Evil autorun CD - ideas ? downloadable exploits anywhere ?

From: Petr.Kazil@eap.nl
Date: Wed May 02 2007 - 14:59:44 EDT

• Next message: Claudio Broglia: "Re: Penetration Testing"
• Previous message: Petr.Kazil@eap.nl: "RE: Firewall testing tool - name forgotten ... found!"
• In reply to: Jeremiah Brott: "RE: Firewall testing tool - name forgotten ..."
• Next in thread: Shenk, Jerry A: "RE: Evil autorun CD - ideas ? downloadable exploits anywhere ?"
• Reply: Shenk, Jerry A: "RE: Evil autorun CD - ideas ? downloadable exploits anywhere ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On the Internet there is much talk about hacking through "evil USB sticks"
:
http://www.theregister.co.uk/2007/04/25/usb_malware/

I was inspired by a talk by John Craddock where he told the following
anecdote:
- He would bake a stack of CD's and bring them to a conference. The stack
would gradually "evaporate" as people took a CD - even though the stack
was not marked as "free for taking". When people inserted the CD a tune
would be played. Gradually he would start hearing tunes in the
neighbourhood as people inserted the CD ...

It would be fun to make a few of these CD's and use them during a pentest.
Of course the payload should be more malicious then.

Question: Has anyone tried this before? Did it work?

Greetings, Petr Kazil

I will try to build a CD that will contain a photo viewer and a set of
innocent pictures. But it will try to install a keylogger and send the
collected data to a temporary server that I will install on the network.

My hope is that if I download C++ keylogger source code, modify it a bit
and compile it myself, that I will be able to evade virus checkers. I also
might compile and install a network listener backdoor. At the moment I'm
not even dreaming about rootkits and encrypted channels to the outside
world - that's much too difficult for me.

I don't think it will be able to collect password hashes or Active
Directory passwords because the script and programs will be running as a
normal domain user. But anyway it will be an interesting proof of concept.

I wasn't able to find any exploit details on Google. I just get a lot of
articles about the risks of autorun and ways to disable it ...

This idea has one big risk - suppose someone takes the CD home. Then I
would be committing a criminal act if I exploited his home computer. The
articles about USB-stick pentesting don't mention this risk.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

• Next message: Claudio Broglia: "Re: Penetration Testing"
• Previous message: Petr.Kazil@eap.nl: "RE: Firewall testing tool - name forgotten ... found!"
• In reply to: Jeremiah Brott: "RE: Firewall testing tool - name forgotten ..."
• Next in thread: Shenk, Jerry A: "RE: Evil autorun CD - ideas ? downloadable exploits anywhere ?"
• Reply: Shenk, Jerry A: "RE: Evil autorun CD - ideas ? downloadable exploits anywhere ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:45 EDT