Home page logo

pen-test logo Penetration Testing mailing list archives

Evil autorun CD - ideas ? downloadable exploits anywhere ?
From: Petr.Kazil () eap nl
Date: Wed, 2 May 2007 20:59:44 +0200

On the Internet there is much talk about hacking through "evil USB sticks" 

I was inspired by a talk by John Craddock where he told the following 
- He would bake a stack of CD's and bring them to a conference. The stack 
would gradually "evaporate" as people took a CD - even though the stack 
was not marked as "free for taking".  When people inserted the CD a tune 
would be played. Gradually he would start hearing tunes in the 
neighbourhood as people inserted the CD ...

It would be fun to make a few of these CD's and use them during a pentest. 
Of course the payload should be more malicious then.

Question: Has anyone tried this before? Did it work?

Greetings, Petr Kazil

I will try to build a CD that will contain a photo viewer and a set of 
innocent pictures. But it will try to install a keylogger and send the 
collected data to a temporary server that I will install on the network.

My hope is that if I download C++ keylogger source code, modify it a bit 
and compile it myself, that I will be able to evade virus checkers. I also 
might compile and install a network listener backdoor. At the moment I'm 
not even dreaming about rootkits and encrypted channels to the outside 
world - that's much too difficult for me.

I don't think it will be able to collect password hashes or Active 
Directory passwords because the script and programs will be running as a 
normal domain user. But anyway it will be an interesting proof of concept.

I wasn't able to find any exploit details on Google. I just get a lot of 
articles about the risks of autorun and ways to disable it ... 

This idea has one big risk - suppose someone takes the CD home. Then I 
would be committing a criminal act if I exploited his home computer. The 
articles about USB-stick pentesting don't mention this risk.

This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]