cypherhash Posted September 6, 2006
Something that would be really interesting is having this work even if autorun is enabled, by exploiting the USB to either enable temporarily or just run this code. A lot of places are now preventing the autorun feature for fear of things like this. I'd be interested to see / help with that solution.
Hug_It Posted September 6, 2006
I'd love to see it expanded so that it can email or somehow send the results to a user-specified destination just for use in penetration testing. Leave a few USB sticks around a company and just wait for the users to pick them up and plug them in. Great example to convince companies to quit allowing their users administrative privileges. Either the U3 version or Amish's version would be satisfactory. Anyone know how to do that?
Sparda Posted September 6, 2006
> File Sharing is enabled, and even with the firewall and anti-virus turned off I'm still getting the same errors. It seems to work great pulling all of my passwords from applications, but it won't even generate the hash to run against rainbow..
Perhaps there is no password on the admin account. In that instance Windows would force remote users to log on using the guest account.
cypherhash Posted September 6, 2006
Interesting article that sounds exactly like what you described, http://www.darkreading.com/document.asp?do...T.svl=column1_1. Now if only they'd release the source of their program. Though I doubt it would be hard to whip something together.
elitegoodguy Posted September 6, 2006
This works great. However, 1 problem. I want to make it as stealthy as possible but it causes a popup box saying that it wants to restart the computer to finish installing the hardware. Anyone know how to disable that or get around this? Thanks
Sparda Posted September 6, 2006
That sounds like it could be a computer (or Windows rather) specific problem. Windows will do that on some computers for whatever reason; it's just ignorable.
elitegoodguy Posted September 6, 2006
> That sounds like it could be a computer (or Windows rather) specific problem. Windows will do that on some computers for whatever reason; it's just ignorable.
I tried it on 5 computers at work: mine, and 4 others. Mine did not do that, however all 4 others did.
Hug_It Posted September 6, 2006
> Interesting article that sounds exactly like what you described, http://www.darkreading.com/document.asp?do...T.svl=column1_1. Now if only they'd release the source of their program. Though I doubt it would be hard to whip something together.
Exactly what I was thinking.
Guest MaxDamage Posted September 6, 2006
...
elitegoodguy Posted September 6, 2006
> Hey man I feel famous LOL. Seriously thanks for the credit Darren. 8) When I developed the first payload it was just a proof of concept put together in half an hour as soon as I found out how to replace the U3 ISO. Anywaz since then I have written some more, and refined it a bit. I have also got a bolt-on that silently finds the local SMTP server (or builds its own if directly connected) and emails the results. So if you guys want to help develop it further I'm up for it. And if you need help getting it running then just ask :). I also have a non-U3 version something like Amish's that I could add if you need it.
That would be great... would this be something that copies all the required files to the HD then emails from there? I'm thinking that so I won't have to be at the local computer any longer than needs be.
Guest MaxDamage Posted September 6, 2006
...
brainkill Posted September 6, 2006
> Avast doesn't like it :( and wigs out
What files? Please email me at admin@vertex-hosting.net with the files it flags. I will encrypt them. I have encrypted pwdump.exe, lsaext.dll and pwservice and they are hosted at http://brainkill.net/hack. Consult the page for direct links. Thanks
Guest MaxDamage Posted September 6, 2006
...
brainkill Posted September 6, 2006
> Nice, how do you encrypt exes?
Secret :X I don't give it out for fear of it becoming public and caught by AVs. I WILL ENCRYPT THEM BUT I WON'T GIVE OUT THE ENCRYPTER. Sorry. It would also allow any blackhat-wannabe to hack people. I'm not going to let that happen.
DLSS Posted September 6, 2006
> > Avast doesn't like it :( and wigs out
> What files? Please email me at admin@vertex-hosting.net with the files it flags. I will encrypt them. I have encrypted pwdump.exe, lsaext.dll and pwservice and they are hosted at http://brainkill.net/hack. Consult the page for direct links. Thanks
I think I can guess how :P I'll do a quick check. That message was just immediately while downloading (the on-access scanner) but I'll disable it and manually test each file separately and send you the results.
Guest MaxDamage Posted September 6, 2006
...
DLSS Posted September 6, 2006
OK so here's Avast's output and the warning/info/advice it gives. It gives the following warnings with the following files:

file: batexemailpv.exe [UPX]
Malware name: Win32:MailPassView [Tool]
Malware type: Other potentially dangerous program
VPS version: 0636-1, 06/09/2006
Recommended action: move to chest

file: batexemspass.exe [UPX]
Malware name: Win32:Messen [Tool]
Malware type: Other potentially dangerous program
VPS version: 0636-1, 06/09/2006
Recommended action: move to chest
brainkill Posted September 6, 2006
> OK so here's Avast's output and the warning/info/advice it gives. It gives the following warnings with the following files:
>
> file: batexemailpv.exe [UPX]
> Malware name: Win32:MailPassView [Tool]
> Malware type: Other potentially dangerous program
> VPS version: 0636-1, 06/09/2006
> Recommended action: move to chest
>
> file: batexemspass.exe [UPX]
> Malware name: Win32:Messen [Tool]
> Malware type: Other potentially dangerous program
> VPS version: 0636-1, 06/09/2006
> Recommended action: move to chest
I must have the original programs... before they were encrypted in UPX, in order to encrypt them fully. Thanks
marlasinger Posted September 6, 2006
Hey all, the Symantec anti-virus auto-protect is showing up. I used brainkill's version of pwdump and pwservice.exe and LsaExt.dll. I have no problems with pwservice or pwdump, but LsaExt.dll is getting auto-quarantined. Pspv.exe is getting nailed as well. The good news is that I got mspass.exe working and it logs chat user/pass combos in plaintext. I plan on adding Outlook and other mail support as well. Any suggestions for LsaExt.dll and pspv.exe? TIA Marla :zombie:
Ouroboros Posted September 6, 2006
I asked on Digg, but didn't get an answer so I am asking at the source. Is there a particular reason why the U3 ISO image is being replaced with a custom ISO image? Since the U3 launchpad is a real application (backed by big corporations so antivirus is much less likely to block it), which already has the ability to autolaunch an application registered to it, why not go that route? All it takes is the U3 developer API (available for free), some tweaking to an exe to behave as U3 expects, and packing it up as a U3 install file. To prevent easy tagging by antivirus, randomly pad the exe before creating the U3 install file. Since U3 always had the ability to load up from a local U3 install file, this is relatively easy to test. I realize a lot of batch files are being used, but a simple exe to execute batch files shouldn't be a problem, right? I don't see a clear advantage to using the custom ISO. Am I missing something?
PoyBoy Posted September 6, 2006
I was thinking that too. I like my Skype! Dammit! And Sudoku. And Trillian. And Firefox. And Thunderbird, etc. I like your idea.
EDIT: It also seems lots cleaner to just use the original interface, with a package.
silivrenion Posted September 7, 2006
A small modification can be made that will allow someone to easily create a file of LM password hashes alongside the usual machine output. The benefit? Well, let's say someone wanted to go to several computers, and wanted to grab a long list of passwords to crack in one fell swoop. Copying and pasting from all of the individual log files would be tedious to create an LM hash list, so why not create it on the fly? Edit your switchblade batch file so that at the bottom, you see this. Also, note that your switchblade file might not have the URL history, depending on the version you chose. Pay attention to the line that starts with TYPE.

... [continued from file] ...
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
echo ***********[Dump URL History]******* >> Documents\logfiles\%computername%.log 2>&1
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
cscript //nologo .\DUH.vbs >> Documents\logfiles\%computername%.log 2>&1
TYPE Documents\logfiles\%computername%.log | find ":::" | find /V "NO PASSWORD" | find /V "HelpAssistant" >> Documents\logfiles\pwfile.txt
:End
exit

Pay special attention to the line that starts with TYPE. Let's go through it one by one.

TYPE Documents\logfiles\%computername%.log
This will get the output we just created with switchblade, so we can work with it.

find ":::"
I noticed all of the LM hashes had three colons in their lines, which appeared nowhere else. Might as well use that to our advantage!

find /V "NO PASSWORD" | find /V "HelpAssistant"
There are two types of lines that we don't want to see: ones that have no password to crack, and those that are of the Microsoft-created account "HelpAssistant". If there are other search terms you don't want to see, you can add them also.

>> Documents\logfiles\pwfile.txt
This will create a password file if it doesn't exist. If it does exist, the password file will be appended to, so that you can rapidly gather passwords into one file for quick cracking... which can be done with the next small code edit.

Making rcrack one-click friendly
Use Notepad to create the following file, and save it as crack.bat or something with a batch extension. This will be saved on your cracking computer at home that contains your rainbow tables. Hopefully you don't bring those with you on your USB key!!! :o

@echo off
echo Starting crack, writing output to log.txt ...
echo. >> log.txt
echo ************************************ >> log.txt
echo Cracking started by %username% at %date% %time% >> log.txt
rcrack.exe *.rt -f pwfile.txt >> log.txt
echo Cracking complete at %date% %time% >> log.txt
echo ************************************ >> log.txt
echo Success!

This batch file will process the password file you created, and output the status of it to log.txt in your cracking folder. This way you can leave your computer cracking unattended, and still be able to get the results later in an organized manner, with all of your passwords you gathered in one neat and convenient location.
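The `find ":::" | find /V "NO PASSWORD" | find /V "HelpAssistant"` pipe above keys on the shape of pwdump output (one `user:RID:LM hash:NT hash:::` line per account). The following is an added example, not code from the thread, that does the same selection as a small Python parser, so that an administrator reviewing dump output from an authorized audit can see which accounts still have an LM hash stored and therefore remain exposed to rainbow-table attacks. It goes one step beyond the batch filter: besides the literal `NO PASSWORD` marker it also treats the well-known LM hash of the empty string (`aad3b435...`) as "no LM hash stored", which the `find` pipe would let through. The log text is constructed for the example and the hash values are placeholders.

```python
import re

# pwdump prints one account per line:  user:RID:LM hash:NT hash:::
# (this regex and the helper names are this example's own, not the thread's)
PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[^:]*):::$"
)

# LM hash of the empty string; Windows stores this when LM hashing is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Accounts the batch filter drops with `find /V`; HelpAssistant is the
# built-in Remote Assistance account named in the post.
EXCLUDED_USERS = {"HelpAssistant"}


def parse_line(line):
    """Return a dict for a pwdump line, or None for banner/log text."""
    m = PWDUMP_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rid"] = int(rec["rid"])
    lm = rec["lm"].lower()
    # "NO PASSWORD****" or the empty-string LM hash both mean there is
    # no stored LM hash for this account.
    rec["has_lm_hash"] = (
        bool(lm) and not lm.startswith("no password") and lm != EMPTY_LM
    )
    return rec


def accounts_with_lm_hashes(log_text, excluded=EXCLUDED_USERS):
    """Equivalent of the batch pipe (plus the empty-LM check): the usernames
    in a switchblade-style log that still store an LM hash."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] in excluded:
            continue
        if rec["has_lm_hash"]:
            found.append(rec["user"])
    return found


# Constructed sample log: banner lines as the batch file writes them,
# followed by pwdump-style lines. Hash values are placeholders, not real.
SAMPLE_LOG = """\
************************************
***********[Dump SAM]***************
************************************
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
jdoe:1003:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
asmith:1004:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    # Expected: Administrator and asmith; Guest, HelpAssistant and jdoe are skipped.
    for user in accounts_with_lm_hashes(SAMPLE_LOG):
        print(user)
```

Run against the constructed log this reports only Administrator and asmith: Guest is dropped by the `NO PASSWORD` rule, HelpAssistant by the account exclusion, and jdoe because its LM field is the empty-string hash, the case the original `find` pipe does not cover. Fields are split out on purpose so a report can cite the RID and account name rather than a raw dump line.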
Deus Posted September 7, 2006
I am using Amish's solution but when I plug in the USB drive I get the pop-up window asking what I want to do. If I choose "Open Files on Folder" then it runs fine. How do I get it to run without the window popping up?
nachtfrau Posted September 7, 2006
Since we are on the subject of "physical" access to someone's box and some utilities to use, why not use "Hiren's Boot CD"? A very powerful, yet simple array of tools all tossed into a nice little neat package. I know it's off subject and it's a very "nubish" utility, yet it works and has a bunch of great tools which I use on a daily basis. Although it doesn't crack the password and give you the hash, it will reset the password for you with a few keyboard strokes. Badda-bing badda-boom, you're in the box with Administrator access. I have not yet found a Windows machine it doesn't work on. The only drawback would be if someone has a CMOS/BIOS password on the box: you wouldn't be able to access the BIOS without providing a password or removing the battery to reset the BIOS back to default settings. Just a thought...
Darren Kitchen Posted September 7, 2006 (Author)
I haven't read pages 3 & 4 yet but someone on IRC asked for a link to the tables so lemme get that out there. Rainbow Tables: http://rainbowtables.shmoo.com/ Gotta love the Shmoo Group!