Skip to content

csandker/pxethiefy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

pxethiefy.py

pxethiefy is a tool to enumerate PXE boot media provided from an SCCM server in a target network by broadcasting for PXE servers, requesting offered boot media and trying to decrypt it.

This tool is heavily based on the tool PXEThief. While PXEThief is a Windows-based tool (and provides more features), pxethiefy.py has a limited feature set, but can be used from Linux hosts as well. Shoutout and all credits go to MWR-CyberSec.

This tool is a byproduct of SCCM research, which can be found in this blog: https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/

Install

$:> virtualenv -p python3 venv
$:> source venv/bin/activate
## We need to send and receive raw packets, which usually requires sudo permissions, therefore you got two options here
## Either install and run as sudo
$:> sudo venv/bin/python3 -m pip install -r requirements.txt 
$:> sudo venv/bin/python3 pxethiefy.py -h

## OR install as normal user as follows
$:> python3 -m pip install -r requirements.txt
$:> sudo setcap CAP_NET_RAW=+eip /usr/bin/python3.8 ## change with your python3 version --> run ls -lah /usr/bin/python3* to check symlinks
$:> python3 pxethiefy.py -h

Usage

Overview

Sample from an SCCM lab with encrypted PXE boot media:

Example use

In case the PXE boot media is encrypted, this hashcat module - once again by MWR-CyberSec - can be used to decrypt the downloaded media file.

Once the password has been cracked, pxethiefy.py can be used to read the media file and show potential next steps:

Decrypt boot media with pxethiefy.py

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages