Dave and Dave first used PXE boot to stand up a system on the network. They did not have to compromise an existing machine: all they needed was a network connection, after which they booted a PXE image that was configured to install, boot, and join the domain with valid credentials. The image they booted carried credentials, stored in an undisclosed location, that it used to join the domain as part of its boot and configuration process. They then used credentials stored on that machine, together with System Center logs, to work out where the central System Center server was located. Once on the central server, they determined, again from its logs, what it was regularly pushing out to every machine on the network. Microsoft System Center Configuration Manager was used to distribute security patches, so they located a script/executable that was pushed out to other machines on a schedule and replaced it with their own .exe. A script dropped into the administrator's startup directory then signed (or created the hash for) the new .exe, the one step they could not perform themselves. After that, the central server pushed their "patch" out to the other machines, and within minutes they had a reverse root shell on over 900 boxes.
The two did encounter a few roadblocks, which they got around by taking advantage of newer MSCCM features intended to make network management easier for administrators. They dug into the Windows logs several times to find the information they needed. In one case they needed the location (IP address) of the central server, which is normally obtainable only with the appropriate credentials; instead, they simply searched the logs for a keyword such as "central," which surfaced log lines containing the address. They stated that they had been using the PXE boot technique for four years but had only now decided to talk about it. PXE makes it dead easy to deploy images to users who have no knowledge of how to set up a computer, but it also lets anyone on the network get imaged and configured, because no user interaction is required.
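The weak point above is an unattended deployment image that carries its own domain-join credentials. Below is an added audit script (not from the talk or from Microsoft) that parses a Windows unattend.xml answer file and reports every embedded credential block, whether stored in plaintext or merely base64-encoded; the sample answer file, the domain, and the account names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the kind of unattend.xml a PXE-deployed image might
# carry so a machine can join the domain with no user interaction.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <JoinDomain>corp.example</JoinDomain>
        <Credentials>
          <Domain>corp.example</Domain>
          <Username>svc-domainjoin</Username>
          <Password>Sup3rSecret!</Password>
        </Credentials>
      </Identification>
    </component>
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
        <Password><Value>YWRtaW4=</Value><PlainText>false</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""

NS = "{urn:schemas-microsoft-com:unattend}"


def find_embedded_credentials(xml_text):
    """Return (component, username, how_stored) for each credential block.

    UnattendedJoin <Password> is always plaintext. AutoLogon passwords
    marked PlainText=false are base64, which is obfuscation, not protection:
    anyone who can fetch the image recovers the secret either way.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for comp in root.iter(NS + "component"):
        name = comp.get("name", "?")
        for cred in comp.iter():
            if cred.tag not in (NS + "Credentials", NS + "AutoLogon"):
                continue
            pw = cred.find(NS + "Password")
            if pw is None:
                continue
            user = cred.findtext(NS + "Username", default="?")
            plain = pw.findtext(NS + "PlainText")
            how = "plaintext" if plain is None or plain.lower() == "true" else "base64"
            findings.append((name, user, how))
    return findings
```

Run it against the answer files inside each boot image and deployment share; any finding means the image itself is a credential leak to whoever can PXE boot, and the account should be replaced with a join mechanism that does not ship a reusable secret.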
The whole concept of MSCCM as an easy network management tool does sound appealing, and when used correctly it can simplify updating network settings and deploying software updates, scripts, security patches, and so on across numerous devices. The same feature set, however, presents one major security risk: a network that is easy to manage centrally can also become easier to compromise centrally.