From Network boot to Local Admin: PXE Booting

Preboot Execution Environment, or PXE, is a method of booting a workstation by loading an operating system across the network. If PXE boot can be enabled (it is often enabled by default, even when machines are restricted from booting CDs or USB devices) then a stripped-down Linux operating system can be loaded over the network and used to compromise the target.

Exploitation is fairly simple; one option is to set up the attacking machine to act as a PXE server. I found an outdated guide here that covers setting it up on Fedora 7. However, I recently trialed the steps on Fedora (Security Spin) 22 and got it working just fine. I actually used it on a penetration test to compromise a host build.

 sudo dnf install tftp-server dhcp syslinux 

Choose the interface you'd like to serve the boot image from, set it to a static IP address, and configure the dhcpd server by editing /etc/dhcp/dhcpd.conf so that it contains the following:

# <...> placeholders: substitute the network, mask, broadcast and pool addresses
# for the interface you chose above
allow booting;
allow bootp;
ddns-update-style interim;
ignore client-updates;
subnet <NETWORK> netmask <NETMASK> {
  option subnet-mask <NETMASK>;
  option broadcast-address <BROADCAST>;
  range dynamic-bootp <RANGE_START> <RANGE_END>;
  filename "pxelinux.0";
}

Next set up syslinux like this:

 cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot/ 

Create a boot configuration file under /var/lib/tftpboot as follows:

DEFAULT pxeboot
LABEL pxeboot
 KERNEL vmlinuz
 APPEND initrd=initrd.img

Finally, all that is left is to place the Linux kernel and initial ramdisk in /var/lib/tftpboot/. For the most part, when compromising a device through PXE you simply want terminal access on the device and the ability to read or modify the Windows C: drive, so any kernel and initrd that drop into a command line and can mount NTFS drives will do. On a Fedora system you can take the kernel from your boot directory (most likely /boot/vmlinuz) and create a simple initrd with mkinitrd, for example:

 mkinitrd --no-compress --with=X /var/lib/tftpboot/initrd.img 4.0.4-301.fc22.x86_64 

The --with parameter is not required, but it lets you specify additional modules that are not built into the kernel by default, should you want support for extra file systems, e.g. --with=reiserfs. The string at the end (4.0.4-301.fc22.x86_64) is the version of the kernel you took from /boot/. If you're unsure, this is most likely the running kernel, since that is the default, and its version string can be found with the command:

 uname -r 

Now all that is left is to plug a cable directly between the attacking and target machines and start the required services:

service dhcpd start
service tftp start 

Now reboot the target machine, select PXE booting as the boot device, and you should end up with a bash shell on the target machine!
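On the defensive side, the dhcpd.conf above is what a rogue PXE server looks like on the wire: the `filename "pxelinux.0"` directive lands in the `file` field of the DHCP header of every OFFER, and the server's own address appears in `siaddr` and option 54. A network monitor can therefore flag any OFFER or ACK that hands out a boot image from a host other than the sanctioned deployment server. The following is an added example and not code from the original post; the parser, the `check_offer` helper, the constructed sample packet and the 10.0.0.x addresses are all my own assumptions.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field

def parse_dhcp(pkt):
    """Split a raw BOOTP/DHCP packet into the header fields we need plus an options dict."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    siaddr = str(IPv4Address(pkt[20:24]))                 # "next server" (TFTP) address
    bootfile = pkt[108:236].split(b"\0", 1)[0].decode("ascii", "replace")  # 128-byte file field
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:                 # 255 = end of options
        if pkt[i] == 0:                                   # 0 = pad byte, no length
            i += 1
            continue
        tag, length = pkt[i], pkt[i + 1]
        options[tag] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"siaddr": siaddr, "file": bootfile, "options": options}

def check_offer(pkt, allowed_servers):
    """Return the boot parameters carried by an OFFER/ACK and whether the server is
    outside the allow-list; return None when the message offers no network boot."""
    d = parse_dhcp(pkt)
    opts = d["options"]
    if opts.get(53, b"")[:1] not in (b"\x02", b"\x05"):   # 2 = DHCPOFFER, 5 = DHCPACK
        return None
    server = str(IPv4Address(opts[54])) if 54 in opts else d["siaddr"]
    tftp = opts[66].decode("ascii", "replace") if 66 in opts else d["siaddr"]
    bootfile = opts[67].decode("ascii", "replace") if 67 in opts else d["file"]
    if not bootfile:
        return None
    return {"server": server, "tftp": tftp, "bootfile": bootfile,
            "rogue": server not in allowed_servers}

def build_offer(server_ip, tftp_ip, bootfile):
    """Constructed sample DHCPOFFER (not a real capture) for exercising check_offer."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)   # op=BOOTREPLY, ethernet
    hdr += bytes(4) + IPv4Address("10.0.0.50").packed              # ciaddr, yiaddr
    hdr += IPv4Address(tftp_ip).packed + bytes(4)                  # siaddr, giaddr
    hdr += b"\xde\xad\xbe\xef\x00\x01" + bytes(10) + bytes(64)     # chaddr (16), sname (64)
    hdr += bootfile.encode().ljust(128, b"\0")                     # file field
    opts = MAGIC + bytes([53, 1, 2, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return hdr + opts

if __name__ == "__main__":
    # 10.0.0.1 is the sanctioned deployment server; 10.0.0.99 is an unknown host
    print(check_offer(build_offer("10.0.0.99", "10.0.0.99", "pxelinux.0"), {"10.0.0.1"}))
```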