1、创建一个新的Windows VM; 2、安装Python:https://www.python.org/; 3、通过pip安装该工具所需的全部依赖组件:pip install -r requirements.txt; 4、为Scapy安装Npcap组件:#download; 5、将VM与运行了ConfigMgr的网络桥接; 6、如果使用pxethief.py 1或pxethief.py 2来识别和生成一个媒体变量文件,请确保工具使用了正确的接口,如果接口不正确的话,则需要在settings.ini中手动配置;
git clone https://github.com/MWR-CyberSec/PXEThief.git
pip install -r requirements.txt
python pxethief.py -h
pxethief.py 1
pxethief.py 2 <IP Address of DP Server>
pxethief.py 3 <variables-file-name> <Password-guess>
pxethief.py 4 <variables-file-name> <policy-file-path> <password>
pxethief.py 5 <variables-file-name>
pxethief.py 6 <identityguid> <identitycert-file-name>
pxethief.py 7 <Reserved1-value>
pxethief.py 8
pxethief.py 10
pxethief.py -h
[SCAPY SETTINGS]
automatic_interface_selection_mode = 1
manual_interface_selection_by_id =
[HTTP CONNECTION SETTINGS]
use_proxy = 0
use_tls = 0
[GENERAL SETTINGS]
sccm_base_url =
auto_exploit_blank_password = 1
automatic_interface_selection_mode:该设置将尝试判断Scapy的最佳接口,方便起见,如果设置为1,则尝试使用默认网关作为输出接口;如果设置为2,则尝试寻找第一个拥有IP地址的接口; manual_interface_selection_by_id:该设置允许指定Scapy需要使用的接口的整数索引值;
sccm_base_url:该设置可以覆盖工具交互的管理节点,该参数需要设置为一个URL基地址,例如http://mp.configmgr.com,而不要设置成mp.configmgr.com或http://mp.configmgr.com/stuff; auto_exploit_blank_password:修改pxethief 1的行为,将其修改为自动尝试利用一个无密码保护的PXE节点。设置为1,将会自动实现漏洞利用,设置为0则会打印tftp客户端字符串;
https://forum.defcon.org/node/241925 https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/accounts#network-access-account https://www.mwrcybersec.com/research_items/identifying-and-retrieving-credentials-from-sccm-mecm-task-sequences https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Christopher%20Panayi%20-%20Pulling%20Passwords%20out%20of%20Configuration%20Manager%20Practical%20Attacks%20against%20Microsofts%20Endpoint%20Management%20Software.pdf https://github.com/MWR-CyberSec/configmgr-cryptderivekey-hashcat-module
精彩推荐