rufus777, posted February 24, 2011

I wonder if there is someone who has a fake Windows updater... I wonder what it takes? Ports, URL? I'm sorry that I write in English, hehe, it's not so good :)
Infiltrator, posted February 24, 2011

It doesn't take much to know how a Windows machine receives updates. What you need is Wireshark running between the computer receiving the updates and the gateway. I am pretty certain that when a machine connects to a Microsoft server to check for updates, it uses a URL and a port. With Wireshark you can find out that answer and then fake your own update server.
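The analysis step Infiltrator describes, as an added example that is not code from the thread: take the client-to-server TCP streams a capture gives you (what "Follow TCP Stream" shows in Wireshark) and pull out the host, port and path of every plaintext HTTP request, which is exactly what a fake update server would have to answer on. The streams, hostnames and ports below are constructed for the example, not taken from a real capture, and the TLS check is a practitioner's caveat: a passive capture tells you where a TLS stream went, not what URL it asked for, and you cannot stand in for that server without its certificate key.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net"
	"net/http"
)

// CapturedStream is one reassembled client-to-server TCP stream, the way
// Wireshark's "Follow TCP Stream" presents it: destination port plus payload.
type CapturedStream struct {
	DstPort int
	Payload []byte
}

// Endpoint is the answer the original question asks for: the host, port and
// path the client actually requests.
type Endpoint struct {
	Host string
	Port int
	Path string
}

// SampleStreams is constructed data standing in for a capture. The hostnames
// and ports are made up for the example and are not real update hosts.
func SampleStreams() []CapturedStream {
	return []CapturedStream{
		{80, []byte("GET /check.cab HTTP/1.1\r\nHost: update.example.test\r\n\r\n")},
		// A TLS ClientHello (record type 0x16): the request inside is not readable.
		{443, []byte{0x16, 0x03, 0x01, 0x00, 0x2a, 0x01, 0x00, 0x00, 0x26}},
		{8530, []byte("GET /Content/payload.cab HTTP/1.1\r\nHost: wsus.example.test:8530\r\n\r\n")},
	}
}

// ExtractEndpoints keeps only streams that carry a plaintext HTTP request and
// records where each one went. Streams that do not start like HTTP, TLS in
// particular, are skipped: you can see their destination in the capture but
// not the URL, and you cannot impersonate that server without its key.
func ExtractEndpoints(streams []CapturedStream) []Endpoint {
	var out []Endpoint
	for _, s := range streams {
		if len(s.Payload) == 0 || s.Payload[0] == 0x16 {
			continue
		}
		req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(s.Payload)))
		if err != nil {
			continue
		}
		// The Host header may carry an explicit port; keep the bare hostname
		// and report the port the stream actually used.
		host := req.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
		out = append(out, Endpoint{Host: host, Port: s.DstPort, Path: req.URL.Path})
	}
	return out
}

func main() {
	for _, e := range ExtractEndpoints(SampleStreams()) {
		fmt.Printf("http://%s:%d%s\n", e.Host, e.Port, e.Path)
	}
}
```

Run against a real capture you would feed it the reassembled streams from Wireshark (or tshark) instead of SampleStreams; the point of the TLS branch is that only the plaintext endpoints are candidates for a spoofed server at all.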
dr0p, posted February 25, 2011

The hard part would be that Microsoft signs the updates; you can't really fake that without the private key.
Infiltrator, posted February 25, 2011

> The hard part would be that Microsoft signs the updates; you can't really fake that without the private key.

Unless there is a way to bypass it and make it look like it's legit.
digip, posted February 25, 2011 (edited February 25, 2011 by digip)

> The hard part would be that Microsoft signs the updates; you can't really fake that without the private key.

I believe Didier Stevens has made something that makes any program look legit, by cloning the certificate of a known Windows update from the existing system. If I recall, Dave Kennedy has imported this tool into SET, so when using a Meterpreter shell he can send over an executable that looks like it's been signed by Microsoft, by stealing its credentials from one of the existing Windows updates on the victim's system. If I can find the video, I'll link it here.

NOTE: I don't know that he has released the code publicly though; for demo purposes it is only in his personal version of SET when he gives talks.

Found it:
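An added example, not code from any of the posters, from SET, or from Didier Stevens' tool, that plays out the exchange between dr0p, Infiltrator and digip above: what a spoofed update server can and cannot get past a client that verifies signatures. It models a signed update as a payload plus a detached RSA PKCS#1 v1.5 signature over its SHA-256 hash (an assumption for the example; real Windows Update packages are Authenticode-signed PE/CAB files, but the trust decision is the same), and the payload strings and key roles are constructed. The four cases are: the genuine package served by anyone, a genuine signature copied onto a different payload (the "clone the certificate" idea), a package properly signed with the attacker's own key, and the only way the last one is accepted: a client that takes its verification key from the download instead of from a pinned publisher key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a signed update: the payload and
// a detached RSA PKCS#1 v1.5 signature over its SHA-256 digest. This is not
// the Authenticode format Windows uses; only the trust logic is the same.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// signUpdate is the publisher side: only the holder of the private key can
// produce a signature that verifies under the matching public key.
func signUpdate(priv *rsa.PrivateKey, payload []byte) (UpdatePackage, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return UpdatePackage{}, err
	}
	return UpdatePackage{Payload: payload, Signature: sig}, nil
}

// verifyUpdate is the client side done correctly: the key it checks against
// is pinned in advance and never taken from the download itself.
func verifyUpdate(pinned *rsa.PublicKey, pkg UpdatePackage) bool {
	digest := sha256.Sum256(pkg.Payload)
	return rsa.VerifyPKCS1v15(pinned, crypto.SHA256, digest[:], pkg.Signature) == nil
}

// Scenarios returns, per case, whether the client accepted the package.
func Scenarios() (map[string]bool, error) {
	publisher, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for Microsoft's key
	if err != nil {
		return nil, err
	}
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // the fake server's own key
	if err != nil {
		return nil, err
	}
	pinned := &publisher.PublicKey

	genuine, err := signUpdate(publisher, []byte("constructed genuine update bytes"))
	if err != nil {
		return nil, err
	}

	// 1. The real package, even when served from a spoofed host: accepted.
	//    Redirecting the client to your server does not by itself change
	//    anything, because the client verifies what it receives.
	results := map[string]bool{"genuine": verifyUpdate(pinned, genuine)}

	// 2. Genuine signature copied onto a different payload. The digest no
	//    longer matches what was signed: rejected.
	cloned := UpdatePackage{
		Payload:   []byte("constructed attacker payload"),
		Signature: genuine.Signature,
	}
	results["cloned_signature"] = verifyUpdate(pinned, cloned)

	// 3. Attacker payload signed correctly, but with the attacker's key.
	//    A valid signature under the wrong key: rejected against the pin.
	resigned, err := signUpdate(attacker, []byte("constructed attacker payload"))
	if err != nil {
		return nil, err
	}
	results["attacker_key"] = verifyUpdate(pinned, resigned)

	// 4. A client that trusts whatever key arrives with the download accepts
	//    case 3. That is the bypass a fake update server needs, and it is a
	//    client-side trust bug, not a forged signature.
	keyTakenFromDownload := &attacker.PublicKey
	results["naive_client"] = verifyUpdate(keyTakenFromDownload, resigned)

	return results, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "cloned_signature", "attacker_key", "naive_client"} {
		fmt.Printf("%-17s accepted=%v\n", name, results[name])
	}
}
```

The practical reading for the original question: the URL and port are the easy part; the package either verifies under the key the client already trusts or it does not, so a spoofed server only pays off against a client whose signature check is missing, disabled, or anchored in a key the attacker controls.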