The most serious attack this tooling enables is likely against a distribution point that has PXE-initiated deployment enabled for “All unknown computers” with no PXE password, or a weak one. Combined with the overpermissioning of ConfigMgr accounts exposed to OSD mentioned earlier, this can allow a full Active Directory attack chain to be executed with nothing more than network access to the target environment.
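As an added example (this is not code from the PXEThief repository or its author), the following PowerShell query lists distribution points that sit in the worst-case configuration described above: PXE enabled, unknown computers supported, and no PXE password set. It queries the SMS Provider over WMI/CIM rather than using the ConfigMgr console module, so it needs a machine and account with access to the site's `root\SMS\site_<code>` namespace. The role's embedded property names used here (`IsPXE`, `SupportUnknownMachines`, `PXEPassword`) and the use of `Value1` for the stored password are assumptions about the `SMS_SCI_SysResUse` class; `$SiteServer` and `$SiteCode` are placeholders.

```powershell
# Added example, not part of PXEThief. Finds distribution points that answer
# PXE for unknown computers without a PXE password.
# Assumptions (see lead-in): DP settings live in the Props of the
# SMS_SCI_SysResUse instance for the 'SMS Distribution Point' role, under the
# property names 'IsPXE', 'SupportUnknownMachines' and 'PXEPassword'.
param(
    [Parameter(Mandatory)][string]$SiteServer,   # site server hosting the SMS Provider
    [Parameter(Mandatory)][string]$SiteCode      # three-character site code
)

$ns      = "root\SMS\site_$SiteCode"
$session = New-CimSession -ComputerName $SiteServer

# One SMS_SCI_SysResUse instance per site system role; keep only the DP role.
$dpRoles = Get-CimInstance -CimSession $session -Namespace $ns `
    -ClassName SMS_SCI_SysResUse -Filter "RoleName='SMS Distribution Point'"

function Get-EmbeddedProp {
    param($Instance, [string]$Name)
    $Instance.Props | Where-Object { $_.PropertyName -eq $Name } | Select-Object -First 1
}

$dpRoles | ForEach-Object {
    # Props is a lazy property: re-fetch the instance so it is populated.
    $full = Get-CimInstance -CimSession $session -InputObject $_

    $pxe     = Get-EmbeddedProp $full 'IsPXE'
    $unknown = Get-EmbeddedProp $full 'SupportUnknownMachines'
    $pxePwd  = Get-EmbeddedProp $full 'PXEPassword'

    [pscustomobject]@{
        DistributionPoint = $full.NetworkOSPath
        PxeEnabled        = ($pxe.Value -eq 1)
        UnknownComputers  = ($unknown.Value -eq 1)
        # The stored password is encrypted; only presence can be checked here.
        PxePasswordSet    = -not [string]::IsNullOrEmpty($pxePwd.Value1)
    }
} | Where-Object { $_.PxeEnabled -and $_.UnknownComputers -and -not $_.PxePasswordSet } |
    Format-Table -AutoSize
```

Any DP this prints is reachable by an unauthenticated PXE client with no password at all. A DP that has a password set but a weak one will not appear; the stored value is encrypted, so password strength has to be assessed by other means, such as attempting recovery with the tooling on this page against a test network.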
A file contained in the main PXEThief folder is used to set more static configuration options. These are as follows:
Not implemented in this release
Expect to run into issues with error handling in this tool; there are subtle nuances to everything in ConfigMgr, and while I have improved the error handling substantially in preparation for the tool’s release, it is in no way complete. If you hit edge cases that fail, open a detailed issue, or fix it and make a pull request 🙂 I’ll review these to see where reasonable improvements can be made. Read the code and watch the talk so you understand what is going on before running it in a production environment. Keep in mind the licensing terms, i.e. use of the tool is at your own risk.
Copyright (C) 2022 Christopher Panayi, MWR CyberSec