samyk / poisontap

Exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js.
https://samy.pl/poisontap/

Wow, Poisontap open automatically a browser! #84

Open f3d0x0 opened 7 years ago

f3d0x0 commented 7 years ago

I'm doing a pentest for my company and in the meanwhile I'm trying to experiment with some new physical attacks involving USB ports as attack vectors. The workstation that I'm testing is a fully patched Windows 10 with all security updates, full-disk encryption and a strong "cloud-based" firewall. I armed my Raspberry Pi Zero with PoisonTap correctly and, during my tests, on this particular workstation I surprisingly found that PoisonTap is working without an open browser, because after a minute Internet Explorer is automatically opened with the incredible HTML5 canvas animation and suggests to me that PoisonTap is working: cookies are stored in the log file, and the web-cache backdoors are reachable from my C&C Server! :)

I was surprised about that, and I started analysing the network traffic to find what services could trigger PoisonTap. The only HTTP traffic that I found was directed to 3 IP addresses:

I suppose this traffic is some sort of background Windows update, and this triggered PoisonTap. But what is currently not clear to me is how this background traffic could pop up a new Internet Explorer browser window? Has anyone else found similar behavior?

clankill3r commented 7 years ago

Makes me wonder if you could fake a windows update. Since windows so often installs software on a reboot...

wismna commented 7 years ago

I noticed the same thing! It opened a new Edge window when no other browsers are opened, but a new tab in Firefox when it was opened. I noticed nothing of the sort on either Mac or Linux.

samyk commented 7 years ago

@clankill3r I doubt Windows Update would be susceptible as I'm assuming the updates themselves are signed, and likely the communication itself is protected, but there may be other vulnerabilities. You never know until you try!

mame82 commented 7 years ago

@fEDUntu

In my opinion the answer to this magic is the connectivity test which is requested by win 10 every time a new network is detected. The reason is that windows wants to tell you if your new network has Internet connectivity or if there is a captive portal involved and so on. Thus multiple steps are involved in doing this.

Checking the IP of www.msftconnecttest.com, you should see something familiar. On win 7 this would be www.msftncsi.com.

So if your network is able to resolve the aforementioned URL but doesn't provide the HTTP content expected, Windows tells the user that it assumes additional steps have to be done to get an Internet connection. If the user clicks on this message a browser is opened, requesting a non-TLS HTTP webpage, to force a potential captive portal (CP) to show up. In PoisonTap's case this CP would be the webpage you have seen. So as pointed out, in all cases I have seen so far, there's still user interaction required to open up the browser window (click on the message). I never analyzed all facets of these connectivity tests, but could imagine that this test is involved in the magically opening browser window.

Additionally Win 10 starts multiple HTTP requests to various Microsoft hosts, in order to send telemetry data.
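To make the connectivity-test explanation above concrete, here is an added example (not code from the PoisonTap project or from anyone in this thread) that issues the same kind of plain-HTTP probe Windows NCSI does and classifies the reply as the genuine probe body, an interposed page (captive portal, or a USB device answering for the host as described in this issue), or no connectivity at all. The probe URLs and expected bodies are the documented NCSI values; the function names are this example's own.

```python
"""Defender-side NCSI-style connectivity probe: fetch the plain-HTTP probe URL
and report whether the reply is what Windows expects or something that has been
interposed on the path (which is what makes Windows offer the 'open browser' prompt)."""
import urllib.request
import urllib.error

# Documented NCSI probe endpoints and the exact body Windows expects from each.
PROBES = {
    "win10": ("http://www.msftconnecttest.com/connecttest.txt", b"Microsoft Connect Test"),
    "win7": ("http://www.msftncsi.com/ncsi.txt", b"Microsoft NCSI"),
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 3xx on the probe is itself evidence of a portal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_probe(status, body, expected):
    """Map one HTTP probe result to the conclusion Windows would draw.
    'ok'     - the genuine probe body came back: real Internet connectivity.
    'hijack' - an HTTP reply arrived but it is not the probe body: a captive
               portal or a device on the path answering for the probe host.
    'fail'   - no usable HTTP reply at all: no connectivity on this interface.
    """
    if status is None:
        return "fail"
    if 300 <= status < 400:
        return "hijack"          # redirected to a login / portal page
    if status == 200 and body.strip() == expected:
        return "ok"
    return "hijack"              # 200 with foreign content, or any other status


def probe_ncsi(flavor="win10", timeout=5):
    """Run the probe over the current default route and classify the answer."""
    url, expected = PROBES[flavor]
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read(), expected)
    except urllib.error.HTTPError as e:       # non-2xx, including un-followed 3xx
        return classify_probe(e.code, e.read(), expected)
    except (urllib.error.URLError, OSError):   # DNS failure, refused, timeout
        return classify_probe(None, b"", expected)


if __name__ == "__main__":
    print(probe_ncsi())
```

Running it right after plugging in an unknown USB network adapter and seeing "hijack" is the same signal that causes the Windows prompt, without waiting for a user to click it.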