Uncategorized

Attacks Against Windows PXE Boot Images

Attacks Against Windows PXE Boot Images
Thomas Elling
February 13th, 2018

If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images. These techniques are separated into three sections: Backdoor attacks, Password Scraping attacks, and Post Login Password Dumps. Many of these attacks will rely on mounting a Windows image and the title will start with “Mount image disk”.[…]

https://blog.netspi.com/attacks-against-windows-pxe-boot-images/

https://docs.microsoft.com/en-us/sccm/osd/plan-design/security-and-privacy-for-operating-system-deployment

Standard
Uncategorized

swissarmy-grubefipxe – A configuration for netbooting various linux distros using PXE/EFI/GRUB

This is a little side-project of mine to be able to netboot various Operating Systems using EFI based computers and GRUB over PXE. I have this running on my QNAP NAS, but I believe almost any decent NAS has the requirements to run this. This project was born out of my disdain for flashing distros to USB keys.[…]

https://github.com/vittorio88/swissarmy-grubefipxe

Standard
Uncategorized

Red Hat Satellite GRUB UEFI PXE script

Satellite 6 TFTP boot file legacy grub conversion script

This script is used to convert the tftp boot files (found in /var/lib/tftpboot/pxelinux.cfg/) which are automatically generated by Satellite 6 into the old legacy grub format. Why is this useful? Recently I encountered some HP servers which have an additional 10GbE card in one of the PCI-E slots on the machine which is used for the PXE boot. Unfortunately this additional interface only supports UEFI boot and not classic bios boot. By default Satellite 6 uses the shim image for UEFI but this doesn’t work with the older Linux kernel used by RHEL6.X. If this script is executed on a capsule or satellite server which has TFTP enabled, it will automatically replace the boot files using the old format which gives a successful boot for RHEL6.

https://github.com/RedHat-Consulting-UK/sat6-efi-converter

 

Standard
Uncategorized

PXE-config: PXE config files for BIOS and UEFI

There’s a new github project for BIOS/UEFI-centric PXE use, called PXE-config:

PXE config files for Legacy BIOS and UEFI netboot installs; also contains kickstart files for automated CentOS, Fedora, etc. installs. This repo contains various config files including PXE boot menu config files & kickstart files for unattended installs over PXE boot. It does not contain /etc/dnsmasq.conf, however, which contains PXE server settings for dhcp, tftp boot, and detecting client architectures (Legacy BIOS vs UEFI). dnsmasq.conf can be found in my jun-dotfiles repo on github.

https://github.com/gojun077/pxe-config

Standard