Hello, and welcome to this course. Where we're talking about the use of Python scripts for achieving initial access on a computer. That stage in the Mitre ATTACK framework. In this video we're going to be talking about USB AutoRun. If you've used USB drive before, you're probably familiar with AutoRun. That's the files that are designed to automatically run when a USB drive is plugged into a computer. Now, with current versions of Windows, AutoRun isn't available because obviously running programs by default when you plug in a USB, can create a security risk. However, some computers might still have AutoRun enabled, making it a viable initial access factor. In the cases where that's not the case, then a lot of these same techniques are going to be useful in say, a social engineering attack. If you can create a plausible looking executable that someone might think is something legitimate and run it, then achieve the same goal as if you could automatically run that executable. The file I have open here in Notepad++ is the Python file we're going to be using for this particular demonstration. As we see up at the top of the file, we're going to be using PyInstaller to create a Windows executable from a Python script. This is helpful because, well Python script might not be runnable and a target system, ie, if they don't have Python installed, if you've got a self-contained executable, it's going to run on windows. This makes it useful for AutoRun, and more useful in general for phishing attacks. We're also going to use shutil, for a couple of commands, and we're importing OS for operating system commands. Here we've got a few definitions of variables that we're going to be using throughout the rest of this script. We have a filename here, which is the name of our malicious executable. In this case, our malicious executable isn't particularly malicious, all it says is a malicious program, but it's an example of a Python file, and we can easily write that file to be malicious and dangerous, and other ways. We also have an executable name, benign.exe in this case, we could easily change this to something else, more plausible, as part of a phishing or social engineering attack. We have an icon name here. One of the things that PyInstaller allows us to do, is to set the display icon for an executable. This is helpful because many executables you might trust and run by default on Windows, have very recognizable images. In this case, we're using the very recognizable Firefox icon as the display icon for our malicious executable. If we were using this in a social engineering attack, we could maybe label this as a standalone copy of Firefox or something similar. We're then getting the current working directory, or present working directory because we're going to use it in a few different places throughout this code, and then we're defining a directory for our hypothetical USB drive. In this case, just going to be using a folder inside the present working directory called USB, but you can see how we could easily change this directory to a mounted USB drive on our computer, as we build this, so that we can create our malicious USB. This is just a little bit of clean-up code here, saying that if the executable already exists, we should remove it because the operations that we're going to perform, won't work when we're trying to move it onto the USB, if that USB already exists. Our first step here, is we're going to be using PyInstaller to create our malicious executable. This is our actual command to do so. We're calling PyInstallers main function, and then calling run inside of that. The reason why we have this slightly different syntax here for function calls, is typically PyInstallers designed to be run as a standalone program on the command line terminal, etc. However, since it's Python related, it's designed to allow you to run it within Python as well, in this way. Calling this, is similar to saying PyInstaller, and then passing it the following list of arguments. We're telling it to use a malicious.py, put everything into a single file, clean up everything before doing so. We've set our log level to Error here, just so that it doesn't print out a bunch of information. PyInstaller's fairly noisy by default, and so telling it to only tell us if something goes wrong, makes us a cleaner Python program to run. We then specify our output name of the executable we're creating, so in this case, benign.exe, and we can specify that we want its icon to be set to, in this case the Firefox icon. Again, this is useful more for our social engineering use case, where we say drop out USB that has a promising looking executable on it, rather than a AutoRun use case, where potentially this particular executable would be hidden on the USB drive anyway. When we call this command, it's going to run PyInstaller and wrap our Python file in a self-contained executable. Well then, when we're done with that print that the executable was created and move into some cleanup steps. PyInstaller, by default, creates a few directories. For example, it's going create a dist directory where the final executable is going to be placed. We're going to move that into our current working directory and clean up the dist directory, the build directory, and the pycache directories so that we have a clean folder once we're done here. We're also going to remove a temporary file, or a configuration file called, in this case, benign.exe.spec, which talks about the specifications. At this point, what we have is a Python script that's wrapped into a self-contained executable. It doesn't need Python to be installed on the target machine to run. Everything that it needs is bundled inside that executable. Next few lines of code we have here are designed to implement the autorun part of our attack. Not as useful on modern operating systems, unless someone's explicitly set up autorun, but still useful for looking at a legacy system where autorun has not been disabled. We're going to now use Python I/O or File I/O, to create a file called Autorun.inf, which is the file that we'll have to place on this USB drive to cause it to run automatically. These are the lines of code that we need to include in that. We need to have autorun in parentheses on its own line, and instruction of what to do. It's supposed to open benign.exe. It's going to say Start Firefox Portable, if it asks or do you want to take this action in a prompt? It's going to label this as My USB, then we're specifying that we've specified the icon essentially. We want to use our icon and not some other icon. Once that's completed, we're going to print that we're setting up the USB, then we'll perform a few steps to actually move things, in this case, into our USB folder, but it easily could be a actual USB drive. Moving both the benign.exe, and the Autorun.inf files to the USB directory. Then, we're using Windows system commands to change the attributes of that particular file to hidden. We're printing the command Will Be Running, then we actually run it using the os.system command. In the end, what we should have is a hidden Autorun.inf file, then a currently not hidden benign.exe file, that's a self-contained wrapped Python script. We don't hide this, because we can use it for our social engineering attack, but we just as easily could have run this last command twice and hid benign.exe as well. Now that we've seen how the code works, or is written, let's see it in action. We've got a split screen here. We're inside the directory we see down here at the bottom. We've got a USB folder here, which is empty. We have our Python script, the icon file and our malicious Python script malicious.py. If we run Python malicious.py here, what we're going to see is just it prints, "I am a malicious program." Now, let's run our Python file for creating our malicious USB drive with autorun on it. As it moves through the process, it's going to be printing statements. We actually see down here that things are changing as it built the malicious executable using pyinstaller, cleaned up after itself, then our malicious executable, and our autorun file are now tucked away inside this USB directory in the same folder. You can either do it this way and then copy it over, or set the program up to do this automatically. Notice, based off of its transparent color here, autorun.inf is hidden in this case, we're set up to view hidden files, but if I unclick that, it disappears. Similarly, we could hide benign.exe if we chose, or we can take advantage of the fact that if we change this to just Firefox.exe. It actually it looks like a legitimate program. After we've created our malicious USB drive, then all we have to do is actually deliver it to the target to perform the attack. Mailing it, dropping in a parking lot et cetera and hoping that someone will plug it into their computer. Ideally, it would be great if they have autorun installed and enabled, because then our malicious executable would run no matter what. However, if not, hopefully, we could craft a pre-tax that would convinced them to click on this executable and see what it actually does. This is another demonstration of how to use Python for achieving initial access on a system, in this case, using self-contained, standalone Python scripts that could be run on a target computer, and could essentially do something malicious once they're there. Thank you.
