Network Nightmare – PXE talk at Defcon

defcon19 podium image
Hope you were able to see my talk at Defcon 19, Network Nightmare - Ruling the Nightlife Between Shutdown and Boot with PXEsploit.

If not, you can see the slides here and watch the demos below. As a quick summary, the Preboot Execution Environment, available on almost all motherboards as "Network Boot," provides a way for anyone who can run a DHCP server on the subnet to take complete control of the booting system before the hard drive is ever accessed. We can use pxelinux, a linux bootloader for PXE, to load up a linux kernel and initrd into the memory of the booting system for complete control. This may include shellcode that will be run online or dropped onto the hard disk and run on boot in the operating system, and is now available as the pxesploit modules in Metasploit, providing a variety of attacks for direct attack or pivoting via meterpreter. Securing PXE is difficult, so the best idea is probably to simply turn the feature off.


Creating an running an online control PXE image:

Launching PXE attack via pivot:

, ,

  1. #1 by John Sawyer on August 24, 2011 - 3:38 am

    Great presentation at DEF CON and nice meeting you afterwards. PXEsploit is awesome. I’ve been testing it in my lab and the exploit module is working fine, but I’ve had issues with the post-exploit module. It’s failing when starting the DHCP server and occurs on both XP and Server 2003. Here is the error message. If you’ve got suggestions on the issue, I’d appreciate it. Thank you.


    [*] Starting DHCP server…
    [-] Post failed: Rex::Post::Meterpreter::RequestError lanattacks_start_dhcp: Operation failed: 360
    [-] Call stack:
    [-] /opt/framework3/msf3/lib/rex/post/meterpreter/extensions/lanattacks/lanattacks.rb:29:in `start_dhcp’
    [-] (eval):82:in `run’

    • #2 by scriptjunkie on August 25, 2011 - 1:45 am

      Thanks for the report; looks like I accidentally used a previous version of the project file. Please update and try again, and let me know if you still have the problem. The metasploit bug tracker is probably the best place to further track the bug if there are more issues, so register and add an issue there.

  2. #3 by Mr M on October 17, 2011 - 6:09 pm

    Hi Mr SCriptJunkie,

    Very nice presentation on Defcon 19.
    Where can I download the tool?

    Mr M

  3. #5 by Reza on May 15, 2013 - 11:01 am

    first Thank you for such a nice video. It helps me to find out some security bugs.
    second I apologize for my bad english.
    I must use pxe.
    so I decide to use boot integrity services. but I can’t find a way to add certificate to bis. so I decided to use UEFI for security.
    can it bring security for me?
    how can I run a server that uses pxe and works with secure keys?
    can you help me please?

    • #6 by scriptjunkie on May 17, 2013 - 9:34 pm

      I have not tested this, but I believe the same basic PXE attack will work with UEFI by using linux EFI images. See for an example.

      Creating a secure configuration depends on what your motherboard supports. Intel now recommends the use of AMT (Active Management Technology) to perform remote out-of-band management. Is that supported on your motherboards?

      Alternatively, if your hardware does not support secure alternatives, you will need to rely on switch/router features like ACL’s to prevent any system other than the real PXE server from sending DHCP or TFTP messages.

  4. #7 by Reza on May 25, 2013 - 10:33 am

    sorry for delay.
    I will test AMT and I send a feedback to you.
    thank you very much.

  5. #8 by Reza on May 25, 2013 - 6:07 pm

    I test UEFI secure boot enabled with pxe. I install my keys on it.
    I’m surprised but unfortunately in uefi, first EFI file that come from network runs without signature checking.
    my motherboards won’t support AMT.

    so I think I must use especial switches:(
    I continue my search and I hope to find a way that don’t need hardware(and full of cost!) solutions…
    Thank you very much for your help.

Comments are closed.