Drive-By Hacking: How to Root a Windows Box by Walking Past It
Social engineering is often described as the clever manipulation of the natural human tendency to trust. All of the passwords, locks, and encryption in the world are useless against a good social engineer who can charm or trick you into handing them over.
What started as a clever ploy on the telephone has grown into a sophisticated array of digital tactics designed to get a target to turn over what they value most. While hacking and cracking will always have a place in information security, new attack vectors are opening up, and you would be hard pressed not to take advantage of them.
In this article, you'll get a walkthrough of SET (the Social-Engineer Toolkit), a menu-driven set of Python scripts that uses the Metasploit Framework to craft and deliver payloads, covering everything from cloning sites that phish passwords to walk-by rooting. Interested? You should be! I am going to show you how to create a CD/DVD/USB drive that, when inserted into a Windows computer that still honors AutoRun, roots it and opens a shell back to YOUR remote computer.
Subversion is a version control system maintained by the Apache Software Foundation. Many pentesting tools rely on Subversion for packaging and distribution, so it is a key piece of software to have. You can download it from the Apache Subversion site, or on a Debian/Ubuntu system, you can:
$ sudo apt-get install subversion
Now create a folder in your /home directory and change into it; we will use Subversion to download the packages we need there. Use su or sudo to bring up a root prompt and start by downloading the Metasploit Framework with:
# svn co https://www.metasploit.com/svn/framework3/trunk/
And we might as well grab SET while we are at it:
# svn co http://svn.secmaniac.com/social_engineering_toolkit set/
SET is an incredibly powerful framework, and I consider it to be in the top five needed tools. Let's go ahead and navigate to the directory SVN downloaded and start SET with:
$ sudo ./set
If you did not notice, SET must be run with root privileges. You should now be looking at the welcome menu.
Options 4-6 are rather self-explanatory, so we'll skip over those and dig right into the good stuff: the attack vectors. SET is unusual among pentesting tools in that it is menu-driven rather than command-line. This makes it very easy for new users to pick up and play around with.
Go ahead and enter '1' to bring up the 'Social-Engineering Attacks' menu. Here is where we will start having fun.
Your options range from attacking APs to abusing QR codes and everything in between. The idea behind all the vectors in the toolkit is that they rely on abusing the trust of the target, from getting them to enter their credentials on your fake Facebook page to hijacking their system with a USB drive. Sometimes the best way to enter a building is to simply ignore the door.
Let's walk through one of my personal favorites, the Infectious Media Generator.
Autorun. Just the mention of this should make every security professional cringe. This is one of the very first things I disable on a server and in this lesson, I will explain why.
Windows (and some Linux desktops, if configured that way) will scan newly inserted media and act on an autorun.inf file that tells it which program to launch. Simply by plugging in the device or placing the CD in the drive, anyone with physical access can make the OS run code. Using Metasploit to craft a custom binary, SET builds an executable that, when AutoRun launches it, runs its payload in that process's memory and opens a remote shell back to your computer, where a listener is waiting for it. From libraries to your girlfriend's laptop, the uses for this are endless. I am sure you are excited to see how this works, so let's get right to it. It's easier than you think!
The payload options are extensive and might not all make sense to you right away. Don't worry; for now we are going to use the Windows Shell Reverse_TCP payload. Note that no software vulnerability is being exploited here: AutoRun simply launches Program.exe, the payload runs inside that process, and it connects back to your listener and hands you a command shell.
Here is where we try to hide our payload from antivirus. As before, SET lists your options and how likely each is to pass undetected. Truth be told, you can almost always choose the recommended backdoored executable here; the only time you would change it is if you had a specific reason to use another encoding. Keep in mind that encoding changes the bytes on disk, not the behaviour, so heuristic or behavioural AV can still catch it. We will select '16':
SET will ask what port you want the listener to run on. Port 443 is the default, and in this example I simply hit Enter to use it. As the dialog says, there will be two files in the 'autorun' folder under your SET directory. Program.exe is the backdoored file containing the Metasploit payload, and autorun.inf is the file that tells Windows, if AutoRun is enabled, to start Program.exe.
Now you are ready. SET has gone to the background and Metasploit has taken over. The listener is waiting for a connection from Program.exe, and all that's left is to copy those two files to your removable media and start rooting! As soon as you plug it in (if it works), you should be greeted with a shell that looks something like this:
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2010 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>
That's it! You now have a command shell on that computer, running with whatever privileges the logged-in user had (here, Administrator), and can do as you please!
- You can use Program.exe on its own if you can get to the computer and run it yourself. The autorun.inf is only there so you may plug the media in as you walk by. Also keep in mind that AutoRun needs to be enabled on the machine.
- Be careful. Unauthorized access to a computer or network is a crime in most jurisdictions. This should be used for authorized testing only.
- There is no software vulnerability here for Microsoft to patch: AutoRun launching a program from inserted media is Windows working as designed, and the payload carried by Program.exe runs in memory inside that process rather than being written to the target's disk. The only issues you might run into would be:
- Getting physical access to the box.
- AutoRun has to be enabled (otherwise you have to launch the .exe manually, as pointed out above). Windows 7 ignores autorun.inf on USB drives out of the box, and Microsoft pushed the same restriction to XP and Vista through Windows Update in early 2011, so on a machine with that update only CD/DVD media still honor it.
- Antivirus needs to not flag it. This is the one that causes people the most trouble; AVG tends to be the best at catching it.
I was able to perform this exploit on a fully patched Windows XP machine last week (as of this writing).
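To make the AutoRun mechanics above concrete (what the autorun.inf actually tells Windows, and when the "AutoRun has to be enabled" caveat bites), here is an added example in Python. It is not code from this article, from SET or from Metasploit. The sample autorun.inf is constructed to resemble the one SET drops beside Program.exe, since the page does not show the real file; the hardening check follows the documented meaning of Explorer's NoDriveTypeAutoRun value, and the optical_only flag is my own name for the Windows 7 / 2011-update behaviour that limits autorun.inf to CD/DVD media.

```python
"""Model of what Windows AutoRun would do with an autorun.inf like the one
SET drops beside Program.exe.

Added example for this article; not code from the page, SET or Metasploit.
The sample INF is constructed, and the hardening logic follows the documented
meaning of the NoDriveTypeAutoRun registry value.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# GetDriveType() values. NoDriveTypeAutoRun (HKLM or HKCU, under
# ...\Policies\Explorer) turns AutoRun off for drive type T when bit (1 << T) is set.
DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED = 0, 1, 2, 3
DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK = 4, 5, 6
DEFAULT_NO_DRIVE_TYPE_AUTORUN = 0x91   # Windows default: unknown, remote, reserved bit
DISABLE_ALL_AUTORUN = 0xFF             # the value to set when hardening a host

LAUNCH_KEYS = ("open", "shellexecute")  # directives AutoRun actually executes

# Constructed to resemble what SET writes; the article only says the file tells
# Windows to start Program.exe. The action= line mimics the built-in
# "Open folder to view files" entry so a user picks it without thinking.
SET_STYLE_INF = """\
[autorun]
open=Program.exe
icon=Program.exe
action=Open folder to view files
"""


@dataclass
class AutorunInfo:
    launches: Dict[str, str] = field(default_factory=dict)  # open= / shellexecute=
    verbs: Dict[str, str] = field(default_factory=dict)     # shell\<verb>\command=
    cosmetic: Dict[str, str] = field(default_factory=dict)  # icon=, label=, action=, shell=


def parse_autorun_inf(text: str) -> AutorunInfo:
    """Read the first [autorun] section the way Windows does: keys are
    case-insensitive, lines starting with ';' are comments, and any section
    after the autorun one is ignored."""
    info = AutorunInfo()
    in_section = seen_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            if seen_section:
                break                       # only the first [autorun] counts
            in_section = seen_section = header.group(1).strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS:
            info.launches[key] = value
        elif key.startswith("shell\\") and key.endswith("\\command"):
            info.verbs[key.split("\\")[1]] = value
        else:
            info.cosmetic[key] = value
    return info


def autorun_disabled_for(no_drive_type_autorun: int, drive_type: int) -> bool:
    """True when the registry bitmask disables AutoRun for this drive type."""
    return bool(no_drive_type_autorun & (1 << drive_type))


def autorun_command(info: AutorunInfo, drive_type: int,
                    no_drive_type_autorun: int = DEFAULT_NO_DRIVE_TYPE_AUTORUN,
                    optical_only: bool = True) -> Optional[str]:
    """The command AutoRun would launch (or offer through AutoPlay), or None.

    optical_only=True models Windows 7 and XP/Vista with Microsoft's 2011
    AutoRun update, which honour autorun.inf only on CD/DVD media; the USB
    walk-by in the article needs optical_only=False or a CD/DVD.
    """
    if autorun_disabled_for(no_drive_type_autorun, drive_type):
        return None
    if optical_only and drive_type != DRIVE_CDROM:
        return None
    return info.launches.get("open") or info.launches.get("shellexecute")


def launch_targets(info: AutorunInfo) -> Dict[str, str]:
    """Everything on the media that could execute: AutoRun directives plus
    context-menu verbs, which run on a double-click even where AutoRun is off.
    Useful when triaging a drive someone found in the car park."""
    targets = dict(info.launches)
    targets.update({"verb:" + verb: cmd for verb, cmd in info.verbs.items()})
    return targets


if __name__ == "__main__":
    inf = parse_autorun_inf(SET_STYLE_INF)
    for label, dtype in (("USB stick", DRIVE_REMOVABLE), ("CD/DVD", DRIVE_CDROM)):
        for patched in (False, True):
            print(label, "optical_only=%s ->" % patched,
                  autorun_command(inf, dtype, optical_only=patched))
    print("hardened host:", autorun_command(inf, DRIVE_CDROM, DISABLE_ALL_AUTORUN))
    print("launch targets:", launch_targets(inf))
```

Run it as-is to see the four combinations: the USB walk-by only fires with optical_only=False, a CD/DVD fires unless NoDriveTypeAutoRun covers DRIVE_CDROM, and 0xFF stops both. Point parse_autorun_inf at a real autorun.inf from seized media and launch_targets gives you every binary it could start, including context-menu verbs that survive an AutoRun-disabled policy.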