What are the biggest security concerns on PXE? (election machine network boot)
Theory
Nerdpedes,
have a look at
https://security.stackexchange.com/questions/64915/what-are-the-biggest-security-concerns-on-pxe
Best of:
I can capture a full machine image. Do your systems automatically connect to the domain controller after setting up the machine? If so, this image probably has domain controller credentials on it, that I can capture and use elsewhere.
Computer makes a DHCP request --> DHCP server responds with address and PXE parameters --> Computer downloads boot image using TFTP over UDP
If the good guys got the traffic at that low level, unencrypted, then they would have it all.
PXE can be used to silently and automatically install a modified, or entirely different, operating system, including one which runs as an ISO (CD/DVD) image, without actually modifying the hard drive, leaving no trace of it when the machine is rebooted.
Moreover, it allows one to change out the operating system image from any other point on the network.
Are you talking about the WinPE environment? I've never seen the ability to download and run an ISO in RAM without touching the HDD like a live CD. Can you please provide info or instructions on this?
Tails Linux.
Yes, but we are talking about PXE booting Tails then; I've never seen that done.
I haven't either, I just meant an OS from an ISO image. I suppose you could put the image on a disk and serve that from PXE or something like it.
It would run all in RAM and not touch the HD. That's sort of like an old WYSE dumb terminal.
WinPE can run from RAM, you could boot to a virtual disk over the network, most Linux flavors can run as a live CD...
You can get a lot of stuff running in a WinPE environment, especially if you're the one writing the software.
Yes, this is all true, but you need to exit the WinPE environment to run the OS. You say you can boot to a virtual disk over the network. Wouldn't this be a thin client / terminal services rather than PXE?
WindowsPE runs in RAM. I boot to it from a flash drive and pull out the drive once it's up, all the time.
Yes, but have you PXE booted a live CD or similar? That's what we are talking about here. The PXE environment is meant for installing on an HDD, not running live; I don't know that it's possible.
Ah, indeed. So... this is from Microsoft: https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/understand-pxe-boot
"The NBP downloads the operating system loader and the boot files via TFTP, which include the following:
smsboot\x64\pxeboot.com
smsboot\x64\bootmgr.exe
\SMSBoot\Fonts\wgl4_boot.ttf
\SMSBoot\boot.sdi
\SMSImages\RR200004\boot.RR200004.wim
A RAMDISK is created using these files and the WinPE WIM file in memory.
The client boots from the RAMDISK."
Looks like PXE does boot from RAM? I was under the impression that PXE was for deploying an image or images out easily to clients for installation of said images onto the clients' drives. I am not certain anymore after reading through the doc I linked from Microsoft.
Could this be where the infamous thumb drives come into play, to serve up the required software overrides across a LAN?
TY - That's similar to what I was about to say.
My question in this realm is whether SSDs or other flash media drives are forensically retraceable once a new OS is reinstalled.
It depends. Data written to a flash or SSD drive before either deleting the file and/or reformatting can often be recovered -- easily so, if that region of the drive has not yet been overwritten with other data. If it has, there are forensic IT tools which can still sometimes recover the old data using statistical analysis and other techniques.
However, an OS which is loaded via PXE, and running in RAM only would leave very little evidence behind, assuming all operations it performed were also in RAM only, once the machine were rebooted (clearing anything in RAM). Analyzing what was previously only in RAM is also possible, but requires more expertise, and favorable conditions.
Also worth mentioning is that some newer computers and devices often have a built-in 'side computer' which can be running and even accessed remotely, even when the main computer is turned off. The marketing reason for this is to enable remote administration/IT assistance, even when a machine has crashed or is not booted or powered on.
Thank you for the great info. To your last statement, I know some HP enterprise servers have a separate NIC and ROM for remote access built in.
HP, Dell, IBM. They all have that. DRAC or iLO, each their own version of the same thing. Access to power cycle, BIOS, and to the OS if it is running.
The only way to prevent it is to enable secure boot with a signed kernel. If that is unavailable or disabled, a person can boot anything they want without a trace.
Just pointing out that you can run bad software on a legit, signed kernel.
The old Diebold machines would run anything with the right file name on an SD card. No checks whatsoever.