
WLSAT Section 8

Section 8
Creative Advanced Attacks

On the downhill slide of our journey with the Wireless LAN Security Assessment Toolkit, we’ll show you
some of the cutting-edge and exciting tools and techniques that exist in the WLAN ecosystem.

Your kit includes a professional Honeypot to trap would-be attackers on your Wireless LANs. Plus we’ve
included some unique ‘tools’ on a USB ‘Attack Stick’ – remember, only WITH PERMISSION.

08 - Creative Advanced Attacks.v7 © 2007 Institute for Network Professionals


1/12/11 1 www.inpnet.org • www.HOTLabs.org

Lab 8.1: Create a Honeypot KF Sensor


KFSensor is a Windows based Honeypot Intrusion Detection System (IDS).
It acts as a honeypot to attract and detect hackers and worms by simulating
vulnerable system services and trojans.
By acting as a decoy server it can divert attacks from critical systems and
provide a higher level of information than can be achieved by using firewalls
and NIDS alone.
KFSensor is designed for use in a Windows based corporate environment and
contains many innovative and unique features such as remote management,
a Snort compatible signature engine and emulations of Windows networking
protocols.
With its GUI based management console, extensive documentation and low
maintenance, KFSensor provides an effective way of improving an
organization's network security.

Product Information

Source
Key Focus
KF Sensor Professional – Commercial License
$999.00
http://www.keyfocus.net/kfsensor/index.php

Where, When, Why


When you want to ‘catch’ someone in the act of attacking your network, a
Honeypot is the tool of choice. KF Sensor is a robust, professional Honeypot
that can also be used attached to a ‘rogue’ access point of your design to
‘catch’ folks attempting to access your network via the Wireless LAN.

Usage and Features


• Monitors every port - KFSensor Professional monitors attacks on every TCP and
UDP port, as well as detecting ICMP or ping messages. It also monitors all
network activity of native Windows server applications, allowing these to act
as part of a Honeypot configuration.
• Remote administration - KFSensor Enterprise Edition contains the ability to
manage and monitor multiple honeypot installations. Events from different
sensors across the network are concatenated in real time, allowing an
immediate view of attacks as they happen.
KFSensor uses 3072 bit RSA public/private key authentication and 256 bit AES
encryption to provide top-of-the-range security for communication between
sensors.
• IDS signature engine - KFSensor is the first product to combine the benefits of
signature-based IDS with a honeypot system.
Its fast signature search engine has a minimal impact on system performance
and can handle thousands of rules.
It is easy to update the rulebase with new rules from different sources and to
create new rules directly from an event.

Requirements / Dependencies
• Windows NT, Windows 2000, Windows XP, Windows 2003 Server
• 500 MB hard disk space
• 512 MB RAM
• 1 NIC card and/or direct internet connection

Lab Part 1 - Configuring KF Sensor

In this lab exercise you configure KFSensor using the Wizard and the individual
settings windows.

Step 1. Launch KFSensor (it may already be started on your system. Look for the
KFSensor icon in the system tray - it may be a different color).

Perhaps your computer has ports currently in use (Listened)

Step 2. Select Settings > Set Up Wizard. The Set Up Wizard guides you
through the configuration of:

- Port Classes
- Domain Name Selection
- Email Alerts
- Systems Service

Step 3. Click the Next button to begin configuring KF Sensor. By default all the port
classes will be selected.

Click Next to accept this configuration using all port classes.

Step 4. Now you need to give your system a name. Use a fictitious name that may be
attractive to someone who is doing discovery for “juicy” targets. For example,
using the following words somewhere in your domain name may get you more
hits:
- credit
- bank
- financial
- investment
- accounting
- private
- internal


Enter your domain name (don’t forget to include the .com, .org, .net or
whatever extension you are going to use). Click Next.

Step 5. If you would like to receive email alerts of events, enter your target
email address and the source email address in this window.

Click Next.

Step 6. Now you can configure the system services. Click the Wizard Help
button for more details on each option.

Denial of Service
- Normal/Cautious

Port Activity
- 1-12 Hours

Proxy Emulation
- Allow banner grabs and loop backs
- No external connections

Network Protocol Analyzer
- Disable packet dump files
- Enable packet dump files

Use the following settings for this lab exercise:

Click Next.

Step 7. Now you are on the system service set up window. A system service allows
KFSensor to run like a daemon on your system regardless of who is logged into it.
You can change between users without affecting the system service. You must be
logged in as the administrator to install the system service.

“Install as a system service” should be selected.


Click Next.

Step 8. KFSensor should now be ready to configure your system. Click Finish.

Step 9. Now we are going to customize KF Sensor. Select Settings > Customize.
In this area you define the alert behavior, KFSensor window
behavior, recent activity intervals, startup behavior and the maximum number of
events to keep loaded.

We definitely want to disable the audible alarm and we want to increase the
number of events that are displayed when KFSensor starts up.

Configure your KFSensor as shown next.

Click OK when you have set these configurations.

Step 10. Now you are ready to review the DOS Attack Settings and see if you want to stay
with Normal – or use Cautious – or a customized setting. Select Settings >
DOS Attack Settings.


Step 11. To compare the two default settings – Normal and Cautious – click on each
separately and review the settings. You can select either
setting or define a customized setting for this lab exercise. Click OK when you
are finished.

Step 12. Now we are ready to configure the network analyzer function of KF Sensor. We
enabled this feature in the Set Up Wizard.

Select Settings > Network Protocol Analyzer.

In this area you can select to monitor specific interfaces and define the types of
packets that you want to capture.

Step 13. Configure your KFSensor network protocol analyzer as shown below.

NOTE: This system has a dial-up adapter loaded. On your systems, choose all
adapters that are displayed in the list (which include your wired and wireless
adapter and the generic Microsoft adapter).

Click OK when you are done.


Note: Your analyzer trace files are stored in the c:\kfsensor\dumps directory.

Step 14. Select Settings > Email Alerts and review the configuration. You
may want to select a Message Title or rethink the sender’s address so you can
easily apply email filters for your KFSensor alerts. In this area you also define the
email alert interval and the message severity level. Click OK when you are
finished.

Step 15. Now select Settings > Local Sensor Configuration. Here you
will see the Sensor ID of your KFSensor server. If you install more than one KF
Sensor, assign a unique ID to each since this number is kept in the logs to enable
you to determine which KFSensor server was hit.

Change your KFSensor ID value to kfsensor-zzz where zzz are your first,
middle and last initials.

We’ll keep this default port and the log level setting at this time. Click OK to
accept this setting.

Note: KFSensor might warn about restarting in the ‘normal’ way and then shut
down. Just restart it to return.

Step 16. Look through the other options under the Settings menu option. If you
need to know more about any setting, click the Help button on the setting
window.

Lab Part 2 - Viewing, Editing and Creating New Scenarios

In this lab exercise you continue to configure KFSensor by viewing the Main
Scenario, creating a new scenario and defining the Listens and KFSensor
behavior for those Listens.

Step 17. In the KFSensor window, select Scenario > Edit Scenarios. You
should have only one scenario defined on your system – the Main Scenario. This is
the active scenario at this time.

NOTE: First we are going to look at the Main Scenario – we are not going to edit
that scenario, however. We are going to back out and make a new scenario
called WLSAT Scenario.

Step 18. Click Edit. At this time you might see a KF Warning box appear. This is not
unusual – it indicates that certain ports were in use already when KFSensor
started. You can select “Convert to Native” on those ports to have KFSensor listen
to activity on them. For example, on Windows systems the NBT (NetBIOS) ports
are enabled by default and will generate errors.

Click OK.


We don’t want to edit this scenario – we only want to look at it. This window is
showing you “Listens” or defined ports that we are listening on using this
scenario.

Step 19. Double-click on FTP Guild (see previous graphic) to get more detail
on the configuration of the FTP Listen.

Here you can get an idea of how a Listen is defined – you define the port number
and protocol and address to bind the Listen to. This is also where you define the
KFSensor action when that Listen is hit as well as the severity level. Finally you
can define the DOS attack limits to protect KFSensor from being overwhelmed by
too many connections on that Listen.

Now we are ready to build a brand new scenario.

Step 20. Click Cancel to close the Edit Listen window and Cancel to close the Edit
Scenario Window. You should now be viewing the Edit Scenarios window as shown
below.

Step 21. Click Add to create a new scenario. You may receive the warning about ports in
use. Click OK to close the warning window.

Step 22. Enter the scenario name WLSAT Scenario. Enter the domain name that
you defined in the Set Up Wizard. Click the Add/Remove Classes… button.

Step 23. Check off all the classes listed except Linux and click OK.


Step 24. Now you will see all the Listens for these classes show up in your new scenario.
We are going to add a Listen to this group. Click Add.

You are going to add a Listen for Laura’s Attack. Enter the information as
shown in the configuration below. Click OK when you are done.

Step 25. Your new Listen should show up in the list now. Click OK to save this scenario and
close the New Scenario window. Now your WLSAT Scenario should be listed in the
Edit Scenario window. Click OK to close the Edit Scenario window.

Step 26. Select Scenario > Switch Scenario. Select your WLSAT
Scenario from the drop-down list and click OK.

NOTE: KFSensor hesitates for a moment as it switches scenarios – be patient.
It might need to be restarted – the switch might cause the services
to stop.

Lab Part 3 - Viewing and Adding Visitor Rules

In this lab exercise you view and edit rules related to visitors that hit KF
Sensor. You will work with your WLSAT Scenario only.

First IP Address: ___________________________________

Last IP Address: ___________________________________


NOTE: If you are going to connect to the KFSensor system using a Listen port
(perhaps one that has been converted to native, such as the FTP port) and you
don’t want your communication to be logged, enter a Visitor Rule to exclude
your connection on that port. Visitor rules are only used to close connections
with, or ignore, visitors. They are NOT a “lockout” feature. Use signatures to do
lockouts based on ports or payload.

Step 1. In KF Sensor, select Scenario > Edit Active Visitor Rules to
open the Visitor Rules window.

Step 2. Click Add.

Step 3. Enter the following rule information:

Name: Instructor Machine

First IP: See above

Last IP: See above

Host DNS name: Leave blank

Protocol: Any

Sensor Port: Leave blank

Visitor Port: Leave blank

Min. Connections: Leave blank

Max. Connections: Leave blank

Actions: Ignore

Set Severity: No change

Click OK to close the Edit Rule window.

Step 4. Your new rule is visible when you edit the active scenario and click the Rules
button.
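
The Listen and visitor-rule behaviour described in Lab Parts 2 and 3, modelled in Python as an added example (not KFSensor code and not part of the original lab). The class names, the ‘Decoy FTP’ Listen on port 2121 and the IP addresses are assumptions made for illustration.

```python
import ipaddress
import socketserver
from collections import Counter
from dataclasses import dataclass

@dataclass
class VisitorRule:
    """An inclusive First IP..Last IP range and what to do with visitors in it."""
    name: str
    first_ip: str
    last_ip: str
    action: str  # "ignore": never logged; "close": logged, connection dropped

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        lo = ipaddress.ip_address(self.first_ip)
        hi = ipaddress.ip_address(self.last_ip)
        # Comparing IPv4 with IPv6 raises TypeError, so check the version first.
        return addr.version == lo.version == hi.version and lo <= addr <= hi

@dataclass
class Listen:
    """A decoy port: what to bind, how severe a hit is, and a per-visitor cap."""
    name: str
    protocol: str
    port: int
    severity: str
    max_per_visitor: int  # DoS limit that protects the sensor itself

class Sensor:
    def __init__(self, sensor_id, listens, rules):
        self.sensor_id = sensor_id
        self.listens = {(ls.protocol, ls.port): ls for ls in listens}
        self.rules = rules
        self.hits = Counter()
        self.events = []

    def connection(self, ip, protocol, port, received=b""):
        """Apply the rules to one inbound connection; return the event or None."""
        listen = self.listens.get((protocol, port))
        if listen is None:
            return None  # not a decoy port in this scenario
        rule = next((r for r in self.rules if r.matches(ip)), None)
        if rule and rule.action == "ignore":
            return None  # e.g. the instructor machine: no event at all
        self.hits[ip, listen.name] += 1
        count = self.hits[ip, listen.name]
        if count > listen.max_per_visitor + 1:
            return None  # the limit was already reported once; stay quiet
        over = count > listen.max_per_visitor
        event = {
            "sensor": self.sensor_id,  # tells you which honeypot was hit
            "visitor": ip,
            "listen": listen.name,
            "severity": listen.severity,
            "action": "dos-limit" if over else ("close" if rule else "respond"),
            "received": b"" if over else received[:256],
        }
        self.events.append(event)
        return event

def serve(sensor, listen, bind="127.0.0.1"):
    """Expose one TCP Listen on a real socket (blocks until interrupted)."""
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            self.request.settimeout(3)
            try:
                data = self.request.recv(1024)
            except OSError:
                data = b""
            sensor.connection(self.client_address[0], listen.protocol, listen.port, data)
    with socketserver.TCPServer((bind, listen.port), Handler) as srv:
        srv.serve_forever()

def demo():
    """Replay constructed connections (RFC 1918 addresses) through the sensor."""
    listen = Listen("Decoy FTP", "tcp", 2121, "medium", max_per_visitor=2)
    rule = VisitorRule("Instructor Machine", "192.168.10.20", "192.168.10.25", "ignore")
    sensor = Sensor("kfsensor-zzz", [listen], [rule])
    sensor.connection("192.168.10.22", "tcp", 2121, b"USER test\r\n")  # ignored
    for _ in range(4):  # two logged, one limit event, one silent
        sensor.connection("192.168.10.77", "tcp", 2121, b"USER root\r\n")
    sensor.connection("192.168.10.77", "tcp", 8080)  # no such Listen
    return sensor.events

if __name__ == "__main__":
    for e in demo():
        print(e)
```

The ignored range produces no event at all, which is why a visitor rule is an exclusion and not a lockout: the connection is simply absent from the log.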

Lab Part 4 - Creating Signature Rules

In this lab exercise you create a signature rule based on traffic received and
review how signatures are created and imported.

Step 5. In KF Sensor, click the Ports View button.

This might be enabled by default when the server starts.

Step 6. Maximize the window so you can see the Received column information.
This column shows the data related to the event (if any).


Step 7. Double-click one of the events that show data was transferred.
The Event Detail window appears.

Step 8. Click the Signature tab. If no signature is associated with this event,
click the Create button. The Edit Signature window appears showing the signature
data definition.

Click OK to accept this configuration.

Step 9. The Add Signature window is now displayed. You can provide a message with your
signature and include a Source Reference (such as a website that contains
additional information on this signature).


Note: Unless you are actively working with a ‘partner’ to see live traffic, you’ll
only see your own little network’s Windows traffic.

The signature will be defined as “hand coded” which means it takes
precedence over the other KF signatures. It is that easy to add signatures from
existing events.

In order for KFSensor's signature engine to be most effective it is best to build
up and maintain a large rule base. KFSensor can import rules written in Snort
format. There are a number of different sources for Snort rules and the first
stage is to download copies of different rule sets.

Unlike a network IDS, KFSensor uses signatures to provide information on an
attack and not to identify attacks. It is therefore possible to use experimental
and non-certified rule sets.
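
How Snort-format rules can label honeypot events instead of deciding which traffic is an attack, as an added Python example (not KFSensor's engine and not part of the original lab). The two rules, their sids and the sample events are constructed, and only the msg, content, nocase and sid options are handled.

```python
import re
from dataclasses import dataclass, field

# Constructed rules in Snort syntax (sample data, not from a published rule set).
RULES = r'''
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP anonymous login attempt"; content:"USER "; nocase; content:"anonymous"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP request ending in CRLF CRLF"; content:"GET "; content:"|0d 0a 0d 0a|"; sid:1000002; rev:1;)
'''

# Constructed honeypot events: what each decoy port received.
EVENTS = [
    {"proto": "tcp", "port": 21, "received": b"user Anonymous\r\nPASS guest@\r\n"},
    {"proto": "tcp", "port": 80, "received": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "port": 23, "received": b"\xff\xfb\x1f"},
]

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\S+)\s*\((.*)\)\s*$')
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?;')

@dataclass
class Signature:
    proto: str
    dst_port: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # [pattern bytes, nocase flag]

def decode_content(text):
    """Convert Snort content syntax such as 'GET |0d 0a|' to raw bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2:   # odd segments sit between pipes and hold hex bytes
            out += bytes.fromhex(part)
        else:       # literal text; undo backslash escapes such as \" and \;
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)

def parse_rule(line):
    """Parse one rule line; return None for comments and unsupported lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    _action, proto, dst_port, body = m.groups()
    sig = Signature(proto.lower(), dst_port)
    for key, value in OPTION.findall(body):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if key == "msg":
            sig.msg = value
        elif key == "sid":
            sig.sid = int(value)
        elif key == "content":
            sig.contents.append([decode_content(value), False])
        elif key == "nocase" and sig.contents:
            sig.contents[-1][1] = True  # modifies the preceding content
    return sig if sig.contents else None

def load_rules(text):
    return [s for s in map(parse_rule, text.splitlines()) if s]

def matches(sig, event):
    """True when every content pattern occurs in the received data.
    Simplification: offset/depth/distance/pcre and port variables are ignored."""
    if sig.proto != event["proto"] or sig.dst_port not in ("any", str(event["port"])):
        return False
    data = event["received"]
    return all((p.lower() in data.lower()) if nocase else (p in data)
               for p, nocase in sig.contents)

def annotate(events, sigs):
    """Every event is kept; signatures only add a label when they match."""
    return [dict(e, signatures=[(s.sid, s.msg) for s in sigs if matches(s, e)])
            for e in events]

if __name__ == "__main__":
    for e in annotate(EVENTS, load_rules(RULES)):
        print(e["port"], e["signatures"] or "unclassified", e["received"])
```

The port 23 event matches no rule and is still reported, because on a honeypot the connection itself is the detection and a loose or experimental rule can only mislabel an event, not hide it.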

The official Snort and community rule sets can be obtained at:
http://www.snort.org/rules/

Another important source of rules is Bleeding Snort:
http://www.bleedingsnort.com/index.php


Lab 8.2: Creative Wireless Attacks

Instructor will now demonstrate creative wireless attacks.


Lab 8.3: NirSoft Password & History Utilities


This group is a series of individual software packages aimed at Password
Recovery, History Recovery or Product Key Recovery.

Because of the sensitive nature of the information obtained by these tools –
please be careful and always have permission first before deploying these
recovery tools.

Product Information

Source
NirSoft
Freeware
www.nirsoft.net

Where, When, Why


Security—Password and History Recovery Utilities (multiple applications)
Have you or any of your friends or family ever forgotten a password? Of course
you have had this experience. Well, with these simple tools you can quickly
find the passwords and get back to happy computing.
Now, with this great power comes great responsibility as well. You need to use
these tools for good and not for evil!
You can recover passwords, history from IE and Cookies as well as recover
those pesky Microsoft Product Keys. Use the ProduKey BEFORE you need to
reinstall and you can be ready for those Office and XP keys – you’ll be all ready
to reinstall after a crash.

WARNING: ALWAYS HAVE PERMISSION BEFORE USING ANY OF THESE RECOVERY UTILITIES

IMPORTANT NOTE: Many of these utilities might trip your Anti-Virus alarms –
not as a ‘virus’ per se, but as a ‘hacking tool.’
Some AV products will delete the offending files directly from your USB Stick –
to replace them, copy the original files from the Student DVD to the
appropriate location on your Ultimate USB stick \5 – Security\Toolname\Tool

Usage and Features


• MessenPass – Recovery of instant messenger passwords
• MailPassView – Recovery of popular e-mail client passwords
• Protected Storage PassView – Recovery of all passwords and
AutoComplete strings from Protected Storage
• Dialupass – Recovery of VPN and Internet dialup connection
passwords
• Asterisk Logger – Reveal passwords hidden behind asterisk (******)
characters in password boxes


• SniffPass – Listen on the network for POP3, IMAP4, SMTP, FTP and
HTTP passwords
• Network Password Recovery – Recover network passwords
stored by Windows XP
• WirelessKeyView – View Wireless LAN WEP and WPA keys
• IE PassView – View Internet Explorer passwords
• IECookiesView – View and Modify cookies stored on your computer
• IEHistoryView – View and Delete URLs you’ve visited in the last
few days
• WinUpdatesList – Display all the Windows updates on the target
machine
• ProduKey – Recover Microsoft Office/Windows Product CD-Keys

Requirements / Dependencies
• Any Windows operating system

Where to Go for More Information


• www.nirsoft.net

This is the ‘Manual’ way of running these… in the next lab we will use an
‘Attack’ Stick to automate the process

What you will do in this lab:


• Run through a series of hands-on lab exercises testing a variety of
password and history recovery utilities.
• As a penetration test – showing what information is vulnerable

Lab Part 1 - Messenpass

Step 1. Launch MessenPass.

Did it find any of your Instant Messenger accounts and passwords? _______

Step 2. Try exporting an HTML file of the results.


Lab Part 2 - MailPassView

Step 1. Launch MailPassView.

Did it find any of your Mail accounts and passwords? ________

Step 2. You can export an HTML file of the results.

Lab Part 3 – Protected Storage Passview


Protected Storage PassView is a small utility to reveal the content of the
"Protected Storage" registry key. This registry key contains the passwords
stored on your computer by Internet Explorer, Outlook Express and MSN
Explorer.
The usage is trivial: once executed, Protected Storage PassView displays in its
window all the passwords it's able to find, showing the resource name, the
password type, the username (if available) and the password.
The 'View' menu allows you to filter the main window content by displaying
only certain types of passwords.

Step 1. Launch Protected Storage PassView.


Step 2. Note the wealth of information this quickly provides – web sites, passwords, etc. –
These items are clearly and easily available to anyone who has access to your
computers!
What was discovered on *your* computer? _____________________________
How does this make you feel about the security of your private information?
____________________________________________________

Step 3. Like the other NirSoft products, this too can export to an HTML file.


Lab Part 4 – Asterisk Logger

Step 1. Launch Asterisk Logger.

Step 2. Open the window that contains the asterisk text-box you want to reveal. The
password will be instantly revealed inside the password box, and in addition, a
record containing the password and other information will be added to the main
window of Asterisk Logger utility.

Step 3. After you reveal all the passwords you need, you can select the desired passwords
in the main window of Asterisk Logger, and save them into a text or HTML file.


Lab Part 5 - SniffPass

Step 1. Launch SniffPass.

Step 2. Click on File > Start Capture or click on the green arrow.

Step 3. A Capture Options window opens. Highlight the adaptor you are using
for packet captures and select either RAW Sockets or WinPcap Packet
Capture Driver.

Note: Choose RAW Sockets if you don’t have WinPcap loaded already on your
target machine.

Step 4. Click OK.

Step 5. Generate some traffic by using the browser to login to a site where you must
enter your name and password.


Lab Part 6 – Network Password Recovery

Step 1. Launch Network Password Recovery.

Step 2. Did it find any of your Windows Network accounts and passwords? _______

Step 3. You can export an HTML file of the results.

Lab Part 7 - WirelessKeyView

Step 1. Launch WirelessKeyView.

Step 2. Did it find any of your Wireless accounts and passwords? ____________

Note: The keys are shown in both HEX and ASCII values.

Step 3. You can export an HTML file of the results.


Lab Part 8 – IE PassView

Step 1. Launch IE PassView.

Step 2. Did it find any of your Internet Explorer accounts and passwords?

Step 3. You can export an HTML file of the results


Lab Part 9 – IECookiesView – Internet Explorer Cookies Manager

Step 1. Launch IECookiesView.

Step 2. Look through the column headings by scrolling to the right.

Step 3. You can export an HTML file of the results.

Lab Part 10 - IEHistoryView

Step 1. Launch IEHistoryView.

Step 2. Did you know your surfing history was this easy to see?

Step 3. Now using the options in Microsoft IE, clear out your history and cache and try
running this utility again. Did it clear your data?


Lab Part 11 - WinUpdatesList

Step 1. Launch WinUpdatesList.

Step 2. How many times has the target machine been ‘patched’ or updated by Microsoft
for the Windows OS? _______

Step 3. You can export an HTML file of the results.

Lab Part 12 - ProduKey

Step 1. Launch ProduKey.

Step 2. Cut and paste these keys into a text file and save as part of your backup. When
it’s time to restore, you’ll have your CD-Keys all ready to go.


What you learned in this Lab:


In this Lab you learned to use Password & History Recovery Utilities to:
1. View all the different types of saved passwords and history files that are
available to anyone with access to your computer
2. These tools can all be run remotely if a hacker has control of your
computer
3. As an example in a penetration test, you can show the clients the
vulnerabilities of their machines to anyone with these simple software
utilities
4. Your Anti-Virus software might have caught a few of these tools, but what
about those the AV didn’t catch?


Lab 8.4: Attack and Recovery - USB Switchblade


The goal of the Attack & Recovery tools (based on USB Switchblade) is
to silently recover information from a target Windows 2000 or higher
computer, including password hashes, LSA secrets, IP information, etc... the
original Amish technique of using social engineering to trick a user into
running the payload when choosing "Open folder to display files" upon
insertion.

While the USB Switchblade does require a system running Windows 2000, XP,
or 2003 logged in with Administrative privileges and physical access, the
beauty lies in the fact that the payload can run silently and without modifying
the system or sending network traffic, making it near invisible.

Product Information

Source
Hak.5 Team
Combination of Freeware

Where, When, Why


Ok, now this one is going to be hard to justify the Where, When and Why—
Unless you have the correct permissions to do a Penetration Test on the target
devices. A single USB stick designed to ‘hack’ into an unsuspecting computer,
copy down the SAM files, IE history, Protected Storage, Passwords, etc.
As a penetration testing demonstration, this small USB device excels at
‘scaring’ the target by showing how easy it is to learn a very large amount of
information about the target machine, very quickly, very easily.
For example the USB Switchblade can be used to retrieve information from a
target system at a LAN party by lending the key to an unsuspecting individual
with the intent to distribute a game patch or the like.

Usage and Features


• Using this tool to stealthily retrieve passwords, Internet browsing history
and detailed information from a target machine.
• Shows Product Keys, Passwords from IE, Firefox, Wireless, Windows,
Protected storage and more!

DO NOT USE THIS WITHOUT APPROPRIATE PERMISSIONS!


Requirements / Dependencies
• Windows Target Machine with physical access to USB Port

Where to Go for More Information


• http://www.hak5.org/wiki/Switchblade_Packages
• http://www.hak5.org/forums/viewtopic.php?p=31505
• http://www.hak5.org/wiki/index.php?title=USB_Switchblade


What you will do in this lab:


• Use the ‘Attack Stick’ to run USB Switchblade on a target device to
retrieve passwords, detailed information, etc.

Lab Part 1 – Penetration Test Demonstration


DO NOT USE THIS WITHOUT APPROPRIATE PERMISSIONS!
Used in a penetration testing mode, this tool can ‘scare’ unaware
individuals by showing them the items on their computer that ‘share’ their personal
information. With only a few seconds, and physical access to a USB port, many
pieces of personal information and history can be gathered.
Use with Caution.

Step 3. Insert ‘Attack Stick’ in target computer. If Autorun does not launch – then you
will need to launch USB SwitchBlade. Start the GO.BAT
file in the \WIP\CMD\ directory – or at your USB
drive prompt, type:
\WIP\CMD\go.bat

Step 4. You might have tripped an Anti-Virus alarm by running this Attack. Try turning
off Anti-Virus for a period of time.

Step 5. When the attack is complete, remove the USB stick.

Step 6. On a different computer (or the same as the target – it doesn’t matter) retrieve
the ‘found’ information by opening the \WIP\DUMP folder and finding a
folder with a name of the target computer. Inside you’ll find a set of files
containing massive amounts of personal information.

Step 7. Please review each of these files.

Step 8. Did you find passwords? For what programs? Did it find ALL passwords?
Why or why not? _________________________________________________

Step 9. There are other sets of tools that can use this same method for good and not
for evil! Running scripts to update A/V packages, etc.

IMPORTANT! Please delete the contents of the \win\dump folder before
continuing – it contains private information!

What you learned in this Lab:


In this Lab you learned to use USB Switchblade to:
• Wow! Was it really that easy to find all that personal information?
• How am I going to protect myself and my computer from this type of attack
in the future?
• What else might I do with this type of platform?
