Jump to content

BootServerReply Hacking


ubernerd
 Share

Recommended Posts

I plan to deploy several PXE servers to handle client boots and I would love to be able to identify the server that the client booted from so I can write scripts that work on all servers instead of having to specialize the scripts for each server.

In searching for at solution for this, I came across this key in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PXE

Where there is a value containing what appears to be the BootServerReply, and I have identified the boot server address in at least two locations in the data, both I'm not sure which is which.

Can anyone tell me how to decode these data or am I going down the wrong road here?

Any other good ideas on the subject would be appriciated (<- misspelled ???)

To clarify here is the registry data I have found

I have highlighted the server ip address (0a,1e,01,c8 or 10.30.1.200) , which was found in four different locations.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PXE]"DHCPServerACK"=hex:02,01,06,00,2a,dd,02,ee,00,00,00,00,00,00,00,00,0a,1e,01,\

0a,0a,1e,01,c8,00,00,00,00,00,0c,29,dd,02,ee,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,77,69,6e,70,65,5c,70,78,65,62,6f,\

6f,74,2e,6e,31,32,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,63,82,53,63,35,01,05,3a,\

04,00,00,a8,c0,3b,04,00,01,27,50,33,04,00,01,51,80,36,04,0a,1e,01,c8,01,04,\

ff,ff,ff,00,05,04,0a,1e,01,c8,06,04,0a,1e,01,c8,43,09,5c,63,69,70,63,63,2e,\

30,00,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

....

Link to comment
Share on other sites


  • 6 months later...

FYI

After seeing this thread I created an advisory case at Microsoft, in order to get some confermation on where to look inside that binary file.

The place you are finding the IP adress is indeed the correct location, as confirmed by the MS technichian.

But those two keys were never ment to be used for anything other than MS's own debugging, as I have been told directly by one of the engineers behind Windows Deployment Services, so... It's up to you if you wan't to continue to use this information "as is", because it's in the greyzone as to what MS would provide support for, in the event of 'whatnot'.

Link to comment
Share on other sites

Not to go off on a complete tangent, but . . .

If you have multiple servers, I would assume they are on their own IP segment (if this assumption is wrong, then ignore everything else)

Such as: 10.30.1.200 and maybe a 10.30.2.200

Why not just have a WinPE2 side IP detection script that will tell you what segment your on, and then you know what server it booted off of.

If I'm not understanding what your trying to do, just ignore the the crazy old man.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.


×
×
  • Create New...