
5yn/pxethiefy

 
 

pxethiefy.py

pxethiefy is a tool that enumerates the PXE boot media offered by an SCCM server in a target network: it broadcasts for PXE servers, requests the boot media they offer and tries to decrypt it.

This tool is heavily based on the tool PXEThief. While PXEThief is a Windows-based tool (and provides more features), pxethiefy.py has a limited feature set, but can be used from Linux hosts as well. Shoutout and all credits go to MWR-CyberSec.

This tool is a byproduct of SCCM research, which can be found in this blog: https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/

Install

$:> virtualenv -p python3 venv
$:> source venv/bin/activate
$:> sudo python3 -m pip install -r requirements.txt 
$:> sudo python3 pxethiefy.py -h

Usage

Overview

Sample from an SCCM lab with encrypted PXE boot media:

[Image: Example use]

If the PXE boot media is encrypted, this hashcat module (once again by MWR-CyberSec) can be used to crack the password of the downloaded media file.

Once the password has been cracked, pxethiefy.py can be used to read the media file and show potential next steps:

[Image: Decrypt boot media with pxethiefy.py]
