@ -159,4 +171,5 @@ WHERE dp.name IN ('smsdbrole_MP','smsdbrole_MPUserSvc') @@
     - [I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays](https://specterops.io/blog/2025/07/15/id-like-to-speak-to-your-manager-stealing-secrets-with-management-point-relays/)
     - [PXEthief](https://github.com/MWR-CyberSec/PXEThief)
     - [Misconfiguration Manager – ELEVATE-4 & ELEVATE-5](https://github.com/subat0mik/Misconfiguration-Manager)
+    - [SharpPXE](https://github.com/leftp/SharpPXE)
     {{#include ../../banners/hacktricks-training.md}}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SharpPXE #1804

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

SharpPXE #1804

Are you sure you want to change the base?

Uh oh!

SharpPXE #1804

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing