specterops/cred1py — explained in plain English
Analysis updated 2026-07-19 · repo last pushed 2024-10-05
Pivot through a compromised machine to extract SCCM network access credentials during a penetration test.
Retrieve password hashes from PXE boot files and crack them offline to gain broader network access.
Extract decryption keys from boot configuration files on a Microsoft SCCM server during red team operations.
Use alongside PxeThiefy to complete the credential decryption pipeline in an authorized security assessment.
| specterops/cred1py | s0912758806p/agentic-sop-to-work | opennswm-lab/faros | |
|---|---|---|---|
| Stars | 172 | 173 | 174 |
| Language | Python | Python | Python |
| Last pushed | 2024-10-05 | — | — |
| Maintenance | Stale | — | — |
| Setup difficulty | hard | easy | hard |
| Complexity | 4/5 | 3/5 | 4/5 |
| Audience | ops devops | ops devops | researcher |
Figures from each repo's GitHub metadata at analysis time.
Requires an existing foothold inside a target network with a SOCKS5 proxy, access to an SCCM PXE server, and a separate direct connection to the distribution server for partial file download.
Cred1Py is a security testing tool that helps penetration testers and red teamers extract sensitive credentials from SCCM (Microsoft's system management software) servers. Specifically, it exploits a weakness called CRED-1 to retrieve network access account usernames and passwords that are stored in boot configuration files on PXE servers, the systems organizations use to remotely install operating systems on new machines. In plain terms, when a company sets up remote computer imaging, the PXE server holds encrypted files containing credentials needed to join new machines to the network. Cred1Py requests those files from the server, extracts the cryptographic keys or password hashes protecting them, and either hands you the decryption key directly or produces a hash you can crack offline using a tool like HashCat. Once decrypted, the credentials inside can be used to access the network. What makes this tool distinct is that it runs through a SOCKS5 proxy, essentially a tunnel that routes traffic through an already-compromised machine. This means a security professional who has gained a foothold inside a network can reach the PXE server through that foothold, without needing direct network access from their own machine. This mirrors how real attackers operate once inside an environment. The tool is designed for security professionals conducting authorized penetration tests or red team engagements. For example, if a tester has compromised a server and established a command-and-control connection, they could use this tool to pivot to the organization's PXE server and extract credentials that might open doors to broader network access. Cred1Py works alongside another tool called PxeThiefy, which handles the final decryption step. Because SOCKS5 has limitations with certain file transfer methods, this tool retrieves only a small portion of the boot file through the proxy, the rest must be downloaded separately through a standard file-sharing connection to the distribution server. The project credits Christopher Panayi for the original CRED-1 research and Carsten Sandker for the Pxethiefy tool it builds upon.
A security testing tool that extracts hidden passwords from Microsoft SCCM servers used for remote computer setup. It works through a proxy connection, letting penetration testers pull credentials from inside a network they've already accessed.
Mainly Python. The stack also includes Python, SOCKS5.
Stale — no commits in 1-2 years (last push 2024-10-05).
The license for this repository is not specified in the available documentation.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Don't trust strangers blindly. Verify against the repo.