git404hub

what is cred1py fr?

specterops/cred1py — explained in plain English

Analysis updated 2026-07-19 · repo last pushed 2024-10-05

172PythonAudience · ops devopsComplexity · 4/5StaleSetup · hard

tl;dr

A security testing tool that extracts hidden passwords from Microsoft SCCM servers used for remote computer setup. It works through a proxy connection, letting penetration testers pull credentials from inside a network they've already accessed.

vibe map

mindmap
  root((repo))
    What it does
      Extracts SCCM credentials
      Pulls boot config files
      Gets decryption keys or hashes
    How it works
      Uses SOCKS5 proxy tunnel
      Exploits CRED-1 weakness
      Works with PxeThiefy
    Use cases
      Authorized penetration tests
      Red team engagements
      Network pivot attacks
    Audience
      Penetration testers
      Red team operators
      Security professionals
    Tech stack
      Python
      SOCKS5 proxy
      HashCat compatible

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Pivot through a compromised machine to extract SCCM network access credentials during a penetration test.

VIBE 2

Retrieve password hashes from PXE boot files and crack them offline to gain broader network access.

VIBE 3

Extract decryption keys from boot configuration files on a Microsoft SCCM server during red team operations.

VIBE 4

Use alongside PxeThiefy to complete the credential decryption pipeline in an authorized security assessment.

what's the stack?

PythonSOCKS5

how it stacks up fr

specterops/cred1pys0912758806p/agentic-sop-to-workopennswm-lab/faros
Stars172173174
LanguagePythonPythonPython
Last pushed2024-10-05
MaintenanceStale
Setup difficultyhardeasyhard
Complexity4/53/54/5
Audienceops devopsops devopsresearcher

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · hard time til it works · 1h+

Requires an existing foothold inside a target network with a SOCKS5 proxy, access to an SCCM PXE server, and a separate direct connection to the distribution server for partial file download.

The license for this repository is not specified in the available documentation.

in plain english

Cred1Py is a security testing tool that helps penetration testers and red teamers extract sensitive credentials from SCCM (Microsoft's system management software) servers. Specifically, it exploits a weakness called CRED-1 to retrieve network access account usernames and passwords that are stored in boot configuration files on PXE servers, the systems organizations use to remotely install operating systems on new machines. In plain terms, when a company sets up remote computer imaging, the PXE server holds encrypted files containing credentials needed to join new machines to the network. Cred1Py requests those files from the server, extracts the cryptographic keys or password hashes protecting them, and either hands you the decryption key directly or produces a hash you can crack offline using a tool like HashCat. Once decrypted, the credentials inside can be used to access the network. What makes this tool distinct is that it runs through a SOCKS5 proxy, essentially a tunnel that routes traffic through an already-compromised machine. This means a security professional who has gained a foothold inside a network can reach the PXE server through that foothold, without needing direct network access from their own machine. This mirrors how real attackers operate once inside an environment. The tool is designed for security professionals conducting authorized penetration tests or red team engagements. For example, if a tester has compromised a server and established a command-and-control connection, they could use this tool to pivot to the organization's PXE server and extract credentials that might open doors to broader network access. Cred1Py works alongside another tool called PxeThiefy, which handles the final decryption step. Because SOCKS5 has limitations with certain file transfer methods, this tool retrieves only a small portion of the boot file through the proxy, the rest must be downloaded separately through a standard file-sharing connection to the distribution server. The project credits Christopher Panayi for the original CRED-1 research and Carsten Sandker for the Pxethiefy tool it builds upon.

prompts (copy fr)

prompt 1
Help me set up Cred1Py to extract SCCM credentials from a PXE server through a SOCKS5 proxy. What command-line arguments do I need and how do I configure the proxy connection?
prompt 2
I have a Cred1Py output hash that I need to crack with HashCat. What hash mode and command should I use to decrypt the SCCM network access account password?
prompt 3
I have access to a compromised machine inside a network and want to use Cred1Py to pivot to the SCCM PXE server. Walk me through the steps from establishing the SOCKS5 tunnel to retrieving the boot file portion.
prompt 4
Explain how Cred1Py and PxeThiefy work together. What portion of the boot file does Cred1Py retrieve through the proxy, and how do I download the rest directly from the distribution server?

Frequently asked questions

what is cred1py fr?

A security testing tool that extracts hidden passwords from Microsoft SCCM servers used for remote computer setup. It works through a proxy connection, letting penetration testers pull credentials from inside a network they've already accessed.

What language is cred1py written in?

Mainly Python. The stack also includes Python, SOCKS5.

Is cred1py actively maintained?

Stale — no commits in 1-2 years (last push 2024-10-05).

What license does cred1py use?

The license for this repository is not specified in the available documentation.

How hard is cred1py to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is cred1py for?

Mainly ops devops.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.