On a recent engagement, I used pytune to enroll a Windows device. When I ran download_apps, it found policies but didn't print anything out. So I printed out the whole object instead of just PolicyBody to discover that there are encrypted policies in EncryptedPolicyBody.
pytune/device/windows.py, lines 403 to 406 at commit 214760b:

```python
for policy in policies:
    self.logger.info(f'#{i} (policyid:{policy["PolicyId"]}):\n')
    print(policy["PolicyBody"] + '\n')
    i=i+1
```
```
pytune.py -v download_apps -d device_name -m device_name_mdm.pfx
[*] downloading scripts...
[!] scripts found!
[*] #1 (policyid:e9de7c4f-a0d2-4f35-a6b6-950481932e5c):
{'AccountId': '[REDACTED], 'PolicyId': 'e9de7c4f-a0d2-4f35-a6b6-950481932e5c', 'DisplayName': None, 'PolicyType': 1, 'DocumentSchemaVersion': '1.0', 'PolicyHash': 'UzbvyvEoo5Q3C4n2qCUYQYQCi/kG/Pbb6XpeaMfUBHQ=', 'PolicyBody': None, 'EncryptedPolicyBody': '<EncryptedMessage xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Management.Services.Common.Cryptography" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><EncryptedContent>MIICQwYJKoZIhvcNAQcDoIICNDCCAjACAQAxggFZMIIBVQIBADA9MCkxJzAlBgNVBAMTHk1pY3Jvc29mdCBJbnR1bmUgTURNIERldmljZSBDQQIQ04iSlPr4TIJACytbs5E/3zANBgkqhkiG9w0BAQcwAASCAQAeA2inWqMNFAzSDjWxfKmKirv1X5M8TcNPhEwDNN5fIQexSKkfoOBgxVGQhzhDRKJCR+ufdRWD9XGmL4hizG0Vj+MI4vsZgIE40aN7wpmYL8Fvx5YC3z3G7H0y4QyZzBWzQPC62TtK/t0paRyb1euLu0lNHRQbih7+Sld+T8mKQOrFnwvp4C7gl+eRe9dzgDRiA1+3AgpW3FQvAOTVmbCf2nt09ZFqr/Fg4M/dnYN+XVI4ZCWE4ByIaIagnE8l2Pex3MhSrSDIEdcTpxpu28rvWDB9eyeFkCD+nAJaKtSp46OWOcE5jrRoBk/4ZpMOv8CY9Oz9+jNr5dBZFMp4c2X8MIHNBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCW03h8ijdrXRdk5V4Ku48egIGg82E+nnMqVP+N31RPpMK0sRlNwoRA0cIBg3L6jXBwT70bs9uSaUXrgn021SDAlkL9J3+Rpz1VOrZRvykFji56wDOaeKk0FKhVS/7Ds0Ri3KamtNYE8uQduAuFObM9e0rvHUrumK2yb8MpKNvt4TDQ4PizrTHBWA271pWkSZMPc/VvnQBsHRRbtGLI1jfWzvCDZ5DBgcICM6YUvJdzdui+og==</EncryptedContent><RecipientCertThumbprints xmlns:a="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><a:string>DE55F2C87D476C11CECBE9D33803FCBBB7AF1A04</a:string></RecipientCertThumbprints></EncryptedMessage>
<more stuff>
```
Turns out EncryptedPolicyBody is PKCS7 encrypted with the MDM certificate you get from enrolling (the RecipientCertThumbprints shown matches the thumbprint of the cert). Therefore, it's possible to decrypt the contents with openssl.
```sh
echo "<base64 EncryptedContent from the policy above, omitted here>" | base64 -d | openssl cms -decrypt -inform DER -recip device_name_mdm.crt -inkey device_name_mdm.key
```

```
cmd.exe /c wmic product where "name like 'Netsurion Sensor'"
cmd.exe /c wmic product where "name like 'Netsurion Sensor'" call uninstall
```
This can be added to pytune using cryptography library. Would you take a PR for this?
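As an added example (not pytune's code and not from the issue author), a POSIX shell script that runs the openssl decryption above end to end: it constructs a stand-in MDM device certificate and an `<EncryptedMessage>` in the same shape as the one printed by pytune, checks `RecipientCertThumbprints` against the certificate's SHA-1 fingerprint before attempting anything, and then hands the decoded `EncryptedContent` to `openssl cms -decrypt`. The certificate, key, file names and policy body are all constructed; in practice the `device_name_mdm.crt`/`.key` pair from enrollment takes their place.

```sh
#!/bin/sh
# Added example, not pytune's code: check RecipientCertThumbprints against the
# enrolled MDM device certificate, then decrypt EncryptedContent with openssl cms.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for device_name_mdm.crt/.key (self-signed here; the real
# pair is issued by the Intune MDM Device CA during enrollment).
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-mdm-device" \
  -keyout "$WORK/mdm.key" -out "$WORK/mdm.crt" -days 1 2>/dev/null

# SHA-1 fingerprint in the uppercase, colon-free form the thumbprint list uses.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# Constructed <EncryptedMessage>: CMS EnvelopedData (AES-256-CBC content,
# RSA-OAEP key transport) as DER, base64 on one line, plus the recipient thumbprint.
make_message() {  # $1 = recipient cert, $2 = plaintext file
  enc=$(openssl cms -encrypt -binary -aes256 -outform DER -in "$2" \
        -recip "$1" -keyopt rsa_padding_mode:oaep | openssl base64 -A)
  printf '<EncryptedMessage><EncryptedContent>%s</EncryptedContent><RecipientCertThumbprints><a:string>%s</a:string></RecipientCertThumbprints></EncryptedMessage>\n' \
    "$enc" "$(cert_thumbprint "$1")"
}

# Refuse unless the message names our cert as a recipient, then pull out the
# base64 body, decode it and decrypt the DER blob with the device key.
decrypt_message() {  # $1 = message file, $2 = cert, $3 = key
  tp=$(cert_thumbprint "$2")
  grep -q "<a:string>$tp</a:string>" "$1" \
    || { echo "thumbprint $tp is not among RecipientCertThumbprints" >&2; return 1; }
  sed 's/.*<EncryptedContent>\(.*\)<\/EncryptedContent>.*/\1/' "$1" | tr -d '\n' \
    | openssl base64 -d -A | openssl cms -decrypt -inform DER -recip "$2" -inkey "$3"
}

# Demo on a constructed policy body.
printf 'constructed policy body\n' > "$WORK/policy.txt"
make_message "$WORK/mdm.crt" "$WORK/policy.txt" > "$WORK/msg.xml"
decrypt_message "$WORK/msg.xml" "$WORK/mdm.crt" "$WORK/mdm.key"
```

A message encrypted to a different certificate is rejected at the thumbprint check, before openssl ever sees the ciphertext.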