PaulDotCom mailing list archives

Re: pixieboot attack


From: Robin Wood <robin () digininja org>
Date: Mon, 16 Jan 2012 16:34:34 +0000

On 16 January 2012 16:24, James Shewmaker <james () bluenotch com> wrote:
> There is surprisingly not much to write, just some configuration stuff and a
> script.  I tried a similar project, using a pixiebooting older esxi 3.5
> hypervisor and vmotioning the original host OS to a rogue hypervisor over
> wifi in the parking lot ... then driving away.  Biggest problem I had was
> getting a beacon right (I kept purple-screening with nested hypervisors, as
> the esxi guest would boot before trying the vmdk shim to physical drive).
>
> Both attacks work but some studying needs to be done to tweak PXE and any needed
> TFTP to be as fast as possible.  In the real world, konboot is less useful here
> than doing something like a tinycore, mounting the NTFS, pilfering, then
> rebooting to non-PXE.  An attacker won't always know which system he's
> attacked with PXE (could make it beacon or phone home), but credential or
> other pilfering plus covert egress makes more sense, in my opinion.

That is a good alternative, the only problem would be stopping the
attack from looping. The attack system would have to know which
machines it has already grabbed things off and not serve the attack
up again to them.

> I think a thin OS style PXE attack is very interesting, but so far hasn't
> been interesting enough to land a talk at any conference.

It has! I was passed this link earlier from John about a talk from Defcon:

http://www.scriptjunkie.us/2011/08/network-nightmare/

I've had a quick read through it and it seems to cover what I was
thinking of. Shows there are very few new ideas.

Robin

> Regards,
>
> James Shewmaker
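The rogue PXE offers discussed in this thread are something a network defender wants to be able to spot on the wire. The following is an added example, not code from this thread or from the Network Nightmare talk linked above: a small Python audit that parses a DHCP OFFER (RFC 2131 header plus TLV options), resolves the boot server and file a PXE client would actually use (options 66/67 override the header's siaddr/sname/file fields), and reports any offer whose DHCP server or boot source is not on an allowlist. The allowlist addresses, the boot-file names and the packets themselves are constructed for the demonstration; in practice you would feed it the UDP payloads captured from a span port or a DHCP relay.

```python
"""Audit DHCP OFFER packets for PXE boot sources that are not on an allowlist.

Added example, not code from the mailing-list thread. The allowlist values,
packet fields and addresses below are constructed for the demonstration.
"""
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options magic cookie
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
OPT_TFTP_SERVER, OPT_BOOTFILE = 66, 67      # PXE next-server / boot-file overrides
DHCP_OFFER = 2

# Constructed allowlist: the one sanctioned PXE server and its boot file.
ALLOWED_SERVERS = {"10.0.0.1"}
ALLOWED_BOOTFILES = {"boot/pxelinux.0"}


def ip(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def parse_dhcp(packet: bytes) -> Dict[str, object]:
    """Decode the fixed BOOTP header and the TLV option area into a dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    yiaddr, siaddr = packet[16:20], packet[20:24]
    sname = packet[44:108].split(b"\x00", 1)[0]      # legacy server-name field
    bootfile = packet[108:236].split(b"\x00", 1)[0]  # legacy boot-file field
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad option
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": ip(yiaddr), "siaddr": ip(siaddr),
            "sname": sname, "file": bootfile, "options": options}


def pxe_source(parsed: Dict[str, object]) -> Tuple[str, str]:
    """Boot server and file a PXE client would use; options 66/67 override the header fields."""
    opts = parsed["options"]
    server = opts.get(OPT_TFTP_SERVER, parsed["sname"]).decode(errors="replace") or parsed["siaddr"]
    bootfile = opts.get(OPT_BOOTFILE, parsed["file"]).decode(errors="replace")
    return server, bootfile


def audit_offer(packet: bytes, allowed_servers=ALLOWED_SERVERS,
                allowed_bootfiles=ALLOWED_BOOTFILES) -> List[str]:
    """Return findings for an OFFER that steers a client to an unsanctioned boot source."""
    parsed = parse_dhcp(packet)
    opts = parsed["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return []                # only OFFERs carry the boot-source decision
    findings: List[str] = []
    server_id = ip(opts.get(OPT_SERVER_ID, b"\x00" * 4))
    if server_id not in allowed_servers:
        findings.append(f"offer from unlisted DHCP server {server_id}")
    server, bootfile = pxe_source(parsed)
    if bootfile:                 # a plain address lease with no boot file is not a PXE offer
        if server not in allowed_servers:
            findings.append(f"PXE boot source {server!r} not in allowlist")
        if bootfile not in allowed_bootfiles:
            findings.append(f"unexpected boot file {bootfile!r}")
    return findings


def build_offer(server_id: str, siaddr: str, sname: bytes = b"", bootfile: bytes = b"",
                extra_options: List[Tuple[int, bytes]] = ()) -> bytes:
    """Construct a minimal DHCP OFFER as sample input (not a captured packet)."""
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)
    pkt += b"\x00" * 4                                    # ciaddr
    pkt += bytes([10, 0, 0, 50])                          # yiaddr: offered lease
    pkt += bytes(int(x) for x in siaddr.split("."))       # siaddr: next server
    pkt += b"\x00" * 4                                    # giaddr
    pkt += b"\xaa\xbb\xcc\xdd\xee\xff" + b"\x00" * 10     # chaddr (constructed MAC)
    pkt += sname.ljust(64, b"\x00") + bootfile.ljust(128, b"\x00")
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + bytes(int(x) for x in server_id.split("."))
    for code, data in extra_options:
        opts += bytes([code, len(data)]) + data
    return pkt + MAGIC_COOKIE + opts + b"\xff"


def demo() -> Tuple[List[str], List[str]]:
    """Sanctioned offer versus one pointing clients at a second, unlisted boot server."""
    good = build_offer("10.0.0.1", "10.0.0.1", bootfile=b"boot/pxelinux.0")
    rogue = build_offer("10.0.0.99", "10.0.0.99",
                        extra_options=[(OPT_TFTP_SERVER, b"10.0.0.99"),
                                       (OPT_BOOTFILE, b"rogue/boot.0")])
    return audit_offer(good), audit_offer(rogue)


if __name__ == "__main__":
    for name, findings in zip(("sanctioned", "rogue"), demo()):
        print(name, findings or "clean")
```

The check is on the offer's content rather than only on its source address, because a client follows whatever next-server and boot file it is handed; an offer from the legitimate server identifier that carries an option 66 pointing elsewhere is still flagged. Pairing this with DHCP snooping on the access switches, so that offers are only accepted from trusted ports, addresses the loop James and Robin describe from the other side: the client never sees the rogue offer in the first place.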



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com