Didier Stevens

Tuesday 26 September 2006

PiXiE dust

Filed under: Hacking — Didier Stevens @ 9:05

Once more, I had to convince by example (movie included).

Our laptops are locked down: a normal user has only two boot options, from the hard disk or from the network. Removable media boot (floppy, CD, …) is disabled. Network boot is allowed because the laptops are installed with Microsoft RIS (a network boot technology), and this feature is not disabled after installation.
This allows a user to boot from another image and access the hard disk without restrictions. Contrary to the arguments of the workstation installation team, this isn’t hard to do and you don’t need a specialized network environment with a Microsoft RIS server.

To pull this off, you need a DHCP server, a boot (TFTP) server, and a boot image. I didn’t find freeware to create the boot images; I had to use emBoot’s Network Boot Tools trial version.

The procedure in a nutshell:

  • configure a Windows XP machine with a static IP address and connect it to a network hub
  • install a DHCP & TFTP server on the Windows XP machine
  • serve a Network Bootdisk image from the Windows XP machine
  • connect the laptop to the hub and boot from network
  • use the Network Bootdisk to transfer files from the laptop to the Windows XP machine

Making the boot disk

  • the Network Bootdisk doesn’t work with PXE (a network boot technology), but this forum thread explains how to modify the Network Bootdisk to solve this problem
  • add NTFSDOS from Sysinternals to the Network Boot disk to provide access to NTFS volumes
  • start the Bootimage Editor from the Network Boot Tools
  • create an image file from the Network Bootdisk image you just prepared, and call it netbootdisk.img
  • create a PXE menu boot file: add netbootdisk.img and save it as netbootdisk.pxe

Preparing the workstation

The workstation will host the DHCP and TFTP server to provide the boot image to the laptop. I also share a folder on this workstation to transfer files.

  • to avoid authentication problems with the Network Bootdisk, I use a Windows XP workstation in Workgroup mode with a blank Administrator password
  • configure a static IP address:
  • create a share on the workstation, configure it with write permissions
  • disable the firewall
  • install tftpd32 (DHCP & TFTP server), it’s just one executable and it’s freeware
  • create a folder tftpboot and copy the images to it (netbootdisk.img and netbootdisk.pxe)
  • start tftpd32
  • point the “Current Directory” to the tftpboot folder
  • set “IP pool starting address” to
  • set “Size of pool” to 10
  • set the “Boot File” to netbootdisk.pxe
  • set the “Mask” to
  • Save the configuration


The server is now ready.

Executing the attack

  • connect the laptop to the network hub
  • boot the laptop, go to the BIOS boot menu and select network boot
  • follow the Network Bootdisk instructions until the command line prompt is displayed
  • start the net command and connect to the share
  • start ntfsdos
  • now we can access and copy any file to the share (the free NTFSDOS version is read-only)


I agree that configuring the boot images is not a trivial task, but I’m sure that you can find ready-made bootdisks on the Internet.

However, setting up the boot server and booting the laptop is child’s play, and the only software you need is a simple DHCP/TFTP daemon.

I didn’t find free software to replace the Network Boot Tools (except for the DHCP/TFTP daemon). The PXE specification defines an API you can use when you boot from the network (this API provides a TFTP client, amongst other things). The only open source example I found using the PXE API is PXELINUX. The source code of the boot image is assembler code that has to be assembled with NASM.
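From the defender’s side, the weak spot this post exploits is that any host answering DHCP on the segment can hand the laptop a boot file. As an added example (my own code, not from this post or from any of the tools it mentions), here is a small Python detector that parses a DHCP offer and flags one carrying network-boot parameters (option 66 TFTP server, option 67 boot file) from a server that is not on an allowlist of legitimate RIS/PXE servers. The offer bytes, the server addresses and the allowlist are constructed for the demonstration.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP option list
DHCPOFFER = 2                        # RFC 2132 option 53 value for an offer

def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP option list into a dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {
        "siaddr": str(IPv4Address(packet[20:24])),          # next-server (TFTP) address
        "file": packet[108:236].split(b"\0", 1)[0].decode("ascii", "replace"),  # legacy boot file field
        "options": {},
    }
    i = 240
    while i + 1 < len(packet) and packet[i] != 255:        # 255 = end of options
        if packet[i] == 0:                                 # 0 = pad byte, no length
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        msg["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def rogue_pxe_offer(packet: bytes, authorized_servers: set):
    """Return a finding string if a DHCPOFFER hands out boot parameters from an unlisted server."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if opts.get(53) != bytes([DHCPOFFER]):
        return None
    server = str(IPv4Address(opts[54])) if 54 in opts else msg["siaddr"]
    tftp = opts.get(66, b"").decode("ascii", "replace") or msg["siaddr"]
    bootfile = opts.get(67, b"").decode("ascii", "replace") or msg["file"]
    if not bootfile:                      # plain address lease, no boot image offered
        return None
    if server in authorized_servers:      # e.g. the real RIS server (constructed allowlist)
        return None
    return f"rogue PXE offer from {server}: tftp={tftp} bootfile={bootfile}"

def build_offer(server: str, bootfile: str) -> bytes:
    """Construct a minimal DHCPOFFER for the demonstration; this is not captured traffic."""
    hdr = bytearray(236)
    hdr[0] = 2                                   # BOOTREPLY
    hdr[20:24] = IPv4Address(server).packed      # siaddr
    opts = b"\x35\x01\x02" + b"\x36\x04" + IPv4Address(server).packed   # options 53 and 54
    if bootfile:                                 # PXE parameters: option 66 (TFTP) and 67 (boot file)
        opts += bytes([66, len(server)]) + server.encode()
        opts += bytes([67, len(bootfile)]) + bootfile.encode()
    return bytes(hdr) + MAGIC_COOKIE + opts + b"\xff"
```

Feeding captured DHCP payloads (UDP port 67/68, from a span port or a DHCP relay log) into `rogue_pxe_offer` turns the tftpd32 setup described above into an alert; keeping the allowlist to the real RIS servers is the whole check.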

Here is a YouTube movie showing you the complete boot. A hi-res (XviD) version can be found here. This example is on VMware, not on the laptop. In this movie, I transfer the SAM and SYSTEM files to crack the administrator password with Cain & Abel. I use a simple password (test) to speed up the brute-force attack.
