Anonymous ID: 1475ac Aug. 3, 2021, 9:33 a.m. No.14259681   >>9753 >>9760 >>9935 >>0121

PXE

 

[not in this anon's wheelhouse, posting for codefags and networkfags to ponder]

 

"Next, the system BIOS searches for other peripherals and microcontrollers, and executes any Option ROMs on these components necessary to initialize them. Option ROMs execute very early in the boot process and can add a variety of features to the boot process. For example, the Option ROM on a network adapter could load the Preboot Execution Environment (PXE), which allows a computer to boot over the network."

 

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-147.pdf

 

Boot PXE

 

The PXE boot (Pre-boot eXecution Environment) allows a workstation to boot from the network. It relies on a specific DHCP server response defined in RFC 4578 [DHCP & PXE].

 

The PXE client sends a DHCP request with specific options related to PXE, and the DHCP server response gives, in addition to the usual IP addressing information, the location of the pre-boot file on the network, accessible via TFTP.

 

Once the image is loaded, the client installs the content on the local disk and integrates it into the Active Directory through a dedicated service account included in the PXE pre-boot image. Once the installation is completed, the workstation is functional and the enrollment in the Active Directory is effective.

 

Retrieval of sensitive data

 

These PXE boot features have already been studied by many people [NETSPI] and are useful for an attacker because they allow extracting sensitive information. Indeed, an attacker can boot on PXE and take advantage of this automated process to obtain a standard workstation in the target domain, without prior information.

 

In particular, it is possible to:

 

Press F8 key during the Windows PE deployment phase, which prompts an administrator console on the machine. This provides access to the contents of the file system that will be deployed to the workstation.

 

Pressing Shift+F10 during the setup process will bring up a system console. For example, a local administrator account could be added on the device or the SAM and SYSTEM databases could be extracted to obtain the default password hash of the local administrator account;

 

Extract and analyse the memory of the workstation during the setup in order to extract sensitive information; [vote counts?]

 

Retrieve the pre-boot image file ".wim" to access all the settings: password of the service account used for integration in the domain, files containing default passwords such as "unattend.xml", etc.

 

Hardening

 

Protect the PXE boot sequence

 

To avoid an attacker with access to the corporate network booting into PXE, it is strongly recommended that the ability to boot this way is limited to specific network areas, such as dedicated rooms with physical access control.

On the other hand, it is also recommended to require a password before starting the deployment. This can be configured by checking the "Require a Password when computers use PXE" checkbox in the SCCM configuration.

More generally, Microsoft's recommendations for deploying PXE [PXE SECURITY] are a good starting point to secure any PXE installation.

 

https://www.securityinsider-wavestone.com/2020/01/taking-over-windows-workstations-pxe-laps.html
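
A monitoring check for the hardening point quoted above (PXE boot limited to specific network areas), as an added example that is not part of the original post or the quoted articles: it parses DHCP requests, recognises PXE clients by the "PXEClient" vendor class (option 60) or the RFC 4578 architecture option (93), and flags requests relayed from segments outside an allow-list. The allow-list, the sample packets and all function names are constructed assumptions.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
# Assumption: the only segment where PXE boot is permitted (constructed value).
ALLOWED_PXE_SEGMENTS = [ipaddress.ip_network("10.20.30.0/24")]

def parse_options(data):
    """Walk DHCP options as (tag, length, value) until END (255)."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:              # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            break                     # truncated option header
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break                     # truncated option value
        opts[data[i]] = value
        i += 2 + length
    return opts

def classify(packet):
    """Return None for non-PXE traffic, else a dict describing the PXE request."""
    if len(packet) < 240 or packet[0] != 1 or packet[236:240] != MAGIC:
        return None                   # not a BOOTREQUEST carrying DHCP options
    opts = parse_options(packet[240:])
    if not (opts.get(60, b"").startswith(b"PXEClient") or 93 in opts):
        return None
    # giaddr is set by the DHCP relay of the client's segment; it stays
    # 0.0.0.0 when the request was not relayed, which is flagged here too.
    giaddr = ipaddress.ip_address(packet[24:28])
    mac = packet[28:28 + min(packet[2], 16)].hex(":")
    arch = opts.get(93, b"")
    return {"mac": mac, "relay": str(giaddr),
            "arch": struct.unpack("!H", arch[:2])[0] if len(arch) >= 2 else None,
            "alert": not any(giaddr in net for net in ALLOWED_PXE_SEGMENTS)}

def build_sample(giaddr, pxe=True):
    """Constructed DHCPDISCOVER used as demo input (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0)
    hdr += bytes(12) + ipaddress.ip_address(giaddr).packed  # ciaddr/yiaddr/siaddr, giaddr
    hdr += bytes.fromhex("020000aabbcc") + bytes(10) + bytes(192)  # chaddr, sname+file
    opts = b"\x35\x01\x01"            # option 53: DHCPDISCOVER
    if pxe:
        vendor = b"PXEClient:Arch:00007:UNDI:003016"
        opts += bytes([60, len(vendor)]) + vendor + b"\x5d\x02\x00\x07"
    return hdr + MAGIC + opts + b"\xff"
```
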