Penetration Testing mailing list archives
RE: Evil autorun CD - ideas ? downloadable exploits anywhere ?
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Wed, 2 May 2007 21:28:14 -0400
How about something a little "less intrusive" - just grab ipconfig, netstat, net user, net share and some other simple basic machine info and post it to a waiting website. That would be enough to id the machine, maybe the user, perhaps some other info. For a pen-test, it would be enough to generate a really interesting write-up on people putting unknown CDs in their computer and demonstrate the danger of autorun.

Now, rooting every box that runs the CD...that would be even more interesting...but, if it's part of a pen-test, I'm not sure where the problem would be...a user taking the CD home would definitely be interesting...might be a little tough to keep that in scope. Maybe put a warning label on it not to remove it from the building ;)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Petr.Kazil () eap nl
Sent: Wednesday, May 02, 2007 3:00 PM
To: 'Pen-Testing'
Subject: Evil autorun CD - ideas ? downloadable exploits anywhere ?

On the Internet there is much talk about hacking through "evil USB sticks":
http://www.theregister.co.uk/2007/04/25/usb_malware/

I was inspired by a talk by John Craddock where he told the following anecdote:

- He would bake a stack of CDs and bring them to a conference. The stack would gradually "evaporate" as people took a CD - even though the stack was not marked as "free for taking". When people inserted the CD a tune would be played. Gradually he would start hearing tunes in the neighbourhood as people inserted the CD ...

It would be fun to make a few of these CDs and use them during a pentest. Of course the payload should be more malicious then.

Question: Has anyone tried this before? Did it work?

Greetings, Petr Kazil

I will try to build a CD that will contain a photo viewer and a set of innocent pictures. But it will try to install a keylogger and send the collected data to a temporary server that I will install on the network.

My hope is that if I download C++ keylogger source code, modify it a bit and compile it myself, that I will be able to evade virus checkers. I also might compile and install a network listener backdoor. At the moment I'm not even dreaming about rootkits and encrypted channels to the outside world - that's much too difficult for me. I don't think it will be able to collect password hashes or Active Directory passwords because the script and programs will be running as a normal domain user. But anyway it will be an interesting proof of concept.

I wasn't able to find any exploit details on Google. I just get a lot of articles about the risks of autorun and ways to disable it ...

This idea has one big risk - suppose someone takes the CD home. Then I would be committing a criminal act if I exploited his home computer. The articles about USB-stick pentesting don't mention this risk.

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------

**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
Current thread:
- Evil autorun CD - ideas ? downloadable exploits anywhere ? Petr . Kazil (May 02)
- RE: Evil autorun CD - ideas ? downloadable exploits anywhere ? Shenk, Jerry A (May 02)
- Re: Evil autorun CD - ideas ? downloadable exploits anywhere ? Chris Kuethe (May 02)
- Re: Evil autorun CD - ideas ? downloadable exploits anywhere ? Michael (May 03)
- Re: Evil autorun CD - ideas ? downloadable exploits anywhere ? Joey Boyer (May 04)
- Re: Evil autorun CD - ideas ? downloadable exploits anywhere ? Chris Kuethe (May 02)
- RE: Evil autorun CD - ideas ? downloadable exploits anywhere ? Shenk, Jerry A (May 02)