PaulDotCom mailing list archives
pixieboot attack
From: Robin Wood <robin () digininja org>
Date: Mon, 16 Jan 2012 09:38:16 +0000
I was wondering if this was a new attack vector or if anyone was doing it already... If you find a network which has PXE boot enabled on machines but not currently in use you kill off the existing DHCP server in some way (DHCP exhaustion attack probably) and replace it with your own. Your server then gives them PXE boot information which has them download a Konboot style payload which silently backdoors the OS as it is booting but lets it appear as if it boots normally to the users. You then know from your DHCP logs all the potentially backdoored machines or you can have them call back and tell you that it was successful.

Has anyone done this? Do organisations use PXE boot on network machines?

Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
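From a defender's side, the scenario above hinges on clients accepting a DHCP OFFER from a server that is not the real one and that hands out network-boot parameters (siaddr/next-server, the bootfile name, option 66/67) on a network where PXE is not actually used. The following is an added example, not code from the thread or from any of its participants: it parses raw DHCP packets (the RFC 2131 fixed header plus RFC 2132 options) and flags OFFERs that come from a server outside an assumed allowlist or that carry any boot parameters at all. The two sample packets and the allowlist of known DHCP servers are constructed for the example; in practice the packets would come from a capture on the segment.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_OFFER = 2
# DHCP option codes from RFC 2132
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 0, 53, 54, 66, 67, 255


@dataclass
class DhcpReply:
    msg_type: int
    server_id: str     # option 54: which server claims this reply
    next_server: str   # siaddr field: where PXE clients fetch the boot image
    bootfile: str      # option 67 if present, else the 128-byte 'file' field
    tftp_server: str   # option 66


def parse_dhcp(packet: bytes) -> DhcpReply:
    """Parse the fixed BOOTP header and the DHCP options that matter for network boot."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    next_server = str(IPv4Address(packet[20:24]))             # siaddr
    file_field = packet[108:236].split(b"\x00", 1)[0]          # 'file', 128 bytes
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\x00")[0]
    server_id = str(IPv4Address(options[OPT_SERVER_ID])) if OPT_SERVER_ID in options else ""
    bootfile = options.get(OPT_BOOTFILE, file_field).decode("ascii", "replace")
    tftp_server = options.get(OPT_TFTP_SERVER, b"").decode("ascii", "replace")
    return DhcpReply(msg_type, server_id, next_server, bootfile, tftp_server)


def audit_offer(packet: bytes, allowed_servers: set) -> list:
    """Return findings for a DHCP OFFER: unknown server, or boot parameters on a non-PXE network."""
    reply = parse_dhcp(packet)
    findings = []
    if reply.msg_type != DHCP_OFFER:
        return findings  # only OFFERs are inspected here
    if reply.server_id not in allowed_servers:
        findings.append(f"OFFER from DHCP server not on allowlist: {reply.server_id}")
    if reply.bootfile or reply.tftp_server or reply.next_server != "0.0.0.0":
        findings.append(
            f"OFFER carries network-boot parameters: next-server={reply.next_server} "
            f"tftp={reply.tftp_server!r} bootfile={reply.bootfile!r}"
        )
    return findings


def build_offer(server_id: str, next_server: str = "0.0.0.0", bootfile: str = "") -> bytes:
    """Construct a minimal DHCP OFFER for the example (no real capture is used)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                 # BOOTREPLY, Ethernet, MAC length
    hdr[20:24] = IPv4Address(next_server).packed     # siaddr
    name = bootfile.encode("ascii")[:127]
    hdr[108:108 + len(name)] = name                  # 'file' field, NUL padded
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    opts += bytes([OPT_END])
    return bytes(hdr) + MAGIC_COOKIE + opts


# Constructed samples: the known server hands out addresses only; a second,
# unlisted host answers with a next-server and a boot image name.
KNOWN_SERVERS = {"10.0.0.1"}
LEGIT_OFFER = build_offer("10.0.0.1")
SUSPECT_OFFER = build_offer("10.0.0.250", next_server="10.0.0.250", bootfile="pxelinux.0")

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT_OFFER), ("suspect", SUSPECT_OFFER)):
        print(label, audit_offer(pkt, KNOWN_SERVERS) or "ok")
```

The check is deliberately strict: on a network where PXE is not in use, any OFFER that names a next-server or boot image is worth an alert regardless of which server sent it, because the first OFFER a client hears usually wins. The same parser works on packets pulled from a capture file or a span port, which is where a monitoring deployment would feed it.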
Current thread:
- pixieboot attack Robin Wood (Jan 16)
- Re: pixieboot attack Jim Halfpenny (Jan 16)
- Re: pixieboot attack Mike Patterson (Jan 16)
- Re: pixieboot attack Robin Wood (Jan 16)
- Re: pixieboot attack James Shewmaker (Jan 16)
- Re: pixieboot attack Robin Wood (Jan 16)
- Re: pixieboot attack Robin Wood (Jan 16)
- Re: pixieboot attack David Auclair (Jan 19)