
USB Switchblade

From Hak5 Wiki

Revision as of 13:53, 3 October 2006 by Jalada (Talk | contribs)


The goal of the "USB Switchblade" is to silently recover information from a target Windows 2000 or higher computer, including password hashes, LSA secrets, IP information, etc. Several methods for silent activation exist, including the original MaxDamage technique of using a special autorun loader on the virtual CD-ROM partition of a U3 compatible USB key, and the original Amish technique of using social engineering to trick a user into running the autorun when choosing "Open folder to display files" upon insertion.

While the USB Switchblade does require a system running Windows 2000, XP, or 2003 logged in with Administrative privileges, and physical access, the beauty lies in the fact that the payload can run silently and without modifying the system or sending network traffic, making it near invisible. For example, the USB Switchblade can be used to retrieve information from a target system at a LAN party by lending the key to an unsuspecting individual with the intent to distribute a game patch or other such warez.
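As an added defensive check that is not part of the original wiki page: the silent activation described above depends on Windows AutoRun processing an autorun.inf from a CD-ROM (the U3 virtual partition) or a removable drive, and the Windows XP default policy value (0x91) leaves both of those drive types enabled. The PowerShell audit below reads the NoDriveTypeAutoRun policy, reports which drive types still allow AutoRun, and can apply the fully disabled value (0xFF) together with HonorAutorunSetting; the $auditOnly switch is a construct of this example, not a Windows setting.

```powershell
# Added defensive example (not from the Hak5 wiki): audit and optionally
# harden the AutoRun policy that the Switchblade's silent start relies on.
# Run from an elevated PowerShell prompt on the host you are protecting.
$auditOnly = $true    # constructed switch for this example: $false applies the fix
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# NoDriveTypeAutoRun is a bitmask: a SET bit disables AutoRun for that drive type.
$driveTypes = @(
    @{ Bit = 0x04; Name = 'removable (USB flash partition)' },
    @{ Bit = 0x08; Name = 'fixed' },
    @{ Bit = 0x10; Name = 'network' },
    @{ Bit = 0x20; Name = 'CD-ROM (includes the U3 virtual CD partition)' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'unknown' }
)

if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

$props   = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$current = $props.NoDriveTypeAutoRun
if ($null -eq $current) { $current = 0x91 }   # XP default when the policy value is absent

"NoDriveTypeAutoRun = 0x{0:X2}" -f $current
foreach ($t in $driveTypes) {
    $state = if ($current -band $t.Bit) { 'AutoRun disabled' } else { 'AutoRun ENABLED' }
    "  {0,-48} {1}" -f $t.Name, $state
}

# HonorAutorunSetting = 1 is required on XP/2003 after KB967715 for the
# policy value to be honoured on the double-click and AutoPlay paths too.
if ($props.HonorAutorunSetting -ne 1) {
    "  HonorAutorunSetting is not 1; NoDriveTypeAutoRun may not be enforced"
}

if (-not $auditOnly) {
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $policyKey -Name HonorAutorunSetting -Value 1 -Type DWord
    "Applied NoDriveTypeAutoRun=0xFF and HonorAutorunSetting=1 (log off and on for Explorer to pick it up)"
}
```

Disabling AutoRun removes the insertion-time and AutoPlay-dialog start paths; a user who is talked into running a file by hand is still a user-awareness problem, which is why the Amish technique on this page works without AutoRun at all.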

http://www.hak5.org/images/usbswitchblade.gif



Basic Install

  • Step 1: Find a flash disk of at least 32MB which you want to install this on.
  • Step 2: Download WinRAR from www.rarlabs.com
  • Step 3: Download an appropriate Payload (Amish's non-U3 Payload here)
  • Step 4: Unpack the RAR file to the root of your flash disk.
  • Step 5: Done. To use, plug into a machine logged in as admin, ensure that the top item is selected to execute the batch files. Logs are stored in /Dump/COMPUTERNAME.
  • Step 6: Test your specific Payload in different AV environments to ensure desired result.

Techniques

Max Damage Technique

Max Damage's technique has been demonstrated on Hak5 episode 2x02 and requires a U3 compatible USB key, such as the newer SanDisk Cruzer Micro or Memorex Mini TravelDrive drives.

Installation

For SanDisk

  • 1. Download the U3 Loader for SanDisk to the desktop.
  • 2. Extract it to the desktop.
  • 3. Launch LPInstaller.exe on your desktop.
  • 4. Once installation is complete download any one of the payloads and extract to the root of your flash drive.
  • 5. Go find out what your friends have been going to on their computers!

For Memorex

Please re-download U3 Loader if you downloaded the one with my logo (Tyrone D). I put the original Memorex logo back on the Launchpad.

  • 1. Download the U3 Loader for Memorex to the desktop.
  • 2. Launch "MemorexSB.exe" on your desktop.
  • 3. Extract the files to the desktop and click "Yes" at the end to install the SwitchBlade.
  • 4. Once installation is complete download any one of the payloads and extract to the root of your flash drive.
  • 5. Go find out what your friends have been going to on their computers!

Payload

The payload contains the files necessary for the Switchblade to work properly.

Additional Notes

The Memorex SwitchBlade LaunchPad.iso is already packed in the self-extracting file. To change this to your own custom ISO, extract the files and replace LaunchPad.iso with your own, then launch UpdaterCore.exe. This is a hacked version of the Memorex LaunchPad Updater; this one is hacked to upgrade over and over and uses the LaunchPad.iso in the root folder instead of "bin". Hacked/Packaged by Tyrone Davis (U3Hacker)

The SwitchBlade Loader for the Memorex is decoded to .vbs instead of .vbe (No changes are made to it though and it's still hidden.)

How to Use

  • 1. Plug your U3 Drive into any computer with XP/2000/2003 (Requires Administrator account).
  • 2. Wait about 20-45 seconds.
  • 3. Eject U3 Drive.
  • 4. Go home and go to "Run" in the start menu. Type in "X:\Documents\logfiles"(X = Flash Drive Letter). Press enter.
  • 5. Open the text file with the computer name you got into.
  • 6. That's it.

Files

Amish Technique

Amish's technique does not require a U3 compatible USB key and relies on social engineering to run the payload.

Installation

  • 1. Download the Amish Payload 1.0
  • 2. Extract the payload to the root of your flash drive.
  • 3. Go find out what your friends have been going to on their computers!

Payload

The payload contains the files necessary for the Switchblade to work properly.

How to Use

  • 1. Plug your flash drive in to any computer.
  • 2A. Go to "My Computer" and double-click (autorun) the USB Drive.
  • 2B. Select the "Open Files On Folder" option when inserted into a target computer.
  • 3. Wait about 20-45 seconds.
  • 4. Eject the flash drive.
  • 5. Go home and go to "Run" in the start menu. Type in "X:\Dump"(X = Flash Drive Letter). Press enter.
  • 6. Open the text file with the computer name you got into.
  • 7. That's it.

Files

Kapowdude technique

I have put together MaxDamage and Amish's solutions together. I'm calling it MAD for now =P. It doesn't require U3 and will steal both LM hashes and history, messenger passwords, etc. I also made it so that the file structure was a little neater. I also used another version of pwdump that seems to work better for me. If someone could scan and encrypt any exes that show as "hacktools" that would be great.

Installation

  • 1. Download the MAD Payload 1.0
  • 2. Extract the payload to the root of your flash drive.
  • 3. Go find out what your friends have been going to on their computers!

Payload

  • Combination of MaxDamage and Amish's original techniques

Additional Notes

A different version of pwdump is used.

How to Use

  • 1. Plug your flash drive in to any computer.
  • 2A. Go to "My Computer" and double-click (autorun) the USB Drive.
  • 2B. Select the "Open Files On Folder" option when inserted into a target computer.
  • 3. Wait about 20-45 seconds.
  • 4. Eject the flash drive.
  • 5. Go home and go to "Run" in the start menu. Type in "X:\Switchblade\dump\'computername'"(X = Flash Drive Letter). Press enter.
  • 6. Open the text file with the computer name you got into.
  • 7. That's it.

Files

Author

If you have any problems, well, work it out for yourself 'cause I just got banned from Gmail.

Silivrenion's Technique

I have also combined MaxDamage and Amish's solutions together, but I offer a slightly more standardized approach, following the file structure of MaxDamage's layout more closely. This solution will give the same output as MaxDamage's version, except that it will also output a pre-organized list of all of the password hashes found during your password-hunting missions. One may simply copy the pwlist.txt file to their rcrack directory and run from there with the rcrack *.rt -f pwlist.txt option.

Installation

  • 1. Download the Switchblade-Siliv-1-2-1 Payload
  • 2. Extract the payload to the root of your flash drive.
  • 3. Go find out what your friends have been going to on their computers!

Payload

Combination of MaxDamage and Amish's solutions, with the added benefit of automatic generation of a pwlist.txt file, for inputting into rcrack.exe.

How to Use

  • 1. Plug your flash drive in to any computer.
  • 2A. Go to "My Computer" and double-click (autorun) the USB Drive.
  • 2B. Select the "Open Files On Folder" option when inserted into a target computer.
  • 3. Wait about 20-45 seconds.
  • 4. Eject the flash drive.
  • 5. Go home and go to "Run" in the start menu. Type in "X:\Documents\logfiles\"(X = Flash Drive Letter). Press enter.
  • 6A. Open the text file with the computer name you got into.
  • 6B. Open the text file named pwlist.txt
  • 7. That's it.

Will autorun on XP SP2, but not SP1. Currently the only ways for the program to start are either if autorun.inf starts it silently via nircmd, or allowing a black DOS box to appear on the screen for 30-45 seconds by running it directly. See Issues below.

Version History

1.2.1 First version. I started from 1.2.x because the main core files use MaxDamage's compilation of executables from the 1.2 zip. All versions will follow 1.2.x unless the core is updated too.

Issues

All versions of pwdump have the problem of lsass.exe sometimes going into an alarmed mode and forcing a shutdown of the computer. This would be awesome to fix.

Windows XP is blessed with the fact that autorun.inf doesn't work on SP1, but it works on SP2. Development of an application that, when run, will run a preconfigured file would be awesome. The problem could be remedied if a program existed that, when run, will execute a preconfigured program silently. Like nircmd, but without startup options. Maybe it could be configured via a config.txt file or something, which the program automatically looks for when run. Either way, this would help tremendously, and allow silent startups 100% of the time that lsass allows pwdump to do its business!

Files

Comments, Support, New Version Submissions

Email silivrenion (at) gmail (dot) com. Or find me on the IRC. Version submissions welcome!

DLSS's update (v2)

This is an update building on flthy jesus's edition, itself based on Amish's version. It contains the following changes:

Changes

  • Replaced the pspv with the IE7-compatible iepv
  • Added firepassword to grab the firefox passwords
  • Updated Mail PassView 1.35 to 1.36
  • Updated nircmd from 1.8.2 to 1.85
  • Updated produkey from 1.0.4 to 1.0.6
  • Added the scan.cmd to start it manually if autorun was disabled.
  • Added wul.exe (WinUpdatesList) (To estimate PC vulnerability to which attacks.)
  • Added moonlit's avkiller

Installation and Running

  • 1. Turn off your AV's real time protection. (Your AV might detect the software as a virus and cancel your download.)
  • 2. Copy the RAR file to the root of your flash drive. (You need WinRAR or WinAce installed to extract it.)
  • 3. Right click the RAR file and choose "Extract Here".
  • 4. Delete the RAR file after extracting.
  • 5. Re-enable your real time protection. (As long as you stay out of the "tools" directory it won't detect anything.)
  • 6. Done! Unplug your USB stick and plug it in again. Go ahead and run the switchblade. (Top option on autorun or execute the scan.cmd file on the disk.)
  • 7. Check out what it found in the switchblade/dump/ directory.

Files

New version is back up.

(Download Link, Mirrors are welcome)

Issues

  • Currently mailpv.exe is being detected by NOD32 AV (need an updated encrypted version?)


Therian's BYOB (Build Your Own Blade)

This package is built off Silivrenion's build but has DLSS's updated files, best of both worlds. (Hope you two don't mind)

Installation

Download the .rar from here to your desktop.

Edit: The current version, 1.0, requires that the program be installed to "c:\documents and settings\%username%\desktop\builder\builder"; however, this can be fixed by editing builder.bat and replacing the path with %homepath%\desktop\directory or another environment variable.


Once downloaded, right click and choose "Extract Here". IF YOU DON'T FOLLOW THESE DIRECTIONS IT WON'T WORK! You know how picky batch files are. =-)

Once extracted, open the Builder folder, start builder.bat and choose components from the menu choices. The completed WIP file is then built inside the builder folder, which you will see as soon as the batch file is done.

Notes

This was a project I had started a little bit ago, but a post on the forum made me remember it, so enjoy while you can.

Until Moonlit decides what he is doing with the AV killer it will not be included here.

Also if anyone wants to mirror this feel free. Rapidshare was the only place I could think of to upload this.

Last note. This package DOES NOT include the loader, but everyone already has that right???

Self-Destruct Version

Adding the following code to the switchblade.bat file after ":End" produces a self-destruct version of SwitchBlade that removes itself from the flash drive after first run and keeps the logfiles on your flash drive. This does not remove the CD-ROM partition on the U3 SwitchBlade.

cd ..\..\
DEL /f /q nircmd.exe > nul
DEL /f /q autorun.inf > nul
RMDIR /s /q \WIP > nul
Start explorer.exe .\
DEL /f /q switchblade.bat > nul

Tested on Windows XP Professional Edition Service Pack 2

Additional Resources