Windows Pxe Boot Image

If this is the case, right click on the boot image that you want your DP to offer for all PXE requests, go to properties-Data Source and check the box 'Deploy this boot image from the PXE-enabled distribution point'. Un-check the same box for the boot image you want to remove. I hope this helps, Rafael. Feb 13, 2018 Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images.

If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images. These techniques are separated into three sections: Backdoor attacks, Password Scraping attacks, and Post Login Password Dumps. Many of these attacks will rely on mounting a Windows image and the title will start with “Mount image disk”.

Recommended tools:

Windows image (blog uses Windows 10 Professional)

General overview:

PXE booting a Windows image with Hyper-V
Backdoor attacks
Password Scraping attacks

PXE booting a Windows image with Hyper-V

Create a new VM through the New Virtual Machine Wizard. Follow the guided steps and make sure to choose the “Install an operating system from a network-based installation server” option. Check the settings menu after the wizard is complete and make sure “Legacy Network Adapter” is at the top of the Startup order.

Save and start the VM. The PXE network install should start and begin the Microsoft Deployment Toolkit deployment wizard.

Run through the wizard and start the installation task sequence for the target image. This can take a while.

Mounting a Windows image

Once the setup is completely finished (including the Windows operating system setup), you should have a working Windows VM. Make sure to shutdown the VM safely and download the Kali Linux iso. Go to the Settings menu and choose the location of your DVD drive image file.

Now, change the boot order so that “CD” is at the top of the BIOS startup order.

Save the settings and start the VM. Choose to boot into the “Live (forensic mode)”.

Once Kali is booted, mount the Windows partition with the following sample commands. Make sure to change the example /dev/sda2 partition use case.

Backdoor Attacks

1. Add a local Administrator during setup.

This is probably the simplest way to gain elevated access to the system image. After going through the Windows PE boot process, go back into the Settings menu for the VM. Set “IDE” to be at the top in the “Startup order” of the BIOS section.

Save the settings, start the VM, and connect to the console. The VM should enter the initial Windows setup process. Pressing Shift+F10 will bring up a system console. Note that this is different than pressing F8 during the Windows PE deployment phase. Enter the following commands to add your local Administrator user.

Check the Administrators group membership.

Now that the user has been created and added to the Administrators group, wait for the VM to finish setup and log in.

Once logged in, you will have local Administrator privileges! We can go a step further and obtain local system with PsExec.

The local system cmd prompt can be used to check if the computer account has domain user privileges. This can be a good starting point for mapping out the domain with a tool like BloodHound/SharpHound.

2. Mount image disk – Add batch or executable files to all users.

The shortcuts or files located in C:Users%username%AppDataRoamingMicrosoftWindowsStart MenuProgramsStartup will run when the users log in at startup. Change directories to the Administrator’s Startup directory and create a batch file with the following commands.

The batch file will run when the Administrator user logs in. If this attack is combined with attack scenario #4, the Administrator user can log in with a blank password. Check to see that the startup user is created and added to the Administrators group after login.

3. Mount image disk – Overwrite sethc.exe or other accessibility options.

Replacing sethc.exe (Sticky Keys) is a classic privilege escalation technique. sethc.exe is located at %windir%System32sethc.exe. The command below copies cmd.exe and renames it to sethc.exe.

If sticky keys is enabled, a local system cmd prompt will pop up when “Shift” is clicked five times in a row.

4. Mount image disk – Use chntpw tool to overwrite Administrator password.

The chntpw tool can clear the password for a Windows user. The SAM and SYSTEM files are located in the %windir%System32config directory.

Create Pxe Boot Image In Windows 7

The netspi user’s password is cleared and the account can be logged into without entering a password.

Password Scraping Attacks

5. Scrape VM memory files for passwords during install or login.

My colleague James Houston deserves a huge shout out for coming up with this attack. The general idea here is to use the snapshot or suspension functionality to capture passwords in the VM’s memory. This can be done during the actual PXE boot deployment process, installation, or login steps. This example will retrieve the password for the deployment service account during the MDT deployment process.

The deployment user is used to join computers to the domain in the “Computer Details” step of the deployment task sequence.

At this point, either suspend or take a snapshot of the VM’s current state. In Hyper-V, use the Checkpoint functionality to take a snapshot. Under the Checkpoint menu in Settings, make sure that “Standard checkpoints” is selected. This will ensure application and system memory is captured. The snapshot location is also set in this menu.

Browse to the snapshot file location and look for the corresponding files for your hypervisor.

VMWare: .vmem, .vmsn (snapshot memory file), .vmss (suspended memory file)
Hyper-V: .BIN, .VSV, .VMRS (virtual machine runtime file)

Since this example uses Hyper-V, copy off the .VMRS file to search for passwords. I used Kali Linux along with strings and grep to locate the service account and password. Searching for keywords like “User” or “Password” is a great start if the username or password was not displayed during the Windows Deployment Wizard.

6. Mount image disk – Review local Unattend/Sysprep files.

Unattend and Sysprep files can contain passwords used for deployment and setup. The following locations contain files related to Sysprep.

%windir%Panther
%windir%PantherUnattend
%windir%System32Sysprep

In this case, the unattend.xml file has been sanitized but it is always worth checking these locations for passwords and sensitive information.

7. Mount image disk – Copy the SAM file and pass the hash with the Administrator account.

The SAM and SYSTEM files are located in the %windir%System32config directory.

This file can be copied off to your local machine and Mimikatz can be used to extract the hashes. The Administrator hash can be used in pass the hash attacks with CrackMapExec or Invoke-TheHash.

This can be an extremely effective technique to elevate privileges if the domain has shared local Administrator passwords.

8. Mount image disk – Copy the SAM file and crack the Administrator account.

Like above, once the SAM and SYSTEM files are copied to your local machine, the Administrator account can be cracked with Hashcat or John the Ripper. A sample Hashcat command is below. Visit the hashcat wiki for setup and basic usage.

Post Login Password Dumps

Once the techniques above have given access to the PXE booted image, we can dump passwords. Mimikatz is a great tool for password dumping.

sekurlsa::logonpasswords will dump passwords from LSASS memory.

lsadump::secrets dumps the LSA secrets.

vault::cred dumps saved credentials from the Credential Manager. However, if a saved credential is set as a domain password type, this command will not retrieve the credential successfully. The Mimikatz wiki has a good explanation on how to extract these credentials.

Mitigation and Prevention

There are inherent security risks associated with the use of PXE deployments that do not require authentication or authorization of any kind, especially on user LANs. It is highly recommended that PXE installations require credentials to begin the installation process. For example, this can be configured on a distribution server simply by checking “Require a password when computers use PXE” in System Center Configuration Manager.

One of the main takeaways from the attacks above is that applications or software that contain sensitive data should not be included in any images. In addition, shared local Administrator passwords or service account passwords should not be used on images (or anywhere in the domain). Images can be compromised and this should help reduce the risk to machines on the domain. Finally, PXE deployments should only be available on isolated networks. Check out these best practices from Microsoft for more information on securing PXE boot deployments.

References

Thanks to Scott Sutherland (@_nullbind), Alex Dolney (@alexdolney), and James Houston for their wisdom and guidance!

https://www.vmware.com/products/personal-desktop-virtualization.html
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/
https://www.kali.org/downloads/
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
https://github.com/BloodHoundAD/BloodHound
https://github.com/BloodHoundAD/SharpHound
https://github.com/byt3bl33d3r/CrackMapExec
https://github.com/Kevin-Robertson/Invoke-TheHash
https://hashcat.net/wiki/
https://github.com/gentilkiwi/mimikatz
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
https://docs.microsoft.com/en-us/sccm/osd/plan-design/security-and-privacy-for-operating-system-deployment

Prerequisites

The MECM version number must be 2103 to support Windows 10 version 21H1.

Windows ADK version 2004 must be used to deploy operating systems with Configuration Manager and support the previous requirement stated above.

The Windows 10 version 21H1 ISO image must be downloaded. It can be obtained through the Microsoft Evaluation Center, Volume Licensing Service Center, or Microsoft Developer Network (MSDN) subscription.

For the latest prerequisites, be sure to check the Microsoft webpage at https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/configs/support-for-windows-10.

Note

The use case presented in this tutorial is deploying Windows 10 to new computers, with the Configuration Manager client installed on Windows 10. There are other possible use cases that are not covered in this tutorial.

Check MECM version number

Click on the blue rectangle in the upper-left corner and click “About Configuration Manager” to see the MECM version number.

Mount Windows 10 version 21H1 ISO and extract files

On File Explorer, navigate to the ISO file, right-click it, and select “Mount” to mount the ISO file.

Then, copy all of the files from the ISO to a folder of your choice. Make sure this folder is shared; you will see why this is important in the next section.

At this time, if you wish to customize the install.wim file, you can create the “Build and capture a reference operating system image” task sequence in the Configuration Manager Console at Software LibraryOverviewOperating SystemsTask Sequences. Customizing images will not be covered in this tutorial; I will use the vanilla install.wim file.

Add Operating System Image

In the Configuration Manager console, navigate to Software LibraryOverviewOperating SystemsOperating System Images and click on “Add Operating System Image”.

Specify the path to the WIM file in UNC format.

Optionally, you can choose to extract a specific image index from the specified WIM file; I choose to extract Windows 10 Pro for this tutorial.

Select the architecture (x86 or x64).

Finally, select the language and click Next.

Enter a name, version, and comment, and click Next.

Review the information and click Next.

Wait until successful completion of the wizard.

Distribute Content (Operating System image)

Click the operating system image, then click on “Distribute Content”.

Review selected content and click Next.

You can choose to add distribution point(s) or distribution point group(s) to distribute the content by clicking “Add > Distribution Point” or “Add > Distribution Point Group”, respectively. After successfully adding distribution point(s) or distribution point group(s), click “Next”.

Review and confirm the settings, then click “Next” if you are satisfied.

Verify successful completion of the task. Click “Close”.

Select the operating system image and wait until the “Content Status” shows Success (green color).

Create Task Sequence: Install an existing image package

In the Configuration Manager console, go to Software LibraryOverviewOperating SystemsTask Sequences and click “Create Task Sequence”.

As I wish to install Windows 10 on new computers, I will select “Install an existing image package” and click “Next”.

Enter a task sequence name and description. Select a boot image for your chosen architecture. Optionally, this task sequence can be run with the high performance power plan. Click “Next”.

Browse to the image package. Then, select the image index. You can choose whether or not to configure the task sequence to use BitLocker encryption and/or partition and format the target computer before installing the operating system. Optionally, you can specify the product key to activate Windows. Finally, you have the choice to randomly generate the local administrator password and disable the account or enable the account and specify the local administrator password. It is a best security practice to disable the Administrator account in Windows 10. Click “Next”.

Choose whether the computer should join a workgroup or domain. Fill out all of the required information. Click “Next”.

Specify the Configuration Manager client package by clicking on “Browse” and selecting the package. Optionally, specify additional installation properties. Click “Next”.

You can optionally choose to capture user settings and files, capture network settings, and/or capture Windows settings. I will not capture any of these settings, as my use case is deploying Windows 10 to new computers. Click “Next”.

As I am not installing any software, I select “Do not install any software updates”. Choose the software update installation option that suits your use case. Click “Next”.

You can choose the applications you want to install. I will not be installing any applications for simplicity. Once you have added the applications you wish to install, click “Next”.

Confirm your settings. Once you are satisfied, click “Next”.

Wait until the task sequence completed successfully. Close the wizard.

Using PXE to deploy an OS

Distribute both x86 and x64 PXE-enabled boot images to one or more PXE-enabled distribution points, so PXE can be used to deploy an operating system. For the vendor documentation on this topic, look at https://docs.microsoft.com/en-us/mem/configmgr/osd/deploy-use/use-pxe-to-deploy-windows-over-the-network.

Enable PXE on boot images

On the Configuration Manager console, go to Software LibraryOverviewOperating SystemsBoot Images. Right-click “Boot image (x86)” and click “Properties”. Go to the “Data Source” tab. Make sure “Deploy this boot image from the PXE-enabled distribution point” is checked to enable PXE on this boot image.

Repeat the same steps in the previous paragraph for “Boot image (x64)”.

Distribute content (boot images) if required

On the Configuration Manager console, go to Software LibraryOverviewOperating SystemsBoot Images. Check the “Content Status” for both boot images (“Boot image (x64)” and “Boot image (x86)”).

Because the “Content Status” for each selected boot image (“Boot image (x64)” and “Boot image (x86)”) shows Unknown (gray color), I will have to distribute both boot images. Therefore, I will select both boot images and click “Distribute Content”.

Review selected content and click “Next”.

Confirm the settings and click “Next” to apply them.

Once the task has completed, close the wizard.

Configuring PXE Settings on the Distribution Point

On the Configuration Manager console, navigate to AdministrationOverviewDistribution Points. Right-click the distribution point (that was previously configured to distribute boot images and operating system image(s)) and click on Properties. Click on the PXE tab.

The option Enable PXE support for clients is required to add PXE functionality to the distribution point.

Allow this distribution point to respond to incoming PXE requests: if checked, Windows Deployment Services will be used to respond to PXE service requests.

Enable unknown computer support: if checked, the distribution point can support computers not managed by Configuration Manager.

For my use case of deploying Windows 10 to new PCs, I will check all 3 of these boxes.

Deploy Windows 10 version 21H1 Task Sequence

On the Configuration Manager console, go to Software LibraryOverviewOperating SystemsTask Sequences, right-click on the task sequence you want to deploy, and click “Deploy”.

Select the device collection where the deployment will be performed. The “All Unknown Computers” collection includes computers not managed by Configuration Manager. Click “Next”.

Select the purpose of the deployment. For my use case of installing Windows 10 to new PCs, I will make the task sequence available to media and PXE. Click “Next”.

You can specify the schedule for this deployment, if you wish. Click “Next”.

I leave the default selection options for user experience. Click “Next”.

I leave the default alert options. Click “Next”.

Windows 10 Pxe Boot Image

You can specify how clients interact with the distribution points here. Click “Next”.

Confirm the settings. To apply them, click “Next”.

Windows Pxe Boot Image

Close the wizard after the task is completed.

Boot the computer(s) using PXE boot to install Windows 10

After successfully using PXE boot to boot the computer(s), the Task Sequence Wizard should appear. Enter the correct password for the media (if necessary). Click “Next”.

Windows Pxe Boot Image Editor

Select the task sequence that you want to run and click “Next”.

Pxe Boot Iso Image Windows 10

All that is left to do is wait until the installation of Windows 10 finishes on the computer(s).