Projects STRLCPY PXEThief Commits e6fa1994
    README
     1 +# PXEThief
     2 + 
     3 +PXEThief is a set of tooling that implements attack paths discussed at the DEF CON 30 talk _Pulling Passwords out of Configuration Manager_ (https://forum.defcon.org/node/241925) against the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager (or ConfigMgr, still commonly known as SCCM). It allows for credential gathering from configured Network Access Accounts (https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/accounts#network-access-account) and any Task Sequence Accounts or credentials stored within ConfigMgr Collection Variables that have been configured for the "All Unknown Computers" collection. These Active Directory accounts are commonly over permissioned and allow for privilege escalation to administrative access.
     4 + 
     5 +Likely, the most serious attack that can be executed with this tooling would involve PXE-initiated deployment being supported for "All unknown computers" on a distribution point without a password, or with a weak password. The overpermissioning of ConfigMgr accounts exposed to OSD mentioned earlier can then allow for a full Active Directory attack chain to be executed with only network access to the target environment.
     6 + 
     7 +## Usage Instructions
     8 + 
     9 +```
     10 +python pxethief.py -h
     11 +pxethief.py 1 - Automatically identify and download encrypted media file using DHCP PXE boot request. Additionally, attempt exploitation of blank media password when auto_exploit_blank_password is set to 1 in 'settings.ini'
     12 +pxethief.py 2 <IP Address of DP Server> - Coerce PXE Boot against a specific MECM Distribution Point server designated by IP address
     13 +pxethief.py 3 <variables-file-name> <Password-guess> - Attempt to decrypt a saved media variables file (obtained from PXE, bootable or prestaged media) and retrieve sensitive data from MECM DP
     14 +pxethief.py 4 <variables-file-name> <policy-file-path> <password> - Attempt to decrypt a saved media variables file and Policy XML file retrieved from a stand-alone TS media
     15 +pxethief.py 5 <variables-file-name> - Print the hash corresponding to a specified media variables file for cracking in Hashcat
     16 +pxethief.py 6 <identityguid> <identitycert-file-name> - Retrieve task sequences using the values obtained from registry keys on a DP
     17 +pxethief.py 7 <Reserved1-value> - Decrypt stored PXE password from SCCM DP registry key (reg query HKLM\software\microsoft\sms\dp /v Reserved1)
     18 +pxethief.py 8 - Write new default 'settings.ini' file in PXEThief directory
     19 +pxethief.py 10 - Print Scapy interface table to identify interface indexes for use in 'settings.ini'
     20 +pxethief.py -h - Print PXEThief help text
     21 +```
     22 + 
     23 +A file contained in the main PXEThief folder is used to set more static configuration options. These are as follows:
     24 +```
     25 +[SCAPY SETTINGS]
     26 +automatic_interface_selection_mode = 1
     27 +manual_interface_selection_by_id =
     28 + 
     29 +[HTTP CONNECTION SETTINGS]
     30 +use_proxy = 0
     31 +use_tls = 0
     32 + 
     33 +[GENERAL SETTINGS]
     34 +sccm_base_url =
     35 +auto_exploit_blank_password = 1
     36 +```
     37 + 
     38 +### Scapy settings
     39 + 
     40 +* `automatic_interface_selection_mode` will attempt to determine the best interface for Scapy to use automatically for convenience. It does this using two main techniques. If set to '1' it will attempt to use the interface that can reach the machine's default GW as output interface. If set to '2', it will look for the first interface that it finds that has an IP address that is not an autoconfigure or localhost IP address. This will fail to select the appropriate interface in some scenarios, which is why you can force the use of a specific inteface with 'manual_interface_selection_by_id'.
     41 +* `manual_interface_selection_by_id` allows you to specify the integer index of the interface you want Scapy to use. The ID to use in this file should be obtained from running `pxethief.py 10`.
     42 + 
     43 +### General settings
     44 + 
     45 +* `sccm_base_url` is useful for overriding the Management Point that the tooling will speak to. This is useful if DNS does not resolve (so the value read from the media variables file cannot be used) or if you have identified multiple Management Points and want to send your traffic to a specific one. This should be provided in the form of a base URL e.g.
     46 +* `auto_exploit_blank_password` changes the behaviour of `pxethief 1` to automatically attempt to exploit a non-password protected PXE Distribution Point. Setting this to `1` will enable auto exploitation, while setting it to `0` will print the tftp client string you should use to download the media variables file. Note that almost all of the time you will want this set to `1`, since non-password protected PXE makes use of a binary key that is sent in the DHCP response that you receive when you ask the Distribution Point to perform a PXE boot.
     47 + 
     48 +### HTTP Connection Settings
     49 + 
     50 +Not implemented in this release
     51 + 
     52 +## Setup Instructions
     53 + 
     54 +1. Create a new Windows VM
     55 +2. Install Python (From https://www.python.org/ or through the store, both should work fine)
     56 +3. Install all the requirements through pip (`pip install -r requirements.txt`)
     57 +4. Install Npcap (https://npcap.com/#download) (or Wireshark, which comes bundled with it) for Scapy
     58 +5. Bridge the VM to the network running a ConfigMgr Distribution Point set up for PXE/OSD
     59 +6. If using `pxethief.py 1` or `pxethief.py 2` to identify and generate a media variables file, make sure the interface used by the tool is set to the correct one, if it is not correct, manually set it in 'settings.ini' by identifying the right index ID to use from `pxethief.py 10`
     60 + 
     61 +## Limitations
     62 + 
     63 +Proxy support for HTTP requests - Currently only configurable in code. Proxy support can be enabled on line 35 and the address of the proxy set on line 693 of `pxethief.py`. Planning to move this to 'settings.ini' in the next update to the code base
     64 +HTTPS and mutual TLS support - Not implemented at the moment. Can use an intercepting proxy to handle this though, which works well in my experience; to do this, you will need to configure a proxy as mentioned above
     65 +Linux support - PXEThief currently uses `pywin32` in order to utilise some built-in Windows cryptography functions. This is not available on Linux, since the Windows API is not available on Linux :P The Scapy code, however, is fully functional on Linux, but you will need to patch out (at least) the include of `win32crypt` to get this to run
     66 + 
     67 +## Proof of Concept note
     68 + 
     69 +Expect to run into issues with error handling with this tool; there are subtle nuances with everything in ConfigMgr and while I have improved the error handling substantially in preparation for the release, this is in no way complete. If there are edge cases that fail, make a detailed issue or fix it and make a pull request :) I'll review these to see where reasonable improvements can be made. Read the code/watch the talk and understand what is going on if you are going to run it in a production environment. Keep in mind the licensing terms - i.e. use of the tool is at your own risk.
     70 + 
     71 +## Author Credit
     72 + 
     73 +Copyright (C) 2022 Christopher Panayi, MWR CyberSec
     74 + 
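Review bot: the example for `sccm_base_url` is missing at README line 45; the sentence ends with "This should be provided in the form of a base URL e.g." and nothing follows, so a reader cannot tell whether a scheme, port or trailing path is expected. Please complete the sentence with a concrete base URL in the expected form. Two smaller documentation points in the same hunk: line 23 introduces the configuration file as "A file contained in the main PXEThief folder" without naming it, although every later reference uses 'settings.ini', so name it there; and line 63 points at proxy settings "on line 35" and "on line 693 of `pxethief.py`", which will drift with the next edit to the script, so referring to the variable names instead (or, as the text already plans, moving these into 'settings.ini') would keep the README accurate. Also, the usage listing jumps from mode 8 to mode 10; if mode 9 is intentionally absent or reserved, a one-line note would avoid confusion, and line 46 uses `pxethief 1` where the rest of the file writes `pxethief.py 1`. Finally, since the `[HTTP CONNECTION SETTINGS]` keys `use_proxy` and `use_tls` appear in the sample file but the corresponding section says "Not implemented in this release", it would help to state explicitly that these two keys are currently ignored.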