USB hacking is certainly not new; we have been building Linux shells on USB keys for years. The U3 USB drive from SanDisk really changed our methods of launching hacks.
What makes the U3 cool is the little "Launch Pad utility" that comes preinstalled. A normal USB flash drive only has one drive letter, but a U3 smart drive has two: one is the normal storage drive and the other is an emulated CD drive. It is this two-drive behavior that allows a hacker to turn a simple USB drive into an Auto-Run powerhouse!!
But how, right? The first thing we need to do is replace the launch pad with a tool…a little more suitable... I love the tool USB Switchblade. Switchblade is a cool tool that allows me to use a few different methods of tool set install. I shifted to the GonZor method, which allows me to grab LSA hashes, passwords, IP addresses, etc., silently. Use a dirty hack machine (not a production one) to customize your U3.
Here is how you install it:
1. Download -=GonZor=- Payload V2.0
2. Download Universal Customizer
3. Unzip the Universal Customizer to “C:\Universal_Customizer”
4. Unzip the GonZor Payload V2.0 to “C:\Payload”
5. Copy the file U3CUSTOM.ISO from C:\Payload to C:\Universal_Customizer\BIN. This will overwrite the older file.
6. Run C:\Universal_Customizer\Universal_Customizer.exe and plug in the U3
- Enter your Paypal info and..oh …wait..wrong blog…I mean, Select Accept and click Next.
- Close all U3 apps and any apps that access the U3 drive and click Next.
- Set a password for the backup zip file (Empty passwords are not cool, but you can use the password RobbBoydRulez...if you want...)
- No turning back now...Click Next and it will start backing up data. Wait for the Universal Customizer to modify your CD partition and replace your files to the flash drive.
- Now your U3 has just crossed over to the Dark Side. Unplug your U3 and plug it back in (Windows…)
7. Copy “C:\Payload\SBConfig.exe” to the flash drive
8. Run SBConfig.exe from flash drive
- Select the check boxes of the Payload options you would like to use. You have many powerful options:
* Dump System Info
* Dump Network Services
* Dump Port Scan
* Dump Product Keys
* Dump SAM (Via PWDump or FGDump)
* Dump Wifi Hex
* Dump Network Passwords
* Dump Cache
* Dump Messenger Passwords
* Dump Firefox Passwords
* Dump IE Passwords
* Dump Mail Passwords
* Dump LSA secrets
* Dump Updates-List
* Dump URL History
* Dump External IP (to the log file)
* Install HakSaw
* Install VNC
- Click the “Update Config” button. A friendly confirmation box will let you know the deed is done. You can turn the payload on and off with the “Turn PL On”/“Turn PL Off” button. The same goes for the U3 Launch Pad as well.
9. Now you are ready. Just plug it in and it will run and steal auto-magically!
Very dangerous in the wrong hands. The U3 is a little more costly than other USB drives (almost double the price). USB drives that support this hack are labeled as U3 and come from SanDisk and Memorex. Yet another solid reason to use a client protector like CSA to protect your systems, with the USB protection enabled.
Happy Hackin!
Jimmy Ray
Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.
Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a Master of Science degree in electrical engineering.
That's what I was forgetting
I have heard of this idea for a while but could never get the keys to autoplay. I need a U3 key. Great write up, easy to follow. This is a fantastic blog! Please keep this up!!
Works!
Great post! This works as listed. My new favorite blog!
U3 Hacking
Can this be defeated by turning off autorun:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun (select Modify, Hexadecimal, value b5)
on XP Home? (Use gpedit.msc on XP Professional.)
JJ
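As an added example that is not part of the original post or its comments: a Python script that decodes the NoDriveTypeAutoRun policy mask the comment above asks about, reporting which drive types a given value silences and whether both partitions a U3 stick exposes (the emulated CD-ROM and the removable flash partition) are covered. The bit meanings are the DRIVE_* drive-type values Windows documents for this policy; the registry read only runs on Windows and falls back to constructed sample values elsewhere.

```python
import sys

# Drive-type bits of NoDriveTypeAutoRun; a set bit suppresses AutoRun for
# that Win32 drive type (the DRIVE_* values GetDriveType returns).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",    # the U3 flash partition
    0x08: "fixed",
    0x10: "remote",
    0x20: "cdrom",        # the U3 emulated CD partition carrying autorun.inf
    0x40: "ramdisk",
    0x80: "unspecified",
}
COMMENTER_MASK = 0xB5     # value suggested in the comment above
SAMPLE_WEAK_MASK = 0x95   # constructed sample: CD-ROM bit 0x20 left clear

def disabled_drive_types(mask):
    """Return the drive-type names whose AutoRun the mask suppresses."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}

def u3_autorun_blocked(mask):
    """True only when both partitions a U3 stick exposes are covered."""
    blocked = disabled_drive_types(mask)
    return "cdrom" in blocked and "removable" in blocked

def read_policy_masks():
    """Read NoDriveTypeAutoRun from HKLM and HKCU (machine policy wins when
    both exist). Returns {} when not on Windows or the value is absent."""
    if sys.platform != "win32":
        return {}
    import winreg
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    found = {}
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                        ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                found[label] = int(winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0])
        except OSError:
            pass
    return found

if __name__ == "__main__":
    masks = read_policy_masks() or {"sample": SAMPLE_WEAK_MASK, "comment": COMMENTER_MASK}
    for where, mask in masks.items():
        print(f"{where}: 0x{mask:02X} blocks {sorted(disabled_drive_types(mask))};"
              f" U3 autorun blocked: {u3_autorun_blocked(mask)}")
```

A mask such as 0x95 leaves bit 0x20 clear, so the U3 CD partition still auto-runs even though removable drives are silenced; 0xB5 (or 0xFF) covers both partitions.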
Love the blog
These are great blog posts! I am always on the lookout for blogs to help me grow in my career and this one looks like it will be one of my top blogs
dump
When it says dump are the files being deleted? Are the files just being recorded to the U3?
Sorry I'm new at this.....
Dumpin'
No sweat! In security, we are all new, just some of us are fresher than others! In the context of security, "dump" normally refers to causing a hacked device to puke up its goodies. If I am going to dump the reg file, then the hacked machine is going to give me the reg file info.
Thank you for reading the blog and your question!!
Jimmy Ray
download
Where do you download the GonZor payload? I can find the other downloads, just not this one.
messenger payload
Hey Jimmy Ray, the messenger password option doesn't work. I selected it and all, but in the text document it just shows
--------------------------------------
+----------------------------------+
+ [Dump messenger PW] +
+----------------------------------+
-------------------------------------
and there's nothing after it. This is the same for Firefox passwords; it's not saving anything. It only shows IP configuration info and 4 product keys. I have about 20 pieces of software on this comp, all fully registered, but I dunno, it's not working, and some other stuff which I won't be using.