Skip to main content

USB Autorun

I lost my notes on this, so this is from memory mostly, except for the actual ini that I made and recovered from one of my USBs.

To get anything (example below is winmine.exe) to automatically run on a Thumb drive, Autorun has to be enabled on the host Windows system.  The file will, in fact, run, if there are no media files in four or less directories deep.  If there are, Windows will pop up a dialog asking you what you want to do (ie, run the ini or play the wav file).  So you can put the autorun.ini in the home directory, and tell it to point to a file several folders deep for an executable, or just leave the file extension off of the executable in the root directory.  The file can even be a hidden file for a hint of stealth.  So, a CONOP for a PENTEST would be to laden a thumb drive with MP3s, more than 5 folders deep, and put only the autorun in the root folder.  Then it could be made read-only, so it could not be edited/deleted, and reference a payload several folders deep, which is hidden.  

Here is an example:

autorun.inf contained:

label=WinMine Game
action=Play Winmine From Thumb


;; note, can't have known file extension in kernel
;; attrib +R (read only), -S (system file), -H (Hidden) -A (archive)
- strip off .ico from icon, or else it will be recognized as media and a window will pop up
- Results may vary with VMWare.
- autoPlay is just for CDs.  AutoRun is expanded to other devices.
- AutoPlay is necessary for U3 drives, but NOT for normal thumb drives

here are some of my paper notes for possible extensions of the above:
open=Menu open
action=Windows Explorer
action= Browse files on the drive using Windows explorer to find... this text will wrap off screen, and can be followed by an action

check out this 
Microsoft's site for further details

some useful actions can be the following: 
;; where xxx.exe = exploit
to disable autorun, look for "@SYSoesNotExist" in the registry.   Also check out my Disabling Windows Autorun blog for more details.   


Popular posts from this blog

ADS-B plotting with Kali (and other SDR goodies)

Recently I wanted to try some Software Defined Radio stuff.   
I had a RTL-SDR, FM+DAB, DVB-T USB Stick Set with RTL2832U & R820T. that I got from:
But, even though this dongle would break out FM radio stations, and ATC frequencies (like the local Ground Control, tower, and even ATIS), which was cool, it wouldn't break out ADS-B.   
Thus, I bought a Vantech Green Mini RTL2832U R820T DVB-T SDR DAB FM USB DIGITAL TV Tuner Receiver RTL-SDR Project + DAB dongle Tuner MCX Input from Amazon, and tried this.  
This dongle was able to listen to the 1090MHz frequency required for ADS-B (as it goes from 25MHz to 1700MHz).  There were tons of Windows programs out there for breaking out and plotting ADS-B Mode S broadcasts, but not many for Linux.  
For Kali Linux, here's how I got it running and plotting planes around my home:
0) before you start, you should do an apt-get update to ensure you hav…

Beaglebone Black as a Wireless Intrusion Detection System (WIDS)

Recently I have been wanting a wireless IDS (WIDS) to detect nefarious wifi activity.  I also had a Beaglebone Black hanging around that I wanted to put to good use.   This seemed like a perfect match, and indeed it seems to be so!

I did some research on WIDSs, and although there is SUPPOSED to be several out there, nearly all that I seemed to find was commercial and Windows-based products, not something I could use myself.   
About the only exception to that rule was Kismet, so I decided to give that a try.  Kismet is supposed to work as a WIDS, and per its documentation should catch the following attacks:
Kismet supports the following alerts, where applicable the WVE (Wireless Vulnerability and Exploits, ID is included: AIRJACKSSID Fingerprint Deprecated The original 802.11 hacking tools, Airjack, set the initial SSID to 'airjack' when starting up. This alert is no longer relevant as the Airjac…

Temper Temperature monitor on a Beaglebone Black

Beaglebone Black as a temperature monitor:

Recently I wanted to monitor the temperature of my shed.  I thought I'd use a small computer such as a Raspberry Pi or a Beaglebone or Odroid.

My Raspberry Pi boxes were all in use, so I grabbed my Beaglebone, which was doing nothing.

I flashed it with the Debian9.32018-03-054GB SDIoTimage, but that seemed like it was running lots of bloatware and the ethernet interface wouldn't take a static IP with /etc/network/interfaces.

So I went with the Debian9.32018-01-284GB SDLXQTi image instead.  I still had the same problem, that lots of junk was running, and I couldn't configure my interface by modifying /etc/network/interfaces

So my first step was to get rid of all the bloatware.  If you're using a Raspberry Pi or something, you can skip this and just go to the second step below

STEP 1--Remove Blotatware from Beaglebone Black:

With some searching, I came across this post:…