CRED-1 - PXE Abuse
Document Reference
Unencrypted Boot Mediums
PXE Boot mediums may be deployed to endpoints wherein the PXE boot image is not encrypted. When this is the case it is trivial to initiate the PXE installation sequence and pillage credentials on the resulting image when installation is complete.
Broadly, this means it is trivial to obtain local SAM hashes and SCCM secrets from the installed image.
Requirements
Unauthenticated network access
Line of sight to DHCP server (optional, but helps)
Line of sight to PXE-enabled distribution point
Manual
This process can be performed manually by using virtualisation on the attack system (Virtualbox, Vmware etc..). Configuring a VM to network boot
Once the initial PXE image is loaded, if the image is not password protected then we can simply proceed without requiring password input.
Proceed until an option for continuing with limited setup appears, then continue with the limited setup process.
When the system is finalised the logon screen for the administrator account will be presented. Gracefully shutdown the VM through the power options menu.
Ensure the VM is gracefully shutdown through the windows power options. If the VM is terminated in an ungraceful state you will not have write access to reset the administrator password through a live boot medium.
Boot a live distro such as Kali Linux over the top of the newly created VM. Browse to the mounted Windows disk /Windows/Windows/System32/Config
where the SAM and SYSTEM hive files reside.
Then use impacket-secretsdump
to obtain the SAM hashes from the system.
After this, ideally we will access the VM as the administrative account to identify further credentials. chntpw
can be used to wipe any local account credentials within the SAM database, we will wipe the local administrator account credentials, save changes and reboot into the installed Windows VM.
After saving changes and rebooting the Windows VM. It should auto login as the native administrator account as there is now no password in place.
Sometimes this process seems to fail. If so try again and ensure the account is unlocked then blank the password again. Save the hive and perform a graceful shutdown in Kali.
Once logged in as an administrative user, it is advised to use SharpSCCM to identify any local secrets for the NAA account. There is potential for the NAA account to be over-privileged in domain or for its password to be reused within the environment.
Credential Material obtained for lateral movement
SAM hashes
SCCM NAA account credentials
PXETHIEF
PXETHIEF is best utilised from a Windows based system so it can decrypt password values. PXETHIEF helps automate the process of collecting ConfigMgr Collection Variables, Task Sequence variables and NAA account credentials from PXE images.
Requirements
Install npcap: https://npcap.com/#download
Install Python3: https://www.python.org/downloads/windows/
Install TFTP Client (Windows Feature)
Clone PXEThief repository: https://github.com/MWR-CyberSec/PXEThief
The PowerShell script below will attempt to download and install the above requirements. npcap
is not able to be installed silently and will require manual intervention to finalise.
Execute
Encrypted Boot Mediums
SCCM can be configured to set passwords on PXE. When this is the case, a valid password needs to be provided before the boot media is accessible. PXETHIEF can be used to obtain the hashed password value, if the password is weak, we can crack it and proceed with the same steps in the above sections of this document to perform credential extraction.
Download the boot var with TFTP
Use with option 5 in PXETHIEF to receive the PXE password hash
To crack the hash in hashcat, we need to use Christopher Panayi’s hashcat module, which needs to be compiled into a hashcat build to support SCCM hashes.
hashcat module: https://github.com/MWR-CyberSec/configmgr-cryptderivekey-hashcat-module
Otherwise, I have created a fork of hashcat, with this module for hashcat 6.2.6 with precompiled Linux and Windows binaries here: https://github.com/The-Viper-One/hashcat-6.2.6-SCCM
Now that the PXE password has been obtained, the same steps in Unencrypted Boot Medium section can be followed for credential extraction.
Defence
Last updated