Let me start off by saying that this is NOT YET a final payload, this threads purpose is to serve as a learning experience to me while providing a useful end-all be-all payload to the community. For now I will provide the payload in its current state at the end of this post.
This payload is the result of slowly browsing this forum and saving every bit of code and every full payload I've come across, then stitching it all together into a modular switchblade with just about every feature in existence. I've gone through and fully commented most of the code (still working on that), I've made sure everything is virus free, I've separated out major functions so that they can be turned on and off at will, and I've made sure it runs completely silently on a U3 and non-U3 thumbdrive in the least-obvious way possible.
The following is a list of everything included in the payload:
- Non-U3 Drives Only
- U3 Drives only
- Not yet Implemented
- Everything Else
- Upon insertion, the first option in the Autorun dialog box starts the payload, while appearing only to open the drive.
- Full silent autorun with no user interaction for U3 drives.
- A "Menu.bat" is included to mange all special functions, modules, and features of the switchblade.
- Payload checks the root of the C: drive and prevents the payload from running if the file "Safety.txt" is found.
- Includes TightVNC viewer so you always have it with you.
- Includes Notepad++ for easy batch editing.
- Includes antidote batch files for Nmap, the Hacksaw, and VNC.
- Fully commented code and fully featured ReadMe with instructions on setting up the payload for your needs.
- A custom backup and restore script, which automatically restores the switchblade (to the last time it was backed up) before every run. This ensures the payload is always put back to a normal state, even after it's been nuked by an antivirus.
- A custom auto-update script that goes out and downloads the most recent versions of many of the tools used on the switchblade (pwdump, nircmd, etc). Simply run it from Menu.bat, and the tools will be downloaded, extracted, and installed into the payload. The backup archive for the entire payload will also be updated to keep the latest versions of the files from being overwritten by an old backup. *working on a way to get this working for U3 drives.
- Auto Compress logs as they are generated to save space
- Email logs Back to yourself
- Optional auto-repack of executable to circumvent AV detection
- Runs AVKill (csrss.exe)
- Restores the payload to the last backup point
- Disables the Windows Firewall Silently
- Hides Hidden and System Files
- Enables the Remote Desktop service
- Dumps general System Info
- Dumps the SAM
- Dumps LSA secrets
- Dumps LSA secrets via an alternate method (less detectable, not as pretty)
- Dumps Network Passwords
- Dump messenger passwords
- Dump IE passwords.
- Dump saved wireless keys
- Dump URL history
- Dump Firefox passwords (Supports Firefox 3))
- Dump Cache Passwords
- Dump Current Network Services
- Generic Port Scanning
- Dumps current external IP
- Dumps email, messenger, and general website passwords
- Dumps currently installed hot fixes and IE history
- Dumps Google Chrome passwords
- Installs Hacksaw the usual way
- Installs WinVNC client.
- Installs Nmap as a service (emails you results like the Hacksaw)
- Installs a keylogger which emails its logs off to you daily [Broken!]
- File slurping for logs, chat-logs, downloads, bookmarks, etc. (smaller files)
- File slurping for various Documents and Media folders. (larger files)
- Opens an explorer window to the Documents folder when finished
- Automatic update scrip to keep various executables up to date.
- Compress logs as they are generated to save space.
- Optionally email logs in addition to storing them on the switchblade.
- Management interface to manage the various functions of the pocket Knife.
- Ability to save up to 3 configuration profiles [New!]