
USB Switchblade Development


Darren Kitchen


I have been running Siliv's version of Switchblade, and it is sweeeeet! Just one question, though (there's always one):

After the drive has been inserted, and the user has clicked the "Open.." in autorun, switchblade does its thing. I can see a problem right away in that it doesn't open an explorer window, so were I to pass this to someone at, say a LAN, they would straight away know that something is screwy.

I have tried adding this to just before the :END call:

start explorer.exe ....

but this seems to have no effect. Anyone else have any ideas how I could get it to open explorer when it's done its thing, so that it doesn't arouse suspicion?

Cheers


> I have been running Siliv's version of Switchblade, and it is sweeeeet! Just one question, though (there's always one):
>
> After the drive has been inserted, and the user has clicked the "Open.." in autorun, switchblade does its thing. I can see a problem right away in that it doesn't open an explorer window, so were I to pass this to someone at, say a LAN, they would straight away know that something is screwy.
>
> I have tried adding this to just before the :END call:
>
> start explorer.exe ....
>
> but this seems to have no effect. Anyone else have any ideas how I could get it to open explorer when it's done its thing, so that it doesn't arouse suspicion?
>
> Cheers

Have you tried adding it to the beginning of the file? From what I can tell this would be a much smarter approach because it will not delay (especially on slower machines).


> Have you tried adding it to the beginning of the file? From what I can tell this would be a much smarter approach because it will not delay (especially on slower machines).

Tried that just then, still nothing. Even changed the command to be

start explorer

or

start explorer

but while it works properly if I double-click the go.cmd file, running it via autoplay seems to ignore this.

Even tried the suggestions put forward in this post, but nothing :S


Look at the code a 2nd time. You've forgotten a single point.

It has to be:

start explorer .....

The single point says that from this path to 2 instances up.

Alternatively, you can add this line (at the top or at the end) to define the drive.

(Info: it only works if the file autorun.inf (which is changeable) exists on the drive.)

for %%i in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do if exist %%i:\autorun.inf start %Windir%\explorer.exe %%i:\

(Untested with start; I set a var with this line.)

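The drive-finding loop above only fires if Windows still honours AutoRun for the drive and an autorun.inf is sitting on it, which is also exactly what a defender should check for. The following PowerShell audit is an added example, not code from this thread or from any Switchblade payload: it reads the NoDriveTypeAutoRun policy from both hives and lists any removable or CD-ROM drive that currently carries an autorun.inf, together with the open=/shellexecute= lines that AutoRun would launch. The registry paths and the bitmask meaning are standard Windows policy values; the two function names are my own.

```powershell
# Added example, not code from the thread: audit a Windows host for the two
# things an autorun-launched payload depends on, (1) AutoRun being honoured
# for removable/CD drives and (2) an autorun.inf present on such a drive.
# Registry paths and the NoDriveTypeAutoRun bitmask are standard Windows
# policy values; the function names are the author's own (hypothetical).

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
    # disabled; 0xFF disables it for every drive type. The machine policy
    # (HKLM) takes precedence over the per-user value (HKCU).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $shown = if ($null -eq $v) { 'not set' } else { '0x{0:X2}' -f [int]$v }
        [pscustomobject]@{
            Hive        = $p.Split(':')[0]
            Value       = $shown
            AllDisabled = ($null -ne $v) -and (([int]$v -band 0xFF) -eq 0xFF)
        }
    }
}

function Find-RemovableAutorun {
    # DriveType 2 = removable disk, 5 = CD-ROM; a U3 "virtual CD" partition
    # such as the one the Hacksaw lives on enumerates as a CD-ROM drive.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=5' |
        ForEach-Object {
            $inf = Join-Path $_.DeviceID 'autorun.inf'
            if (Test-Path -LiteralPath $inf) {
                # Pull the open=/shellexecute= lines: that is what AutoRun
                # would run when the user clicks "Open" in the AutoPlay prompt.
                $launch = Select-String -LiteralPath $inf -Pattern '^\s*(open|shellexecute)\s*=' |
                    ForEach-Object { $_.Line.Trim() }
                [pscustomobject]@{
                    Drive    = $_.DeviceID
                    Label    = $_.VolumeName
                    Autorun  = $inf
                    Launches = ($launch -join '; ')
                }
            }
        }
}

Get-AutorunPolicy     | Format-Table -AutoSize
Find-RemovableAutorun | Format-List
```

Anything short of 0xFF in the HKLM value leaves some drive type eligible for AutoRun (the XP-era defaults left CD-ROM drives eligible, which is why a U3 "virtual CD" was the delivery trick of choice), so AllDisabled = True on the HKLM row is the setting to look for; a non-empty Launches column on a drive that nobody expects to carry an autorun.inf is the thing to investigate.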

> Look at the code a 2nd time. You've forgotten a single point.
>
> It has to be:
>
> start explorer .....
>
> The single point says that from this path to 2 instances up...

Don't know what to tell you, my original code appears to work just fine on every system I've tried it on...

It's possible that it's my system that's causing that method to not work, as I have only tried it on this one so far. Over the weekend, I'll be able to test it on some other machines, and see which method works on those.


I've finally put my payload onto the wiki.

At the moment I have not included the Hacksaw, but I will be doing this soon when I have time.

The development thread for my payload is here (yes, setzer1411 did spell my name wrong).

I have also made a small site for my payload. This is where the most recent, up-to-date information will always be; I will try to cover all questions from the forums in the FAQ there as well: http://www.users.on.net/~simmo_89/switchblade/Index.html


Hi, today something weird happened to my hacksaw. All the files just disappeared. All the files from the cmd folder, all the documents, even the script on the virtual CD-ROM. Only the file "PKIIntro" remains on the CD. Most of the files aren't detected by an antivirus, so it couldn't have deleted them. All the files were even read only.

How can this happen?


> Hi, today something weird happened to my hacksaw. All the files just disappeared. All the files from the cmd folder, all the documents, even the script on the virtual CD-ROM. Only the file "PKIIntro" remains on the CD. Most of the files aren't detected by an antivirus, so it couldn't have deleted them. All the files were even read only.
>
> How can this happen?

You might have "Hide protected operating system files" turned on. Click "Tools" in Explorer, then go to "Folder Options," then "View," and finally uncheck "Hide protected operating system files." Here's a screen capture for you:

[screenshot: 50681364.png]
The script for getting all the account info for email addy and pass is great! Is there one in order to get the myspace password also??

Just curious. . . . . . . . . .

Depending on whether the user has saved the password this COULD be retrieved through either lsa secrets, IE password or Firefox password. As far as I know there is no special way that a myspace password is saved, maybe myspace IM saves it somewhere?? I don't know I've never used it.


I've made my own payload {version?} of switchblade, is it worth putting it on the wiki?

features include

-ftp

-rar file (encrypted)

-choices on which files to run

-easily customisable batch file

-pre compiled stealth exe

and some more random stuff

Download it here

or go to the homepage

Nope.

Stealth exe?

Can I have the source code for that please?


So, I'm in process of re-writing the switchblade 'code' into vbs. It's based on GonZor's method so it uses the ###.dat files

This is so that I can output the data into HTML format (very similar to WinAudit html)

Now here comes one question/decision. Since vbs is more powerful than a simple batch file, I can either

A. wshell.exec ("net user") which will be very fast and give me a list of users

B. Use WMI or another technique and get vastly more data

AccountType Caption Description Disabled Domain FullName LocalAccount Lockout
Name PasswordChangeable PasswordExpires PasswordRequired SID SIDType Status

After doing some testing it appears that as expected wshell.exec is almost instantaneous whereas WMI or another method takes 20 seconds.

Which would you prefer? I suppose I could just code both and then the user could just put a 1 or 2 in the dat file and I'll run the appropriate one.


> I've made my own payload {version?} of switchblade, is it worth putting it on the wiki?
>
> features include
>
> -ftp
>
> -rar file (encrypted)
>
> -choices on which files to run
>
> -easily customisable batch file
>
> -pre compiled stealth exe
>
> and some more random stuff
>
> Download it here
>
> or go to the homepage
>
> Nope.
>
> Stealth exe?
>
> Can I have the source code for that please?

Incidentally firepassword shows as a virus with NAV


Ok, so I'd like to know what executables are detectable as viruses. pwdump is... I plan to fix that right now. PM me on irc if you have a better idea. nick == Brainkill

=====================

pwdump and its dependencies can be encrypted. I'll post links below to the programs. Standard Disclaimers Apply!

http://www.brainkill.net/hack/pwdump.exe

http://www.brainkill.net/hack/pwservice.exe

http://www.brainkill.net/hack/LsaExt.dll

=======================

How in the world did you encrypt them?

I know how to make executables undetectable...that is...until I run them :sad:
