Autorun Bypass

“Cash machines raided with infected USB sticks” (BBC News).

I guess I’ve never focused long enough on an ATM machine to even consider USB ports. Just seems like a silly thing to put on one. They are hidden but we see how well that prevented hackers from cutting holes in the machine coverings. It took some time to finally catch these thieves despite them targeting the same machine several times… why? There are surveillance cameras. I guess it’s not suspicious to have a person attend to an ATM machine over the course of time it takes to cut a hole in the machine, upload malware from a USB and then patch the hole up again. Oh and in addition, the intruder needed to phone the head honcho in order to validate varying sequence controls. The gang had their own system of checks and balances. Back to the point, to me, anything longer than 2-3 minutes at an ATM is suspicious but I’m really not that patient.

I wonder how the thieves tested the malware they used to infect the ATM. Their software brought up a secret interface on the machine listing all forms of stored currency. The mastermind must have had quite the knowledge of ATMs. When I code up something, I have to test it like crazy in the environment. I guess if he discovered USB access, he could easily use an I/O device to enumerate the environment.

Disclaimer: Just because I discuss such matters does not mean I endorse or participate in such activity. It is important to understand weaknesses in order to know how to secure a device.

This got me thinking… what options are there to enumerate a system through I/O? There are a lot of options. I guess it would be easy to get a USB and set a malicious script to automatically run on startup. To do this, create an autorun.inf script:

[AutoRun]
SHELLEXECUTE=<EXE TO RUN>

The problem with this: since Windows 7, Microsoft has automatically disabled autorun for USB devices… dang it.

No worries, introducing the Teensy!

Teensy, $20 on Adafruit

This fun device emulates a keyboard or mouse I/O device, which bypasses normal USB restrictions, and it is compatible with most platforms including Windows, OS X and Linux. Metasploit even includes payload creation for the device. A good tutorial on how to accomplish this can be found here.

Metasploit

The tutorial shows how to open a line of communication, or Meterpreter session, between a listening device and the Teensy victim. Ownage! With this available, someone could pull down environmental variables such as:

  • OS version – sysinfo
  • User accounts – getuid
  • Hashes – hashdump
  • Network info – ipconfig
  • Running processes – ps
  • For extra fun, you can access and take a picture from the webcam with webcam_list and webcam_snap
  • Cover your tracks by clearing out the logs – clearev

With this information, one could enumerate the environment enough to understand its weaknesses and what further scripts/tools/steps can be used to hack the device.

End lesson: be aware of USB devices and easy port access. Have some legal fun!
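On the defensive side, disabling autorun does nothing against a device that presents itself as a keyboard, but such a device tends to type far faster than a person and to start right after it is plugged in. The following is an added example, not code from the original post: a timing heuristic over keyboard events, where the event format, device names and thresholds are all assumptions and the sample data is constructed.

```python
from statistics import median

# Assumed thresholds, to be tuned per environment (not from the original post).
MIN_HUMAN_GAP_S = 0.030  # sustained gaps under 30 ms between keys are not human typing
MIN_BURST_KEYS = 10      # need this many keystrokes before judging a device
ATTACH_GRACE_S = 3.0     # typing this soon after plug-in is an extra signal

def score_keyboards(events):
    """events: (timestamp_s, device_id, kind, key) tuples, kind is 'attach' or 'key'.
    Returns {device_id: finding} for devices whose typing looks machine-generated.
    Legitimate fast HID devices (e.g. barcode scanners) need an allowlist on top."""
    attached, keys = {}, {}
    for ts, dev, kind, _key in sorted(events, key=lambda e: e[0]):
        if kind == "attach":
            attached[dev] = ts
            keys[dev] = []          # only judge keystrokes seen since this attach
        elif kind == "key":
            keys.setdefault(dev, []).append(ts)

    findings = {}
    for dev, stamps in keys.items():
        if len(stamps) < MIN_BURST_KEYS:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)          # median resists a few long pauses in a script
        if med >= MIN_HUMAN_GAP_S:
            continue
        delay = stamps[0] - attached[dev] if dev in attached else None
        findings[dev] = {
            "keys": len(stamps),
            "median_gap_s": round(med, 4),
            "typed_right_after_attach": delay is not None and delay <= ATTACH_GRACE_S,
        }
    return findings

def sample_events():
    """Constructed data: a built-in keyboard typed by a person, and a USB
    keyboard that attaches at t=100 s and starts typing 1.2 s later."""
    ev = [(10.0 + i * 0.18, "kbd-internal", "key", "x") for i in range(20)]
    ev.append((100.0, "usb-1-2", "attach", None))
    ev += [(101.2 + i * 0.005, "usb-1-2", "key", "x") for i in range(40)]
    return ev

if __name__ == "__main__":
    for dev, finding in score_keyboards(sample_events()).items():
        print("suspicious keyboard:", dev, finding)
```

In practice the events would come from the operating system's input and device-attach logs; a flagged device is a prompt to check what was plugged in and when.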
