This is a simple proof of concept illustrating the use of shim (with the transparent loader enhancements) to load iPXE, which in turn boots an operating system.
Title contains all of the documentation. Bluntly, I’m not sure what this does, I’m not great at PXE and iPXE. Amongst other things, here’s an ipxe.efi, but no source code, so this is NOT open source, be careful. I have no time to dig further…
There’s an URL to a live.com download in the blog, as well as PowerShell script inline with blog text:
Attacks Against Windows PXE Boot Images
February 13th, 2018
If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images. These techniques are separated into three sections: Backdoor attacks, Password Scraping attacks, and Post Login Password Dumps. Many of these attacks will rely on mounting a Windows image and the title will start with “Mount image disk”.[…]
This is a little side-project of mine to be able to netboot various Operating Systems using EFI based computers and GRUB over PXE. I have this running on my QNAP NAS, but I believe almost any decent NAS has the requirements to run this. This project was born out of my disdain for flashing distros to USB keys.[…]
Satellite 6 TFTP boot file legacy grub conversion script
This script is used to convert the tftp boot files (found in /var/lib/tftpboot/pxelinux.cfg/) which are automatically generated by Satellite 6 into the old legacy grub format. Why is this useful? Recently I encountered some HP servers which have an additional 10GbE card in one of the PCI-E slots on the machine which is used for the PXE boot. Unfortunately this additional interface only supports UEFI boot and not classic bios boot. By default Satellite 6 uses the shim image for UEFI but this doesn’t work with the older Linux kernel used by RHEL6.X. If this script is executed on a capsule or satellite server which has TFTP enabled, it will automatically replace the boot files using the old format which gives a successful boot for RHEL6.
There’s a new github project for BIOS/UEFI-centric PXE use, called PXE-config:
PXE config files for Legacy BIOS and UEFI netboot installs; also contains kickstart files for automated CentOS, Fedora, etc. installs. This repo contains various config files including PXE boot menu config files & kickstart files for unattended installs over PXE boot. It does not contain /etc/dnsmasq.conf, however, which contains PXE server settings for dhcp, tftp boot, and detecting client architectures (Legacy BIOS vs UEFI). dnsmasq.conf can be found in my jun-dotfiles repo on github.