11-23-2008, 09:53 PM   #6
~K3n~
Re: Hack U3 USB Smart Drive to Become Ultimate Hack Tool!!

Here are some other techniques you may want to try


Max Damage Technique

Max Damage's technique has been demonstrated on Hak5 episode 2x02 and requires a U3 compatible USB key, such as the newer Sandisk Cruzer Micro or Memorex Mini TravelDrive drives.


Payload

The payload contains the files necessary for the Switchblade to work properly.
How to Use
  • 1. Plug your U3 Drive in any computer with XP/2000/2003 (Requires Administrator account).
  • 2. Wait about 20-45 seconds.
  • 3. Eject U3 Drive.
  • 4. Go home and go to "Run" in the start menu. Type in "X:\Documents\logfiles"(X = Flash Drive Letter). Press enter.
  • 5. Open the text file with the computer name you got into.
  • 6. That's it.
Amish Technique

Amish's technique does not require a U3 compatible USB key and relies on social engineering to run the payload.
EDIT by nix: If you add the line "UseAutoPlay=1" in the beginning of your autorun.inf file in the root, the payload will be executed automatically, as if you had a U3 enabled drive (works on XP only, not sure about Vista).
EDIT 2 by nix: apparently this function must be enabled somehow, so you might be lucky, you might not.
I would've posted this on the forum, but I can't reg myself!
Installation
  • 1. Download the Amish Payload 1.0
  • 2. Extract the payload to the root of your flash drive.
  • 3. Go find out what they have been going to on their computers!
How to Use
  • 1. Plug your flash drive in to any computer.
  • 2A. Go to "My Computer" and double-click (autorun) the USB Drive.
  • 2B. Select the "Open Files On Folder" option when inserted into a target computer.
  • 3. Wait about 20-45 seconds.
  • 4. Eject the flash drive.
  • 5. Go home and go to "Run" in the start menu. Type in "X:\Dump"(X = Flash Drive Letter). Press enter.
  • 6. Open the text file with the computer name you got into.
  • 7. That's it.
Files
Link no longer works
iPod technique

This can be used on an iPod. I don't know how to autorun, so for now you have to find it out yourself!
NOTES
  • 1. Disguised as iPod config folder for stealth.
  • 2. If you are one of those people that carries programs around on their iPod then this is for you!
  • 3. You can create a shortcut to the progstart.bat on the root of the iPod and disguise it as a program.
  • 4. For now you can only hack 1 computer at a time until you clear the files or it will just overwrite.
Installation
  • 1. Download the PAYLOAD FILES
  • 2. Extract the payload to the root of your flash drive.
  • 3. Open the exe and type in the password hak5, the payload will automatically install itself.
  • 4. Go find out what they have been going to on their computers!
Edit: Fixed link, sorry about before
How to Use
  • 1. Plug your flash drive in to any computer.
  • 2. Go to "My Computer", double-click the drive and navigate to the iPod_Config dir.
  • 3. Open the progstart.bat
  • 4. Wait about 10-25 seconds.
  • 5. Eject the flash drive.
  • 6. Go home and go to "Run" in the start menu. Type in "X:\iPod_Config\Dump"(X = iPod Drive Letter). Press enter.
  • 7. That's it, you have the hacked files.
Files
  • 1A Current payload (Extract yourself, no password):[1]
  • 2 older version, may or may not work:[2]
Gandalf's technique

I have combined a lot of packages from the different distributions along with my MSN log package (link see this forum post). It is _very_ configurable, works on all sorts of USB drives, and completes in about 19 seconds.
It uses a 7zipped image (around 0.5 MB) and 7zips and password protects the logs.
Installation

Download here and extract to any folder - on a USB drive, iPod, local computer, it doesn't matter. Then run start.vbs
How it works

start.vbs runs run.bat, which first cd's to the temp directory on the target machine (which can be changed), and then copies all files to there. Then it extracts image.7z with the password haxx0r using the command-line 7Z executable. Then it runs the list of commands, and zips the output and puts it back into the usb drive.
It deletes the dir. in %temp% and opens %systemdrive% in explorer to show it's finished.
The passwords and logs are placed in $backup/%computername%.7z. Download 7-Zip to extract it.
Download

Package
7-zip, used to extract log file.
Kapowdude technique

I have put together MaxDamage and Amish's solutions together. I'm calling it MAD for now =P. It doesn't require U3 and will steal both LM hashes and history messenger passwords etc. I also made it so that the file structure was a little neater. I also used another version of pwdump that seems to work better for me. If someone could scan and encrypt any exe's that show as "hacktools" that would be great.
Installation
  • 1. Download the MAD Payload 1.0
  • 2. Extract the payload to the root of your flash drive.
  • 3. Go find out what your friends have been going to on their computers!
Payload
  • Combination of MaxDamage and Amish's original techniques
Additional Notes

A different version of pwdump is used.
How to Use
  • 1. Plug your flash drive in to any computer.
  • 2A. Go to "My Computer" and double-click (autorun) the USB Drive.
  • 2B. Select the "Open Files On Folder" option when inserted into a target computer.
  • 3. Wait about 20-45 seconds.
  • 4. Eject the flash drive.
  • 5. Go home and go to "Run" in the start menu. Type in "X:\Switchblade\dump\'computername'"(X = Flash Drive Letter). Press enter.
  • 6. Open the text file with the computer name you got into.
  • 7. That's it.
Files
Edit: Link no longer works -Rain.
Author

If you have any problems, well, work it out for yourself cause I just got banned from GMail.
Silivrenion's Technique

I have also combined MaxDamage and Amish's solutions together, but I offer a slightly more standardized approach, following the file structure of MaxDamage's layout more closely. One of the best features of this version is that it does not require a U3 drive to run. This solution will give the same output as MaxDamage's version, except that it will also output a pre-organized list of all of the password hashes found during your password-hunting missions. One may simply copy pwlist.txt file to their rcrack directory, and run from there with the rcrack *.rt -f pwlist.txt option. This version also runs the most up to date version of pwdump, to avoid problems with lsass and other errors you may run across. To make this technique even better, it runs absolutely silently with just a precompiled .exe.
Installation
  • 1. Download the Switchblade-Siliv-1-3-0-1 Payload
  • 2. Extract the payload to the root of your flash drive.
  • 3. Go find out what your friends have been going to on their computers!
Payload

Combination of MaxDamage and Amish's solutions, with the added benefit of automatic generation of a pwlist.txt file, for inputting into rcrack.exe. Runs silently thanks to a precompiled .exe
How to Use
  • 1. Plug your flash drive in to any computer.
  • 2A. Go to "My Computer" and double-click (autorun) the USB Drive.
  • 2B. Select the "Open Files On Folder" option when inserted into a target computer. (See notes below about autorun). If you do not have autorun, execute launch.bat in the flash drive's root directory.
  • 3. Wait about 20-45 seconds.
  • 4. Eject the flash drive.
  • 5. Go home and go to "Run" in the start menu. Type in "X:\Documents\logfiles\"(X = Flash Drive Letter). Press enter.
  • 6A. Open the text file with the computer name you got into.
  • 6B. Open the text file named pwlist.txt
  • 7. That's it.
Will autorun on XP SP2, but not SP1. I did a lot of work to figure out a way to run the harvesting silently. Version 1-3 runs completely silently now, thanks to Adam Katsuragi and ExeScript.
To run the program, either use your system's autorun feature, or run /WIP/CMD/go.exe
Version History

1.3.0.1 Rebuilt source. Provided source .cmd for building. Updated to v1.06 ProduKey. Added IE PassView 1.0.2. Updated pwdump to 1.4.3.
1.3 First fully silent non-u3 version of Switchblade
1.2.2.2 Fixed problem with relative locations. Script will now run from anywhere that it is extracted to.
1.2.2.1 Upgraded pwdump to version 1.4.2. This means that the problems with lsass should be resolved, as well as a lot more. pwdump's changes history is available at http://www.foofus.net/fizzgig/pwdump/. I also decided to put a copy of the launcher in the root directory for the switchblade, for those that don't have autorun.
1.2.2 Developed a way to hide the command window. Restructured files a little bit, and cleaned up the \WIP\CMD\ folder a little.
1.2.1 First version. I started from 1.2.x because the main core files use MaxDamage's compilation of executables from the 1.2 zip. All versions will follow 1.2.x--- unless the core is updated too.
Compilation

Version 1.3.x is built with the following programs:
Current source is available here:
Issues

The previous versions of the switchblade had problems with the lsass process shutting down the system unexpectedly. This should now (hopefully) not be an issue.
Windows XP is blessed with the fact that autorun.inf doesn't work on SP1, but it works on SP2. We currently are able to use autorun to launch a program in SP2, but SP1 users will have to launch it manually.
Another challenge is actually getting around the autorun.inf being compatible only with SP2 and greater systems, without investing in a U3 drive.
If AutoRun is disabled on the target PC it might not run the script and therefore not work.
Files
Comments, Support, New Version Submissions

Email silivrenion (at) gmail (dot) com. Or find me on the IRC. Version submissions welcome! yes yes
DLSS's update (v2)

This is an update building on flthy jesus's edition, also based on Amish's version. It contains the following changes:
Changes
  • Replaced the pspv with the IE7 compatible iepv
  • Added firepassword to grab the firefox passwords
  • Updated Mail PassView 1.35 to 1.36
  • Updated nircmd from 1.8.2 to 1.85
  • Updated produkey from 1.0.4 to 1.0.7
  • Added the scan.cmd to start it manually if autorun was disabled.
  • Added wul.exe (WinUpdatesList) (To estimate PC vulnerability to which attacks.)
  • Added moonlit's avkiller
Installation and Running
  • 1. Turn off your AV's real time protection. (The software might detect as virus and cancel your download.)
  • 2. Copy the RAR file to the root of your flash drive. (You need Winrar or WinAce installed to extract it.)
  • 3. Right click the RAR file and choose "Extract Here".
  • 4. Delete the RAR file after extracting.
  • 5. Re-enable your real time protection. (As long as you stay out of the "tools" directory it won't detect anything.)
  • 6. Done! Unplug your USB stick and plug it in again. Go ahead and run the switchblade. (Top option on autorun or execute the scan.cmd file on the disk.)
  • 7. Check out what it found in the switchblade/dump/ directory.
Files
New version is back up (Download Link, Mirrors are welcome)
Issues
  • Currently mailpv.exe is being detected by NOD32 AV (need an updated encrypted version?)
  • mailpv is also being detected by Avast 4.7 Home edition (free version) during the download. AVG 7.5.430 (the newest version) doesn't detect it even if you browse to the tools directory.
Spektormax's combo of HakSaw, SwitchBlade, VNC as well as an Nmap

This is basically the Hacksaw added into the Switchblade with some fun modifications. This works for both U3 and non U3 devices.
  • Some information was quite ugly, and was removed NicatronTg 21:23, 9 June 2008 (CDT)
Combo of SwitchBlade, HackSaw ("HackBlade")

Version 0.1
Based off of "DLSS's update (v2)", "HackSaw v0.1", combined and clean.
  • NOT PATH DEPENDENT! (Basically, it works no matter where you put it, not just \switchblade)
Gathers lots of info about the user's computer and software and emails it to you in a RAR file. (You need a Gmail account, get one at gmail.com.)
To Do: use local smtp server so we don't need to use Gmail, add other data to collect
Download: Main: http://zliu.zendurl.com/hackblade.rar (down) Mirror 1: http://rapidshare.com/files/38160175/hackblade.rar (up but .rar is broken)


When uncompressing the downloaded hakblade.rar file, a "file header corrupt" message shows. It is not possible to uncompress/untar this file with either of two tools I tried. I also tried downloading again. Perhaps the file was corrupted during its original transfer to the hosting site?
Edit: Bad file/Setup. -Rain.
-=GonZor=- SwitchBlade

Payload for U3 Drives, all the tools are stored on the CD partition of the U3 Drive so they cannot be deleted by an AV. This payload is fully customisable easily through the use of an app I made 'SBConfig.exe'.
The site can be found here: http://www.users.on.net/~simmo_89/switchblade/Index.html
The Forum thread can be found here: http://forums.hak5.org/index.php/topic,6608.msg70406.html#msg70406
Options

All of these options can be turned on or off at any time with the use of SBConfig.exe
  • U3 Launchpad menu
  • The Payload
  • Dump System Info
  • Dump Network Services
  • Dump Port Scan
  • Dump Product Keys
  • Dump SAM (Via PWDump or FGDump)
  • Dump Wifi Hex
  • Dump Network Passwords
  • Dump Cache
  • Dump Messenger Passwords
  • Dump Firefox Passwords
  • Dump IE Passwords
  • Dump Mail Passwords
  • Dump LSA secrets
  • Dump Updates-List
  • Dump URL History
  • Dump External IP (to the log file)
  • Install HakSaw
  • Install VNC
Installation

There are more detailed instructions on the site for people that have no idea what to do. But the basic instructions are as follows
  • 1. Download the Payload and the Universal Customizer if you don't already have it
  • 2. Unzip the Universal Customizer
  • 3. Place the U3CUSTOM.ISO from the payload zip into the BIN folder of the Universal Customizer
  • 4. Run the Universal Customizer
  • 5. Place the SBConfig.exe from the payload zip onto your flash partition somewhere and run it
How to use
  • Install the payload and run SBConfig.exe
  • Plug the flash drive into a computer
  • Wait for the payload to finish (the time the payload takes to complete varies because it is fully customisable; using options like 'Dump Network Services' or 'Dump Port Scan' takes longer)
  • Eject the flash drive
  • The log files are saved as follows: \System\Logs\%computername%\%computername%-[%count%].log (hence it doesn't overwrite a log file)
Files

All the files are available from the download page of the site: http://www.users.on.net/~simmo_89/switchblade/download.html
OR HERE:
Main Switchblade:
http://rapidshare.com/files/36419370/GonZors_SwitchBlade-V1.2.zip
This is the Universal Loader to load the payload onto the U3 drive. I did not create this; if you have a problem with it, please talk to the creator (U3 Hacker):
http://rapidshare.com/files/36419359/Universal_Customizer.zip
If you are using V1.X of my payload please make sure you have updated to SBConfig-V1.0.11.
http://rapidshare.com/files/36419349/SBConfig.zip


Comments, Support, Questions, Ideas

Email me or add me on msn [email protected]


EnAble-Abel Switchblade Addition

Designed for the Siliv non U3 switchblade. This little modification will make the switchblade change some registry values to allow local users to authenticate as themselves over the network (In other words, allow Cain to connect remotely to install Abel.) It also creates a new hidden Administrator account on the target machine called "IUSR_ADMIN" with the password "password" with which to remotely connect without the need to acquire a current administrator's password.
Download

http://rapidshare.com/files/108791157/EnAble-Abel.rar
Instructions are included in the archive.
Obviously, changing registry values -could- lead to the extinction of the human race and/or messing up the target PC so use at your own risk. This has been tested and works on both Win XP Pro & Vista machines!
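Every variant in the post depends on AutoRun: either the U3 CD partition or an autorun.inf on a plain flash drive, and the post notes that a PC with AutoRun disabled will not run the script. The sketch below is an added example for defenders, not part of the original post or any of the packages it describes. It flags the autorun.inf directives that launch a program and reports which drive types a `NoDriveTypeAutoRun` policy value still leaves open. The function names and the sample file are constructed for illustration.

```python
import re

# [autorun] keys that cause a program to start when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "useautoplay")
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")

# NoDriveTypeAutoRun bits: a set bit disables AutoRun for that drive type.
DRIVE_REMOVABLE = 0x04  # ordinary flash drives
DRIVE_CDROM = 0x20      # U3 drives expose their launcher as a CD-ROM partition


def risky_directives(autorun_text):
    """Return (key, value) pairs in the [autorun] section that launch a program."""
    found, section = [], None
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_VERB.match(key.lower()):
            found.append((key.lower(), value))
    return found


def autorun_gaps(policy_mask):
    """Return the drive types still allowed to AutoRun under a policy mask."""
    gaps = []
    if not policy_mask & DRIVE_REMOVABLE:
        gaps.append("removable")
    if not policy_mask & DRIVE_CDROM:
        gaps.append("cdrom")
    return gaps


# Constructed sample input; launch.bat is the launcher name used in the post.
SAMPLE = """[autorun]
UseAutoPlay=1
open=launch.bat
icon=drive.ico
shell\\open\\command=launch.bat
"""

if __name__ == "__main__":
    print(risky_directives(SAMPLE), autorun_gaps(0x91))
```

A policy value of 0xFF sets every drive-type bit, so `autorun_gaps(0xFF)` returns an empty list; a value that sets only the removable bit still leaves the U3 CD-ROM partition able to launch.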