Poison Apples: Physical Media Social Engineering
DEFCON 19, 2011
David Martinez, A+ / Network+
Don’t talk to strangers…
• Social Engineering normally consists of anything from simply asking for info to dumpster diving.
• Goal is to gain information/access by false means.
• Most companies train against it.
• People are more concerned with privacy and security than before.
…unless they have candy.
• Physical Media Social Engineering (PMSE) involves using CDs, USB drives, etc. to access information and possibly gain entry to a target network or system.
What is it exactly?
• “Loaded” media that contains some sort of info the target would be interested in, but also contains malicious scripts and programs.
• Acts as a physical Trojan, dropping the payload onto the client system.
• Open possibilities for distribution. Anything from a single USB drive with music for friends to a corporate “Training” CD-ROM is fair game.
• Can be customized to the target system.
• Little to no initial contact with the target.
Think Snow White (diagram labels: Physical Media; Innocent, but naïve target; Evil h4x0r)
Snow White gets pwnt
How is this Social Engineering?
• Plays on the curiosity of the target.
• Can be used as an additional attack vector to go with common SE attacks.
• Uses many of the same techniques, without actually interfacing with the target.
How can it be used?
• PMSE is very modular, which lends itself to an attack of any size, with almost any media you can imagine.
• 3 main distribution schemes:
  • Single Target
  • Targeted Demographic
  • Corporation/Workplace
• Anything is possible, however…
Single Target PMSE
• Most effective in targeting a weak link in a company’s hierarchy.
• Benefits most from prior knowledge of the target system and environment.
• Only one shot to get it right in most cases.
• Higher probability of detection.
• Less anonymity.
• Higher chance of direct contact.
Targeted Demographic PMSE
• Target is a certain demographic in general, not a specific person or institution.
• Most similar to p2p-based Trojans.
• Effectiveness depends on the demographic being targeted.
• Allows for the most creativity in distribution of media.
• Provides the best anonymity.
• Lowest probability of direct contact with the target.
Corporate/Institution PMSE
• Similar to Targeted Demographic, but the only shared variable is the institution the victims work for or attend.
• Prior knowledge of infrastructure, hierarchy, and workstations is helpful.
• Corporate offices, schools, and medical facilities are all vulnerable if done correctly.
• Risk of detection via corporate security policies, both physical and electronic.
PMSE Attack Demos
All that is needed is:
• Physical media
• Cover story
• Malicious code
• Some coding knowledge (Batch is sufficient)
• Interesting, but believable, media
• Distribution method
• Common sense
Basic SE Attack
Physical Media SE Attack
Testing
• Spread 100 infected CDs in my local area.
• Target was a male crowd, from teen to college.
• Men’s bathrooms, locker rooms, outside gyms, etc.
• Used Meterpreter service reverse TCP payload exe, encoded with shikata_ga_nai, and bound to a JPG file.
• Set JPG to auto-run to force infection.
The bait…
…the catch
Out of 100 CDs distributed:
• 53 were a hit and provided a Meterpreter shell.
• Was able to access an admin account on 37 machines.
• 36 of the infected machines were XP, with no active AV/firewall software.
• Meterpreter service was removed upon logging data; no changes were made to target machines.
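The test above worked because the dropped CDs carried an autorun.inf and the XP targets still honoured it. As an added defender-side example (not code from the talk or from Down South Hacking), the Python below parses the [autorun] section of an autorun.inf, reports every directive that would make an AutoRun-enabled Windows host launch a file, flags the "bound to a JPG" double-extension disguise, and decodes the NoDriveTypeAutoRun policy bitmask that disables AutoRun per drive type. The sample autorun.inf contents and file names are constructed for illustration; the function names (parse_autorun, assess_autorun, autorun_blocked) are this example's own.

```python
"""Defender-side check for autorun.inf on removable/optical media.

Added example, not code from the talk: parses the [autorun] section of an
autorun.inf and reports every directive that would make an AutoRun-enabled
Windows host launch a file, flagging disguised double-extension names such as
"photos.jpg.exe". The sample autorun.inf below is constructed for illustration.
"""
import re

# Directives that AutoRun honours to open/execute a file from the media.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta", ".msi")
# Extensions a user expects to be harmless data; an executable extension
# after one of these is the classic "bound to a JPG" disguise.
DATA_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt", ".mp3")

# NoDriveTypeAutoRun bitmask (HKLM\...\Policies\Explorer): bit n disables
# AutoRun for drive type n as returned by GetDriveType; 0xFF disables all.
DRIVE_REMOVABLE, DRIVE_CDROM = 2, 5


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lowercased."""
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_target(command):
    """First token of a command line, with surrounding quotes stripped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_disguised(name):
    """True for names like photos.jpg.exe: a data extension hiding an executable one."""
    lower = name.lower()
    if not lower.endswith(EXEC_EXTS):
        return False
    stem = lower.rsplit(".", 1)[0]
    return stem.endswith(DATA_EXTS)


def assess_autorun(text):
    """List every launching directive as a dict: key, target, severity, disguised."""
    findings = []
    for key, value in parse_autorun(text):
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            target = launch_target(value)
            executable = target.lower().endswith(EXEC_EXTS)
            findings.append({
                "key": key,
                "target": target,
                "severity": "high" if executable else "medium",
                "disguised": is_disguised(target),
            })
    return findings


def autorun_blocked(no_drive_type_autorun, drive_type):
    """True if this NoDriveTypeAutoRun value disables AutoRun for drive_type."""
    return bool(no_drive_type_autorun & (1 << drive_type))


# Constructed sample: a "photo CD" whose autorun.inf launches a disguised exe.
SAMPLE_AUTORUN_INF = """\
[autorun]
label=Spring Break 2011
icon=pics.ico
action=View photos
open=photos.jpg.exe
shell\\view\\command=viewer.exe /fullscreen
shell=view
"""

# Constructed sample with no launching directive at all.
BENIGN_AUTORUN_INF = """\
[autorun]
label=Backup 2011-06
icon=backup.ico
"""

if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN_INF):
        print(finding)
    # 0x95 leaves bit 5 clear, so CD-ROM AutoRun stays enabled; 0xFF blocks it.
    print("CD-ROM blocked by 0x95:", autorun_blocked(0x95, DRIVE_CDROM))
    print("CD-ROM blocked by 0xFF:", autorun_blocked(0xFF, DRIVE_CDROM))
```

On the mitigation side, setting NoDriveTypeAutoRun to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (or the equivalent Group Policy "Turn off AutoPlay" for all drives) removes the auto-run step the test relied on; since Microsoft's 2011 AutoRun update (KB971029) Windows only honours autorun.inf on optical media anyway, which is why the CD-based distribution in the talk is the case that still matters on patched hosts.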
Pros/Cons of PMSE
Pros
• Little to no verbal/physical contact with the target. Completely anonymous in most cases.
• Uses any tool needed. Gives a modular feel to the attack.
• Relies on the target’s interest and curiosity.
• Benefits greatly from prior SE attacks and inside knowledge.
• Extremely scalable and modifiable. Can be anything from a single target to a large corporation.
Cons
• Can be expensive and time-consuming on a large scale.
• Never 100% fool-proof, due to differences in systems, infrastructures, and environments.
• Typically only gives you one shot to accomplish the goal.
WikiLeaks as a proving ground
• May 2010: PFC Bradley Manning takes CD-RWs with music into work. Erases the contents, copies highly classified military documents from SIPRNet. Leaks the info to WikiLeaks, which posts it online to the public domain.
• Manning claimed he had “no malicious intent”, but the media could just as easily have been CDs or USBs loaded with custom-tailored malware to drop onto SIPRNet.
Questions?
David Martinez
Down South Hacking
DMartinez7500@downsouthhacking.com
@dmartinez7500 on Twitter
