beakmyn, posted November 30, 2007:
I took the liberty of re-writing the Switchblade in VBS. It now outputs into HTML format and has a few new options. It also uses a payload.ini file instead of the numerous .dat files.

LATEST: http://rapidshare.com/files/79403074/switc...e0.3.2.zip.html

URL history now HTML links.
detox420, posted December 1, 2007:
Idk if I'm maybe doing something wrong. I've edited the ISO file correctly, I'm using the Universal Customizer and I've done it all correctly, but it will only log the WinAudit and nothing else. Am I doing something wrong?
beakmyn (Author), posted December 2, 2007:
Did you edit the payload.ini? I've tested this on three brands of U3 drives without issues. Right now it's set up to log everything except WinAudit.
HarshReality, posted December 2, 2007:
Can you hang an example HTML output file... I haven't got the U3 drive as yet but am curious.
detox420, posted December 2, 2007:
I looked at the INI file and turned some things on in there; for some reason the SBConfig didn't work.
beakmyn (Author), posted December 2, 2007:
This version doesn't use SBConfig. It requires that the user be able to open the payload.ini in Notepad (or another text editor) and manually make edits to the INI file.

http://www.frontiernet.net/~beakmyn/output.jpg

I found a couple of issues. Since I used the WinAudit HTML layout as an example I missed a title block and it will say "WinAudit Freeware v2.27 Unicode". Whoops, not sure how that one slipped past.

Also, if you're going to use this to run an audit against a Windows XP Home Edition machine, be sure to disable cachedump; it doesn't appear to exit gracefully and hangs. This is an issue with cachedump and the fact that an XP Home Edition machine cannot be part of a Windows domain, so no cache information will exist. I think I'll add some checking to force certain tools not to run if the system is XP Home, and possibly if you don't have admin, since the tools will fail anyway.

I'll make the fixes and re-post a new file. Oh, to view the file click on the Computername-date-time.html, not the "left" or "right" file.
HarshReality, posted December 4, 2007:
OK, detailed install instructions for this please... I just got a new drive and wanna play with it.
sablefoxx, posted December 5, 2007:
Great payload, I really <3 the HTML output!!! :-P
HarshReality, posted December 5, 2007:
I downloaded... I installed... I messed up. It stalls with wscript in Task Manager and sits there (if I try and run payload.vbs I get 'error 3 cannot find the path specified'). Where exactly does payload.ini go? I assume flash partition /SRC/payload.ini.

If at first you don't succeed, hak hak again. I think this needs the kill switch though (if safety.txt in C goto end). But maybe I'll get it working today..

Also, since you're creating your HTML output, could you goose this thing to make a copy of the wpl files in the folder (Windows activation; if OS == Windows XP, not sure how that would work)? And make the path for the log changeable (to the Documents folder or something, so I wouldn't have to dive into hidden folders to find it). Just my 2 cents.

I did find out I needed to update the stock LaunchPad to get Vista compatibility... but that doesn't count towards this.

Yet another update... why are there shortcuts for sbs and sbs2 (pointing to OpenSSH and a path to the desktop)?
beakmyn (Author), posted December 8, 2007:
> I downloaded... I installed... I messed up. It stalls with wscript in Task Manager and sits there (if I try and run payload.vbs I get 'error 3 cannot find the path specified'). Where exactly does payload.ini go? I assume flash partition /SRC/payload.ini. If at first you don't succeed, hak hak again. I think this needs the kill switch though (if safety.txt in C goto end). But maybe I'll get it working today.. Also, since you're creating your HTML output, could you goose this thing to make a copy of the wpl files in the folder (Windows activation; if OS == Windows XP, not sure how that would work)? And make the path for the log changeable (to the Documents folder or something, so I wouldn't have to dive into hidden folders to find it).

payload.ini should be in the flash drive partition's src folder. payload.vbs cannot be run without providing the path to the U3 and flash partitions (look at how I call it in autorun); I figured it was easier to pass the paths rather than re-run the drive search utility.

I'll add an option for the output directory into the payload.ini, and I'll add a safety.txt option also.

I'd have to see it lock up to know what it was trying to do. What's the last thing in the HTML? Because I'm bypassing error handling in the VBS it makes it harder to debug. If you wanted I could work with you on manually running it without the "On Error Resume Next" so we could debug it.

> Just my 2 cents. I did find out I needed to update the stock LaunchPad to get Vista compatibility... but that doesn't count towards this.

Hmm, I thought it had the latest Vista-capable LaunchPad. I'll have to get the latest.

> Yet another update... why are there shortcuts for sbs and sbs2 (pointing to OpenSSH and a path to the desktop)?

I think that is for the haksaw, which isn't implemented/tested yet in my code. I'll remove the files and fix the payload since I have no intention of adding them in. I'm still working on a bullet-proof silent device eject.

I'll get an update out early next week.
beakmyn (Author), posted December 12, 2007:
New version:
- Config entry in the INI file for the save-to directory
- c:\safety.txt check
- New version of cachedump (try it out, see the INI file)
- Removed files for haksaw and VNC

Put the payload.ini in <flashdrive>:\System\Src. Use Notepad to view/modify payload.ini.

http://rapidshare.com/files/76123081/flash...em_SRC.zip.html
HarshReality, posted December 12, 2007:
For whatever reason (I can't say for certain since this one is relatively new) the default in your INI is FWDump; when it's selected, cachedump still tries to run and FWDump stalls. When however cachedump is selected it goes smooth as silk. Going to dive a bit further into your code this week and see what I can see.
beakmyn (Author), posted December 13, 2007:
For the cachedump I use either fwdump -w (this tells it to skip dumping passwords and dump the cache) or cachedump.

Interestingly, I found that on my test machine (XP Pro) using fgdump worked but using cachedump (Gonzor's bundled version 1.x) would hang, the opposite of what you see happening. However, my payload now uses Cachedump 1.3.

Note: versions 1.0, 1.1 and 1.2 of cachedump all reported as 1.0 when queried for version. This was fixed in 1.3.

Cachedump is really only valid when a user logs on using a domain account but is not connected to the domain.

Since this seems to be a common sticking point I'm looking into implementing a watchdog timer. So, if the program doesn't close within X seconds I'll force it to close. X would be configured via the payload.ini; typically it should be 2-5 seconds.
HarshReality, posted December 13, 2007:
Sounds like a plan! Somebody throw me the lines for autorun.vbs that would make it not run if the OS is Vista.

Yeah, I know I'm modifying the same post over and over..
HarshReality, posted December 15, 2007:
How does one know when he is really bored....

http://harrea.100webspace.net/SysInfo.jpg

' System information table. objRightFile (the open HTML output stream) and strUserName
' are set earlier in the payload script; this fragment only writes the table rows.
' The table header is added here so the fragment renders on its own (the posted
' snippet began inside the table).
objRightFile.WriteLine "<table align=""center"" bgcolor=""#ffffff"" border=""1"" cellpadding=""2"" cellspacing=""0"" frame=""box"" rules=""all""><tbody><tr>" & _
    "<td class=""colhead""><b>Item</b></td>" & _
    "<td class=""colhead""><b>Value</b></td></tr>"
Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime")
' WMI namespace path: the backslashes were lost when the post was pasted; it must read \\.\root\cimv2
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colOSes = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOS in colOSes
    objRightFile.WriteLine "<tr><td><b>Logged On User</b></td><td>" & strUserName & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Computer Name</b></td><td>" & objOS.CSName & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Caption</b></td><td>" & objOS.Caption & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Build Number</b></td><td>" & objOS.BuildNumber & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Build Type</b></td><td>" & objOS.BuildType & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Boot Device</b></td><td>" & objOS.BootDevice & "</td></tr>"
    ' The property is CountryCode; the posted CCountryCode is a typo that On Error Resume Next would silently blank
    objRightFile.WriteLine "<tr><td><b>Country Code</b></td><td>" & objOS.CountryCode & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Debug</b></td><td>" & objOS.Debug & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Encryption Level</b></td><td>" & objOS.EncryptionLevel & "</td></tr>"
    ' InstallDate is a DMTF datetime string; SWbemDateTime converts it to a VBScript date
    dtmConvertedDate.Value = objOS.InstallDate
    dtmInstallDate = dtmConvertedDate.GetVarDate
    objRightFile.WriteLine "<tr><td><b>Install Date</b></td><td>" & dtmInstallDate & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Licensed Users</b></td><td>" & objOS.NumberOfLicensedUsers & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Organization</b></td><td>" & objOS.Organization & "</td></tr>"
    ' Win32_OperatingSystem exposes OSLanguage (a locale ID), not Language
    objRightFile.WriteLine "<tr><td><b>Language</b></td><td>" & objOS.OSLanguage & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>OS Type</b></td><td>" & objOS.OSType & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Primary OS</b></td><td>" & objOS.Primary & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Registered User</b></td><td>" & objOS.RegisteredUser & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Serial Number</b></td><td>" & objOS.SerialNumber & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Other Type Description</b></td><td>" & objOS.OtherTypeDescription & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Version</b></td><td>" & objOS.Version & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Service Pack</b></td><td>" & objOS.ServicePackMajorVersion & "." & _
        objOS.ServicePackMinorVersion & "</td></tr>"
Next
Set dtmConvertedDate = Nothing
Set objWMIService = Nothing
Set colOSes = Nothing
'End Table (closing tags added so the table is well-formed, matching the BIOS table below)
objRightFile.WriteLine "</tbody></table></p><p> </p>"

http://harrea.100webspace.net/BIOS.jpg

' BIOS table
objRightFile.WriteLine "<hr color=""#0066cc"" size=""2"" width=""400"">"
objRightFile.WriteLine "<p><font size=""3""><b>BIOS</b></font>"
objRightFile.WriteLine "<hr color=""#0066cc"" size=""2"" width=""400"">"
objRightFile.WriteLine "<table align=""center"" bgcolor=""#ffffff"" border=""1"" cellpadding=""2"" cellspacing=""0"" frame=""box"" rules=""all""><tbody><tr>" & _
    "<td class=""colhead""><b>Item</b></td>" & _
    "<td class=""colhead""><b>Value</b></td></tr>"
Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime")
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colBIOS = objWMIService.ExecQuery("Select * from Win32_BIOS")
For Each objBIOS in colBIOS
    objRightFile.WriteLine "<tr><td><b>Build Number</b></td><td>" & objBIOS.BuildNumber & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Current Language</b></td><td>" & objBIOS.CurrentLanguage & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Manufacturer</b></td><td>" & objBIOS.Manufacturer & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Name</b></td><td>" & objBIOS.Name & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Primary BIOS</b></td><td>" & objBIOS.PrimaryBIOS & "</td></tr>"
    dtmConvertedDate.Value = objBIOS.ReleaseDate
    dtmReleaseDate = dtmConvertedDate.GetVarDate
    objRightFile.WriteLine "<tr><td><b>Release Date</b></td><td>" & dtmReleaseDate & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Serial Number</b></td><td>" & objBIOS.SerialNumber & "</td></tr>"
    ' Win32_BIOS names this property SMBIOSBIOSVersion (the post had SMBIOSVersion, which does not exist)
    objRightFile.WriteLine "<tr><td><b>SMBIOS Version</b></td><td>" & objBIOS.SMBIOSBIOSVersion & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>SMBIOS Major Version</b></td><td>" & objBIOS.SMBIOSMajorVersion & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>SMBIOS Minor Version</b></td><td>" & objBIOS.SMBIOSMinorVersion & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>SMBIOS Present?</b></td><td>" & objBIOS.SMBIOSPresent & "</td></tr>"
    objRightFile.WriteLine "<tr><td><b>Status</b></td><td>" & objBIOS.Status & "</td></tr>"
    ' A stray trailing "</td></tr>" was removed from this line; it produced an unmatched cell in the HTML
    objRightFile.WriteLine "<tr><td><b>Version</b></td><td>" & objBIOS.Version & "</td></tr>"
Next
Set dtmConvertedDate = Nothing
Set objWMIService = Nothing
Set colBIOS = Nothing
'End Table
objRightFile.WriteLine "</tbody></table></p><p> </p>"
HarshReality, posted December 15, 2007:
Beak... when you get a chance add me to your messenger. I got a lot of this hammered out with HTML and whatnot, but some things are driving me up a wall and I can't get a handle on the problem.. for example the pwdump file is marked for delete in the INI but the damn thing doesn't die. It just leaves the file in the directory regardless of the setting.
beakmyn (Author), posted December 18, 2007:
Yeah, that happens sometimes. It's not a bad thing if they're left there IMHO, as it's easier to use the dump file rather than extract the hash from the HTML file if you need to use it in JTR or OPH. I have better luck with fgdump, btw.

I'm going to variablize as much of the script as possible to make it easier to work with. I have 1.5GB of programs on my drive and it's a pain to have to reflash to test (takes 30-45 min).
HarshReality, posted December 18, 2007:
LOL, I haven't packed mine yet ;)
beakmyn (Author), posted December 18, 2007:
Just to give everybody a heads up of what's being tested:
- OS-specific running of payload
- Checking if the user is admin, to prevent running code that requires admin privilege
- Copy wpa file to stick
- Configurable log path
- Don't run cachedump if the machine isn't a member of a domain
- Better clean-up
- BIOS info
beakmyn (Author), posted December 25, 2007:
Version 0.3.1

Payload alterations:
- Minor typo in XP activation backup (missing space between hardware & modification)
- Changed path of wpa.dbl (in case re-run and a new licence was copied; prevents overwriting files)
- Removed additional language help files from launchpad.zip (freed up about 200k)
- Added 5 second watchdog timer to pwdump, fgdump and cachedump. If they don't finish within 5 seconds they're terminated.
- Nir changed his HTML output, so I made mine a bit more flexible at finding the data in the HTML.

IEHV from 1.3.1.0 to 1.3.6.0
- Added new option: Show All Google Searches.
- 1.35: Updated the 'Select User Profile' option to work properly under Vista.
- 1.34: Dates are now formatted according to user locale, instead of system locale in previous versions.
- 1.33: A tooltip is displayed when a string in a column is longer than the column length. New option: Copy URL (copy only the URL to the clipboard).
- 1.32: Fixed bug: '???????????' string appeared in the title, while it should be empty. Fixed bug: wrong 'Modified Date' values on IE6 with XP/SP2 and IE7.

IEPV from 1.0.4.0 to 1.0.7.0
- Version 1.07: Fixed bug: IE PassView failed to detect the AutoComplete passwords of URLs that end with the '/' character (on Internet Explorer 7). Added support for Web sites file (iepv_sites.txt) for decrypting the passwords of Internet Explorer 7.0 even when the history file is empty.
- Version 1.06: The configuration is now saved to a file instead of the Registry.
- Version 1.05: Fixed a small bug that caused IE PassView to hang on some computers.
- Version 1.04: Added support for IE7 under Windows Vista.

MAILPV from 1.3.8.142 to 1.4.2.148
- 1.42: Added support for retrieving Hotmail/MSN mail accounts from the latest version of Windows Messenger. Added support for the Gmail Notifier application under IE7.
- 1.41: Configuration is now saved to a file instead of the Registry.
- 1.40: Added support for SMTP and NNTP accounts on Windows Mail. Fixed problems with Thunderbird 2 accounts.

MSPASS from 1.1.0.125 to 1.1.6.133
- Version 1.16: Added support for Google Talk password, if it's stored by Google Desktop.
- Version 1.15: The configuration is now saved to a file instead of the Registry.
- Version 1.14: Added support for AIM 6.x and AIM Pro.
- Version 1.13: Windows Live Messenger passwords are now shown under Vista even without admin rights.
- Version 1.12: Fixed bug: Pidgin passwords were not shown when using the save command-line options.
- Version 1.11: Added support for Pidgin (successor of GAIM).

NETPASS from 1.1.0.0 to 1.1.2.0
- Version 1.12: The configuration is now saved to a file instead of the Registry.
- Version 1.11: Under Vista, this utility now runs as admin automatically. You don't have to explicitly choose the "Run As Administrator" option.

PRODUKEY from 1.0.6.0 to 1.1.0.0
- Version 1.10: Added filters by product type.
- Version 1.08: The configuration of ProduKey is now saved to a file instead of the Registry.
- Version 1.07: Added support for the product key of MS Office under x64, when it's retrieved from an external Registry file.

WIFIKE from 1..3.0 to 1.1.5.0
- Version 1.15: Added support for deleting the wireless keys of old network adapters.

WUL from 1.1.3.18 to 1.2.1.22
- Version 1.20: Changed Operating System column to Application. Added filter by application (Windows, .NET, and others). Added 'Last Modified Time' column. Fixed Web link for .NET updates. Configuration is now saved to a cfg file instead of the Registry. Updates with an extra sub-key level (in the Registry) are now displayed properly.
- Version 1.13: A tooltip is now displayed when a string in a column is longer than the column length.

http://rapidshare.com/files/79403074/switc...e0.3.2.zip.html
hexlax, posted February 15, 2008:
http://rapidshare.com/files/79251558/switc...e0.3.1.zip.html dead link, homes...