Verye
-
Posts
38 -
Joined
-
Last visited
Posts posted by Verye
-
-
Leeeaaapooooo
Any ideas on how to make the payload more...compatible...with Vista?
-
The payload seems to not self start on Windows Vista pc's. Anyone have a workaround?
Which payload? PocketKnife self-starts for me.
I put a picture on it, told Vista to auto-run all picture CDs, and boom, it auto-runs just fine.
Before that, it would simply ask me what to do with the removable disk, and if I clicked "open folder," it would also auto-run.
-
The autorun works fine, but when I try to run the pocketknife from option 2 of MENU.bat, I receive the error:
Script: G:\SYSTEM\GO.VBS
Line: 16
Char: 9
Error: The system cannot find the file specified.
Code: 80070002
Source: (null)
Everyone gets that error, myself included. I'm too lazy to edit GO.vbs and re-customize the flash drive though, and clicking the U3 icon in My Computer does the same job.
If you ever want to run it manually, just click the U3 CD-ROM icon.
-
The solution is modifying the GO.VBS. In this thread is the solution by mencargo...
Oh, it fixes this error too? Perfect then.
In my case, I don't think i'll use this way of slurping but if it can be useful for more people, I could try to script it it... Anybody?In any case, probably the consumption of time would do the slurping action not to be very efficient. Probably it will be better to slurp all the .txt, .doc, .rtf files...
Slurping all the .txt files would probably work.
Also, another quick question...I put the SwitchBlade into a friend's computer today, to show him its capabilities, and his AVG detected it as soon as I put it in. I did not have any installers enabled; it was just LSA secrets, PWDUMP, Application Info slurping, and FF/IE/Chrome password grabbing. Everytime AVG popped up with a message saying "unwanted program/virus/whatever detected," I'd always click Ignore. When I got the logs though, it said "Access denied" under all the categories. I guess AVG blocks Firefox/IE/Chrome passwords, and LSA Secrets?? Or is it just that it blocked all those parts of PocketKnife, and since they couldn't run, it displayed "Access denied"?
Note, I was not running with AVKill enabled. Alex told me that the AVKill program itself is detected by many AVs. So, I'm wondering, when IS it useful to have it enabled? Does it stop AVG?
Thanks.
-
Hey, I have (another) question, and also an idea.
The question...when I put the flash drive in computers with Windows 2000, 9 times out of 10 a message will pop up saying there's some sort of error with "wscript.exe," and it says to "please ensure that a floppy is drive A:." Now, this may be a problem due to the fact that these are being used on computers which previously had floppy drives, but were removed and disabled in the BIOS. Not sure why PocketKnife would cause an error having anything to do with floppies though, and I do not know what "wscript.exe" specifically means. This isn't a very big problem, since the payload still runs fine, just...I have to exit the error every time I put it in one of their computers, except for like 1 or 2 computers.
Second, the suggestion. The slurp application info is a very nice idea. I know it can take time, but slurping little bits and pieces of info like that is just helpful. However, what would make it even better is if it would also capture Notepad and possibly Word files that don't have much text in them. People often put passwords or private pieces of information in Notepad files. So, maybe it should capture all Notepad files that have, say, fewer than 40 words in them, or X amount of characters, or whatever.
I'm not sure if this would be hard to code, and also, I'm thinking that if it has to search the whole computer for them it may take a long time to run, so maybe it could just search the Desktop and Documents folders.
-
First of all, if we wanted to develop an independent payload, we surely would do. I have my own payload, of course, as many of us have. But the final purpose of posting in this Pocket Knife Thread is precisely allowing Leapo in developing his payload. This stuff doesn't belong to Leapo, but the entire community.
But if Leapo did the effort to compile in a batch a compendium of other scripts, and tryed to improve them is because, probabily he had an altruistic thought.
The reason of posting is, precisely, helping in developing his first (and now very evolved) code. Without the collaboration of many people (I would not nominate anyone for not forgetting anyone), he probabily would have left this proyect.
But don't forget that if you, me (or someone else) post a code trying to update the code is, surelly, because we want to collaborate and, of course, making readers understand the code and share knowledge.
But the last one that has to update his code is Leapo. By the way, we only can try to help.
In fact me too, but as you see, if someone wants to make a independent payload, he does it in a independent thread... If you refer to someone that are developing a GUI, surely, if Leapo sees that, will contact him/them (and vice-versa) to work hand in hand. If the author of a GUI, show us (by publishing the code) how he did it, surely, it'll be usefull, because it's one more less thing to do (or one more thing to improve!
) Those who doesn't want to be "one more" but "The One", haven't no place in this forum...Finally, I don't know if he is planning on updating the payload, probably yes (he told it a few days ago), but also probably he has other things to do (as many of us). In second place, there's many things to do, many improvements to implement and many others to investigate. Then, let Leapo decide if he wants to do it, and let others to decide if we want to use his code (as me), helping him in it's developing and others in understanding of how it works. I remember GonZor did the same far, far time ago (sigh!), and the response to him was the same as for Leapo, in fact I remember many people helping in Gonzor's stuff (will not say names).
As far as I know, Leapo always appreciated contributions, then be sure, when he can read the post, recompile, compile and rebuild his code, he'll do it. Otherwise, I'm sure he'll pass the baton...
Meanwhile, I will be waiting for his answers and learning more things (There's some very good threads here and in other communities), and the developing of this kind of stuf will surely be alive, with of without Leapo (better with).
Every body knows that Leapo begun this Thread and did the first re-compilation, re-compilated from other re-compilations, searching for code from other anonymous people (and not anonymous ones), and those from others... till the beginnings of the times... :P There's no new in doing so, but is a work in doing it.
Can you contribute? Perfect, do it...
We still be waiting for next release, with or without GUI... (Better with)
I understand what you're saying. However, I personally find it confusing if people go through the trouble to make an edit to his payload, then upload it, then ask other people to download it. I've seen a few things like that here.
Recommendations or writing bits of code to improve it make sense, it's just that going through the trouble of essentially releasing another version of it, with or without Leapo's permission, in his thread, seems odd.
But whatever. I'm not really complaining. It's just that I see cool edits and additions in this thread, and I think to myself, "hmmm, should I download/add this, or should I just wait for Leapo to implement it?" I'm just eagerly anticipating Leapo's next update.
-
pocketknife doesn't work on vista
Well, it works, just it doesn't do it automatically. If I want it to work right I simply have to click "view folder." I can exit it and it works fine.
But are you saying this problem occurs on Vista universally? If so, then okay, I understand.
-
Ok, here's the problem.
If I put the flash drive in and just X out the little AutoPlay Window that pops up, the log writing gets messed up really, really badly. Here's a picture:
If I click "Open folder to view files," then it does everything normally. However, this means that I have to open the folder in order for it to run and write the logs properly, which is obviously bad.
How do I fix this? How do I get it to just autorun automatically, without that stupid window popping up? (For those who are confused, I explained the window that popped up in my previous post.) The worst part is that if I exit out of the window, the logs do not write correctly. If I click "open folder," it writes correctly, but this is a hassle for me, and also, if it's on someone else's computer, quite suspicious, as they see all the PocketKnife folders.
-
Ah, I see.
And sorry with all the questions, but oooone last thing:
When I put the flash drive in computers, a little window named AutoPlay pops up. Here's a picture of it:
For my Vista computer, it does this whether or not safety.txt is on the C: drive. This kind of defeats the purpose of running silently... Thankfully, it doesn't do that on most computers.
However, it doesn't really say how to change the settings of removable disks (USB flash drives) in the Control Panel.
So, first off, how do I make it so it doesn't come up with that window when I put it in my Vista computer?
Second...is there a way to make it so it doesn't pop up like that on any computer?
Thanks.
-
Even if auto-run is disabled, simply double clicking the U3 drive from my computer will launch it.
Still can use the old method too, if you're so inclined, and trick people into launching by using the folder icon and dialog for the Open Folder to View Files popup.
I'm not familiar with the "old method," sorry. What folder icon??
Also, I have another question, though this one isn't support-related:
How do I get someone's Windows login password? I got a bunch of hashes, and I'm presuming these are what I need...but how do I decrypt them?
And finally, I'd just like to speak up about the method of payload development that's been going on in this thread. It is very, very confusing that multiple people are making multiple updates to Leapo's payload. A GUI, bug fixes, etc. It's impossible for anyone to keep up.
In fact, I personally believe having independent payloads in general is bad. Leapo had the right idea; a payload with just about everything. People have been working with Leapo on this payload to make it a fusion of the best ideas and features, and that's been working, but I understand that he's been inactive for a while and people are taking it upon themselves to edit it and add/edit things to make it better. I know that he hasn't been on in a while, but I feel that things would be simpler and better for everyone if they simply collaborated with Leapo and worked on it with him, so there's only one version of Leapo's payload. Unless he does not plan on updating it any time in the next 2 months, or has quit, then people should just be working with him.
-
According to the manual that came with my Cruzer Titanium Plus, it says that if you forget your password you must format the drive. There is no service to restore passwords, and there really is no way to view them, as far as I know.
I think you should keep trying to remember the password. If you really can't, your only option is to format and try and remember the Word document you wrote, then write it again.
-
It's not a flaw, if you read about how to prevent this kind of attacks, you'll notice than one of the firsts actions to do is disabling the auto-run... It can ever be run with a simply double-click...
Issue resolved. :P
Well, I'm saying the flaw is that auto-play was disabled by default. Meaning, the person would be immune from attacks without even knowing what auto-play WAS.
Also, what's with that GO.vbs error I kept getting?
-
I had a headache with this...1.- Check if autorun is enabled in this other PC that doesn't go.
2.- Try to auto-execute go.vbs by double clicking it from your \SYSTEM dir. It'll surely will create the logs correctly if they're enabled.
EDIT: For checking state of auto-play you can run... gepedit.msc, go to "Computer Configuration", "Administrative Templates", "System", double click on "Turn off Autoplay" and check the state of autoplaying... If you change this value, you must to run... gpupdate
Thanks, the auto-play thing did the trick.
The thing is though, it appears that auto-play was disabled by default. Isn't this kind of a big flaw, if it's supposed to run automatically and silently on computers?
Also, when I tried to run it manually either by clicking GO.vbs, it gave an error saying something was wrong with GO.vbs. This is the full error:
Script: F:\SYSTEM\GO.VBSLine: 16
Char: 9
Error: The system cannot find the file specified.
Code: 80070002
Source: (null)
It does this if I click GO.vbs on any of my 3 computers. I'm assuming there's a known error in GO.vbs that is causing this to happen if you try to run PocketKnife manually. If this isn't a known error, then...why is it happening to me?
-
Haha, disregard all that, I'm an idiot.
I accidentally named the file safety.txt, not safety. Thus, the file was called safety.txt.txt, and that was the problem. I got kind of confused and didn't notice the file extension was already part of it.
Problem solved in that regard.
The only other problem left is the fact that the payload is not doing anything to one of my other target computers. It's got no safety.txt on it, and the anti-virus has been disabled.
I have 2 computers. They're both laptops, and both have XP 32-bit. They both have McAfee as an anti-virus. When I put the USB drive in one of them, it captures all of its passwords and such fine. In the other, it does nothing and does not create a log for it in the LOGS folder. As in, the computer name doesn't even appear there.
-
Problem solved, see below.
-
You can download a new version of universal customizer 1.4.0.2 for Windows Vista
http://rapidshare.de/files/40767219/Univer....4.0.2.rar.html
Tanks Hak5
This is your first post here?
Sounds kinda fishy.
I recommend someone virus scans this.
-
Disregard this, problem solved, see below.
-
@mencargo Yes I can.
edit:
@Verye check in your settings their is a setting to turn off its checking for it.
edit2: Here is a snippet of code.
Process.Start("cmd.exe", " /K cd c:\")
This opens command prompt, and changes its directory to C:\
You can change cmd.exe to like /folder/folder2/program.bat and enter the parameters in the next section of code.
If you guys could do that because I don't fully understand how payloads work I'll be sure to use it and accredit you for it.
Edit3: Before you do all of them post 1 or 2 so I can make sure it properly works.
Trust me, that setting is the first thing I checked. The option to bypass safety.txt is not enabled.
Plus, on one of my computers, if safety.txt is on C:, then it doesn't infect, and if it isn't there, then it does, like it should. It's just on this Vista computer that it infects even though safety.txt is on there.
I guess I can't use this payload, seeing as I'll infect myself every time I ever want to check logs...
Oh well. :(
-
Hmmm, not sure why everyone is ignoring me, but I guess I can repeat my problem for a 4th time:
Why is PocketKnife capturing passwords and taking info from my computer, which has safety.txt on the main HDD, C:?
-
I'll ask just this one more time, because it's still confusing me greatly:
Can anyone think of why PocketKnife would slurp the info and passwords of a computer it is put in, even though safety.txt is in the C: drive? And yet, when I put it in a computer with anti-virus disabled and no safety.txt, it does not obtain any of its info. Only my 3rd computer acts how it should; slurps info if safety.txt is not on C:, doesn't slurp if it is on C:.
I suppose there are numerous possible reasons for why it wouldn't get any info from that computer, but I find it baffling that it IS getting the info on a computer with safety.txt.
Just as a note, the computer I'm putting it in, with safety.txt, is Vista Home Premium 64-bit. I can't see why it'd be having problems with the safety just because it's Vista (or x64), but it's definitely bypassing the safety. Also, I am 100% sure the option to "ignore safety.txt" is disabled.
-
Okay, I've tested it on 3 different computers now: One Vista, 2 XP. The Vista one is 64-bit, the 2 XP ones are 32-bit. I'm getting some really strange results overall. The payload seems to work, sort of, but not consistently, and not how it should. Including capturing passwords and system info of my Vista computer, even with safety.txt on the C: drive. Yet, it will only capture passwords on one of the XP computers with safety.txt not on the C: drive. The other, it will not log anything, with or without safety.txt.
It's pretty much impossible to communicate everything I've done and then also respond to questions over a message board like this, so I'd very much prefer if someone could contact me over AIM or MSN over this.
AIM screenname = TheWoWLawyer
MSN screenname = wowlawyer@bendblizzpolicy.com
Thanks.
-
Things to try:
On your safetyed machine, run Menu.bat and disable everything. Turn on system information.
Okay.
On your target machine, turn off the antivirus. (the AVKill feature isn't working right now. We're working on it)Okay.
On your target machine, verify that autorun is turned on. (I don't remember how to check that)I also do not know how to check this. =/
*Then* stick your thumb drive in.Please report back what happened.
Okay, with the anti virus disabled, and with only "dump system information" enabled in Menu.bat...
I stuck it in and nothing seemed to happen. By nothing, I mean there was no "do you want to explore the folder of this removable device" message, nor any sort of U3 pop-up or message. I waited for a few minutes, took it out. I put it back in the computer with safety.
There's a file in my LOGS folder with all the system information of...the computer with the safety??
I'm very confused. I put it in the target computer with anti-virus disabled, and nothing happened. Then, when I put it back into my safety'd computer, I see a log of MY computer, not the victim one.
Ironically, the computer with the safety has the complete Eset Smart Security, all enabled. And yet, it captures the info of THAT computer, with safety.txt and an enabled and good anti-virus, yet cannot capture the info of a computer with no safety, and the anti-virus completely disabled? Why is it even capturing the info of my safety'd computer?
To explain just how ridiculous this all is, let me simplify it:
1. I stick USB drive into victim computer.
2. I check the LOGS folder on that computer...nothing.
3. I stick it back into my computer with safety.
4. A file is instantly created in LOGS with the computer info of the computer it is currently in. My main computer; my safety'd one.
So, it appears that even though I do not want it to get the info of my main computer, it retrieves it any time I stick the USB drive in it, even though it has safety.txt on C:, and yet, when I put it in the computer with anti-virus completely disabled and no safety.txt, it does not capture any of its info and does not create a LOGS file of it.
Is there any chance we could talk over some sort of instant messaging program? Telling you for me to test something, and then me giving you the results, and then you telling me to do something else, and me giving the results, etc. etc. could take many days, since both of us are not checking this thread every minute.
-
Ok, Yes, we *do* expect everybody to read all 29 pages of this thread. When I found this forum I read all the pinned threads. (they're pinned for a reason) I also read about half the other threads. There's all kinds of things to learn there.
This goes against my better judgment, but...
When you install the Universal Customizer, it puts a "Universal_Customizer" directory in C:\. Inside that directory you will find a few sub-directories.
Before you do anything, create a text file in C:\ and name it "safety.txt" That'll keep you from hosing yourself.
If you wanna do a payload from source files.
Empty the "c:\Universal_Customizer\U3CUSTOM\" sub-directory. Leapo's payload has two parts, a "U3 ISO Source" directory and a "Flash Partition" directory. Everything in the U3 ISO Source directory get copied into "c:\Universal_Customizer\U3CUSTOM\". Then double click on "c:\Universal_Customizer\ISOCreate.cmd" That will run a batch file that will create the .ISO file and put it where it belongs.
If you have a .iso file, rename it "U3CUSTOM.ISO" and move it into "c:\Universal_Customizer\bin".
In either case, have your U3 thumb drive already plugged in and click on "Universal_Customizer.exe" (you'll find it in "c:\Universal_Customizer\") Follow instructions *exactly* Expecially the bit at the end where it has you extract the thumb drive and re-insert it. I don't think it matters if you close the window first, but I always extract, re-insert, then close the customizer.
NOTE: Some payloads don't have anything to copy to the non-U3 partition of your thumb drive. Gonzor's and Leapo's do.
For Leapo's, copy the contents of the "Flash Partition" sub-directory (that I mentioned above) to the second partition on the thumb drive. Open the non-U3 partition and run "Menu.bat" to configure the payload.
For Gonzor's, copy "SBConfig-V2.0.18.exe" (or whatever the current version is) to the non-U3 partition and run it.
Here's a tip if you're re-flashing a thumb drive. Delete the logs from the flash partition. One of the steps that the Universal Customizer does is to archive and restore the flash partition. Sometimes there are files in the logs that don't make it through that process. Better to get rid of them first.
I did read through the thread. I understand we are expected to do so. However, there was no clear-cut guide on how to actually install it on any page of the thread.
I understand that they're sort of assuming people know how to use the Universal Customizer and how to burn .iso's to a flash drive's U3 partition. However, I didn't. I'm quite new to U3 and USB hacks in general, so I was just a bit confused.
After reading what you've said, and talking to Alex, who simplified it for me for a little, I think I was able to successfully install it. However, it still doesn't seem to work. At least, not on the computer I put it in.
I left it in for about 3 minutes.
I took it out of that computer and put it back in my computer with safety.txt. As soon as I put the flash drive back in in, a message pops up in the bottom right saying there was some sort of write error, and data was lost. It was kind of confusing and didn't last long enough for me to write down fully.
Anyway, I looked through the flash drive, but the LOGS folder, and other folders, were empty. It didn't appear to capture anything.
Both computers have XP. The victim computer's antivirus did not seem to detect or stop it.
After trying it again, the weird error didn't pop on when I put it back in my main computer, but still, no logs. Is it possible that it simply isn't finishing? I think I remember it saying in Menu.bat that it will pop open the "Logs" file when it finishes. Well, that doesn't happen. I've waited quite a while though...
Is there any way to tell if the payload is actually extracting passwords and such from a target computer?
-
Ok, Alex helped me out, but he's away right now.
So I got Pocketknife on my Cruzer Micro. I enabled most of the settings in menu.bat and such, and everything seemed to be fine.
However, when I sticked it in another computer of mine (there was no safety.txt on the C drive), nothing happened. It detected the drive, and I could access the files on it (which were all Pocketknife files), but it did not take any logs.
I noticed no U3 symbol popped up or anything like that. Actually, after I installed the Universal Customizer, the entire U3 program doesn't start when I put the drive in a computer. I thought this was normal, since Universal Customizer replaces it...however, if it removes U3, or at least its program, how is it supposed to auto run, or run at all? Universal Customizer doesn't seem to be an actual program, either. I extracted it to a folder on my desktop, put a flash drive in the computer, ran Universal_Customizer.exe from that desktop folder, and it detected the USB drive, flashed it, and did whatever it does. I cannot find any application that runs Universal Customizer afterwards, though.
I've heard 2 different ways to install Pocketknife. One apparently involves moving an .iso to the Universal Customizer folder. The other, which alexthedrifter helped me do over MSN, was just dragging and dropping the Leapo's Payload/U3 Devices/Flash Partition/ folder to the root of my flash drive.
But it's not working. Actually, the whole Universal Customizer in general confuses me. Why do I even need it for Pocketknife? I just dragged and dropped the folder. There is no Universal Customizer folder or files on my flash drive. I didn't add Pocketknife using the Universal Customizer program, which, from what I can see, doesn't even exist.
I'm very confused.
) Those who doesn't want to be "one more" but "The One", haven't no place in this forum...
I had a headache with this...
Vista autorun
in USB Hacks
Posted
Don't know what to tell you guys. It would auto-run if I clicked "open folder," and after a data slurp put a picture on it, it asked me how it wanted to handle pictures on CDs (though, this applies to any removable disk) from now on. I said to have it auto-open them, and it does.
It's possible that the open folder/auto-open picture thing has nothing to do with auto-running, and auto-running is just, for some reason, enabled my default on my computer. I really don't know, sorry. :(