Thursday, November 26, 2009

USB Hack

There are many USB hacks currently on the web, each with unique abilities and purposes. The idea behind the hack is to make use of the autorun feature that most systems employ. This means that when you plug in your USB stick (one capable of the autorun feature, see U3 supported drives), it can autorun a program or script. So you can be at a coffee shop, turn around to buy some coffee and leave your computer unattended for 1 min, and in that space of time a malicious user can plug his thumb drive into your system for 5 seconds and acquire valuable information, such as passwords and browser history. That's it: 5 seconds and you get pwned.

This project is mostly used on the customizable U3 drives but can be made to work with regular thumb drives, with one difference: it's not fully automatic. When you plug in the drive, you should be prompted with a screen in which a click of the 'Open' button makes your script or executable run. For our demo, we will be using a regular thumb drive to simulate the attack. We are going to use Windows for this.

Files you would need:
[nircmd.exe] : http://www.nirsoft.net/utils/nircmd.zip
[iepv.exe] : http://www.nirsoft.net/utils/iehv.zip
[drive.ico]: Just an icon that I used. Use any icon and rename it to drive.ico

Open up notepad and type the following. Save the file as Autorun.inf:

[AutoRun]
OPEN="nircmd.exe execmd iepv.exe /stext ievh.txt"
ICON=drive.ico
ACTION=Start my application

Copy iepv.exe, nircmd.exe, drive.ico and Autorun.inf to a newly formatted thumb drive. Voila, you are finished. The Autorun.inf causes a prompt to appear when you plug your thumb drive into a Windows system. Nircmd.exe is a useful multi-purpose command-line utility that we use to stealthily execute iepv.exe (to hide the command prompt that may pop up any time you execute a command-line based tool). Iepv.exe is a small utility that does one thing well: dump Internet Explorer's history contents.

To execute the attack (if you haven't figured the rest out already), all you do is plug the USB drive into a Windows system. An autorun popup appears asking you to open the drive. All you do from here onwards is click Open, then iepv.exe does its job in the background. Within 5 seconds you should be able to unplug the drive and take it away with you. When you open your drive there will be a text file, iehv.txt, stored on the thumb drive with a listing of the browsing history of your target. This method can be extended by the use of scripts and other executables. I'll leave some examples of this stuff in the resources section.
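
From the defender's side, an added example that is not part of the original post: a Python script that parses an Autorun.inf like the one above and flags the entries that make Windows launch a program from the drive. The function names and severity labels are assumptions made for this example; the sample input is the Autorun.inf text from this post.

```python
import re

# Keys in [autorun] that make Windows launch something from the drive.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.I)

def parse_autorun(text):
    """Return {key: value} for the [autorun] section (keys lowercased)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries

def audit_autorun(text):
    """Return a list of (severity, message) findings for an autorun.inf body."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            findings.append(("high", f"{key} launches: {value}"))
    # A custom ACTION string only matters when it labels a launch entry.
    if "action" in entries and findings:
        findings.append(
            ("medium", f"custom AutoPlay prompt text: {entries['action']}"))
    return findings

# Sample input: the Autorun.inf shown in the post (hypothetical variable name).
SAMPLE = """[AutoRun]
OPEN="nircmd.exe execmd iepv.exe /stext ievh.txt"
ICON=drive.ico
ACTION=Start my application
"""

if __name__ == "__main__":
    for severity, message in audit_autorun(SAMPLE):
        print(f"[{severity}] {message}")
```

Setting the NoDriveTypeAutoRun policy value to 0xFF disables AutoRun for all drive types, so Windows no longer acts on the launch entries this script flags.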

Resources/Good reading:
http://www.nirsoft.net
http://www.usbhacks.com/
http://wiki.hak5.org/wiki/USB_Switchblade
http://portableapps.com/node/5221
