Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/nccgroup/SCOMDecrypt

SCOMDecrypt is a tool to decrypt stored RunAs credentials from SCOM servers
https://github.com/nccgroup/SCOMDecrypt

Last synced: about 1 month ago
JSON representation

SCOMDecrypt is a tool to decrypt stored RunAs credentials from SCOM servers

Host: GitHub
URL: https://github.com/nccgroup/SCOMDecrypt
Owner: nccgroup
Created: 2017-02-21T16:15:11.000Z (about 7 years ago)
Default Branch: master
Last Pushed: 2023-11-10T07:04:26.000Z (6 months ago)
Last Synced: 2024-04-14T07:57:57.058Z (about 1 month ago)
Language: C#
Homepage:
Size: 26.4 KB
Stars: 113
Watchers: 12
Forks: 21
Open Issues: 2
Metadata Files:
- Readme: Readme.md

Lists

awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Web Exploitation Books)
awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Web Exploitation Books)
awesome-pentest-resource - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Web Exploitation Books)
awesome-penetest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Web Exploitation Books)
awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Tools / Windows Utilities)
awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Penetration Testing Report Templates)
awesome-pentest-listas - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Tools / Windows Utilities)
awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Web Exploitation Books)
awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Tools / Windows Utilities)
awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Penetration Testing Report Templates)
awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Web Exploitation Books)
awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Web Exploitation Books)

README

# SCOMDecrypt - SCOM Credential Decryption Tool #

Released as open source by NCC Group Plc - http://www.nccgroup.trust/

Developed by Richard Warren, richard [dot] warren [at] nccgroup [dot] trust

http://www.github.com/nccgroup/SCOMDecrypt

Released under AGPL, see LICENSE for more information

## Introduction ##

This tool is designed to retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases.

For background, please see the NCC Group blog post [here](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/february/scomplicated-decrypting-scom-runas-credentials/)

## Pre-requisites ##

To run the tool you will require administrative privileges on the SCOM server. You will also need to ensure that you have read access to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\MOMBins

You can check manually that you can see the database by gathering the connection details from the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseName

## Usage ##

The tool comes in two formats.The first is a C# binary which can simply be run on the SCOM server with no arguments as following:

.\SCOMDecrypt.exe
[+] bobsudo:H a c k T h e P l a n e t
[+] administrator:W i n t e r 2 0 1 5 !
[+] alice:P a s s w 0 r d 1 2 3 !

There is also a PowerShell version of the tool too. This is useful in a post-exploitation scenario for use with tools such as Cobalt Strike or Empire. To use the tool with Cobalt Strike:

powershell-import C:\path\to\SCOMDecrypt.ps1
powershell Invoke-SCOMDecrypt
[+] bobsudo:H a c k T h e P l a n e t
[+] administrator:W i n t e r 2 0 1 5 !
[+] alice:P a s s w 0 r d 1 2 3 !

To run within the PowerShell console:

powershell.exe -exec bypass
. .\Invoke-SCOMDecrypt.ps1
Invoke-SCOMDecrypt
...