Execute JPeG Files As EXE : Only For Penetration Testing


While penetration testing, we come across scenarios where we need to social engineer a user into executing our malware, in order to test the strength of the organisation's employee cyber security awareness. Well, here is a way to do so. What if we could get a file with a JPG extension executed as an EXE (PE: Portable Executable)? The good news is, yes, this is possible.

This tutorial will show you how to create JPG files that act like EXE (PE) files.

#Disclaimer: Please don't perform unauthorized penetration testing. It's illegal. Any damages done, the author holds no responsibility. This tutorial/post is purely for educational purposes.

Executing JPEG files as EXE (PE files) using the Registry

To understand this technique we will dig into the Registry. Basically, the Windows Registry is a hive of information: it holds configuration for the operating system and for the files on the system. Among the many settings stored there are the ones that define how Windows executes EXE files, and likewise the ones that define how JPEG files are opened.

This means we need to make Windows think a JPG file is an EXE file. But we can't do that without potentially damaging the OS's configuration, or risking that a future change made by some program sets JPG back to its default registry value. So from here on, it is not the responsibility of the author if anything happens to your system/OS. What we are about to do may destroy your system as well (the worst case scenario). You proceed at your own risk.

  • What we need to do is create a file that looks like a JPG (not by its icon, but by its type) and acts like an EXE. (Pretty simple, huh?)

This will be our file:

“file.jpg “

Notice the space after the ".jpg". This is no ordinary space, but a special character (ALT+0160 is the non-breaking space, U+00A0), and it has a very important role in our hack. Here

Get the EXE you want to convert to "jpg":

Rename it from "file.exe" to "file.jpg". Now press Rename again, put the cursor at the end of ".jpg", hold the ALT key and type "0160" on the numeric keypad.

#IMPORTANT!!

This will look like this: "file.jpg ". You can now rename it to something like "my pic.jpg " to make it convincing.

  • Go to:

Start -> Run -> Regedit

Right click on the HKEY_CLASSES_ROOT key
New -> Key

Call it ".jpg " (the space represents the ALT+0160 character).

Inside it, you will find the (Default) string.

Double click on it and write "exefile".

Then right click anywhere but on the Default string
New -> String Value

Call it "Content Type", and edit it so it says "application/x-msdownload".

Right click on the “.jpg ” key
New -> Key

Call it "PersistentHandler".

Inside it, edit the Default string to "{098f2470-bae0-11cd-b579-08002b30bfeb}".

Now every EXE file that has the ".jpg " type will be executed like a regular EXE!

To export the registry key as a registry (.reg) file to send to the victim, right click on the ".jpg " key and choose Export.

Well, there is one piece of social engineering that you still need to deal with. The settings we just changed in the Registry make the hack work only on the machine where we changed them. To make it work on the target system you either need to send this exported registry file and make the target execute it, or bind it with the jpg file using some binder.

Using an EXE binder to bind the files together is a good idea; well, I prefer that. Though if you are great at social engineering, making the target execute the .reg file separately would be another way out.
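On the defensive side, the exported .reg file is exactly the artifact a reviewer or mail gateway can inspect before anyone imports it. The script below is an added example (not code from the original post) that parses a constructed sample of such an export and flags extension keys with hidden characters, an executable ProgID, or an executable Content Type.

```python
# Added example: audit an exported .reg file for extension keys that look
# harmless but map to the EXE handler (the ".jpg<NBSP>" -> exefile trick).
import unicodedata

# ProgIDs whose open action runs the file as a program.
EXEC_PROGIDS = {"exefile", "batfile", "cmdfile", "comfile", "scrfile", "piffile"}
# Extensions for which such a ProgID is expected, hence not suspicious.
EXEC_EXTS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif"}

# Constructed sample of what the export described above produces.
# (A real export is UTF-16LE with a BOM; decode it with "utf-16" first.)
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\.exe]\r\n@=\"exefile\"\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\.jpg\u00a0]\r\n"
    "@=\"exefile\"\r\n\"Content Type\"=\"application/x-msdownload\"\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\.jpg\u00a0\\PersistentHandler]\r\n"
    "@=\"{098f2470-bae0-11cd-b579-08002b30bfeb}\"\r\n"
)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; key names keep every character."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # no strip(): the trailing NBSP is the evidence
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def odd_chars(ext):
    """Names of characters in an extension outside printable ASCII, e.g. U+00A0."""
    return [unicodedata.name(c, "?") for c in ext if not 0x21 <= ord(c) <= 0x7E]


def audit_reg(text):
    """Return one finding string per suspicious trait of an extension key."""
    findings, seen = [], set()
    for path, values in parse_reg(text).items():
        parts = path.split("\\")
        if len(parts) < 2 or parts[0].upper() != "HKEY_CLASSES_ROOT":
            continue
        ext = parts[1]
        if not ext.startswith("."):
            continue
        if ext not in seen and odd_chars(ext):
            findings.append(f"{ext!r}: hidden characters in extension {odd_chars(ext)}")
        seen.add(ext)
        if ext.lower() in EXEC_EXTS:
            continue  # genuine executable types are expected to map to exefile etc.
        if values.get("@", "").lower() in EXEC_PROGIDS:
            findings.append(f"{ext!r}: mapped to executable ProgID {values['@']}")
        if values.get("Content Type", "").lower() == "application/x-msdownload":
            findings.append(f"{ext!r}: Content Type claims an executable download")
    return findings
```

The same checks can be run against a live machine by exporting HKEY_CLASSES_ROOT and feeding the decoded text to audit_reg; the sample above yields three findings for the ".jpg " key and none for ".exe".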
