PXEThief – Set Of Tooling That Can Extract Passwords From The Operating System Deployment Functionality In Microsoft Endpoint Configuration Manager

The most serious attack this tooling enables is probably the case where PXE-initiated deployment is enabled for "All unknown computers" on a distribution point with no PXE password, or with a weak one. Combined with the overpermissioning of ConfigMgr accounts exposed to OSD mentioned earlier, this can allow a full Active Directory attack chain to be executed with nothing more than network access to the target environment.

A file contained in the main PXEThief folder is used to set more static configuration options. These are as follows:

Not implemented in this release

Expect to run into issues with error handling in this tool; there are subtle nuances to everything in ConfigMgr, and while I have improved the error handling substantially in preparation for the tool's release, it is in no way complete. If you hit edge cases that fail, open a detailed issue, or fix it and make a pull request 🙂 I'll review these to see where reasonable improvements can be made. Read the code (or watch the talk) and understand what is going on before you run it in a production environment. Keep the licensing terms in mind: use of the tool is at your own risk.

Copyright (C) 2022 Christopher Panayi, MWR CyberSec
