Re: pixieboot attack

[Jim Halfpenny <jim.halfpenny () gmail com>]

Hi,
Plenty of networks use PXE to boot machines and many server vendors
put PXE boot priority ahead of other boot media by default on their
servers. This attack could certainly work and many networks won't have
a DHCP server eliminating the need to DoS the legitimate one.

Jim

On 16 January 2012 09:38, Robin Wood <robin () digininja org> wrote:
> I was wondering if this was a new attack vector or if anyone was doing
> it already...
>
> If you find a network which has PXE boot enabled on machines but not
> currently in use you kill off the existing DHCP server in some way
> (DHCP exhaustion attack probably) and replace it with your own. Your
> server then gives them PXE boot information which has them download a
> Konboot style payload which silently backdoors the OS as it is booting
> but lets it appear as if it boots normally to the users.
>
> You then know from your DHCP logs all the potentially backdoored
> machines or you can have them call back and tell you that it was
> successful.
>
> Has anyone done this? Do organisations use PXE boot on network machines?
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com