# MECM Discovery

Searching for MECM infrastructure can be done with multiple tools, and most of them start in the same place: Active Directory. Once the AD schema has been extended for Configuration Manager and the site is set to publish to AD, the site systems create a handful of objects in the `CN=System Management,CN=System,DC=` container of the domain. Those objects are normally readable by any authenticated domain user, so tools simply query a domain controller over LDAP. If the schema was never extended or publishing is turned off, LDAP turns up nothing and you fall back to poking the hosts directly (e.g., the SMB checks below). The big ones are:

<table><thead><tr><th width="264">Object Class</th><th>Details</th></tr></thead><tbody><tr><td>mSSMSSite</td><td>One object per site: defines MECM site information such as the site code (mSSMSSiteCode) and site server name</td></tr><tr><td>mSSMSManagementPoint</td><td>One object per Management Point: host (dNSHostName), site code (mSSMSSiteCode) and whether it is the site's default MP (mSSMSDefaultMP)</td></tr><tr><td>mSSMSDistributionPoint</td><td>Defines a Distribution Point and the site it belongs to</td></tr></tbody></table>

So let's enumerate.

{% tabs %}
{% tab title="sccmhunter" %}
{% embed url="<https://github.com/garrettfoster13/sccmhunter>" %}

SCCMHunter is written by Garrett Foster of SpecterOps, the team behind much of the recent MECM attack research. The project has an in-depth Wiki at [this hyperlink](https://github.com/garrettfoster13/sccmhunter/wiki) that covers each module far better than this page does. Definitely review the Wiki before running it against a real environment!

{% code title="Attacker (Windows/Linux)" %}

```bash
# LDAP: ask the DC for the mSSMS* objects (sites, MPs) plus other SCCM-flavoured accounts/groups;
# results are cached locally so the other modules can reuse them
python3 sccmhunter.py find -u [username] -p [password] -d [domain] -dc-ip [DC IP]

# SMB: profile the hosts cached by `find` to confirm which site role(s) each one actually holds
python3 sccmhunter.py smb -u [username] -p [password] -d [domain] -dc-ip [DC IP]

# Display all cached results from the find/smb modules
python3 sccmhunter.py show -all

# Export the list of Management Points in JSON format
python3 sccmhunter.py show -mps -json
```

{% endcode %}
{% endtab %}

{% tab title="netexec" %}
{% embed url="<https://github.com/Pennyw0rth/NetExec>" %}
no need for intro!
{% endembed %}

{% code title="Attacker (Windows/Linux/macOS)" %}

```bash
# Use LDAP to search for MECM-related objects;
# REC_RESOLVE=true recursively resolves the membership of the SCCM-related groups the module finds
netexec ldap [DC IP] -u [username] -p [password] -M sccm -o REC_RESOLVE=true
```

{% endcode %}
{% endtab %}

{% tab title="ldapsearch" %}
{% embed url="<https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html>" %}

{% code title="Attacker (Linux)" %}

```bash
# OpenLDAP ldapsearch (ldap-utils): -x forces a simple bind (without it the tool tries SASL),
# -LLL gives plain LDIF, -s sub walks the whole System Management container
ldapsearch -x -LLL -H ldap://dc.domain.local -D 'user@domain.local' -w 'password' \
  -b 'CN=System Management,CN=System,DC=domain,DC=local' -s sub \
  '(objectClass=mSSMSManagementPoint)' dNSHostName cn mSSMSSiteCode mSSMSDefaultMP

# All three object classes in one query (objectClass does not allow substring filters like mSSMS*)
ldapsearch -x -LLL -H ldap://dc.domain.local -D 'user@domain.local' -w 'password' \
  -b 'CN=System Management,CN=System,DC=domain,DC=local' -s sub \
  '(|(objectClass=mSSMSSite)(objectClass=mSSMSManagementPoint)(objectClass=mSSMSDistributionPoint))' \
  objectClass cn dNSHostName mSSMSSiteCode
```

{% endcode %}
{% endtab %}
{% endtabs %}
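All three tabs above boil down to one LDAP search. The script below is an added example written for this page, not code from sccmhunter or NetExec: it builds the base DN and filter for the `mSSMS*` classes, turns the raw search results into a per-site inventory of Management Points and Distribution Points, and (optionally) runs the query live. The live path assumes the third-party `ldap3` package is installed; the `SAMPLE_RESPONSE` entries, their hostnames and DNs are constructed for illustration and do not come from any real site.

```python
"""Enumerate the MECM/SCCM objects published to Active Directory, over LDAP.

Added example for this page (not sccmhunter or NetExec code). It runs the query those tools
start with: mSSMS* objects under CN=System Management,CN=System,<domain DN>. Parsing is
pure Python; the live query needs the third-party `ldap3` package (pip install ldap3).
"""
from __future__ import annotations
from dataclasses import dataclass

SMS_CONTAINER_RDN = "CN=System Management,CN=System"   # where MECM publishes, relative to the domain DN
# Classes from the page's table; they exist only once the AD schema has been extended for CM.
SMS_CLASSES = ("mSSMSSite", "mSSMSManagementPoint", "mSSMSDistributionPoint")
SMS_ATTRS = ["objectClass", "cn", "dNSHostName", "mSSMSSiteCode", "mSSMSMPName", "mSSMSDefaultMP"]


def domain_to_dn(domain: str) -> str:
    """'domain.local' -> 'DC=domain,DC=local'."""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))


def sms_base_dn(domain: str) -> str:
    return f"{SMS_CONTAINER_RDN},{domain_to_dn(domain)}"


def sms_filter() -> str:
    # objectClass has OID syntax, so a substring filter like mSSMS* is rejected; OR the classes instead.
    return "(|" + "".join(f"(objectClass={cls})" for cls in SMS_CLASSES) + ")"


@dataclass
class SmsObject:
    role: str        # one of SMS_CLASSES
    site_code: str
    host: str        # FQDN when published, "" otherwise
    dn: str
    default_mp: bool = False


def _first(value):
    """ldap3 returns lists for multi-valued or empty attributes; collapse to one scalar."""
    if isinstance(value, list):
        return value[0] if value else ""
    return "" if value is None else value


def _truthy(value) -> bool:
    # AD booleans arrive as True/False when ldap3 has schema info, or as "TRUE"/"FALSE" strings without it.
    return value is True or str(value).upper() == "TRUE"


def parse_entries(response) -> list[SmsObject]:
    """Convert raw search results (the shape of ldap3's Connection.response) into SmsObjects."""
    found = []
    for entry in response:
        if entry.get("type") != "searchResEntry":   # skip searchResRef referrals; they carry no attributes
            continue
        attrs = entry.get("attributes", {})
        classes = attrs.get("objectClass", [])
        classes = [classes] if isinstance(classes, str) else classes
        role = next((cls for cls in classes if cls in SMS_CLASSES), None)
        if role is None:
            continue
        host = _first(attrs.get("dNSHostName")) or _first(attrs.get("mSSMSMPName"))
        found.append(SmsObject(role=role, site_code=str(_first(attrs.get("mSSMSSiteCode"))).upper(),
                               host=str(host).lower(), dn=entry["dn"],
                               default_mp=_truthy(_first(attrs.get("mSSMSDefaultMP")))))
    return found


def inventory(objects) -> dict:
    """Group findings by site code so each site's MPs and DPs can be read at a glance."""
    bucket = {"mSSMSSite": "sites", "mSSMSManagementPoint": "management_points",
              "mSSMSDistributionPoint": "distribution_points"}
    result: dict = {}
    for obj in objects:
        site = result.setdefault(obj.site_code, {name: [] for name in bucket.values()})
        site[bucket[obj.role]].append(obj.host or obj.dn)
    return result


def query_dc(dc_ip, domain, username, password, use_ssl=False):
    """Live query: NTLM bind to the DC, then a subtree search of the System Management container."""
    from ldap3 import NTLM, SUBTREE, Connection, Server   # third-party, imported lazily
    # ldap3's NTLM wants DOMAIN\user; the DNS domain name works in place of the NetBIOS name.
    conn = Connection(Server(dc_ip, use_ssl=use_ssl), user=f"{domain}\\{username}",
                      password=password, authentication=NTLM, auto_bind=True)
    conn.search(sms_base_dn(domain), sms_filter(), search_scope=SUBTREE, attributes=SMS_ATTRS)
    return parse_entries(conn.response)


# Constructed sample of what a DC returns for one site "PS1"; hostnames and DNs are made up.
_BASE = "CN=System Management,CN=System,DC=domain,DC=local"
SAMPLE_RESPONSE = [
    {"type": "searchResEntry", "dn": f"CN=SMS-Site-PS1,{_BASE}",
     "attributes": {"objectClass": ["top", "mSSMSSite"], "cn": "SMS-Site-PS1", "mSSMSSiteCode": "PS1",
                    "dNSHostName": [], "mSSMSMPName": [], "mSSMSDefaultMP": []}},
    {"type": "searchResEntry", "dn": f"CN=SMS-MP-PS1-MP01.DOMAIN.LOCAL,{_BASE}",
     "attributes": {"objectClass": ["top", "mSSMSManagementPoint"], "cn": "SMS-MP-PS1-MP01.DOMAIN.LOCAL",
                    "mSSMSSiteCode": "PS1", "dNSHostName": "MP01.domain.local",
                    "mSSMSMPName": "MP01.DOMAIN.LOCAL", "mSSMSDefaultMP": "TRUE"}},
    {"type": "searchResEntry", "dn": f"CN=SMS-DP-PS1-DP01.DOMAIN.LOCAL,{_BASE}",
     "attributes": {"objectClass": ["top", "mSSMSDistributionPoint"], "mSSMSSiteCode": "PS1",
                    "dNSHostName": ["dp01.domain.local"], "mSSMSDefaultMP": "FALSE"}},
    {"type": "searchResRef", "uri": ["ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local"]},
]

if __name__ == "__main__":
    print(inventory(parse_entries(SAMPLE_RESPONSE)))   # offline run over the constructed sample
```

Run it as-is to see the parser work on the constructed sample; against a real domain, `query_dc("[DC IP]", "domain.local", "user", "password")` returns the same `SmsObject` list for `inventory()`. Two things to keep in mind: a subtree search at a DC also hands back `searchResRef` referrals, which is why `parse_entries` filters on the entry type, and a site object with no hostname is reported by its DN so it still shows up in the inventory.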
