Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/nccgroup/SCOMDecrypt
SCOMDecrypt is a tool to decrypt stored RunAs credentials from SCOM servers
- Host: GitHub
- URL: https://github.com/nccgroup/SCOMDecrypt
- Owner: nccgroup
- Created: 2017-02-21T16:15:11.000Z (about 7 years ago)
- Default Branch: master
- Last Pushed: 2023-11-10T07:04:26.000Z (6 months ago)
- Last Synced: 2024-04-14T07:57:57.058Z (about 1 month ago)
- Language: C#
- Homepage:
- Size: 26.4 KB
- Stars: 113
- Watchers: 12
- Forks: 21
- Open Issues: 2
Metadata Files:
- Readme: Readme.md
Lists
- awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Web Exploitation Books)
- awesome-pentest-resource - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Web Exploitation Books)
- awesome-penetest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Web Exploitation Books)
- awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Tools / Windows Utilities)
- awesome-pentest - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Windows Utilities / Penetration Testing Report Templates)
- awesome-pentest-listas - SCOMDecrypt - Retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases. (Tools / Windows Utilities)
README
# SCOMDecrypt - SCOM Credential Decryption Tool #
Released as open source by NCC Group Plc - http://www.nccgroup.trust/
Developed by Richard Warren, richard [dot] warren [at] nccgroup [dot] trust
http://www.github.com/nccgroup/SCOMDecrypt
Released under AGPL, see LICENSE for more information
## Introduction ##
This tool is designed to retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases.
For background, please see the NCC Group blog post [here](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/february/scomplicated-decrypting-scom-runas-credentials/)
## Pre-requisites ##
To run the tool you will require administrative privileges on the SCOM server. You will also need to ensure that you have read access to the following registry key:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\MOMBins
```

You can check manually that you can see the database by gathering the connection details from the following keys:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseName
```

## Usage ##
The tool comes in two formats. The first is a C# binary which can simply be run on the SCOM server with no arguments, as follows:

```
.\SCOMDecrypt.exe
[+] bobsudo:H a c k T h e P l a n e t
[+] administrator:W i n t e r 2 0 1 5 !
[+] alice:P a s s w 0 r d 1 2 3 !
```

There is also a PowerShell version of the tool. This is useful in a post-exploitation scenario for use with tools such as Cobalt Strike or Empire. To use the tool with Cobalt Strike:

```
powershell-import C:\path\to\SCOMDecrypt.ps1
powershell Invoke-SCOMDecrypt
[+] bobsudo:H a c k T h e P l a n e t
[+] administrator:W i n t e r 2 0 1 5 !
[+] alice:P a s s w 0 r d 1 2 3 !
```

To run within the PowerShell console:

```
powershell.exe -exec bypass
. .\Invoke-SCOMDecrypt.ps1
Invoke-SCOMDecrypt
```
...