Re: pixieboot attack

[James Shewmaker <james () bluenotch com>]

There is surprisingly not much to write, just some configuration stuff and
a script.  I tried a similar project, using an pixiebooting older esxi 3.5
hypervisor and vmotioning the original host OS to a rogue hypervisor over
wifi in the parking lot ... then driving away.  Biggest problem I had was
getting a beacon right (I kept purple-screening with nested hypervisors, as
the esxi guest would boot before trying the vmdk shim to physical drive).

Both attacks work but some studying needs done to tweak PXE and any needed
TFTP to be as fast as possible.  In the real world, konboot less useful
here than doing something like a tinycore, mounting the NTFS, pilfering,
then rebooting to non-PXE.  An attacker won't always know which system he's
attacked with PXE (could make it beacon or phone home), but credential or
other pilfering plus covert egress makes more sense, in my opinion.

I think a thin OS style PXE attack is very interesting, but so far hasn't
been interesting enough to land a talk at any conference.

Regards,

James Shewmaker

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com