Monday, August 22, 2016

PXE Boot UEFI and BIOS at the Same Time? Yeah, it's possible.

Recently, I ran across an issue where I needed to PXE boot UEFI and BIOS on the same network with DHCP. With default options, it doesn't work very well. I'm sure there's some way around it, but it was painful for my Sysadmin to deal with.

Today, thanks to BranchCache Bob (https://www.youtube.com/watch?v=k5E97ndlRog), I was able to successfully make it work on Windows Server 2012 R2's DHCP server by setting up Policies.

A couple things:

1. You have to create DHCP Option 60 if it's not there already. On PXE servers that also have DHCP servers installed, this should be installed by default.
2. Option 60 needs to be given a value of "PXEClient"; this is required for the UEFI boot process.
3. Don't set Option 60 for the BIOS side.

Now, with that out of the way, let's get to the biscuits and gravy of this...

SETTING UP THE VENDOR CLASSES - 

UEFI and BIOS clients send specific information in their packets; the server parses it, and it will help with the filtering later.

To set up the information for this, open the DHCP server, right-click the IP class (in this case IPv4), then click "Define Vendor Classes..."



You'll need to add a new DHCP Vendor Class. Click Add, and type in the following information:

UEFI - 64-bit

* Display Name: PXEClient (UEFI x64)
* Description: PXEClient:Arch:00007
* ASCII: PXEClient:Arch:00007

(Note: The ASCII part will need to be typed in manually, and it is case sensitive)

UEFI - 32-bit

* Display Name: PXEClient (UEFI x86)
* Description: PXEClient:Arch:00006
* ASCII: PXEClient:Arch:00006

(Note: The ASCII part will need to be typed in manually, and it is case sensitive)

BIOS - 32 and 64-bit

* Display Name: PXEClient (BIOS x86 and x64)
* Description: PXEClient:Arch:00000
* ASCII: PXEClient:Arch:00000

(Note: The ASCII part will need to be typed in manually, and it is case sensitive)


The "PXEClient:Arch:0000x" is how the server understands what version of the WIM it's receiving, and is needed for the Policies setup in the next part.

The end result will look something like this:

Next, we need to set up the Policies...

POLICIES - 

*IMPORTANT* - Policies can be set up globally through the server, or by the scope. Choose wisely.

Right-click on Policies, click "New Policy..."

Add the following information:

UEFI - 64-bit

* Policy Name: PXEClient (UEFI x64)
* Description: Policy to setup correct server and files for UEFI x64
* Click Next
* Click Add
* Under "Value(s)", select "PXEClient (UEFI x64)", check the box for "Append wildcard(*)", then click Add, then OK
* Click Next
* Select DHCP Standard Options, then select:
     - Option 60 -"PXEClient"
     - Option 66 -
     - Option 67 -
* Click Next
* Make sure all the options look correct, then click Finish

UEFI - 32-bit

* Policy Name: PXEClient (UEFI x86)
* Description: Policy to setup correct server and files for UEFI x86
* Click Next
* Click Add
* Under "Value(s)", select "PXEClient (UEFI x86)", check the box for "Append wildcard(*)", then click Add, then OK
* Click Next
* Select DHCP Standard Options, then select:
     - Option 60 -"PXEClient"
     - Option 66 -
     - Option 67 -
* Click Next
* Make sure all the options look correct, then click Finish

BIOS - 32 and 64-bit

* Policy Name: PXEClient (BIOS x86 and x64)
* Description: Policy to setup correct server and files for BIOS x86 and x64
* Click Next
* Click Add
* Under "Value(s)", select "PXEClient (BIOS x86 and x64)", check the box for "Append wildcard(*)", then click Add, then OK
* Click Next
* Select DHCP Standard Options, then select:
     - **Option 60 is not needed here, don't put it in**
     - Option 66 -
     - Option 67 -
* Click Next
* Make sure all the options look correct, then click Finish
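
To see why each policy condition needs "Append wildcard(*)", here is an added Python example (not from the original post) that walks a DHCP options field and applies the three vendor classes to option 60. It assumes PXE clients send the identifier with a trailing ":UNDI:..." suffix; the sample option bytes are constructed, not captured traffic.

```python
# Class names and ASCII strings are the ones defined in the post.
VENDOR_CLASSES = {
    "PXEClient (UEFI x64)": "PXEClient:Arch:00007",
    "PXEClient (UEFI x86)": "PXEClient:Arch:00006",
    "PXEClient (BIOS x86 and x64)": "PXEClient:Arch:00000",
}

def parse_options(options: bytes) -> dict:
    """Walk the DHCP options field (the TLV bytes after the magic cookie)."""
    parsed, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option: single byte, no length
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        parsed[code] = value
        i += 2 + length
    return parsed

def match_policy(options: bytes, wildcard: bool = True):
    """Return the vendor class (and so the policy) option 60 selects, or None."""
    vci = parse_options(options).get(60)
    if vci is None:
        return None
    text = vci.decode("ascii", errors="replace")
    for name, data in VENDOR_CLASSES.items():
        # Case-sensitive compare, as the post notes for the ASCII field.
        hit = text.startswith(data) if wildcard else text == data
        if hit:
            return name
    return None

def opt(code: int, value: bytes) -> bytes:
    """Build one option as code, length, value (helper for the samples)."""
    return bytes([code, len(value)]) + value

# Constructed sample option fields.
SAMPLE_UEFI = opt(53, b"\x01") + opt(60, b"PXEClient:Arch:00007:UNDI:003016") + b"\xff"
SAMPLE_BIOS = b"\x00" + opt(60, b"PXEClient:Arch:00000:UNDI:002001") + b"\xff"
SAMPLE_LOWERCASE = opt(60, b"pxeclient:arch:00007:UNDI:003016") + b"\xff"
SAMPLE_WINDOWS_CLIENT = opt(60, b"MSFT 5.0") + b"\xff"
```

With `wildcard=False` the UEFI sample matches no class, because the identifier on the wire is longer than the string typed into the vendor class.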

Now with all that set up, it's time to check the Scope Options...

SCOPE OPTIONS - 


The Scope Options should be set up automatically for the scope in which the policy was just defined. If the policies were set up at the server level, then they should appear in all scopes.

If you previously defined any options for the scope that are now defined in the policies (for this, Option 60/66/67), you will need to delete them, otherwise it will not function. 

Good luck!

Friday, August 12, 2016

So, you wanna play with the Samurai web targets from Kali?

I wanted to play with the Samurai webapp targets from Kali (because I'm more familiar with Kali, of course), but I couldn't figure out how. They just didn't want to play nicely. Thanks to a good friend of mine that works for company undisclosed, errr, uhhhh...with Kevin Johnson, I got some tips on how to make this work.

Now, if you're a website admin, you probably know this already. I'm not.

Here's the fix:

On the Samurai VM, go to /etc/apache2/sites-available/ and get into the configs of each webapp. Inside you'll see something like this:


The "VirtualHost *IP address:port*" line is where you'll change the IP address to the one you want.

*EDIT:* You will also need to add the line: 

     ServerName <servername>

to the config file...I put mine after DocumentRoot.

Of course, you'll probably want to give yourself a static IP so that it doesn't change. VMware Workstation/Player can be a little finicky at times.

You should also notice that there are two different VirtualHosts here...one for port 80 and one for port 443. Change the IP on both.

Now, on your Kali box (or whatever you want to pentest/play with the webapps from), you'll need to set the hosts file up to point that webapp name to the IP address you placed in the file.
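
A quick consistency check for the steps above, as an added Python example that is not part of the original post: it reads a site config and a hosts file and reports any VirtualHost that lacks a ServerName or whose IP does not match the hosts entry. The hostname, IP addresses and DocumentRoot in the samples are constructed placeholders.

```python
import re

def parse_vhosts(conf: str):
    """Return (ip, port, server_name_or_None) for each <VirtualHost> block."""
    pattern = r"<VirtualHost\s+([^\s:>]+):(\d+)\s*>(.*?)</VirtualHost>"
    vhosts = []
    for m in re.finditer(pattern, conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", m.group(3), re.M | re.I)
        vhosts.append((m.group(1), int(m.group(2)), name.group(1) if name else None))
    return vhosts

def parse_hosts(hosts: str) -> dict:
    """Map each hostname in a hosts file to its IP; first entry wins."""
    table = {}
    for line in hosts.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def check(conf: str, hosts: str) -> list:
    """List mismatches between the vhost config and the client hosts file."""
    table, problems = parse_hosts(hosts), []
    for ip, port, name in parse_vhosts(conf):
        if name is None:
            problems.append(f"{ip}:{port} has no ServerName")
            continue
        mapped = table.get(name.lower())
        if mapped != ip:
            problems.append(f"{name}: vhost on {ip}:{port}, hosts file says {mapped}")
    return problems

# Constructed samples: the port 443 block was left on its old address.
SAMPLE_CONF = """
<VirtualHost 192.168.56.10:80>
    DocumentRoot /var/www/webapp
    ServerName webapp.example.test
</VirtualHost>
<VirtualHost 127.0.0.1:443>
    DocumentRoot /var/www/webapp
</VirtualHost>
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.56.10 webapp.example.test  # Samurai VM\n"

if __name__ == "__main__":
    for problem in check(SAMPLE_CONF, SAMPLE_HOSTS):
        print(problem)
```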

Voila! You're done.

Stay classy.
Aaron