
USB Pocket-Knife Development


Leapo


In the readme directions, I'm having some difficulty with this:

(You must edit the "X:\WIP\SBS\send.bat" and "X:\WIP\NMAP\send.bat" file to point to your own Gmail account)

I can't get any files to show in sbs or nmap.  Properties show they are there, but I can't see them.  Sure it's probably something stupid that I'm overlooking, but I'm frustrated and out of cigarettes. 


In the readme directions, I'm having some difficulty with this:

(You must edit the "X:\WIP\SBS\send.bat" and "X:\WIP\NMAP\send.bat" file to point to your own Gmail account)

I can't get any files to show in sbs or nmap.  Properties show they are there, but I can't see them.  Sure it's probably something stupid that I'm overlooking, but I'm frustrated and out of cigarettes. 

The easiest way to do this would be to pop open a cmd, go to the directory and use the attrib command to remove the system and hidden file status...

So it should look like this:

cd /d X:\WIP\SBS
attrib -s -h *.*

cd /d X:\WIP\NMAP
attrib -s -h *.*


Sorry about that, it's because they have both the Hidden and the System flags set.

You can find the settings for showing hidden and system files by going to the Control Panel > Folder Options > View tab. You want to change the "Hidden Files and Folder" option to "Show Hidden Files and Folders", as well as un-check "Hide Protected Operating System Files".

That should allow the files to be shown from inside explorer without removing the flags.

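An added example, not part of any post in this thread: a read-only PowerShell check that lists files carrying both the Hidden and System attributes on removable drives, and shows any launch entries in a root autorun.inf, without clearing the flags. The drive-type value and the autorun.inf key names are standard Windows values; none of this comes from the payload's readme.

```powershell
# Added example: audit removable drives for Hidden+System files and autorun.inf.
# Read-only: no attributes are changed and nothing is deleted.

# Both flags must be set, which is what hides a file from Explorer by default.
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# Win32_LogicalDisk DriveType 2 = removable disk.
$drives = Get-CimInstance Win32_LogicalDisk -Filter "DriveType=2"

foreach ($d in $drives) {
    $root = "$($d.DeviceID)\"
    Write-Output "== Removable drive $root =="

    # -Force makes Get-ChildItem return hidden and system items.
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $mask) -eq $mask } |
        Select-Object FullName, Length, LastWriteTime, Attributes

    # An autorun.inf at the drive root is what triggers a program on insertion
    # on systems where AutoRun is still enabled for removable media.
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        Write-Warning "autorun.inf present on $root"
        # Show only the lines that name something to execute.
        Get-Content -LiteralPath $autorun |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' }
    }
}
```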

I've been thinking about how this could spread, and whose hands the hacksaw could pass through (with your e-mail address embedded in it no less). There is no denying that it could cause massive amounts of damage, and I've come to the conclusion that even if the higher-ups give the green light on posting more dangerous code like this, the version I release will be neutered so that it can only propagate one time.

And I do mean one time and one time only; Any computer infected with your "master key" will only auto infect one flash drive, which will be able to infect only one computer before it auto-deletes itself, and the computer it infects will not be given the ability to auto propagate again.

Far less dangerous than letting it spread exponentially, but it still gives you a taste (and if you plan it just right, the ability to get the hacksaw onto a specific person's PC).

I still don't think this should be released, it is very simple to make this self propagate and a publicly released version will only wreak havoc even if it terminates after one copy. There are also several things to look at...

-will the machine with the "master key" infect every USB or just the first?

-will the secondary infected USB infect every computer or just the first?

Even if you have thought these through I still vote 'NO'

Another "No" vote for releasing the worm functionality in any way, shape, or form.  If people really want it, they can code it in themselves.

QFE, If people don't know how to code it in themselves then they shouldn't be allowed to because they don't know how much damage this could cause.

I know there are several people that will disagree with me but it is for the good of Hak5 I vote no, also I would still like to hear from some of the 'higher ups' as leapo put it...


I still don't think this should be released, it is very simple to make this self propagate and a publicly released version will only wreak havoc even if it terminates after one copy. There are also several things to look at...

-will the machine with the "master key" infect every USB or just the first?

-will the secondary infected USB infect every computer or just the first?

I believe I covered that in, but just in case it wasn't clear, the answer to both of those questions would be "just the first". The maximum number of computers that could end up with the hacksaw on them is limited to only 2.

Even if you have thought these through I still vote 'NO'
That appears to be the general consensus at this point, and for good reason. Hell, I don't even feel comfortable using more than the single propagation version :-?

Now that would be a cool thing to experiment with, and not all that hard to write up, considering all it has to do is spread and send you back some general information about what computer it's on (computer name, current date and time, current time zone).

But, would something like that be releasable? It isn't malicious in any way, but it is technically still a worm...


Windows obviously stores timezone information somewhere (I suspect it's stored unencrypted in the registry), so as long as everyone has their time zone set correctly, you could effectively track how far around the globe it's managed to spread and how long it's taken to get that far.

I already have it mostly coded (with the exception of reading the current time zone), along with an antidote. I figure I'll write up a note for anyone who discovers the files, which explains exactly what those files are doing on their flash drive or computer, clearly stating what they do, and directing users to the included antidote if they wish to remove the files from their computer or flash drive (hence the included antidote).

I want this to be treated like, well, like a chain letter, except not nearly as annoying. You can probably guess what I'll be naming this mini-payload and possible new module for my main payload, the USB Chain-Letter (sounds a lot better than calling it a non-malicious USB-writable-media propagated worm).

Now, the question is, who do I contact at Hak5 about releasing this? I suspect I should probably go straight to Darren or Wess, either writing them directly or pointing them to this thread.


the USB Chain-Letter (sounds a lot better than calling it a non-malicious USB-writable-media propagated worm).

I still don't like the idea of associating a "worm" of any kind with Hak5.

Then just say it was from DL.TV  :P. But, seriously, a worm is bad if it does something bad, not for just being bad. I don't think it's that big of a deal, but the "higher ups" may have a different opinion. If they don't want it released, don't release it.

There is a windows tool (I think I might have originally seen it in Leapo's payload) called "wget." If you made it download "h t t p : / / g e o t o o l . s e r v e h t t p . c o m /" (blacklisted, so take out spaces) and email it as an attachment, that would be awesome. I am not even sure if that's possible, but then you wouldn't need a way to get the time zone.


But, seriously, a worm is bad if it does something bad, not for just being bad.
That's my general line of thinking as well. The Chain-Letter idea isn't anywhere near as bad as unleashing an unstoppable hacksaw plague upon the unsuspecting masses.

That said, GonZor is correct in that it is still technically a worm, even if it has no malicious function and comes with its own removal tool.

I don't think it's that big of a deal, but the "higher ups" may have a different opinion. If they don't want it released, don't release it.

Exactly why I have yet to release ANYTHING that auto-propagates. I'll be sending out a few PM's so we can settle this matter and get my thread back on track :-P

And to allay any remaining concerns, the next update to my Payload will still be released as planned, but without any of these recent self-propagating modules. (BTW, thanks for the link elmer, I have a few ideas as to how that could be used)


Darren is on IRC on his phone. I sent him a link to this thread and asked him to put in his thoughts when he could. Any time now, he should say something.

Why can't children do anything useful with their time these days. :-(

Because there is nothing useful to do.


Hey,All

@Leapo

Forget the statement just keep doing the A+ work you have been doing

you think maybe you can make a video for us power newbies like myself. ;)

As GonZor has been thinking of doing him self it would be a big help

anyways you and GonZor keep doing what you do.

best of luck

7Sins


Forget the statement just keep doing the A+ work you have been doing

you think maybe you can make a video for us power newbies like myself. ;)

I might be able to make a video of what he's doing. I know what he's doing and how he's doing it. At one point I managed to get the switchblade to email the logfile to me. About what do you want the video to be?

As GonZor has been thinking of doing him self it would be a big help

anyways you and GonZor keep doing what you do.

I don't understand what you mean at all by this statement. I think you may have forgotten to put in a word. I suspect that I am not the only one who doesn't understand you. Could you please rephrase this for me and the others?


As GonZor has been thinking of doing him self it would be a big help

anyways you and GonZor keep doing what you do.

I don't understand what you mean at all by this statement. I think you may have forgotten to put in a word. I suspect that I am not the only one who doesn't understand you. Could you please rephrase this for me and the others?

It made sense to me, maybe you need to be sleep deprived to understand. Although some more punctuation could make it easier to read I think he meant...

As GonZor has been thinking of doing himself, it would be a big help.

Anyway you and GonZor keep doing what you do.

Meaning "GonZor has planned to release a video to help explain his payload and how it works. It would help the people that are new to this. Keep up the good work". Although correct me if I'm wrong, that is just my interpretation.


Hey,All

@ elmer

Hehe yes my English not 100% here so I use a translator,sometimes it works sometimes all goes to hell on me

I will try to do a better job here.and yes if you have Videos please can you post link for me.

@ GonZor

Yes thank you this is just what I was trying to say here.on top of using the translator

I have bad eyes. anyways will give it a better try from here out.

Best of luck

7Sins


Whilst I agree with the general consensus that the worm shouldn't be released I think it could be worth working on a security related application of it as identified below by setzer1411.

It is a great idea. I would use it at work here so I could see who is using a USB drive (not allowed to normal employees). In that application it would be helpful.

The idea here would be to see who has connected a removable device to a network machine and what files have been transferred either way. An idea of how that could work is that the program would propagate onto the USB drive and log the time, date, machine name, domain and any files transferred. The program would only run if the domain value matched your company domain. The program would then email the results to a sys admin or auditor for reviewing. Obviously the infected USB drive wouldn't propagate the program onto other machines as we'd be stuck in the same situation.

The way this program would work is that you would install the program onto the machine of a troublesome user and then be able to keep track of their USB use across the network. Another application of this could be if you worked in a secure environment where USB drive use was required then you could authorise USB access by a similar method. You would then be able to keep track of which files are being transferred and know that only authorised drives were being used.

I'm aware that this kind of program could still be open for abuse if correctly hacked but in the application described above all it's going to tell you is which files have been transferred which way.

Just a thought...

Keep up the good work GonZor and Leapo. I'm just about to download the latest builds of both your payloads to have a play with.


@ elmer

Hehe yes my English not 100% here so I use a translator,sometimes it works sometimes all goes to hell on me

I will try to do a better job here.and yes if you have Videos please can you post link for me.

Oh, that explains a lot. No need to apologize. I have experienced first hand the bad translations they give. My main computer is not here (it's being repaired) for the rest of the week, but once I get it back I can make a video about it. I can make a text explanation if you want me to.

It is a great idea. I would use it at work here so I could see who is using a USB drive (not allowed to normal employees). In that application it would be helpful.

The USB Chain-letter is ideal for this. As long as you know the hostnames of all your computers, this would be perfect. Make a little batch script to combine your log files, then open it in Notepad or something and do a search in the file (Ctrl+F) for company hostnames.


Leapo, if any of this is wrong, please tell me.

The Chain-Letter

Leapo has set up the "USB Dumper" application to launch a batch script, rather than to grab all of the files on the USB drive. Depending on the location, the batch file does different things.

From a computer that already has the Chain-Letter on it, the batch file copies over a mini-payload to the inserted thumb drive that will (on AutoRun) make a log file that says something like "I was at COMPUTERNAME on DATE at TIME." It then uses a program called Stunnel to connect to the GMail servers and send an email with the log file as the attachment.

Another thing the thumb drive will then be doing is carrying around the Chain-Letter. Not only does it make the log file, it copies over a mini-payload to the computer, which in turn copies it to all other attached thumb drives.

The Pocket-Knife

From what I can tell, this isn't as hard to explain. Some very nice people have made applications which are very useful for security-testing and information retrieval, but can also be used in a more grey-hat way. For our uses, we use the grey-hat application.

The applications can do various things (see: Switchblade Packages - Hak.5 Wiki). The Pocket-Knife tells these applications to put the output into a log file, which is then stored on your thumb drive.

The Pocket-Knife also includes the Hacksaw, which is what Leapo based the Chain-Letter on. It copies a mini-payload to a computer which will use USB Dumper to grab all the files on a USB drive and place them into a temporary directory, which is then compressed using the RAR format into little one-megabyte files. It then uses a program called Stunnel to connect to the GMail servers and send multiple emails with the RAR files as the attachments.

I hope this explained everything you need to know, if you need to know more, just ask.
