A way to get payloads to work on all computers?

[timmy]

Hi im not sure if this will work but while i was thinking about ophcrack live cd i thought about how they got around the loophole of need admin or whatever to get the hashes they booted it from a live cd. Then i thought if we could boot a linux distribution then run the switchblade from there ? cuz from what i have herd there are portable windows xp,

Would the vulnerabilities be the same ? If it worked we would not have to worry about AVs and the possibilities would be endless!!! Of course its to run from a usb not a cd But srsly if this worked it would work on most computers the only draw back is that you would have to wait while it boots and it would not be exactly stealth since you have to boot. Does anyone think that this will work thanx!!!

[alexthedrifter]

It might be possible with Wine or somthing, I know almost nothing about linux but it sounds plausable.

[ElevenWarrior]

It might be possible with Wine or somthing, I know almost nothing about linux but it sounds plausable.

yes, I know of a project called WinUBCD, It creates a version of (in this case) XP, and you can boot from the disk and have acess to thousands of tools. All we'd have to do to get Win UBCD to work with it would be to add plugins for ophcrack, and any hacking tool we want. I don't code so I don't know how to do its but I do knows its possible.

[timmy]

Um so has anyone tried this boot off a bartpe usb then try there favourite usb payload ?

What were the results (ill test it on my self later)

[X3N]

Um so has anyone tried this boot off a bartpe usb then try there favourite usb payload ?

What were the results (ill test it on my self later)

the problem with that is that 99.9% of the data your trying to gather is held in thier user account files and or thier user account registry entries. So the payload would theoretically run just wouldnt gather any useful information. Now i know there are ways with bartpe to load a user registry hive but i dont think it would do it in exactly the same way in order to work the way you want. What I would be interested in is if someone came up with a payload that did run on bartpe and slurped all the user accounts of useful information...

[ElevenWarrior]

the problem with that is that 99.9% of the data your trying to gather is held in thier user account files and or thier user account registry entries. So the payload would theoretically run just wouldnt gather any useful information. Now i know there are ways with bartpe to load a user registry hive but i dont think it would do it in exactly the same way in order to work the way you want. What I would be interested in is if someone came up with a payload that did run on bartpe and slurped all the user accounts of useful information...

now, a idea that might work would be to build a plugin that would do just that. slurp all info from the accounts. I don't think it'd be too hard, but again I don't code. theres already a windows Xp key finder plugin, reg hive copyier, IP scanners and such, I really think this is a possibility.

[sablefoxx]

If you boot into a live environment you can just copy the SAM file, this has been common practice for sometime, just boot up a copy of Knoppix and copy C:\WINDOWS\system32\config\sam to a USB thumb drive, take it home and crack it any way you like. Or crack it using knoppix, its all gravy.

Even better yet, get a big USB drive and make an Ubuntu Boot Drive out of it and just leave some space open so you can save the SAM file to the same USB drive you used to boot into Ubuntu... hehe

[Bakb0ne]

Running tools like those on the USBHacksaw from linux - No go.

WINE is not Windows emulation software, it's Windows Compatibility Layer, a translator.

You'd be better off booting from Knoppix, BT4, or what have you, copying the SAM file like Sablefoxx said, and other information you want.

It wouldn't take much to design a bash file that grabbed the info you wanted, and copy it to a section on your *nix disc, or email it to yourself if you have time to run a dhcp script to get the network up.

I wouldn't personally recommend a LiveUSB for a number of reasons, and especially not Ubuntu on one.

Not everyone's BIOS are set to boot from USB (Or CD for that matter, but we're talking statistically).

You want the most for your time, not playing with the BIOS for 5 minutes before you get your crap together.

Ubuntu is a resource hog for these things, there's no point in running Gnome to copy files and information, use a terminal. Build a custom kernal, and custom scripts for the startup, you don't need SAMBA, Appletalk, and SSH starting up when you load a Live variant.

[sablefoxx]

It wouldn't take much to design a bash file that grabbed the info you wanted, and copy it to a section on your *nix disc, or email it to yourself if you have time to run a dhcp script to get the network up.

I wouldn't personally recommend a LiveUSB for a number of reasons, and especially not Ubuntu on one.

Not everyone's BIOS are set to boot from USB (Or CD for that matter, but we're talking statistically).

You want the most for your time, not playing with the BIOS for 5 minutes before you get your crap together.

Ubuntu is a resource hog for these things, there's no point in running Gnome to copy files and information, use a terminal. Build a custom kernal, and custom scripts for the startup, you don't need SAMBA, Appletalk, and SSH starting up when you load a Live variant.

True, i was trying to think of a nice all-in-one solution. That way all you need is the usb key, instead of a disc and a usb drive. That's not a bad idea, i was thinking of trying to make something very similar, just a boot disc that emails/ftp/copies to usb drive the sam file when you boot it. Wouldn't need X, or anything like that either...

[timmy]

I think that we have a small problem most os hold there information in different places. Example C:\WINDOWS\system32\config\sam might not exist on vista or a different os. The purpose of this payload would be to work on all os so to get around this i guess you would have to search several files. Maybe a screen could popup when you boot it up and you could select which os its running on

[timmy]

Running tools like those on the USBHacksaw from linux - No go.

WINE is not Windows emulation software, it's Windows Compatibility Layer, a translator.

You'd be better off booting from Knoppix, BT4, or what have you, copying the SAM file like Sablefoxx said, and other information you want.

It wouldn't take much to design a bash file that grabbed the info you wanted, and copy it to a section on your *nix disc, or email it to yourself if you have time to run a dhcp script to get the network up.

I wouldn't personally recommend a LiveUSB for a number of reasons, and especially not Ubuntu on one.

Not everyone's BIOS are set to boot from USB (Or CD for that matter, but we're talking statistically).

You want the most for your time, not playing with the BIOS for 5 minutes before you get your crap together.

Ubuntu is a resource hog for these things, there's no point in running Gnome to copy files and information, use a terminal. Build a custom kernal, and custom scripts for the startup, you don't need SAMBA, Appletalk, and SSH starting up when you load a Live variant.

Um there is a livecd that makes you boot of your usb if the targeted computer does not support it. For me i personally don't like live cds for this task becuase your copying data and what if the traget computer has no internet then your screwed. Besides this payload is not meant for stealth its just meant 2 punch a whole in anything.

[sablefoxx]

I think that we have a small problem most os hold there information in different places. Example C:\WINDOWS\system32\config\sam might not exist on vista or a different os. The purpose of this payload would be to work on all os so to get around this i guess you would have to search several files. Maybe a screen could popup when you boot it up and you could select which os its running on

All versions of Windows XP, Vista, and 7 (99% of the OS's in use) all store the SAM file in C:\WINDOWS\System32\config\. Only early version of NT and 9x stored the SAM elsewhere, and its really not a problem if you run into a computer that stores it in a different place. If Exist statements are pretty easy to write.

Um there is a livecd that makes you boot of your usb if the targeted computer does not support it. For me i personally don't like live cds for this task because your copying data and what if the traget computer has no internet then your screwed. Besides this payload is not meant for stealth its just meant 2 punch a whole in anything.

I think you're missing the point, excluding SMB, SSH, etc, is not to make it more stealthy, its to speed up the boot process so you can get to the data faster, and sending the data over the network is only an option. You always have the option of copying it to removable media.

To answer the original question, if you're booting a Live CD there is no need to run a switchblade playload, because you're already in control of the system and can modify anything you want. That being said creating a Live distro designed to extract data (but not necessarily modify) from the host OS is not a bad idea, and has been around from some time. What backb0ne and i are saying is that you could create a Live CD and/or USB drive to copy the SAM file from the host OS for later cracking. If you just want access to the system outright use NT Password Recovery Live CD, it uses password hash insertion so you can modify a user's password on the host OS, reboot and login.

[timmy]

All versions of Windows XP, Vista, and 7 (99% of the OS's in use) all store the SAM file in C:\WINDOWS\System32\config\. Only early version of NT and 9x stored the SAM elsewhere, and its really not a problem if you run into a computer that stores it in a different place. If Exist statements are pretty easy to write.

I think you're missing the point, excluding SMB, SSH, etc, is not to make it more stealthy, its to speed up the boot process so you can get to the data faster, and sending the data over the network is only an option. You always have the option of copying it to removable media.

To answer the original question, if you're booting a Live CD there is no need to run a switchblade playload, because you're already in control of the system and can modify anything you want. That being said creating a Live distro designed to extract data (but not necessarily modify) from the host OS is not a bad idea, and has been around from some time. What backb0ne and i are saying is that you could create a Live CD and/or USB drive to copy the SAM file from the host OS for later cracking. If you just want access to the system outright use NT Password Recovery Live CD, it uses password hash insertion so you can modify a user's password on the host OS, reboot and login.

Um for your first answer i was thinking that this would be a payload that can be run on everything including mac,linux,vista,etc

and for your second im not thinking about making a distro then running the payload im saying that if the computer does not support booting from a usb then you can use this thing im pretty sure its not a live cd that changes it so that you boot from your usb.

sorry for being noob and not being specific

[sablefoxx]

Um for your first answer i was thinking that this would be a payload that can be run on everything including mac,linux,vista,etc

You're going to run into a problem here. Linux/Mac have a different security architecture then Windows, so the only way to get a payload to run on one of these OS's is to re-write the entire thing (there is no such thing as a SAM file in Linux/OSx). Most payloads (all that i know of) use .bat and .exe files which are specific to the Windows OS, and booting into PE (Pre-installed Environment) isn't going to change this.

[Bakb0ne]

Sable's right here as well, universal payloads won't work, kernels are different, architecture, compilers, coding, it's just a crapshoot.

Your best shot for something like that is to build a library full of different payloads designed for different systems, and compile it into a package that you can choose individual payloads from. Something like Metasploit is pretty close as far as a pre-compiled package. After that, you're almost on your own.

[G-Stress]

This sounds interesting. After a bit of reading an idea came to mind. I'm not quite sure how to do it, but the utilman.exe hack that was mentioned some time ago seems like a good start. If someone could say create a usb payload that when the host machine was at the welcome screen then insert the usb drive and somehow the usb drive would automate the utilman.exe hack then payload2 copying data, etc. all silently running as the SYSTEM user.

[Bakb0ne]

Why not just pack a keylogger into the USB key?

[G-Stress]

I just remembered how the utilman.exe hack worked. If someone could create an .exe payload that does all the work and just rename it to utilman.exe and copy that one instead and then when the series of keys are pressed the payload runs and does it's job.

[DingleBerries]

I dont really feel like reading that whole ultiman.exe thread, but if someone gives me the instructions, i.e. move X to X, copy Y to Y, set hive to Z, ect, ill write the exe. I was thinking something along the lines of FreeDOS to boot and grab the SAM(or just something fast, no GUI, automated) so if you can think of other things that need to be grabbed ill work on that as well. Then included a autorun payload for when your logged in(that can also replace ultiman.exe)

[sablefoxx]

Methinks we need a new thread, getting a bit off topic, but yeah booting into freedos and grabbing the data is a good idea.