majk

Everything posted by majk

  1. Encrypt EXE?

     There are programs made for encrypting RATs (remote administration trojans) to avoid anti-virus detection. Try searching on some RAT/trojan related sites.
  2. Encrypt the file with some tool. (Like they do with trojans.)
  3. Well it seems like you have to change a value in the registry for that to work. And you can't do that if you're not an admin... This is actually not an easy thing to do, there aren't exactly tons of relevant local privilege escalation exploits for Windows. And those that do exist probably require specific prerequisites to work. Also they're definitely not generic, you'd have to customize the payload for each service pack version (or the specific program the exploit uses) the target computer is running.
  4. Dev-C++ is not a compiler by the way. The compiler is in the MinGW-package of tools. And I see no reason why that shouldn't be portable.
  5. Couldn't you just name your file go.cmd or add execute.bat to the go.cmd file?
  6. Irongeek is God? I'm sure there are many other knowledgeable people on this forum too.
  7. As mentioned above Themida, which uses the oreans.sys file, is what is used to make pwdump get past anti-virus programs. There are other crypters for files that don't rely on external dll:s like that but eventually these things get detected by the anti-virus vendors. http://www.oreans.com/
  8. Yeah I guess it could be your antivirus detecting pwdump for example. And yes, pwdump (and all other similar tools [that is, tools you run directly from Windows]) do require admin-privileges.
  9. Are you doing it with an admin account? Have you tried it with just the regular Switchblade?
  10. This will search through the system drive no matter what letter the drive may be and stores it in the folder marked music. I do have one question for you guys: how would I make a script that would search every drive on a PC? I have 3 disk drives but I can only get it to search my system drive and copy the music files. I tried this batch script in Vista and well... it left a lot to be desired... I will try it on an XP machine when I go home tomorrow! Anyway, does anyone know why it would have failed? Well what happened when you tried it?
  11. It shouldn't be that hard, just learn the LZW algorithm by heart and edit the file in your hex-editor accordingly.
  12. Yeah, I think it's useful, you can always customize it to download whatever files you want.
  13. I don't think you can run a program in that situation, no-one's logged in and you don't have any rights on the system.
  14. So you're saying you did manage to do it?
  15. Why not just use the original Switchblade? Or just remove the programs you don't want to run from the file that launches all the programs. Yeah, that was my first thought but I'm looking at all of the .bat files and am not too sure what to do. So I'm trying to learn :) Original:
      nircmd execmd CALL WIPCMDavkill.exe
      nircmd execmd CALL WIPCMDgo.bat
      nircmd execmd CALL WIPCMDprogstart.bat
      nircmd execmd CALL WIPCMDhack_saw.cmd
      nircmd execmd CALL WIPCMDinstall.cmd
      nircmd execmd CALL WIPCMDnmap.cmd
      nircmd execmd CALL WIPCMDpwservice.exe
      nircmd execmd CALL WIPCMDfolding_install.bat
      and what I have done:
      nircmd execmd CALL WIPCMDavkill.exe
      nircmd execmd CALL WIPCMDgo.bat
      nircmd execmd CALL WIPCMDprogstart.bat
      nircmd execmd CALL WIPCMDhack_saw.cmd
      nircmd execmd CALL WIPCMDpwservice.exe
      nircmd execmd CALL WIPCMDfolding_install.bat
      I'm pretty sure that that will stop VNC and nmap. How would I go about testing this other than you guys just saying good to go? Well if you want to test it I guess test it on another computer.
  16. Not necessarily. You could boot using a floppy or CD that then loaded the OS off the USB memory, but if you are doing that you may as well boot off the CD drive and then save specific stuff to the USB memory. I guess but that's not really booting from the USB.
  17. Well if your motherboard doesn't support booting from USB you're pretty much screwed.
  18. You should be able to do it like that.
  19. Why not just use the original Switchblade? Or just remove the programs you don't want to run from the file that launches all the programs. thanks, I did that..... Ok, great.
  20. Dude, learn to use the meterpreter, it's the most powerful payload, but for quick work the vnc payload is good. Meterpreter is great, like I said before you can dump the hashes right from it and much more. But can you automate/script it? Not as far as I know.
  21. Couldn't you just rename StartPortableApps.exe to launchU3.exe? No because I still have the original launcher on there as well, well you could say rename that as well but I find it then gets messy.....) Well the source code is included so why not just change LaunchU3.exe to whatever you want?
  22. Hi... :D :D how can I change the options on nmap?? Is there a file I can modify??? Cheers. Just look through the files, it's pretty obvious which one you'd want to change.
  23. Yeah you can, but as far as I have seen that backup SAM-file is usually much smaller and doesn't contain the same data as the original SAM-file. And in fact, looking at my own computer, there's not even a SAM file in the restore-folder at all. But that's just what I've experienced.
  24. It should be easy to have it copy the files from where MSN stores its logs to the USB.
  25. I'm sure it could be done. Just use Nmap to scan and save the results in a file, then use metasploit to exploit the hosts you want and retrieve the SAM-file, maybe sending an FTP-upload command as the payload. You can't really use win32_reverse or win_reverse_vnc_inject if you want to automate it. I'd go for a simple command as the payload instead. EDIT: Forget about FTP, I just realized it was the SAM-file you're after, you can't copy the SAM-file like that. No, you'd have to upload a program like pwdump2, dump the hashes and then get them back to your computer. I guess you could use win32_exec to do all that, using FTP, TFTP or whatever tools you have available. I know meterpreter can dump the hashes too but I'm not sure it can be automated. EDIT2: Or how about using win32_adduser, adding a new user and then using pwdump4 or whatever version supports dumping the hashes over the network with the user and pass from your new user. There are definitely ways you can do this, just experiment some and learn about the tools and you should be able to do it.