USB Penetration Testing
USB ports are some of the most vulnerable parts of a computer. They exist on desktops, laptops, and servers, and most of the time they are fully accessible if you have physical access to a machine. Personally, getting access to a USB port on a server or even a desktop linked to the target network is a very high priority when I’m pen testing any company. Many times you only need access to a USB port once to gather enough information to compromise an organization.
USB Switchblade / Hacksaw
USB Switchblade was created by Hak5 and the surrounding community back in 2006. It can capture and record information about the computer it is used on, and can also take password hashes, IP information, and autofill information; some versions of Switchblade can create backdoors in the system for access at a later date.
To do this, Switchblade uses a U3 drive’s ability to create a virtual CD-ROM drive, which allows autorun to function. It can capture and record password hashes for later cracking. Switchblade can also take browser history (not Chrome history!) and any autofill information on the system, as well as product keys for any installed Windows products. Some versions can also create a ghost administrator account for later access. The biggest advantage of using Switchblade is that all this can be done hands-free within a few seconds.
USB Rubber Ducky
USB Rubber Ducky is the next generation of Switchblade. It has its own code, called duckycode, for writing plugins for it. You can buy it pre-installed for $59, but the source code is also open.
I’ll be posting later about how to install it on a 3rd party device. The post is now here. For now though you can check it out on Hak5’s store, or you can download the source code from GitHub.
I recently wrote an article about USB keyloggers and how a top executive had found a suspicious USB device inserted between his keyboard and his computer. It turned out that the device was a physical keylogger, and unless you are doing physical inspections of hardware, they are nearly undetectable. Of course, these types of loggers require that you have access to the target machine on a regular basis to make them useful. They are also rather pricey, but they can really change the tide of a pen testing attack.
The Best Option
I use USB Hacksaw / Switchblade depending on the kind of attack I am performing. It is by far the cheapest option and can give you tons of very valuable intel, as well as a discreetly installed backdoor with Switchblade.
Setting Up USB Switchblade
Picking a USB drive
I will be setting Switchblade up on a U3 drive because U3 drives have the ability to emulate a CD drive and automatically execute the Switchblade payload without any interaction other than plugging it in, potentially allowing you to attack a locked computer.
These are the drives I will set up on: two very unassuming drives that will draw little attention when plugged into a target machine, but with enough space to take a lot of information from several different computers.
Installing on the Drive
I’ve put together a package of all the required information for you to download. Switchblade is no longer being maintained and is very difficult to find on the internet. Before you start, download that package at the bottom of the page.
Once you download it, unzip it all and follow the instructions exactly.
1. Unzip the NarwhaleUSB package you downloaded.
2. Open the Switchblade folder.
3. Unzip the Universal Customizer to “C:\Universal_Customizer”
4. Unzip the -=GonZor=- Payload V2.1 to “C:\Payload”
5. Copy the file U3CUSTOM.ISO from C:\Payload to C:\Universal_Customizer\BIN replacing the old one.
6. Run C:\Universal_Customizer\Universal_Customizer.exe and plug in U3 smart drive.
- Select Accept and click Next.
- Close all U3 applications and any applications that access your U3 drive and click Next.
- Set a password for the backup zip file (Empty password not allowed)
- Click Next and it will start backing up data. Wait for the Universal Customizer to modify your CD partition and replace your files to the flash drive.
- The modification should now be complete. Unplug your U3 drive and plug it back in.
7. Copy “C:\Payload\SBConfig.exe” to the mass storage of the flash drive
8. Run SBConfig.exe from flash drive
- Select the check boxes of the Payload options you would like to use
- Enter your email address and password for the HackSaw if you wish to use it.
- Click “Update Config” button, a message box should appear to confirm this is completed
- Toggle between using the payload or not by clicking the “Turn PL On”/“Turn PL Off” button
- Toggle between using the U3 Launcher or not by clicking the “Turn U3 Launchpad On”/“Turn U3 Launchpad Off” button
9. You now have -=GonZor=- Payload V2.1 on your U3 smart drive, which can automatically steal passwords once it is plugged in to a computer with administrative privileges.
I’ve tested it and it’s very scary because when I plugged in the hacked U3 smart drive with USB Switchblade payload, the payload ran silently and invisibly! It did not modify any system settings nor send any network traffic. There is a log file created at F:\System\Logs\COMPUTERNAME (F: drive is the storage drive) by the payload, and I am shocked to see that my network configurations, router password, Windows Live Messenger password, Google Talk password, Gmail password, all Firefox passwords, Internet Explorer passwords, ICQ password, Windows Product Keys, etc. were being recorded in that log file!
As you can see from this guide, USB drives can be very dangerous when network security is involved. I recommend securing all servers inside locked racks and regularly inspecting workstations as well as private and company laptops: basically, any computer that may connect to the network you are attempting to secure. Have any tips for securing USB ports or any tool you use for making your drives dangerous? Tell us in the comments.
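Because the attack above depends on autorun firing from the U3 drive's virtual CD-ROM, one host-side check is whether the Windows `NoDriveTypeAutoRun` policy disables AutoRun for CD-ROM drives. The following is an added example, not part of the original post or the Switchblade package: it audits `reg query` output for that policy, and the sample output, function names and status labels are constructed for illustration.

```python
import re

# In NoDriveTypeAutoRun, a SET bit means AutoRun is DISABLED for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x02: "no-root-dir", 0x04: "removable",
              0x08: "fixed", 0x10: "network", 0x20: "cdrom",
              0x40: "ramdisk", 0x80: "reserved"}

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE_WEAK = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""
SAMPLE_HARDENED = SAMPLE_WEAK.replace("0x91", "0xff")


def parse_policy(reg_output):
    """Return the NoDriveTypeAutoRun DWORD from reg query text, or None if absent."""
    m = re.search(r"NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-fA-F]+)", reg_output)
    return int(m.group(1), 16) if m else None


def audit(reg_output):
    """Classify the policy; status labels are hypothetical names for this example."""
    value = parse_policy(reg_output)
    if value is None:
        # Policy absent: the OS default applies, so report it for follow-up.
        return {"status": "not-configured", "autorun_enabled": None}
    enabled = [name for bit, name in DRIVE_BITS.items() if not value & bit]
    if "cdrom" in enabled:
        status = "cdrom-autorun-allowed"   # the U3 virtual CD-ROM case
    elif enabled:
        status = "partial"
    else:
        status = "hardened"                # 0xFF: AutoRun off for every type
    return {"status": status, "autorun_enabled": enabled}


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(text))
```

On a live host, feed it the text returned by `reg query` for the Explorer policy key; a result other than `hardened` is worth raising alongside the physical controls recommended above.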
NarwhalUSB Package – When you download it, it will show up as a virus, because that’s what it is.