rufus777 Posted February 24, 2011
I wonder if there is someone who has a fake Windows updater ... I wonder what it takes? Ports, URL? I'm sorry that I write in English, hehe, it's not so good :)
Infiltrator Posted February 24, 2011
It doesn't take much to know how a Windows machine receives updates. What you need to have is Wireshark running between the computer receiving the updates and the gateway. I am pretty certain, when a machine connects to a Microsoft server to check for updates, it uses a URL and a port. With Wireshark you can find out that answer and then fake your own update server.
dr0p Posted February 25, 2011
The hard part would be Microsoft signs the updates, can't really fake that without the private key.
Infiltrator Posted February 25, 2011
> The hard part would be Microsoft signs the updates, can't really fake that without the private key.

Unless there is a way to bypass it, and make it look like it's legit.
digip Posted February 25, 2011 (Edited February 25, 2011 by digip)
> The hard part would be Microsoft signs the updates, can't really fake that without the private key.

I believe Didier Stevens has made something that makes any program look legit, by cloning the certificate of a known Windows update from the existing system. If I recall, Dave Kennedy has imported this tool into SET, so when using a meterpreter shell, he can send over an executable that looks like it's been signed by Microsoft by stealing its credentials from one of the existing Windows updates on the victim's system. If I can find the video, I'll link it here.

NOTE: I don't know that he has released the code publicly though, and for demo purposes is only in his personal version of SET when he gives talks.

Found it: