PaulDotCom mailing list archives
Re: pixieboot attack
From: Jim Halfpenny <jim.halfpenny () gmail com>
Date: Mon, 16 Jan 2012 14:00:11 +0000
Hi, Plenty of networks use PXE to boot machines and many server vendors put PXE boot priority ahead of other boot media by default on their servers. This attack could certainly work and many networks won't have a DHCP server eliminating the need to DoS the legitimate one. Jim On 16 January 2012 09:38, Robin Wood <robin () digininja org> wrote:
I was wondering if this was a new attack vector or if anyone was doing it already... If you find a network which has PXE boot enabled on machines but not currently in use you kill off the existing DHCP server in some way (DHCP exhaustion attack probably) and replace it with your own. Your server then gives them PXE boot information which has them download a Konboot style payload which silently backdoors the OS as it is booting but lets it appear as if it boots normally to the users. You then know from your DHCP logs all the potentially backdoored machines or you can have them call back and tell you that it was successful. Has anyone done this? Do organisations use PXE boot on network machines? Robin _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- pixieboot attack Robin Wood (Jan 16)
- Re: pixieboot attack Jim Halfpenny (Jan 16)
- Re: pixieboot attack Mike Patterson (Jan 16)
- Re: pixieboot attack Robin Wood (Jan 16)
- Re: pixieboot attack James Shewmaker (Jan 16)
- Re: pixieboot attack Robin Wood (Jan 16)
- Re: pixieboot attack Robin Wood (Jan 16)
- Re: pixieboot attack David Auclair (Jan 19)