USB Switchblade Development


Darren Kitchen


Hi.

I have a little problem with that genius development.

If I put this non-U3 version on my USB key and plug it into my SP0 or SP1 machine, it just does not do anything.

There's no AutoPlay window at all.

If I right-click the drive and select AutoPlay, it opens an empty window.

http://www.lewbacca.de/files/payload.gif

Anyone with the same problem, or someone who knows how to fix it?


Yeah, I had that problem at a few PCs at school; try my version (on the wiki).

It also has a scan.cmd inside it, so if the autorun doesn't work (like in your case) you can start it manually.


The action key is only used in Microsoft Windows XP Service Pack 2 (SP2) or later. It is only supported for drives of type DRIVE_REMOVABLE and DRIVE_FIXED. In the case of DRIVE_REMOVABLE, the action key is required. An action command in the Autorun.inf file of an audio CD or movie DVD is ignored and these media continue to behave as in Windows XP Service Pack 1 (SP1) and earlier.

Not on a non-U3 USB drive on Windows XP SP1. The only option left is to run the payload manually.

The person on an SP1 machine using USB drives should be used to this anyway. You could add some social engineering in there: "Oh, let me show you this game..." which is just a batch that calls the payload and then runs sol.exe (Solitaire). They may look at you like you are crazy because you are raving about Solitaire; you will just have to continue playing it off. Just tell them you have uber micro in Solitaire and they can't compete with you. Play Solitaire just long enough to get the payload done, then tell them they win and go to Minesweeper. =)

You could do the same thing with a picture instead of a game.

P.S. - Anyone know the cheat in Minesweeper that changed the top-left pixel black if it was a bomb?


Nope, but you can get an instant win in Solitaire with Alt-Shift-2 (alphanumeric).


To make it even better, offer to deathmatch them in multiplayer Solitaire. OK, I'm done derailing the thread. It's a bummer about the SP0/SP1 bug. No wait, feature. Hmm... Maybe that's a mitigation technique. Calling all systems administrators! Protect yourself from the dreaded Switchblade by downgrading all of your machines to SP0!!

Oh, for real this time, I'll stop being silly (one of those days). I guess U3 FTW.


Was wondering if anyone was working on making this cross-platform at all? Specifically with pseudobreed's payload; I love it :)

Also, pseudobreed, I saw that you're working on a way to do a NAT-to-NAT connection; that would be really nice if you figure that out. Just curious: is there a way to configure port forwarding via the command line?


Ditto, I'm also considering discontinuing work on AVKill for now, I wanna see where this is going...

It's a great project; it shows what can be done, but as VaKo said the potential for abuse is colossal... I won't give anyone ideas, but we all know what could be added to this, or things that could modify it, that could make this an EXTREMELY destructive tool...


So there's the USB Switchblade, the USB Hacksaw, and the USB Chainsaw. So what's next, the USB Atom Bomb, the USB Sarin Nerve Gas, or the USB Chuck Norris?

But seriously, a potential solution, although not a good one, is to make a version that pops up a message box that lets the user (or should I say viewer) know what it's doing as it's doing it.


@G-Stress

I found an app that works connecting NAT to NAT; however, it was not very discreet. Then I started working on an app that would find the hwnd of an icon so I could get rid of it from the system tray. Then I decided I was going about it the wrong way, and I'm working on OpenVPN now, especially since my router has a client in it.

As for protection, disable autorun for starters. For the semi-savvy, always hold down Shift. On the U3 you have to hold it down a little longer as the drive inserts: first the CD-ROM is installed, and then it autoplays.

Remove the AutoPlay 'feature' from the right-click menu on removable/CD-ROM drives?

Or maybe only allow USB drives that have a certain serial number to mount.

It has always been said: any machine that someone can physically get to is not secure.

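The serial-number idea above, as an added example that is not code from the thread or from the Switchblade project: it audits the USB mass-storage devices Windows has recorded against an allowlist of drive serials. Input lines are device instance IDs in the form Windows keeps under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (Disk&Ven_...&Prod_...&Rev_...\<serial>&<instance>); the sample IDs and the allowlist are constructed for the example, and the "second character is '&' means Windows generated the serial" rule is a forensic convention, not something the thread states.

```python
import re

# USBSTOR instance ID: Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
# (the kind may also be CdRom, which is how the emulated half of a U3 stick appears)
USBSTOR_RE = re.compile(
    r"^(?:USBSTOR\\)?(?P<kind>Disk|CdRom)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<serial>.+)&(?P<instance>\d+)$",
    re.IGNORECASE,
)


def parse_usbstor(instance_id):
    """Split a USBSTOR instance ID into its fields, or return None if it does not parse."""
    m = USBSTOR_RE.match(instance_id.strip())
    if not m:
        return None
    d = m.groupdict()
    # A device that reports no serial gets a Windows-generated ID whose second
    # character is '&'. Such IDs are not stable across machines or ports, so
    # they cannot be put on an allowlist reliably.
    d["generated_serial"] = d["serial"][1:2] == "&"
    return d


def audit_usbstor(instance_ids, allowed_serials):
    """Return one (serial, kind, verdict) tuple per recorded device.

    Verdicts: "allowed" (serial on the list), "unknown" (not on the list),
    "no-serial" (Windows-generated ID), "unparsed" (not a USBSTOR ID).
    """
    allowed = {s.upper() for s in allowed_serials}
    findings = []
    for iid in instance_ids:
        dev = parse_usbstor(iid)
        if dev is None:
            findings.append((iid, "?", "unparsed"))
            continue
        if dev["generated_serial"]:
            verdict = "no-serial"
        elif dev["serial"].upper() in allowed:
            verdict = "allowed"
        else:
            verdict = "unknown"
        findings.append((dev["serial"], dev["kind"], verdict))
    return findings


# Constructed sample data (not taken from a real machine). The first two entries
# share a serial: they are the disk and the emulated CD-ROM of one U3-style
# stick, so an allowlist keyed on serial covers both halves. The last entry is
# a stick that reported no serial number at all.
SAMPLE_IDS = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0123456789ABCDEF&0",
    r"USBSTOR\CdRom&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0123456789ABCDEF&1",
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\00A1B2C3D4E5&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1A2B3C4D&0",
]
ALLOWED = ["0123456789abcdef"]   # hypothetical approved stick

if __name__ == "__main__":
    for serial, kind, verdict in audit_usbstor(SAMPLE_IDS, ALLOWED):
        print(f"{verdict:9} {kind:5} {serial}")
```

This only audits what has already been plugged in (the USBSTOR key is populated the moment the stick enumerates); actually refusing to mount an unlisted stick needs a control at the driver or policy level, which is the harder part of the suggestion. The "no-serial" verdict is the caveat to plan for: cheap sticks with no serial cannot be allowlisted by serial at all.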

This worries me, the potential for abuse is horrific. What protection is there against the switchblade beyond hot gluing the usb ports?

Just don't let anyone near your comp unless they are your friends... and your friends wouldn't do it except as a joke, so it doesn't really matter.

But yeah, most people wouldn't exploit something like this, and the script kiddies don't want to get near what they are attacking because they are scared of getting caught.

But I could be wrong.

Edit: I think http://hak5.org/wiki/USB_Antidote needs to be updated and improved :P


My main concern was just that a USB drive looks so benign, and that the hack is far more widely known than any means of defeating it (the hack was a front-page Digg in a matter of hours; I've yet to see a counter to it). It's also pretty script-kiddie friendly; it doesn't require that much skill to download and use. While I'm all for public disclosure of exploits, some consideration to a fix must be given. It's not just a case of personal systems, it's a case of school systems, which given the audience age of hak5 might be an issue. I know I was a dumb fuck at school; who else would admit that of themselves? Turning off autorun is one thing, but it's only a stop-gap. Would something that scanned the removable drives at boot, then denied any drives that were subsequently added to run anything, work?


I know I was less than a model student as far as school and IT facilities went, and I do know I would've pushed that little bit harder if (the computers back then had USB and) I'd had the Switchblade at my disposal... VaKo does have a point; it's not personal systems so much as public terminals: schools, colleges, libraries, photo kiosks and even your office machines at work... With the ability to be modified to spread itself and all, I think it could be something of a problem there...

On the flip side though, it will indeed teach the admins of those machines to keep an eye out...


I would start by rewriting the drivers that Windows uses when mounting removable drives.

Maybe make an app that reinstalls new drivers (like a rootkit would), then have it compare to a list of serial numbers? If it's on the list, then mount the drive; otherwise leave the drive in the "ejected" state.

Then maybe email the sysadmin that an alien drive has been inserted in system "such and such"; please run over and take the USB drive away from them.

These people will actually test your network for this type of vulnerability.

Hacksafe can provide these physical penetration tests, and vulnerability analysis for removable media such as USB flash drives. Contact a senior consultant to discuss.

Now that I think about it: turn off autorun. As soon as you do that, you level the field. Then you just have to worry about physical access to the machine. That has always been a concern for anyone in security, and they should have a proper setup on the machine to limit physical access.

I know of a couple of places where you have to go through a metal detector and cannot bring in keys, pens, USB drives or iPods. And the machine itself is in a case locked down so you have no access to the CD-ROM drive or mobo. The internet access is limited to an internal proxy where some type of IDS checks all outgoing traffic.

Then, with all of that, they have an open Wi-Fi into the network. Ha. However, the above machine is still behind another firewall.

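The action-key note quoted earlier in the thread and the "turn off autorun" advice in this post (and in pseudobreed's), worked into one added example that is not code from the thread or from the Switchblade project. It parses an autorun.inf, models whether Windows XP would offer an AutoPlay action for it given the drive type, service pack and the NoDriveTypeAutoRun policy, and emits the registry file that disables autorun. The SP0/SP1 and action-key rules come from the thread and the MSDN text it quotes; the fixed-drive handling, the policy bit model, the XP default value 0x91, the IniFileMapping entry and the sample autorun.inf are this example's own assumptions and constructed input.

```python
import configparser

# Bits of the NoDriveTypeAutoRun DWORD under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
# A set bit means "no autorun for that drive type".
DRIVE_UNKNOWN   = 0x01
DRIVE_REMOVABLE = 0x04   # USB flash drives mount as this type
DRIVE_FIXED     = 0x08
DRIVE_REMOTE    = 0x10
DRIVE_CDROM     = 0x20   # what the emulated CD partition of a U3 stick reports
DRIVE_RAMDISK   = 0x40
DRIVE_NOROOT    = 0x80
XP_DEFAULT_POLICY = 0x91   # XP default (assumed): unknown, remote and no-root drives only
DISABLE_ALL       = 0xFF   # the "turn off autorun" setting


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    Windows matches the section and key names case-insensitively, tolerates
    duplicate keys and ';' comments; configparser needs a few options for that.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}


def autoplay_decision(inf, drive_type, service_pack, policy=XP_DEFAULT_POLICY):
    """Return (command, reason): the open=/shellexecute= target AutoPlay would
    offer for this drive on XP SP<service_pack>, or None and why not."""
    if policy & drive_type:
        return None, "NoDriveTypeAutoRun bit set for this drive type"
    command = inf.get("open") or inf.get("shellexecute")
    if not command:
        return None, "no open= or shellexecute= key"
    if drive_type == DRIVE_CDROM:
        # This is why the U3 CD-ROM partition works on SP0/SP1 while a plain stick does not.
        return command, "CD-ROM media: autorun.inf honoured on every XP service pack"
    if drive_type == DRIVE_REMOVABLE:
        if service_pack < 2:
            return None, "pre-SP2 shell ignores autorun.inf on removable drives"
        if "action" not in inf:
            return None, "SP2+ requires an action= key on removable drives"
        return command, "SP2+ removable drive with action= key"
    if drive_type == DRIVE_FIXED:
        return command, "fixed drive: action= supported but optional (assumed honoured)"
    return None, "drive type not modelled here"


def autorun_policy_reg(policy=DISABLE_ALL):
    """Emit a .reg file that sets NoDriveTypeAutoRun and also maps autorun.inf
    to a non-existent key via IniFileMapping, the extra step recommended for
    XP builds that still parsed autorun.inf for the double-click and
    context-menu handlers even with the policy bits set."""
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]",
        '"NoDriveTypeAutoRun"=dword:%08x' % policy,
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]",
        '@="@SYS:DoesNotExist"',
        "",
    ])


# Constructed sample; not the Switchblade's own autorun.inf.
SAMPLE_INF = r"""[AutoRun]
; constructed sample for the example
open=go.cmd
icon=\setup.ico
label=Removable Disk
action=Open folder to view files
"""

if __name__ == "__main__":
    inf = parse_autorun(SAMPLE_INF)
    for dt, name in ((DRIVE_REMOVABLE, "removable"), (DRIVE_CDROM, "cdrom")):
        for sp in (1, 2):
            print(name, "SP%d" % sp, autoplay_decision(inf, dt, sp))
    print(autoplay_decision(inf, DRIVE_REMOVABLE, 2, policy=DISABLE_ALL))
    print(autorun_policy_reg())
```

The model reproduces the thread's observation directly: the same file yields nothing on a removable drive at SP1, runs at SP2 only because action= is present, and runs on CD-ROM media at any service pack, which is the U3 advantage. Setting the policy to 0xFF suppresses all of them, matching the "level the field" remark. The IniFileMapping entry is the belt-and-braces part: it is what US-CERT advised in TA09-020A before KB967715 corrected the policy handling on XP.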


I hope you won't... :( At least not until it's finished...

Besides, seeing there is an antidote topic means we've got a fix coming anyway...

And it isn't our fault it got on Digg (who put it up there in the first place anyway?).

I really hope we can continue this project.

You guys do have a point that it's easy to download; maybe we should lock up the download links (like they do on some w4r3z boards) so only forum members with, let's say, a minimum of 25 posts can access them?

Besides, you can protect your system against the Switchblade; even without any AV active it can't get sh*t off my PC, but it does work on other PCs.

(Don't ask me how, I don't have a clue :P, but my PC is Switchblade-proof.)


Heh, going pretty well, eh MaxDamage?

Edit: I think there's been so much work that I'm now spoilt for choice when going to extract a bunch of files to my USB drive. One super version combining the lot would be great. Perhaps a setup install, allowing people to choose what type of drive they want / what they want the drive to do.

I guess it's easy for me to say this rather than get down and write it myself.

Keep it up guys.
