Metasploit mailing list archives

Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit?

From: Chip <jeffschips () gmail com>
Date: Tue, 02 Aug 2011 17:27:46 -0400

On 8/2/2011 4:49 PM, Robin Wood wrote:

On 2 August 2011 17:53, Chip<jeffschips () gmail com>  wrote:

I know this is not entirely along the lines of metasploit but knowing that
almost all who subscribe to this list are network gurus I thought I would
post my question here -- it may, in fact, have something to do with an
exploit affecting the MBR of a host machine.

I have a windows xp machine which connects to a mail server with encrypted
traffic before anyone logs in, right after start up and when the windows xp
login splash screen comes up.   I know this is the case because I attached
an inline tap to the network to watch traffic and see this activity every
time the machine starts up.

Reading a lot recently about MBR exploits I'm wondering how I can track down
what culprit is doing this?  Since it occurs ONLY prior to login, I cannot
look at tasklist or netstat in a shell and see anything.  I'm hoping someone
on this list could advise either in the list or off the list.

I do have some captured packets of the activity, but it is encrypted TLS
traffic.

Create a meterpreter binary and run it on the machine with psexec
you've then got full access to the machine and can watch what happens
when you log in at the keyboard.

Have you checked who owns the mail server the traffic is going to? Is
it a legit one or some dodgy backstreet one? If it goes via domain
name you could try doing a DNS MITM to send it to a machine you own,
it might not validate that the certificate is the correct one so you
would be able to capture the traffic and decode it. You can do the
same if it does IP you just need to setup routing and IPs correctly.

Robin

Very, very interesting option and since it does do domain name lookup --I can see that in the network tap -- I find that might be the way togo! My question is if I used the meterpreter binary psexec method, willthat load a session prior to login, because this malware seems to dropsilent once login occurs. And if I get a meterpreter session, are youthen suggesting I run tasklist or netstat then to tease out the culprit?


Thanks.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

Current thread:

kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Chip (Aug 02)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Robin Wood (Aug 02)
  - Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Chip (Aug 02)
    - Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Robin Wood (Aug 02)
    - Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Average SecurityGuy (Aug 02)
    - Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Joshua Smith (Aug 02)
    - Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Jose Selvi (Aug 03)
    - Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Chip (Aug 03)
    - Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Nicolas Braud-Santoni (Aug 04)
    - Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Chip (Aug 04)