Saturday, May 23, 2009

Social Engineering meets Offensive technologies: using USB U3 flash drive with meterpreter payload

I was recently involved in a Social Engineering experiment whose goal was to obtain access to a PC inside the organization. I am not going to cover the social engineering aspect of the job in this post. I want to concentrate on another, technical, aspect: how a few seconds of physical proximity to the hardware got me the data I needed.

I have been reading elsewhere about how Social Engineers leverage client-side exploitation, which involves either a browser exploit, email attachments, or USB devices left with the "secretary". During the engagement I had an opportunity to coerce the receptionist into printing out my "resume" on her machine. So I thought it might be the perfect time to try the "USB" way. Until that day I had never messed around with the U3 system or created my own custom payload for that specific purpose. This was a perfect opportunity to have fun.

There are several viable approaches and pre-made USB payload distributions serving this purpose: HackSaw, SwitchBlade, and others. Read more here:
http://dotnetwizard.net/soft-apps/hack-u3-usb-smart-drive-to-become-ultimate-hack-tool/ and here: http://wiki.hak5.org/wiki/USB_Switchblade

I decided to go with a customized version of Switchblade. I ripped out what I did not need for the compromise of the targeted computer, created a U3CUSTOM image and overlaid the contents of my Walmart-bought $10 U3 SanDisk 1GB Cruzer drive.

The goal was to show up the next morning, attempt to hand the drive with my "resume" to the secretary (a very nice and honest woman, btw), and have her print it out. I chose not to rely on Microsoft Word macros because I had some knowledge of the company's policy preventing such elevation. I also knew that the company ran an updated Antivirus, so the solution needed to be stealthy. I was not sure which AV it was, though, so I had to be careful to avoid detection of the payload on my USB as best I could. I also had to provision for a connection back to her PC.

I needed to know the IP and all other relevant information, and only had about 20-30 seconds of "hit-and-run" while she opened the document and handed me the printed copy.

Prep Steps taken:
1. Remaster the U3 image to include Alex Sotirov's metsvc: http://www.phreedom.org/software/metsvc/. Modify the source and recompile it with the MinGW compiler to improve the chances of AV evasion. Something like this:

C:\metsvc-1.0\metsvc-1.0\src>c:\MinGW\bin\gcc.exe -O4 -o metsvc.exe metsvc.cpp -l ws2_32 -l advapi32


This executable had given me trouble before when I tried several packers (UPX, ASPack and MPRESS), with varying degrees of success against VirusTotal. I finally decided not to pack at all and to go with heavy optimization at compile time and a hex editor to polish the result.

I would have loved to use msfpayload for obfuscation, but I had no Linux box at my disposal, and I could not find this executable in the Win32 MSF Framework distribution.

2. UPX-pack the other useful executables that fetch the history and passwords from her PC (in case my remote session connection fails and I need to log in to the PC directly).

3. Once the drive is inserted into a USB slot, U3 silently runs my chain of commands. I had to test that the whole operation completes within 20 seconds. I added several more tweaks (like enabling firewall exceptions for the meterpreter service via netsh commands) as extra checks.

4. Remove the drive, with the collected information saved in its logs, and go from there...
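From the defender's side of step 3, here is an added example (not code from the original post) that scans process-creation audit lines for the traces this kind of U3 run leaves behind: executables or scripts launched from a removable drive, and firewall exceptions added via netsh that point at a program on that drive. The log format, the set of removable drive letters and the sample lines are constructed assumptions.

```python
import re

# Drive letters treated as removable here (assumption; a real deployment would
# take this from the host's volume enumeration).
REMOVABLE_DRIVES = {"E", "F"}

# Constructed process-creation audit lines, not taken from the original post.
SAMPLE_LOG = """\
2009-05-24 09:12:01 host=RECEPTION-PC user=jane image=C:\\Windows\\system32\\cmd.exe cmdline="cmd.exe /c E:\\System\\go.cmd"
2009-05-24 09:12:03 host=RECEPTION-PC user=jane image=C:\\Windows\\system32\\netsh.exe cmdline="netsh firewall add allowedprogram E:\\System\\metsvc.exe metsvc ENABLE"
2009-05-24 09:12:04 host=RECEPTION-PC user=jane image=C:\\Windows\\system32\\netsh.exe cmdline="netsh firewall add portopening TCP 31337 metsvc"
2009-05-24 09:12:05 host=RECEPTION-PC user=jane image=E:\\System\\metsvc.exe cmdline="E:\\System\\metsvc.exe install-service"
2009-05-24 09:30:10 host=RECEPTION-PC user=jane image=C:\\Program Files\\Office\\winword.exe cmdline="winword.exe E:\\resume.doc"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) '
                     r'image=(?P<image>.+?) cmdline="(?P<cmd>.*)"$')
# Any Windows path such as E:\System\metsvc.exe; group 1 is the drive letter.
PATH_RE = re.compile(r'\b([A-Za-z]):\\[^\s"]+')
# XP-era netsh syntax that adds a firewall exception (program, port or service).
NETSH_FW_RE = re.compile(r'\bnetsh\b.*\bfirewall\b.*\b(add|set)\s+'
                         r'(allowedprogram|portopening|service)\b', re.IGNORECASE)
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

def removable_paths(text):
    """Return every path in text whose drive letter is a removable drive."""
    return [m.group(0) for m in PATH_RE.finditer(text)
            if m.group(1).upper() in REMOVABLE_DRIVES]

def scan(log_text):
    """Return one finding per suspicious log line, with the reasons it matched."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not fit the audit format
        image, cmd = m["image"], m["cmd"]
        reasons = []
        if removable_paths(image):
            reasons.append("executable launched from removable media")
        if image.rsplit("\\", 1)[-1].lower() in INTERPRETERS and removable_paths(cmd):
            reasons.append("interpreter running a script from removable media")
        if NETSH_FW_RE.search(cmd):
            reasons.append("firewall exception added via netsh")
            if removable_paths(cmd):
                reasons.append("exception points at a removable-media program")
        if reasons:
            findings.append({"ts": m["ts"], "user": m["user"],
                             "image": image, "cmd": cmd, "reasons": reasons})
    return findings
```

Running `scan(SAMPLE_LOG)` flags the first four lines and leaves the Word print job alone; the netsh line that whitelists a program on the removable drive carries two reasons, which is the pairing worth alerting on.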

Show time

Everything went better than I expected from the AV evasion perspective. No popups or error messages. I even got the Wireless Key hash via WIFIKE from NirSoft. The logs showed that the meterpreter service did start up, and I eventually found a way to verify that :)


So I was happy: I now have, more or less, another methodology I can use to help others realize the risks of Social Engineering meeting exploitation technology.
