Hope you were able to see my talk at Defcon 19, Network Nightmare – Ruling the Nightlife Between Shutdown and Boot with PXEsploit.
If not, you can see the slides here and watch the demos below. As a quick summary, the Preboot Execution Environment, available on almost all motherboards as “Network Boot,” provides a way for anyone who can run a DHCP server on the subnet to take complete control of the booting system before the hard drive is ever accessed. We can use pxelinux, a linux bootloader for PXE, to load up a linux kernel and initrd into the memory of the booting system for complete control. This may include shellcode that will be run online or dropped onto the hard disk and run on boot in the operating system, and is now available as the pxesploit modules in Metasploit, providing a variety of attacks for direct attack or pivoting via meterpreter. Securing PXE is difficult, so the best idea is probably to simply turn the feature off.
Creating an running an online control PXE image: http://www.archive.org/download/CreatingPxeImageForOnlineControl/OnlineControl.mpeg
Launching PXE attack via pivot: http://www.archive.org/download/PxesploitPivot/pivot7.mpeg