Metasploit mailing list archives
Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit?
From: Jose Selvi <jselvi () pentester es>
Date: Wed, 03 Aug 2011 08:59:47 +0200
Since it seems to be a very fast action, I think you may use automatic checks at boot time, for example:

1) Set up a service which makes a TCP connection. Check on the network whether your TCP connection happens before the evil SSL connection. If not, you need to set up your checks earlier than as a service.

2) Set up a service which looks for information about the process that makes the SSL connection. Is it an unknown binary in the file system? If so, maybe you've got it.

3) If not, probably it's a thread in a known Windows binary. First check that the Microsoft signature of this binary is OK. If so, probably there is another binary injecting a DLL into the process at run time.

4) Set up a service which looks at the interaction between this process and every other one. When another process injects code into it, we've got it.

5) Continue going back until you get the malware binary.

You can also try the reverse option: run the Windows XP boot process step by step and see what happens. The malware is surely launched somewhere.

Another option is to look on Google for the mail server IP; maybe there are other people who already know how this malware works.

Good luck! Regards!

On 02/08/11 23:32, Robin Wood wrote:
On 2 August 2011 22:27, Chip <jeffschips () gmail com> wrote:

On 8/2/2011 4:49 PM, Robin Wood wrote:

On 2 August 2011 17:53, Chip <jeffschips () gmail com> wrote:

I know this is not entirely along the lines of metasploit but knowing that almost all who subscribe to this list are network gurus I thought I would post my question here -- it may, in fact, have something to do with an exploit affecting the MBR of a host machine. I have a windows xp machine which connects to a mail server with encrypted traffic before anyone logs in, right after start up and when the windows xp login splash screen comes up. I know this is the case because I attached an inline tap to the network to watch traffic and see this activity every time the machine starts up. Reading a lot recently about MBR exploits I'm wondering how I can track down what culprit is doing this? Since it occurs ONLY prior to login, I cannot look at tasklist or netstat in a shell and see anything. I'm hoping someone on this list could advise either in the list or off the list. I do have some captured packets of the activity, but it is encrypted TLS traffic.

Create a meterpreter binary and run it on the machine with psexec, you've then got full access to the machine and can watch what happens when you log in at the keyboard. Have you checked who owns the mail server the traffic is going to? Is it a legit one or some dodgy backstreet one? If it goes via domain name you could try doing a DNS MITM to send it to a machine you own, it might not validate that the certificate is the correct one so you would be able to capture the traffic and decode it. You can do the same if it does IP, you just need to setup routing and IPs correctly.

Robin

Very, very interesting option and since it does do domain name lookup -- I can see that in the network tap -- I find that might be the way to go!

My question is if I used the meterpreter binary psexec method, will that load a session prior to login, because this malware seems to drop silent once login occurs. And if I get a meterpreter session, are you then suggesting I run tasklist or netstat then to tease out the culprit? Thanks.

It depends on what it counts as a login, it may only be watching for one from the GUI, if so psexec may not be noticed. If it is then just install an old ftp server from exploit-db and exploit that to get your Meterpreter shell, there is no login then. And yes, watch with tasklist and other tools. I'm no good with forensics, I'm sure there are others on this and other lists who will be able to tell you what to look for.

Robin
--
Jose Selvi. Security Technical Consultant
CISA, CISSP, CNAP, GCIH, GPEN
http://www.pentester.es
SANS Mentor in Madrid (Spain). September 23 - November 25
SEC560: Network Penetration Testing and Ethical Hacking
http://www.sans.org/mentor/details.php?nid=24133
http://www.pentester.es/2010/12/nuevo-grupo-y-descuento-para-network.html

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
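The two checks Jose proposes in steps 1 and 2 (does our boot-time probe fire before the suspect TLS connection, and which PID owns that connection) can be scripted. The following is an added example written for this archive page, not code posted by Jose, Robin or Chip. It assumes the `netstat -ano` output format of Windows XP/2003, a Python interpreter on the host for the live polling loop, and constructed tap observations and netstat lines; every address, port and PID below is invented for illustration. Only the parser and the ordering check run on the embedded sample; `poll_live` is what you would install as an early-start service on the box.

```python
"""Boot-time triage helpers: who talks to the mail server before logon?

Added example, not from the mailing list thread.  Assumes XP-style
`netstat -ano` output.  All hosts, ports and PIDs in the samples are
constructed for illustration.
"""
import subprocess
import time

# Ports a mail client would plausibly use (SMTP, POP3, IMAP and TLS variants).
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}

# Constructed `netstat -ano` snapshot as it might look during the logon screen.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    192.168.1.50:1034      203.0.113.10:993       ESTABLISHED     1188
  TCP    192.168.1.50:1035      198.51.100.7:80        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed tap observations: (seconds since power-on, dst host, dst port).
# The probe service's own beacon (to 192.168.1.10:4444, an invented collector)
# shows up AFTER the suspect IMAPS connection, i.e. the service starts too late.
PROBE_DST = ("192.168.1.10", 4444)
SUSPECT_DST = ("203.0.113.10", 993)
SAMPLE_EVENTS = [
    (0.00, "192.168.1.1", 53),      # DNS lookup of the mail server name
    (0.41, "203.0.113.10", 993),    # the suspect TLS connection
    (2.10, "192.168.1.10", 4444),   # our probe service's beacon
]


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port-or-None); handles '*:*' and [v6]."""
    host, _, port = endpoint.rpartition(":")
    if not host:
        return endpoint, None
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat_ano(text):
    """Parse `netstat -ano` output into dicts with the owning PID."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # headers, blank lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue                      # unexpected layout, skip rather than guess
        fhost, fport = split_endpoint(foreign)
        records.append({"proto": proto, "local": local, "foreign_host": fhost,
                        "foreign_port": fport, "state": state, "pid": int(pid)})
    return records


def connections_to(records, remote_hosts, ports=MAIL_PORTS):
    """Step 2: (pid, host, port, state) for TCP sockets to the mail server."""
    return [(r["pid"], r["foreign_host"], r["foreign_port"], r["state"])
            for r in records
            if r["proto"] == "TCP"
            and r["foreign_host"] in remote_hosts
            and r["foreign_port"] in ports]


def probe_fired_first(events, probe_dst, suspect_dst):
    """Step 1: True if our probe beacon precedes the suspect connection,
    False if it came later, None if the suspect connection never appeared."""
    first_seen = {}
    for ts, host, port in events:
        key = (host, port)
        if key in (probe_dst, suspect_dst) and ts < first_seen.get(key, float("inf")):
            first_seen[key] = ts
    if suspect_dst not in first_seen:
        return None
    return probe_dst in first_seen and first_seen[probe_dst] < first_seen[suspect_dst]


def poll_live(remote_hosts, interval=0.2):
    """Run as an early-start service on the XP host: loop until a socket to the
    mail server appears and return the owning PIDs for tasklist /m or a dump."""
    while True:
        out = subprocess.check_output(["netstat", "-ano"], universal_newlines=True)
        hits = connections_to(parse_netstat_ano(out), remote_hosts)
        if hits:
            return hits
        time.sleep(interval)


if __name__ == "__main__":
    print("owner(s):", connections_to(parse_netstat_ano(SAMPLE_NETSTAT), {SUSPECT_DST[0]}))
    print("probe fired first:", probe_fired_first(SAMPLE_EVENTS, PROBE_DST, SUSPECT_DST))
```

On the constructed sample the owner resolves to PID 1188 and the probe is reported as firing too late, which is exactly the case where Jose says the check has to move earlier than a normal service (a boot-start driver or an earlier service dependency). Once you have the PID, the next step in his list is to compare the image on disk against its Microsoft signature and list the loaded modules for an injected DLL.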
Current thread:
- kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Chip (Aug 02)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Robin Wood (Aug 02)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Chip (Aug 02)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Robin Wood (Aug 02)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Average SecurityGuy (Aug 02)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Joshua Smith (Aug 02)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Jose Selvi (Aug 03)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Chip (Aug 03)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Nicolas Braud-Santoni (Aug 04)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Chip (Aug 04)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Chip (Aug 02)
- Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit? Robin Wood (Aug 02)