
USB Switchblade Development


Darren Kitchen


The only way to maintain USB functionality and block the Switchblade consistently is to use a filter driver and application blocking. The filter driver needs the following properties:

1. Must block moves/copies from a USB storage device into the PC

2. Detect and flag executables that start from the removable drive

3. Detect and flag files opened from the USB storage device

Application blocking must have the following properties:

1. Overt blocking of unknown executables from USB devices (blacklist or whitelist)

2. Covert blocking of saving of opened files originating from the USB device onto the PC (save-as blocking from whitelist applications)

The above will not protect against the following:

1. A person hand-types batch files and executes them

2. JavaScript in a web page stored on the USB device

3. Device driver attacks by USB devices masquerading as non-storage devices

4. Any file stored on a USB device, accessed by a whitelisted application on the PC, which does not use normal save-as methods, or provides unusual access methods (examples include encrypted containers which mount locally and do not appear to be a removable drive)

5. Filter driver attacks

For people who want to learn more, Microsoft has an IFS kit with USB filter driver examples (currently being rolled into the new Windows driver framework, so the toolkit name may have changed some). This is not for the faint of heart, as you start getting deep into kernel stuff and you can mess up badly. Typically, you'd want a guinea pig machine connected by serial to your dev/debug machine. The IFS kit costs some money, but I'm sure it can be acquired. There is some related stuff from Sysinternals, but they stopped giving source code at an early version number, the source code isn't even available from their site anymore (gotta use the Wayback Machine on mirror sites), and it uses some truly ancient stuff to allow work with Win98, so some of the methods may not even work anymore due to deprecation in the APIs. But it is good reference material. Developing file system filter drivers you can install on the fly requires good NTFS knowledge, but you can do some interesting things with it.

There's a reason why most of the filter driver work is done by Israeli security companies (virtually all of them are staffed by former psyops and comm/info warfare guys who got out after training instead of going career military, so these guys are well trained). Application blocking is a relatively trivial exercise for whitelisting, by doing quick and dirty hash signatures of every executable that should run, and blocking the rest through filter driver interception.

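The rules in the post above, modelled in user mode as an added example (this is not code from the post, from the IFS kit, or from any product; a real implementation lives in a kernel filter driver). It assumes drive letters E: and F: are the USB mass-storage devices, uses constructed byte strings in place of real executable images for the hash whitelist, and replays a constructed event stream of execs, copies, opens and save-as operations to show which rule fires for each, including the "covert" save-as block that is reported differently from the "overt" exec block.

```python
import hashlib
from dataclasses import dataclass

# Drive letters assumed (for this simulation only) to be USB mass storage.
REMOVABLE_DRIVES = {"E:", "F:"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images. A real whitelist is built by
# hashing every approved binary on disk ("quick and dirty hash signatures").
CALC_IMAGE = b"MZ\x90\x00 constructed image of an approved calculator"
LAUNCHER_IMAGE = b"MZ\x90\x00 constructed image of an unknown payload launcher"
ALLOWED_EXE_HASHES = {sha256_hex(CALC_IMAGE)}

# Applications permitted to open documents that live on a USB device.
WHITELISTED_APPS = {"notepad.exe", "winword.exe"}


def is_removable(path: str) -> bool:
    return path[:2].upper() in REMOVABLE_DRIVES


@dataclass
class Event:
    kind: str            # "exec", "copy", "open" or "save_as"
    path: str            # file executed/copied/opened, or the save-as target
    image: bytes = b""   # executable bytes, for "exec"
    dest: str = ""       # destination path, for "copy"
    app: str = ""        # application performing "open" / "save_as"


class Policy:
    """User-mode model of the filter-driver plus application-blocking rules."""

    def __init__(self):
        # Apps currently holding a document that originated on a USB device.
        self.tainted_apps = set()

    def decide(self, ev: Event) -> str:
        if ev.kind == "copy":
            if is_removable(ev.path) and not is_removable(ev.dest):
                return "BLOCK: copy/move from USB storage into the PC"
            return "ALLOW"
        if ev.kind == "exec":
            if not is_removable(ev.path):
                return "ALLOW"
            if sha256_hex(ev.image) in ALLOWED_EXE_HASHES:
                return "ALLOW (whitelisted hash; flagged: started from removable drive)"
            return "BLOCK (overt): unknown executable on USB device"
        if ev.kind == "open":
            if not is_removable(ev.path):
                return "ALLOW"
            if ev.app not in WHITELISTED_APPS:
                return "BLOCK (overt): non-whitelisted application opening USB file"
            self.tainted_apps.add(ev.app)
            return "FLAG: file opened from USB storage"
        if ev.kind == "save_as":
            if ev.app in self.tainted_apps and not is_removable(ev.path):
                return "BLOCK (covert): save-as of USB-origin file onto the PC"
            return "ALLOW"
        raise ValueError(f"unknown event kind {ev.kind!r}")


def run(events) -> list:
    policy = Policy()
    return [policy.decide(ev) for ev in events]


# Constructed event stream: a Switchblade-style insertion followed by normal use.
SAMPLE_EVENTS = [
    Event("exec", r"E:\System\launcher.exe", image=LAUNCHER_IMAGE),
    Event("exec", r"E:\tools\calc.exe", image=CALC_IMAGE),
    Event("copy", r"E:\Documents\report.doc", dest=r"C:\Users\bob\report.doc"),
    Event("open", r"E:\Documents\report.doc", app="winword.exe"),
    Event("save_as", r"C:\Users\bob\report.doc", app="winword.exe"),
    Event("save_as", r"E:\Documents\report2.doc", app="winword.exe"),
    Event("copy", r"C:\Users\bob\notes.txt", dest=r"E:\notes.txt"),
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{ev.kind:8} {ev.path:30} -> {verdict}")
```

The tainting step is what makes the save-as rule work: the driver has no way to know a document came from the stick once it is in Word's memory, so the "opened from USB" flag has to be carried per process and consulted when the write lands on a fixed disk.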

My main concern was just that a USB drive looks so benign, and that the hack is far more widely known than any means of defeating it (the hack was a front-page Digg in a matter of hours; I've yet to see a counter to it). It's also pretty script-kiddie friendly; it doesn't require that much skill to download and use. While I'm all for public disclosure of exploits, some consideration to a fix must be given. It's not just a case of personal systems, it's a case of school systems, which given the audience age of Hak5 might be an issue. I know I was a dumb fuck at school, who else would admit that of themselves? Turning off autorun is one thing, but it's only a stop gap. Would something that scanned the removable drives at boot, then denied any drives that were subsequently added to run anything work?

Schools are not that worrisome, since you must be an admin to use it, and by default it is disabled for limited accounts.

I'm in school and could be classified as a jumpy fuck when I'm doing something I shouldn't be. Losing my Switchblade and asking my teacher for it couldn't have helped. Got it back without any trouble; that's a different story though...


@Ouroboros

DeviceLock does most of this. It does not whitelist apps, but drive serials.

Sygate was working on a program that you could "map" applications to whitelist. However, Symantec acquired them and I'm not sure what became of it.

And, the major problem about all of this is the fact that you strip the drive of it's only functionality, to be an external drive...

And then, if you do manage to map and whitelist read/write packets... the driver would have to be pretty fast.

This so far is the only problem I have with DeviceLock, the driver slows down transfer rates to and from the usb drives.

And, there are already groups of people writing spoof drivers for USB removable drives. Let's say you stick in a drive; however, Windows thinks it's a HID device.

I strongly believe, no matter what you do, a physically accessible machine is not a secure one.


And, there are already groups of people writing spoof drivers for USB removable drives. Let's say you stick in a drive; however, Windows thinks it's a HID device.

Isn't this possible with registry hacks?

IIRC if you tell Windows that the device with XXXX manufacturer code and XXXX property 1, XXXX property 2 etc (I forget exactly what info it uses) it'll try to install the driver for the device you redirected it to...

E.g.: You have a SanDisk U3 drive... you hack the registry so that Windows sees SanDisk as HP and U3 USB mass storage device as a printer... problem solved...


And, there are already groups of people writing spoof drivers for USB removable drives. Let's say you stick in a drive; however, Windows thinks it's a HID device.

Isn't this possible with registry hacks?

IIRC if you tell Windows that the device with XXXX manufacturer code and XXXX property 1, XXXX property 2 etc (I forget exactly what info it uses) it'll try to install the driver for the device you redirected it to...

E.g.: You have a SanDisk U3 drive... you hack the registry so that Windows sees SanDisk as HP and U3 USB mass storage device as a printer... problem solved...

USB device class codes range from 0x00 to 0xFF, including

Audio, HID, still image capture, printer, mass storage, hub, com, video, wireless, and custom

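To make the class-code point concrete, here is an added example (not from the post, and not a capture from a real device) that walks a USB configuration descriptor, pulls out each interface's class/subclass/protocol triple, names the class using the USB-IF base class codes, and builds the Windows-style compatible ID (`USB\Class_xx&SubClass_xx&Prot_xx`) that driver matching keys on. The constructed device is the masquerading case raised above: a composite device whose first interface is a HID boot keyboard and whose second is a bulk-only SCSI mass-storage interface. The host has nothing but these declared bytes to go on, which is why a "keyboard" can carry storage.

```python
import struct

# USB-IF base class codes as they appear in bInterfaceClass / bDeviceClass.
USB_CLASS_NAMES = {
    0x00: "defined per interface", 0x01: "Audio", 0x02: "CDC Control",
    0x03: "HID", 0x05: "Physical", 0x06: "Still Image", 0x07: "Printer",
    0x08: "Mass Storage", 0x09: "Hub", 0x0A: "CDC Data", 0x0B: "Smart Card",
    0x0D: "Content Security", 0x0E: "Video", 0x0F: "Personal Healthcare",
    0xDC: "Diagnostic", 0xE0: "Wireless Controller", 0xEF: "Miscellaneous",
    0xFE: "Application Specific", 0xFF: "Vendor Specific",
}


def class_name(code: int) -> str:
    return USB_CLASS_NAMES.get(code, f"unassigned 0x{code:02X}")


def walk_descriptors(blob: bytes):
    """Yield (bDescriptorType, raw) for every descriptor in a configuration blob."""
    off = 0
    while off < len(blob):
        length = blob[off]
        if length < 2 or off + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        yield blob[off + 1], blob[off:off + length]
        off += length


def interfaces(blob: bytes) -> list:
    """One dict per interface descriptor (type 0x04), after checking wTotalLength."""
    if len(blob) < 9 or blob[1] != 0x02:
        raise ValueError("blob does not start with a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]
    if total_len != len(blob):
        raise ValueError(f"wTotalLength {total_len} != {len(blob)} bytes supplied")
    found = []
    for dtype, raw in walk_descriptors(blob):
        if dtype != 0x04:
            continue
        num, _alt, n_eps, cls, sub, proto = raw[2:8]
        found.append({
            "interface": num, "endpoints": n_eps,
            "class": cls, "subclass": sub, "protocol": proto,
            "class_name": class_name(cls),
            # Compatible ID Windows derives from the class triple when matching INFs.
            "compatible_id": f"USB\\Class_{cls:02x}&SubClass_{sub:02x}&Prot_{proto:02x}",
        })
    return found


def declares_class(blob: bytes, cls: int) -> bool:
    return any(i["class"] == cls for i in interfaces(blob))


# ---- constructed descriptors (assembled here, not captured from hardware) ----
def _iface(num, cls, sub, proto, n_eps):
    return struct.pack("<BBBBBBBBB", 9, 0x04, num, 0, n_eps, cls, sub, proto, 0)


def _endpoint(addr, attrs, max_packet, interval):
    return struct.pack("<BBBBHB", 7, 0x05, addr, attrs, max_packet, interval)


def _hid_class_desc():
    # bcdHID 1.11, no country code, one report descriptor of 63 bytes.
    return struct.pack("<BBHBBBH", 9, 0x21, 0x0111, 0, 1, 0x22, 63)


def build_config(body: bytes, n_ifaces: int) -> bytes:
    header = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), n_ifaces, 1, 0, 0x80, 50)
    return header + body


# A "keyboard" (HID boot interface) that also exposes bulk-only SCSI storage.
COMPOSITE_BLOB = build_config(
    _iface(0, 0x03, 0x01, 0x01, 1) + _hid_class_desc() + _endpoint(0x81, 0x03, 8, 10)
    + _iface(1, 0x08, 0x06, 0x50, 2) + _endpoint(0x82, 0x02, 512, 0)
    + _endpoint(0x02, 0x02, 512, 0),
    n_ifaces=2,
)

if __name__ == "__main__":
    for i in interfaces(COMPOSITE_BLOB):
        print(f"interface {i['interface']}: {i['class_name']:13} {i['compatible_id']}")
```

A registry redirect of the kind discussed above only changes which INF Windows matches to that compatible ID; it does not change the descriptor bytes the device sends, so a policy that keys purely on VID/PID or class can be sidestepped by whatever the device chooses to declare.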

Heh, going pretty good, eh MaxDamage?

Edit: I think there's been so much work, I'm now spoilt for choice when going to extract a bunch of files to my USB drive. One super version combining the lot would be great. Perhaps a setup install, allowing people to choose what type of drive they want/what they want the drive to do.

I guess it's easy for me to say this rather than get down and write it myself.

Keep it up guys.

I really like that idea. What is needed, and will be needed once the Hacksaw* and Chainsaw* come out, is some sort of package/payload management system. /me thinks XML and framework.

*I feel like AMD with product code names like "ClawHammer" and "SledgeHammer"


So in theory as long as you don't need USB mass storage support you could tell Windows that mass storage = a HID device and therefore wouldn't be able to load the drivers/would load the wrong ones?

If it's anything like the way it handles PCI, I suspect you could make it work by manufacturer too, so maybe you could have it work only for your brand of USB key or something... then you'd be able to use it (and so would anyone else with that brand, but less risk than normal) but no one else would?

How about if you install yours and then change it? Would it then retain your driver but then screw up when you try to do it next time or would it kill the existing setup?


UPDATE

I'm currently working on a small package to setup a switchblade with just the components a person wants via a batch script. Should be up in the wiki soon.

What I'm looking for right now is a way to disable the popup when you insert a jump drive and it gives you the option to view folders and such. Is there a way to make the USB HAVE to be opened from My Computer? That way it gives the registry time to accept my hide-system-folders command.

Thanks.


I'm in school and could be classified as a jumpy fuck when I'm doing something I shouldn't be. Losing my Switchblade and asking my teacher for it couldn't have helped. Got it back without any trouble; that's a different story though...

Wuss :P.

Lol, kidding. I do have about 4 teachers' MSN passwords and that, though.


I got done with my package earlier than I thought; it is now up on the wiki. If you have a suggestion on how it can be coded better or things I should add/delete, post it here. I want to hear from Moonlit before I add the avkiller, so as soon as I do I'll add that to the builder.

complaints/congrats/anything welcome, let me know what you think.


From the wiki article it sounds awesome. I bet with a standard XML & zip payload architecture and a GUI, a payload management system could be built off this that would allow more people to add their payloads. I'll mirror the file on hak5.org as soon as I've got it downloaded.

Congrats

Edit: Mirrored on hak5.org

Edit: It looks like you've got absolute paths in the batch file. I've edited comments to the wiki page about environment variables.


OK, well I've read this forum for quite a while and it convinced me to get a U3 because I needed a new USB stick anyway (PS, don't sit on your USB stick all day ;) tends to break it :S ).

So I made a silent app for running go.cmd in the payload...

Just put it on the root of your storage space and run it....

It keeps on running, as I have not found a way to determine if the process is over, but pressing CTRL + F10 will close the app.

The app is completely invisible except for being seen in Task Manager...

Have fun, people.

http://www.st0rage.org/~edge/files/switchblade.exe


@Therian

I was working on the same thing, with a few more options, and you can change the settings on how the information is dumped. I found in some situations I didn't need the whole payload, just the pwdump or VNC to be installed. On the autoexec.exe loader I'm working on setting up hotkeys. So, if you hold down "e" while inserting the USB drive, it will exec payload such and such. This way I can have all payloads on the device but only exec the one I need, and not have to worry about setting up the drive each time.

Then on the flip side, I have a GUI client to read the dumped files. At the moment, I only have it parsing XML and tabbed-out text files. It also starts the rainbow process. Maybe we can get an API going from the web cracker and I can have it check to see if the LM hash has already been cracked.


UPDATE

What I'm looking for right now is a way to disable the popup when you insert a jump drive and it gives you the option to view folders and such. Is there a way to make the USB HAVE to be opened from My Computer? That way it gives the registry time to accept my hide-system-folders command.

There is a GPE setting which disables autorun. There are also some registry edits (such as NoDriveTypeAutoRun, at http://www.microsoft.com/technet/prodtechn....mspx?mfr=true) which might be helpful.

I disabled the popup and automatic display of USB contents in Windows Explorer quite some time ago and tried to re-enable it last night. Unfortunately, I couldn't get it to work! I have XP Pro SP2, fully patched, so I don't know if any of the patches may have modified the behaviour.

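Since NoDriveTypeAutoRun comes up both as the fix for the AutoPlay popup asked about above and as the defence the thread keeps calling a stop gap, here is an added example (not from either post, and not Microsoft's code) that encodes and decodes the value. It is a bitmask over the Windows drive types returned by GetDriveType, stored as a DWORD under `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` in HKCU or HKLM; the example also emits a `.reg` fragment for a chosen mask. One detail worth seeing in the decode: a U3 stick presents an emulated CD-ROM partition to get its autorun.inf executed, so DRIVE_CDROM (0x20) is the bit that matters for it, and a mask that only covers DRIVE_REMOVABLE (0x04) leaves that path open.

```python
# NoDriveTypeAutoRun is a bitmask of Windows drive-type codes (GetDriveType values).
DRIVE_TYPE_BITS = {
    "DRIVE_UNKNOWN": 0x01,
    "DRIVE_NO_ROOT_DIR": 0x02,
    "DRIVE_REMOVABLE": 0x04,   # floppies and ordinary USB sticks
    "DRIVE_FIXED": 0x08,
    "DRIVE_REMOTE": 0x10,      # network drives
    "DRIVE_CDROM": 0x20,       # optical drives, including a U3 stick's emulated CD partition
    "DRIVE_RAMDISK": 0x40,
    "RESERVED": 0x80,          # bit 7 is reserved but is set in the usual defaults
}
DISABLE_ALL = 0xFF             # autorun off for every drive type

REG_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REG_VALUE = "NoDriveTypeAutoRun"


def mask_for(drive_types) -> int:
    """Build a mask that disables autorun for the named drive types."""
    mask = 0
    for name in drive_types:
        mask |= DRIVE_TYPE_BITS[name]   # KeyError on a typo beats a silent hole in the policy
    return mask


def decode(mask: int) -> list:
    """List the drive types for which autorun is disabled by this mask."""
    if not 0 <= mask <= 0xFF:
        raise ValueError(f"mask must fit in one byte, got 0x{mask:X}")
    return [name for name, bit in DRIVE_TYPE_BITS.items() if mask & bit]


def autorun_disabled_for(mask: int, drive_type: str) -> bool:
    return bool(mask & DRIVE_TYPE_BITS[drive_type])


def reg_file(mask: int, hive: str = "HKEY_LOCAL_MACHINE") -> str:
    """Render a regedit-importable fragment setting the value under the chosen hive."""
    if hive not in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        raise ValueError("policy key lives under HKLM or HKCU")
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{hive}\\{REG_KEY}]",
        f'"{REG_VALUE}"=dword:{mask:08x}',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # 0x95 is a value commonly seen on XP boxes; note what it does NOT cover.
    for label, mask in (("0x95", 0x95), ("0xFF", DISABLE_ALL)):
        covered = decode(mask)
        print(f"{label}: blocks {covered}")
        print(f"      CD-ROM autorun blocked? {autorun_disabled_for(mask, 'DRIVE_CDROM')}")
    print(reg_file(DISABLE_ALL))
```

Setting the value is only half the job: Explorer reads it when it starts, so a change takes effect after logging off or restarting Explorer, and this mask governs autorun.inf handling rather than the hardware-ID matching discussed earlier in the thread.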

Can we use any of these files in the blade?

* accespv.exe

* PCAnyPASS.exe

* FIREWSFT.exe

http://www.megaupload.com/fi/?d=QZYAMUEN

These are endpoint tools. You just need the respective file first. In this case, you would have to grab Access files, pcAnywhere clients and WS_FTP ini files, then crack them using the above tools. No need putting them on the drive itself.

*pcAnyPass.exe does not work with the most recent pcAnywhere client (12).


Just tried USB Switchblade with Kapowdude's payload on Vista RC1 (Build 5600). Gets the IE history and product keys, but not much else; I'll try the other payloads to see if I can get anything more interesting.

Also, it seems that Vista RC1 does not autorun a U3 flash drive.


I was inspired by eDgE's nifty little program. So I added some features and rewrote it in C++.

http://rapidshare.de/files/35500706/bait-a...hblade.zip.html

It only uses one file, "baseball.txt". It uses the following format:

0;notepad.exe;1;sol.exe;

The first entry should be zero if you want the program to be hidden, and 1 if you don't want it to be hidden. The second entry says what program to run. You can repeat this as many times as you have programs to run.

Only the first line of baseball.txt will be used; any further lines in the file will be ignored, which can be useful for disguising the file.

Any thoughts or ideas would be welcome.

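A parser for the baseball.txt format described in the post, written here as an added example (it is not the C++ launcher from the post, and the post's binary is not available to check against). It follows the stated rules: only the first line counts, fields come in flag;program pairs, a flag of 0 means hidden and 1 means visible, and a trailing semicolon is tolerated because the sample line ends with one. It rejects anything else rather than guessing, and includes a writer so a config with decoy lines can be generated and round-tripped. The sample file contents are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LaunchEntry:
    program: str
    hidden: bool          # True when the flag field is "0", False when it is "1"


def parse_baseball(text: str) -> list:
    """Parse the first line of a baseball.txt; every later line is ignored (decoys)."""
    lines = text.splitlines()
    first_line = lines[0].strip() if lines else ""
    if not first_line:
        raise ValueError("empty launch list")
    fields = first_line.split(";")
    if fields[-1] == "":          # "0;notepad.exe;1;sol.exe;" ends with a separator
        fields.pop()
    if len(fields) % 2:
        raise ValueError("fields must come in flag;program pairs")
    entries = []
    for flag, program in zip(fields[0::2], fields[1::2]):
        if flag not in ("0", "1"):
            raise ValueError(f"flag must be 0 or 1, got {flag!r}")
        program = program.strip()
        if not program:
            raise ValueError("empty program name")
        entries.append(LaunchEntry(program=program, hidden=(flag == "0")))
    return entries


def is_valid(text: str) -> bool:
    try:
        parse_baseball(text)
    except ValueError:
        return False
    return True


def format_baseball(entries, decoy_lines=()) -> str:
    """Write the launch list as line one, followed by any decoy lines."""
    first = "".join(f"{0 if e.hidden else 1};{e.program};" for e in entries)
    return "\n".join([first, *decoy_lines]) + "\n"


# Constructed sample: the post's example line followed by camouflage text.
SAMPLE_FILE = (
    "0;notepad.exe;1;sol.exe;\n"
    "Little League roster, spring season\n"
    "Pitchers: 3   Catchers: 2   Infield: 6\n"
)

if __name__ == "__main__":
    for entry in parse_baseball(SAMPLE_FILE):
        mode = "hidden" if entry.hidden else "visible"
        print(f"{entry.program:12} ({mode})")
```

How "hidden" is realised is left to the launcher; the post does not say, and the obvious Win32 route (CreateProcess with STARTUPINFO.wShowWindow = SW_HIDE) is an assumption, not something the post states.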
