
Penetration Testing mailing list archives

RE: Evil autorun CD - ideas ? downloadable exploits anywhere ?
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Wed, 2 May 2007 21:28:14 -0400

How about something a little "less intrusive" - just grab ipconfig,
netstat, net user, net share and some other simple basic machine info
and post it to a waiting website.  That would be enough to id the
machine, maybe the user, perhaps some other info.  For a pen-test, it
would be enough to generate a really interesting write-up on people
putting unknown CDs in their computer and demonstrate the danger of
autorun.

Now, rooting every box that runs the CD...that would be even more
interesting...but, if it's part of a pen-test, I'm not sure where the
problem would be...a user taking the CD home would definitely be
interesting...might be a little tough to keep that in scope.  Maybe put
a warning label on it not to remove it from the building;)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Petr.Kazil () eap nl
Sent: Wednesday, May 02, 2007 3:00 PM
To: 'Pen-Testing'
Subject: Evil autorun CD - ideas ? downloadable exploits anywhere ?

On the Internet there is much talk about hacking through "evil USB sticks":
http://www.theregister.co.uk/2007/04/25/usb_malware/

I was inspired by a talk by John Craddock where he told the following
anecdote:
- He would bake a stack of CDs and bring them to a conference. The stack
would gradually "evaporate" as people took a CD - even though the stack
was not marked as "free for taking". When people inserted the CD a tune
would be played. Gradually he would start hearing tunes in the
neighbourhood as people inserted the CD ...

It would be fun to make a few of these CDs and use them during a pentest.
Of course the payload should be more malicious then.

Question: Has anyone tried this before? Did it work?

Greetings, Petr Kazil


I will try to build a CD that will contain a photo viewer and a set of 
innocent pictures. But it will try to install a keylogger and send the 
collected data to a temporary server that I will install on the network.

My hope is that if I download C++ keylogger source code, modify it a bit
and compile it myself, that I will be able to evade virus checkers. I also
might compile and install a network listener backdoor. At the moment I'm
not even dreaming about rootkits and encrypted channels to the outside
world - that's much too difficult for me.

I don't think it will be able to collect password hashes or Active
Directory passwords because the script and programs will be running as a
normal domain user. But anyway it will be an interesting proof of concept.

I wasn't able to find any exploit details on Google. I just get a lot of
articles about the risks of autorun and ways to disable it ...

This idea has one big risk - suppose someone takes the CD home. Then I
would be committing a criminal act if I exploited his home computer. The
articles about USB-stick pentesting don't mention this risk.
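Both messages above turn on the same control: whether Windows will run anything at all when a found CD or USB stick is inserted. Petr notes that most search hits are about "ways to disable it", so the defender's check that belongs next to this thread is an audit of that setting. The script below is an added example, not code from either poster; it assumes Windows PowerShell on a host where the Explorer policy keys exist, and it reads the documented NoDriveTypeAutoRun and HonorAutoRunSetting registry values. A value of 0xFF for NoDriveTypeAutoRun suppresses AutoRun on every drive type, which is the state a write-up like Jerry's would recommend.

```powershell
# Added example (not from the thread): audit whether Windows AutoRun is
# disabled for all drive types, the standard mitigation against "found
# CD/USB" payloads. Assumes Windows PowerShell; the two policy values
# below (NoDriveTypeAutoRun, HonorAutoRunSetting) are documented by Microsoft.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    foreach ($p in $paths) {
        # Missing key or value simply yields $null, which the report shows as "not set".
        $item = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive                = ($p -split ':')[0]
            NoDriveTypeAutoRun  = $item.NoDriveTypeAutoRun
            HonorAutoRunSetting = $item.HonorAutoRunSetting
            # 0xFF = AutoRun suppressed on every drive type (removable, CD-ROM, network, ...)
            AllDrivesDisabled   = ($item.NoDriveTypeAutoRun -eq 0xFF)
        }
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize

# Optional hardening (needs an elevated shell): enforce the machine-wide policy.
# Uncomment to apply; a reboot or Explorer restart picks up the change.
# New-Item -Path $paths[0] -Force | Out-Null
# Set-ItemProperty -Path $paths[0] -Name NoDriveTypeAutoRun  -Type DWord -Value 0xFF
# Set-ItemProperty -Path $paths[0] -Name HonorAutoRunSetting -Type DWord -Value 1
```

Run it as the logged-on user to see both the machine policy (HKLM) and any per-user override (HKCU); the machine policy wins when both are present. The commented hardening lines are deliberately opt-in so the audit can be run read-only on a production host first.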

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------




DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which
they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the
intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the
message. If you have received this communication in error, please notify the sender and delete this e-mail message. The
contents do not represent the opinion of D&E except to the extent that it relates to their official business.



