I was wondering if this was a new attack vector or if anyone was doing it already...
If you find a network which has PXE boot enabled on machines but not currently in use you kill off the existing DHCP server in some way (DHCP exhaustion attack probably) and replace it with your own. Your server then gives them PXE boot information which has them download a Konboot style payload which silently backdoors the OS as it is booting but lets it appear as if it boots normally to the users. You then know from your DHCP logs all the potentially backdoored machines or you can have them call back and tell you that it was successful. Has anyone done this? Do organisations use PXE boot on network machines? Robin _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
