Penetration Testing mailing list archives
Re: USB delivered attacks
From: <mak_pen () hotmail com>
Date: 3 Jun 2004 19:38:44 -0000
In-Reply-To: <40BCBB44.7050202 () linuxbox org>

The mere fact that it's USB has nothing to do with the attack itself. What is to blame is that autorun is enabled by default on Windows XP. That is why the attack works. USB makes it convenient to stick the memory stick in any computer and have the user just open the memory stick, and the attack works and no antivirus or anything detects this till now.

In short, USB = convenience, autorun = culprit (so to speak).
Message-ID: <40BCBB44.7050202 () linuxbox org>
Date: Tue, 01 Jun 2004 19:22:12 +0200
From: Gadi Evron <ge () linuxbox org>
To: "Antonio Fontes 'Saphyr'" <saphyr () nxtg net>
Cc: pen-test () securityfocus com
Subject: Re: USB delivered attacks

In order to put some 'practice' on this attack, I've been trying this night to effectively use autorun mechanisms and see what could be possible.

After reading the MSDN specs about autorun.inf file creation, I added an autorun.inf into my USB device along with a little batch script whose purpose was to copy the 'SAM' table and copy of the 'SET' command result into a specific folder on the usb device.

Nothing happens... Even after being sure auto-run is enabled. Something should be missing... are there specific operating systems that disable auto-run by default? (I am using windows 2000)

However, burning the batch + autorun file onto a cd-rom and inserting it into the tray makes the auto-run sequence loading...

So 2-cents question: which os'es do really use USB devices auto-run and on which USB devices does it work? (not a usb hard-disk key it seems)...

USB devices install a driver, nothing to do with autorun.inf that I know of.. You mis-understood. As your test suggested, it does work when using a CD. :)

Gadi.

--
Email: ge () linuxbox org. Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
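An added illustration, not part of any post in this thread: on Windows, which drive types AutoRun fires for is governed by the NoDriveTypeAutoRun policy value, a bitmask in which a set bit disables AutoRun for that drive type. The sketch below audits constructed `reg query` output; the sample values 0x95 and 0x91 are assumed here to be the documented Windows 2000 and Windows XP defaults, and the function names are hypothetical.

```python
import re

# NoDriveTypeAutoRun bits: a SET bit DISABLES AutoRun for that drive type.
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown_future",
}
HARDENED = 0xFF  # AutoRun disabled on every drive type

# Constructed sample input (not captured from a real host).
SAMPLE_W2K = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x95
"""
SAMPLE_XP = SAMPLE_W2K.replace("0x95", "0x91")
SAMPLE_HARDENED = SAMPLE_W2K.replace("0x95", "0xff")
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value."


def parse_reg_query(text):
    """Return the NoDriveTypeAutoRun DWORD from `reg query` output, or None."""
    m = re.search(r"NoDriveTypeAutoRun\s+REG_DWORD\s+0x([0-9a-fA-F]+)", text)
    return int(m.group(1), 16) if m else None


def autorun_enabled_types(value):
    """Drive types on which AutoRun is still allowed for this policy value."""
    return sorted(name for bit, name in DRIVE_BITS.items() if not value & bit)


def audit(text):
    """Summarise one host: policy value, exposed drive types, compliance."""
    value = parse_reg_query(text)
    if value is None:
        # Policy not set: the OS default applies, so treat as non-compliant.
        return {"value": None, "enabled": None, "compliant": False}
    return {
        "value": value,
        "enabled": autorun_enabled_types(value),
        "compliant": value & HARDENED == HARDENED,
    }


if __name__ == "__main__":
    for label, sample in [("w2k", SAMPLE_W2K), ("xp", SAMPLE_XP),
                          ("hardened", SAMPLE_HARDENED), ("missing", SAMPLE_MISSING)]:
        print(label, audit(sample))
```

With 0x95 the removable bit is set while the CD-ROM bit is clear, which matches the test reported above on Windows 2000: nothing from the USB device, AutoRun from the CD.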