Windows Pxe Boot Image

Sep 04, 2017 Well, since you have MDT set up, you could create a capture task sequence, boot using the MDT boot CD/USB drive, and then capture the image. If you have a low-volume deployment you can use MDT for image deployment, or move the captured image to WDS and use that for image deployment. To create the image for a PXE boot: in provisioning from a local data store, installation files are located on local media. Usually, a local boot image is used. However, you can create a WinPE 2.0 or later image file for booting the target machine from the PXE server (PXE boot) instead of a local boot. To create the image, do either of the.

Jul 12, 2013 If this is the case, right click on the boot image that you want your DP to offer for all PXE requests, go to properties-Data Source and check the box 'Deploy this boot image from the PXE-enabled distribution point'. Un-check the same box for the boot image you want to remove. I hope this helps, Rafael.

All about PXE Boot Server tool

What is PXE and PXE Boot tool

In computing, PXE (short for Preboot Execution Environment) describes a standardized client-server environment in which PXE-enabled clients boot a software image retrieved from the network.

A PXE Boot tool is network boot software designed to boot many computers from a single image file served over the network.

What a PXE Boot Server tool can do for you

1. Maintain or install the operating system on multiple computers without inserting a CD or USB drive into each computer one by one.
2. Recover a computer that no longer starts normally and cannot boot from an image file on its internal hard drive.
3. Boot multiple client computers within the LAN when the clients have no usable CD-ROM drive or USB ports, or when you have no CD or USB boot media at hand.

Download the best PXE Boot Tool - EaseUS Todo Backup PXE Server

EaseUS Todo Backup PXE Server is the best PXE Boot tool. It allows network booting of the EaseUS Todo Backup Recovery Environment on target machines, which is especially useful for bare metal recovery or network deployment. You can download the program and try it to install Windows 10/8/7/Server 2012, etc. via PXE boot.

How to use EaseUS PXE Boot Server to boot up multiple computers on the network

1. To install EaseUS Todo Backup PXE server, click 'Enable PXE' in Tools. EaseUS Todo Backup will configure the boot image directory automatically.

2. Boot your target computer through a network interface.

e.g. To enable network boot (on ASUS motherboard with UEFI boot):

  • Restart your computer, press 'Del' or 'F2' to enter the UEFI, then select 'Advanced Mode'.
  • Choose 'Advanced' > 'Onboard Devices Configuration' and enable 'Realtek PXE Option ROM'.
  • Go back and enable 'Network Stack Configuration'.
  • Switch to Boot section and enable 'Network Stack Driver Support'.
  • Save the changes and reboot the computer, then press 'F8' and select 'Realtek Boot Agent'.

3. The target computer will then automatically locate the EaseUS Todo Backup PXE server, which serves the EaseUS Todo Backup Recovery Environment over the network. Once booted, you can perform file backup and recovery, disk/partition backup, bare-metal recovery, etc. on the target computer.


Note: Make sure there is a working DHCP (Dynamic Host Configuration Protocol) server in your network so that the booting computers can automatically obtain IP addresses and boot into the EaseUS Todo Backup Recovery Environment.

If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images. These techniques are separated into three sections: Backdoor attacks, Password Scraping attacks, and Post Login Password Dumps. Many of these attacks will rely on mounting a Windows image and the title will start with “Mount image disk”.

Recommended tools:

  • Windows image (blog uses Windows 10 Professional)

General overview:

  • PXE booting a Windows image with Hyper-V
  • Backdoor attacks
  • Password Scraping attacks

PXE booting a Windows image with Hyper-V


Create a new VM through the New Virtual Machine Wizard. Follow the guided steps and make sure to choose the “Install an operating system from a network-based installation server” option. Check the settings menu after the wizard is complete and make sure “Legacy Network Adapter” is at the top of the Startup order.

Save and start the VM. The PXE network install should start and begin the Microsoft Deployment Toolkit deployment wizard.

Run through the wizard and start the installation task sequence for the target image. This can take a while.

Mounting a Windows image

Once the setup is completely finished (including the Windows operating system setup), you should have a working Windows VM. Shut down the VM cleanly and download the Kali Linux ISO. Go to the Settings menu and point the VM's DVD drive at the Kali ISO image file.

Now, change the boot order so that “CD” is at the top of the BIOS startup order.

Save the settings and start the VM. Choose to boot into the “Live (forensic mode)”.


Once Kali is booted, mount the Windows partition with the following sample commands. Make sure to replace the example /dev/sda2 partition with the one that actually holds the Windows installation on your VM.

Backdoor Attacks

1. Add a local Administrator during setup.

This is probably the simplest way to gain elevated access to the system image. After going through the Windows PE boot process, go back into the Settings menu for the VM. Set “IDE” to be at the top in the “Startup order” of the BIOS section.

Save the settings, start the VM, and connect to the console. The VM should enter the initial Windows setup process. Pressing Shift+F10 will bring up a system console. Note that this is different from pressing F8 during the Windows PE deployment phase. Enter the following commands to add your local Administrator user.

Check the Administrators group membership.

Now that the user has been created and added to the Administrators group, wait for the VM to finish setup and log in.

Once logged in, you will have local Administrator privileges! We can go a step further and obtain local system with PsExec.

The local system cmd prompt can be used to check if the computer account has domain user privileges. This can be a good starting point for mapping out the domain with a tool like BloodHound/SharpHound.

2. Mount image disk – Add batch or executable files to all users.


The shortcuts or files located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup run when that user logs in. Change directories to the Administrator's Startup directory and create a batch file with the following commands.


The batch file will run when the Administrator user logs in. If this attack is combined with attack scenario #4, the Administrator user can log in with a blank password. Check to see that the startup user is created and added to the Administrators group after login.

3. Mount image disk – Overwrite sethc.exe or other accessibility options.

Replacing sethc.exe (Sticky Keys) is a classic privilege escalation technique. sethc.exe is located at %windir%\System32\sethc.exe. The command below copies cmd.exe and renames it to sethc.exe.

If Sticky Keys is enabled, a cmd prompt running as local SYSTEM will pop up at the logon screen when "Shift" is pressed five times in a row.
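As an added example (not code from the original post), the following Python check is what a defender would run over a mounted image before it is published: it hashes the accessibility helpers that winlogon starts from the logon screen and flags any whose contents equal cmd.exe, or equal each other, since genuine copies are all distinct executables. It generalizes from sethc.exe to the other well-known accessibility binaries in the same class; the sample System32 directory it builds is constructed for the demonstration.

```python
"""Image hygiene check: detect accessibility binaries replaced by a copy of
cmd.exe (the sethc.exe / Sticky Keys backdoor) in a mounted Windows image.
Added example; the sample directory below is constructed, not a real image."""
import hashlib
import os
import tempfile

# Accessibility helpers launched from the logon screen. The post names
# sethc.exe; the rest are the same class of binary and are checked too.
ACCESSIBILITY_BINARIES = (
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
)


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replaced_accessibility_binaries(system32_dir):
    """Return sorted names of accessibility binaries whose contents match
    cmd.exe or another accessibility binary. Any such collision means one
    of them was overwritten, because the genuine files all differ."""
    cmd_path = os.path.join(system32_dir, "cmd.exe")
    cmd_hash = sha256_of(cmd_path) if os.path.isfile(cmd_path) else None
    seen = {}      # digest -> first accessibility binary with that digest
    flagged = []
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32_dir, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of(path)
        if digest == cmd_hash:
            flagged.append(name)
        elif digest in seen:
            # two "different" helpers with identical bytes: flag both
            flagged.append(name)
            if seen[digest] not in flagged:
                flagged.append(seen[digest])
        seen.setdefault(digest, name)
    return sorted(flagged)


def build_sample_system32(backdoored=True):
    r"""Constructed stand-in for a mounted %windir%\System32 holding cmd.exe
    and a few accessibility helpers; with backdoored=True, sethc.exe is a
    byte-for-byte copy of cmd.exe, as after the overwrite described above."""
    d = tempfile.mkdtemp(prefix="system32_")
    files = {
        "cmd.exe": b"MZ-cmd-sample",
        "utilman.exe": b"MZ-utilman-sample",
        "osk.exe": b"MZ-osk-sample",
        "sethc.exe": b"MZ-cmd-sample" if backdoored else b"MZ-sethc-sample",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    import sys
    # Usage: python check_sethc.py /mnt/win/Windows/System32
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_system32()
    print("replaced accessibility binaries:",
          find_replaced_accessibility_binaries(target) or "none")
```

Point the script at the Windows\System32 directory of the mounted image (the partition mounted from Kali as above, or a WIM mounted from the deployment share). A hash-collision check is deliberately independent of Windows: it needs no Authenticode verification and works from Linux, which is where the image is being inspected in this walkthrough.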

4. Mount image disk – Use chntpw tool to overwrite Administrator password.

The chntpw tool can clear the password for a Windows user. The SAM and SYSTEM files are located in the %windir%\System32\config directory.

The netspi user’s password is cleared and the account can be logged into without entering a password.

Password Scraping Attacks

5. Scrape VM memory files for passwords during install or login.

My colleague James Houston deserves a huge shout out for coming up with this attack. The general idea here is to use the snapshot or suspension functionality to capture passwords in the VM’s memory. This can be done during the actual PXE boot deployment process, installation, or login steps. This example will retrieve the password for the deployment service account during the MDT deployment process.

The deployment user is used to join computers to the domain in the “Computer Details” step of the deployment task sequence.

At this point, either suspend or take a snapshot of the VM’s current state. In Hyper-V, use the Checkpoint functionality to take a snapshot. Under the Checkpoint menu in Settings, make sure that “Standard checkpoints” is selected. This will ensure application and system memory is captured. The snapshot location is also set in this menu.

Browse to the snapshot file location and look for the corresponding files for your hypervisor.

  • VMWare: .vmem, .vmsn (snapshot memory file), .vmss (suspended memory file)
  • Hyper-V: .BIN, .VSV, .VMRS (virtual machine runtime file)

Since this example uses Hyper-V, copy off the .VMRS file to search for passwords. I used Kali Linux along with strings and grep to locate the service account and password. Searching for keywords like “User” or “Password” is a great start if the username or password was not displayed during the Windows Deployment Wizard.

6. Mount image disk – Review local Unattend/Sysprep files.

Unattend and Sysprep files can contain passwords used for deployment and setup. The following locations contain files related to Sysprep.

  • %windir%\Panther
  • %windir%\Panther\Unattend
  • %windir%\System32\Sysprep

In this case, the unattend.xml file has been sanitized but it is always worth checking these locations for passwords and sensitive information.
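The check below is an added example (not code from the original post) of the review a defender should do over those locations before an image is published: it walks every XML answer file under the three directories named above and reports each password-bearing element, distinguishing values Sysprep has already sanitized from values that are still present, and plain-text values from Base64-encoded ones (which are encoded, not encrypted). The sample unattend.xml is constructed for the demonstration; its account and domain names are placeholders.

```python
"""Image hygiene check: find credentials left in Unattend/Sysprep answer
files under a mounted Windows directory. Added example; SAMPLE_UNATTEND is
a constructed answer file, not one taken from a real deployment."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Marker Sysprep writes over values it has cleared from the answer file.
SANITIZED = "*SENSITIVE*DATA*DELETED*"
# Answer-file locations from the post, relative to the Windows directory.
UNATTEND_DIRS = ("Panther", os.path.join("Panther", "Unattend"),
                 os.path.join("System32", "Sysprep"))


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def find_credentials(xml_data):
    """Return one dict per password-bearing element: its element path,
    whether the value is still present (not sanitized) and whether it is
    stored in plain text. The secret itself is never copied into the report."""
    root = ET.fromstring(xml_data)
    findings = []

    def walk(elem, path):
        name = _local(elem.tag)
        here = path + [name]
        if name in ("Password", "AdministratorPassword"):
            children = {_local(c.tag): (c.text or "").strip() for c in elem}
            if "Value" in children:
                # <Value>/<PlainText> form; PlainText defaults to false (Base64)
                value = children["Value"]
                plaintext = children.get("PlainText", "false").lower() == "true"
            else:
                # JoinDomain <Credentials><Password> holds the text directly
                value = (elem.text or "").strip()
                plaintext = True
            if value:
                findings.append({"path": "/".join(here),
                                 "sanitized": value == SANITIZED,
                                 "plaintext": plaintext})
            return
        for child in elem:
            walk(child, here)

    walk(root, [])
    return findings


def remaining_secrets(findings):
    """Findings whose value is still present, i.e. the image is not clean."""
    return [f for f in findings if not f["sanitized"]]


def scan_windows_dir(windows_dir):
    """Scan every .xml file in the known answer-file locations."""
    results = []
    for rel in UNATTEND_DIRS:
        d = os.path.join(windows_dir, rel)
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            if not fn.lower().endswith(".xml"):
                continue
            p = os.path.join(d, fn)
            try:
                with open(p, "rb") as f:
                    hits = find_credentials(f.read())
            except (OSError, ET.ParseError):
                continue
            for hit in hits:
                hit["file"] = p
                results.append(hit)
    return results


# Constructed sample: a domain-join credential left in plain text, a
# sanitized local Administrator password, and a Base64-encoded autologon.
SAMPLE_UNATTEND = b"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials>
          <Domain>corp.example</Domain>
          <Username>svc_deploy_placeholder</Username>
          <Password>Example-Placeholder-Pass!</Password>
        </Credentials>
        <JoinDomain>corp.example</JoinDomain>
      </Identification>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>*SENSITIVE*DATA*DELETED*</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Password>
          <Value>UABhAHMAcwB3AG8AcgBkAA==</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""


def build_sample_windows_dir():
    """Constructed Windows directory with the sample file under Panther\\Unattend."""
    d = tempfile.mkdtemp(prefix="windows_")
    target = os.path.join(d, "Panther", "Unattend")
    os.makedirs(target)
    with open(os.path.join(target, "unattend.xml"), "wb") as f:
        f.write(SAMPLE_UNATTEND)
    return d


if __name__ == "__main__":
    import sys
    # Usage: python check_unattend.py /mnt/win/Windows
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_windows_dir()
    for hit in scan_windows_dir(root):
        state = "sanitized" if hit["sanitized"] else "PRESENT"
        print(f"{hit['file']}: {hit['path']} [{state}, "
              f"{'plain text' if hit['plaintext'] else 'Base64'}]")
```

Run it against the Windows directory of the mounted image; any finding reported as PRESENT is a credential that will ship to every machine deployed from that image, which is exactly the condition the post warns about. The Base64 form is only an encoding of the password, so it is reported on the same footing as plain text.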

7. Mount image disk – Copy the SAM file and pass the hash with the Administrator account.

The SAM and SYSTEM files are located in the %windir%\System32\config directory.


These files can be copied off to your local machine and Mimikatz can be used to extract the hashes. The Administrator hash can then be used in pass-the-hash attacks with CrackMapExec or Invoke-TheHash.

This can be an extremely effective technique to elevate privileges if the domain has shared local Administrator passwords.


8. Mount image disk – Copy the SAM file and crack the Administrator account.

Like above, once the SAM and SYSTEM files are copied to your local machine, the Administrator account can be cracked with Hashcat or John the Ripper. A sample Hashcat command is below. Visit the hashcat wiki for setup and basic usage.


Post Login Password Dumps

Once the techniques above have given access to the PXE booted image, we can dump passwords. Mimikatz is a great tool for password dumping.

sekurlsa::logonpasswords will dump passwords from LSASS memory.

lsadump::secrets dumps the LSA secrets.

vault::cred dumps saved credentials from the Credential Manager. However, if a saved credential is set as a domain password type, this command will not retrieve the credential successfully. The Mimikatz wiki has a good explanation on how to extract these credentials.

Mitigation and Prevention

There are inherent security risks associated with the use of PXE deployments that do not require authentication or authorization of any kind, especially on user LANs. It is highly recommended that PXE installations require credentials to begin the installation process. For example, this can be configured on a distribution server simply by checking “Require a password when computers use PXE” in System Center Configuration Manager.

One of the main takeaways from the attacks above is that applications or software that contain sensitive data should not be included in any images. In addition, shared local Administrator passwords or service account passwords should not be used on images (or anywhere in the domain). Images can be compromised and this should help reduce the risk to machines on the domain. Finally, PXE deployments should only be available on isolated networks. Check out these best practices from Microsoft for more information on securing PXE boot deployments.


References

Thanks to Scott Sutherland (@_nullbind), Alex Dolney (@alexdolney), and James Houston for their wisdom and guidance!

  • https://www.vmware.com/products/personal-desktop-virtualization.html
  • https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/
  • https://www.kali.org/downloads/
  • https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
  • https://github.com/BloodHoundAD/BloodHound
  • https://github.com/BloodHoundAD/SharpHound
  • https://github.com/byt3bl33d3r/CrackMapExec
  • https://github.com/Kevin-Robertson/Invoke-TheHash
  • https://hashcat.net/wiki/
  • https://github.com/gentilkiwi/mimikatz
  • https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
  • https://docs.microsoft.com/en-us/sccm/osd/plan-design/security-and-privacy-for-operating-system-deployment