USB hacking is certainly not new; we have been building Linux shells on USB keys for years. The U3 USB drive from SanDisk really changed our methods of launching hacks.
What makes the U3 cool is the little "Launch Pad utility" that comes preinstalled. A normal USB flash drive only has one drive letter, but a U3 smart drive has two. One is the normal storage drive and the other one is an emulated CD drive. It is this two-drive behavior that allows a hacker to turn a simple USB drive into an Auto-Run powerhouse!!
But how, right? The first thing we need to do is replace the Launch Pad with a tool…a little more suitable... I love the tool USB Switchblade. Switchblade is a cool tool that allows me to use a few different methods of tool set install. I shifted to the GonZor method, which allows me to grab LSA hashes, passwords, IP address, etc., silently. Use a dirty hack machine (not a production one) to customize your U3.
Here is how you install it:
1. Download -=GonZor=- Payload V2.0
2. Download Universal Customizer
3. Unzip the Universal Customizer to “C:\Universal_Customizer”
4. Unzip the GonZor Payload V2.0 to “C:\Payload”
5. Copy the file U3CUSTOM.ISO from C:\Payload to C:\Universal_Customizer\BIN. This will overwrite the older file.
6. Run C:\Universal_Customizer\Universal_Customizer.exe and plug in the U3
- Enter your Paypal info and..oh …wait..wrong blog…I mean, Select Accept and click Next.
- Close all U3 apps and any apps that access the U3 drive and click Next.
- Set a password for the backup zip file (Empty passwords are not cool, but you can use the password RobbBoydRulez...if you want...)
- No turning back now...Click Next and it will start backing up data. Wait for the Universal Customizer to modify your CD partition and restore your files to the flash drive.
- Now your U3 has just crossed over to the Dark Side. Unplug your drive and plug it back in (Windows…)
7. Copy “C:\Payload\SBConfig.exe” to the flash drive
8. Run SBConfig.exe from flash drive
- Select the check boxes of the Payload options you would like to use. You have many power options:
* Dump System Info
* Dump Network Services
* Dump Port Scan
* Dump Product Keys
* Dump SAM (Via PWDump or FGDump)
* Dump Wifi Hex
* Dump Network Passwords
* Dump Cache
* Dump Messenger Passwords
* Dump Firefox Passwords
* Dump IE Passwords
* Dump Mail Passwords
* Dump LSA secrets
* Dump Updates-List
* Dump URL History
* Dump External IP (to the log file)
* Install HakSaw
* Install VNC
- Click the “Update Config” button. A friendly confirmation box will let you know the deed is done. You can turn the payload on and off with the “Turn PL On”/“Turn PL Off” button. Same goes for the U3 Launch Pad as well.
9. Now you are ready. Just plug it in and it will run and steal auto-magically!
Very dangerous in the wrong hands. The U3 is a little more costly than other USB drives (almost double the price). USB drives that support this hack are labeled as U3 and come from SanDisk and Memorex. Yet another solid reason to use a client protector like CSA to protect your systems with the USB protection enabled.
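The whole trick rides on Windows honoring AutoRun for the emulated CD partition, so the cheapest defense on a host is to turn AutoRun off for every drive type. The following is an added example for administrators, not part of the original post or the Switchblade tooling; it reads and decodes the `NoDriveTypeAutoRun` policy mask and then sets it to disable AutoRun everywhere. It assumes an elevated PowerShell prompt on the machine being hardened.

```powershell
# Added example (not from the original post): audit and harden the AutoRun policy
# that a U3 emulated CD partition relies on. Run from an elevated PowerShell prompt.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Bit meanings of NoDriveTypeAutoRun: a SET bit disables AutoRun for that drive type.
$DriveTypeBits = [ordered]@{
    0x01 = 'Unknown type'
    0x04 = 'Removable (USB flash)'
    0x08 = 'Fixed disk'
    0x10 = 'Network'
    0x20 = 'CD-ROM (U3 emulated CD)'
    0x40 = 'RAM disk'
    0x80 = 'Reserved'
}

function Get-AutoRunPolicy {
    # Returns the current mask, or $null when the policy value has never been set
    # (Windows then falls back to its built-in default).
    $item = Get-ItemProperty -Path $PolicyPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Show-AutoRunPolicy {
    # Prints which drive types still have AutoRun enabled; the CD-ROM line is the one that matters here.
    $mask = Get-AutoRunPolicy
    if ($null -eq $mask) { Write-Output 'NoDriveTypeAutoRun is not set; the OS default applies.'; return }
    Write-Output ('NoDriveTypeAutoRun = 0x{0:X2}' -f $mask)
    foreach ($bit in $DriveTypeBits.Keys) {
        $state = if ($mask -band $bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ('  {0,-24} AutoRun {1}' -f $DriveTypeBits[$bit], $state)
    }
}

function Set-AutoRunDisabled {
    # 0xFF sets every bit, disabling AutoRun for all drive types.
    # NoAutorun = 1 additionally stops Explorer from acting on Autorun.inf at all.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    Set-ItemProperty -Path $PolicyPath -Name NoAutorun -Type DWord -Value 1
}

Show-AutoRunPolicy   # before
Set-AutoRunDisabled
Show-AutoRunPolicy   # after: every drive type should read "disabled"
```

The same two values can be pushed fleet-wide through Group Policy (Computer Configuration, Windows Components, AutoPlay Policies), which is the practical way to close this off on more than one box.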
Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.
Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a master of science degree in electrical engineering.