SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain. Please checkout the wiki for detailed usage.

This tool was developed and tested in a lab environment. Your mileage may vary on performance. If you run into any problems please don't hesitate to open an issue.

I strongly encourage using a python virtual environment for installation

git clone https://github.com/garrettfoster13/sccmhunter.git
cd sccmhunter
virtualenv --python=python3 .
source bin/activate
pip3 install -r requirements.txt
python3 sccmhunter.py -h

pipx can also be used to install globally

pipx install git+https://github.com/garrettfoster13/sccmhunter/

Huge thanks to the below for all their research and hard work and
@_mayyhem
Coercing NTLM Authentication from SCCM
SCCM Site Takeover via Automatic Client Push Installation

@TechBrandon
Push Comes To Shove: exploring the attack surface of SCCM Client Push Accounts
Push Comes To Shove: Bypassing Kerberos Authentication of SCCM Client Push Accounts.

@Raiona_ZA
Identifying and retrieving credentials from SCCM/MECM Task Sequences

@_xpn_
Exploring SCCM by Unobfuscating Network Access Accounts

@subat0mik
The Phantom Credentials of SCCM: Why the NAA Won’t Die

@HackingDave
Owning One to Rule Them All