So the other day I decided to play around and see what it would take to gain control over a machine without administrative privileges. So this is what I did. I found a reverse connect-back shell for Windows on the Government Security page. Symantec does not detect it. I was going to code my own, but I got lucky and found this one first. So then I wrote some batch files and Visual Basic scripts that would save themselves and the revshell into the user directory and user startup directory. These areas are all writable with non-admin privs. The VBS script in the startup directory will start up the revshell each time the user logs in. On a remote server I have netcat listening for a connection from my revshell. I then used my U3 drive and gonzor's Switchblade to load the revshell and batch files onto the machine. So in the end all I have to do is plug my jump drive into a Windows machine and I have instant control. If the user was running under a non-administrative account, I can then use exploits to elevate my privs on the machine. If the user was running an admin account, then I have an instant administrative account on the machine. I chose to do it this way to keep antivirus from detecting the attack and to keep a non-administrative user from stopping the attack.
Attack Mitigation:
Run a firewall like ZoneAlarm
Disable Windows AutoRun
Be cautious of what media you put into your machine
Be cautious of what you run
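The two mitigations that can be enforced on the machine itself, disabling AutoRun and checking the per-user Startup folder the post abuses, as an added PowerShell example that is not part of the original post. It assumes an elevated session for the HKLM write and a current Windows build with the NetTCPIP module (Get-NetTCPConnection); the Startup-folder audit runs without elevation.

```powershell
# Added defensive example (not code from the original post).
# Assumes: elevated PowerShell for the HKLM write; Get-NetTCPConnection
# available (Windows 8 / Server 2012 and later).

# 1. Disable AutoRun/AutoPlay for every drive type. NoDriveTypeAutoRun is the
#    documented Explorer policy value; 0xFF sets the bit for all drive types,
#    so a U3 or other removable device cannot auto-launch its payload.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyPath)) {
    New-Item -Path $policyPath -Force | Out-Null
}
Set-ItemProperty -Path $policyPath -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# 2. Audit the per-user Startup folder. It is writable without admin rights,
#    which is exactly why the post drops a VBS launcher there to restart the
#    shell at every logon. List script and executable entries for review.
$startup = [Environment]::GetFolderPath('Startup')
$entries = Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(vbs|vbe|bat|cmd|js|wsf|exe|lnk)$' }

if ($entries) {
    "Startup entries in $startup :"
    foreach ($item in $entries) {
        # Name, size and last-write time give a reviewer enough to decide
        # whether the entry is expected before removing anything.
        '  {0,-40} {1,8} bytes  modified {2:u}' -f $item.Name, $item.Length, $item.LastWriteTime
    }
} else {
    "No script or executable entries in $startup"
}

# 3. List established outbound TCP sessions with their owning process. A
#    reverse shell appears here as a long-lived connection from an unfamiliar
#    process to an external listener, which is what to look for.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '  {0,-20} {1}:{2} -> {3}:{4}' -f ($proc.Name), $_.LocalAddress, $_.LocalPort,
            $_.RemoteAddress, $_.RemotePort
    }
```

The registry change takes effect for Explorer on next logon; the audit output is meant for manual review, not automatic deletion.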
Monday, December 8, 2008