Uncategorized

Attacks Against Windows PXE Boot Images

Attacks Against Windows PXE Boot Images
Thomas Elling
February 13th, 2018

If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images. These techniques are separated into three sections: Backdoor attacks, Password Scraping attacks, and Post Login Password Dumps. Many of these attacks will rely on mounting a Windows image and the title will start with “Mount image disk”.[…]

https://blog.netspi.com/attacks-against-windows-pxe-boot-images/

https://docs.microsoft.com/en-us/sccm/osd/plan-design/security-and-privacy-for-operating-system-deployment

Standard
Uncategorized

swissarmy-grubefipxe – A configuration for netbooting various linux distros using PXE/EFI/GRUB

This is a little side-project of mine to be able to netboot various Operating Systems using EFI based computers and GRUB over PXE. I have this running on my QNAP NAS, but I believe almost any decent NAS has the requirements to run this. This project was born out of my disdain for flashing distros to USB keys.[…]

https://github.com/vittorio88/swissarmy-grubefipxe

Standard
Uncategorized

Red Hat Satellite GRUB UEFI PXE script

Satellite 6 TFTP boot file legacy grub conversion script

This script is used to convert the tftp boot files (found in /var/lib/tftpboot/pxelinux.cfg/) which are automatically generated by Satellite 6 into the old legacy grub format. Why is this useful? Recently I encountered some HP servers which have an additional 10GbE card in one of the PCI-E slots on the machine which is used for the PXE boot. Unfortunately this additional interface only supports UEFI boot and not classic bios boot. By default Satellite 6 uses the shim image for UEFI but this doesn’t work with the older Linux kernel used by RHEL6.X. If this script is executed on a capsule or satellite server which has TFTP enabled, it will automatically replace the boot files using the old format which gives a successful boot for RHEL6.

https://github.com/RedHat-Consulting-UK/sat6-efi-converter

 

Standard
Uncategorized

PXE-config: PXE config files for BIOS and UEFI

There’s a new github project for BIOS/UEFI-centric PXE use, called PXE-config:

PXE config files for Legacy BIOS and UEFI netboot installs; also contains kickstart files for automated CentOS, Fedora, etc. installs. This repo contains various config files including PXE boot menu config files & kickstart files for unattended installs over PXE boot. It does not contain /etc/dnsmasq.conf, however, which contains PXE server settings for dhcp, tftp boot, and detecting client architectures (Legacy BIOS vs UEFI). dnsmasq.conf can be found in my jun-dotfiles repo on github.

https://github.com/gojun077/pxe-config

Standard
Uncategorized

Using UEFI’s network stack

Tore Anderson has a new blog post on using UEFI with PXE remote boot over IPv6:

http://blog.toreanderson.no/2015/11/16/ipv6-network-boot-with-uefi-and-ipxe.html

I’m glad they used PXE, I am not sure UEFI HTTP boot works with IPv6 yet, initial checkin was for IPv4 only. 🙂

Standard
Uncategorized

LinuxCon Europe UEFI Mini-Summit presentations available

Earlier this month, the UEFI Forum recently had a “Mini-Summit” at LinuxCon Europe. The presentations are now available online (so far just the slides, unclear if A/V will show up on Youtube later):

UEFI Mini-Summit at LinuxCon Europe: October 7, 2015

* UEFI Forum Update and Open Source Community Benefits – Mark Doran (Intel)
* What Linux Developers Need to Know About Recent UEFI Spec Advances – Jeff Bobzin (Insyde Software)
* LUV Shack: An Automated Linux Kernel and UEFI Firmware Testing Infrastructure – Matt Fleming (Intel)
* Goodbye PXE, Hello HTTP Boot – Dong Wei (HP)
* UEFI Development in an Open Source Ecosystem – Michael Krau (Intel)

More information (about halfway down the page, past the Youtube section):

http://www.uefi.org/learning_center/presentationsandvideos

 

Standard