kz26

Everything posted by kz26

  1. someone needs to stop asking for money...
  2. Big kudos to Steve8x for posting great material that's not just n00b talk. This is a very elegant method, but I see one potential flaw. Anyone running a sniffer over the net or who could look at the program parameters could see where the log is being posted to. Since a webserver's owner can be traced in most cases, this might have potentially catastrophic consequences for the hacker were he/she to be found out...
  3. Wow guys, I'm impressed (and flattered!) that this thread has been going on for so long. Just to clear up some things: From what they've told me he was trying to steal exams from the teacher since he was more or less failing the class...usually I am against busting people, but this kid had the rep of being a slimeball and the teacher he targeted is one of my favorites...this teacher actually *offered* to write letters of rec for me. The guy would *definitely* fall under the "irresponsible hacker" category. This wasn't just a simple case of changing passwords; since it looks like he had some password dumpers running, there was the potential for a full domain compromise. Thankfully he wasn't anywhere near intelligent enough to get that far.
  4. This might have limited success with some of the lower-end AVs like AVG or Avast, but I can tell you right now that this won't work at all against better AVs like NOD32 and Kaspersky. They usually install low-level kernel/system hooks to prevent the process from being terminated from user space.
  5. Well, it just happens that my HS has the exact same type of filter, the R3000 by 8e6 Technologies. It seems to do its job well enough, but apparently our sysadmin forgot to block port 22 (SSH). I have fast shell accounts in a variety of places so I simply use PuTTY to securely tunnel all my activity. If port 22 is blocked, I would just run an SSH server on port 443 instead. That makes SSH traffic resemble HTTPS (how would the filter know?), which isn't blocked as many legit sites use it.
  6. Java: Eclipse
    Microsoft languages/.NET: Visual Studio
    for everything else, there's notepad++
  7. Not even worth bothering with, simply because the iPhone/iPod Touch are notorious for their closedness. Apple wants to restrict the platform down to the level where THEY decide what you get to do with the device. And wireless cracking is NOT something they want you to do :D
  8. Um...because I'm not a dick and I respect that teacher and that particular kid was a douche?
  9. Well, aside from the whole school hacking thing being a really bad idea, using something like scar - which is Java-dependent - is very unreliable. You can't guarantee that the target computer will have Java enabled or that the program will run properly...
  10. Hey...don't end up like the kid I called out: http://hak5.org/forums/index.php?showtopic=9150 Hack to learn, not the other way around.
  11. Basically, anything that accesses protected system stuff (pretty much all password dumpers, services, and other such tools won't work) file copy should work, though. If you want it to run completely silently look at one of the U3 payloads. If you don't have/want/need U3 there are many other options. Not trying to advertise myself here, but I actually designed my ZBLADE2 payload with something like this in mind. It uses ROBOCOPY to mirror the file types you select, and detects whether or not admin access is present and runs the appropriate tools. Good luck :)
  12. In my school, there's basically two groups, the smart, cultured people and the dumba$$es. I (and my friends) belong to the former, while this kid was just some piece of trash (screws around with everything, no respect for rules, bad grades, etc). I happen to particularly respect this teacher, plus I later found out that he had copied MY files from MY USB. So why should I have any respect for him? All of this happened during class, with an overhead projector showing the screen, with his username and password in public view.

    Answers to questions:

    1. usually they aren't, vast majority of teacher+student accounts have no local admin privileges but this particular teacher's account has admin status for some reason
    2. I'm kinda the tech guy around my school, and actually I used msconfig
    3. see #1 - result of having admin access. If the teacher's account had been properly locked down this never would have happened
    4. what kind of teacher is going to go thru the hassle of logging out and logging in just to get a presentation? and the student kinda has the element of surprise on their side
    5. dunno, school is using Symantec Corporate AV w/ really old 2007 definitions
  13. just stumbled across these, I'll bet some of you USB hackers will find this useful :P http://www.f2ko.de/English/b2e/index.php http://www.f2ko.de/English/v2e/index.php
  14. Well, this is a long story. I'll start at the beginning: In my AP Psych class recently, people were giving Powerpoint presentations. The teacher and one group complained that the computer was running really slow. So I go over and take a look at it, thinking it's just a bull**** subjective complaint. I notice that the computer is almost unresponsive - they weren't kidding.

    Opening up task manager, I try to figure out what's going on. Didn't really expect to find much there, but suddenly a few weirdo processes catch my eye: RAR.EXE, BLAT.EXE, sbs.exe, and stunnel.EXE. Obviously, these are all classic components of the USB Hacksaw. I reboot the comp into safe mode, take a look at the startup entries, and find a link to "sbs" in C:\Windows\$NtUninstall931337$. Bingo. Navigating to this folder I find all the incriminating evidence - programs, file dumps, etc. Of course no Hacksaw is complete without the send.bat. As expected the attacker's username and password are here. I was kind of wary, half-expecting the Gmail credentials to be a fake/throwaway account, but when I saw the inbox and the name on it I realized this was a very real account.

    People confirmed that this was a real student - a senior, in fact. I told the teacher immediately, who called the IT guys. They were swarming over the computer and were shocked by the fact that all the teacher's files were copied. Fortunately, our school blocks outbound SMTP on port 465 (which Gmail uses) so this lo$er's plan wouldn't have worked anyway. I guess he's facing suspension (expulsion?). All this from a computer that was running slow.

    Odd, though - does the Hacksaw really slow down the computer? Perhaps if this kid had written his own code it would have worked out a lot better for him...but now he's gonna be cooling his heels for a while. PWNED.
  15. What's wrong with blat in the Hacksaw? Blat is a lot more configurable and well-known anyway...
  16. These are username-salted MSCASH hashes, thus rainbow tables won't work. You will need something like John The Ripper (with the MSCASH patch), cachebf, or Cain and Abel to perform a dictionary and/or brute force attack.
  17. kz26

    new usb board

    Um, join a vigilante forum with no rules that will only encourage more tardface skiddies? I don't think so. There are enough skiddies as is on Hak5 to begin with. We don't need more encouragement.
  18. Excellent! No more skiddy noobs asking questions about other people's payloads. Hack to learn, not the other way around.
  19. Yeah, seriously...it's a trivial task to write a better pic ripper anyway. An even better way is to integrate with a full-fledged file dumper. And how about ZIPping all the pics together? It's kinda tedious even for a batch script to FTP a gazillion files.
  20. I wanted a fast and flexible solution for USB Switchblade-based file dumping. And I think I found the perfect tool - ROBOCOPY (Robust file copy) from the Windows Server 2003 Resource Kit. It is a portable, single EXE command-line tool. Robocopy can mirror an entire directory structure to another location (the USB drive) AND allows you to pick what file extensions/types to copy. Other tools I used did one or the other but not both, which was more or less useless.

    http://www.microsoft.com/downloads/details...;displaylang=en

    Once you install the Resource Kit, just copy robocopy.exe from the installation directory to your USB drive. The following code is an example of how to integrate it into a payload's runtime script.

    set dump_ext=*.doc *.docx *.xls *.xlsx *.txt *.rtf *.pdf
    robocopy.exe "%homedrive%%homepath" %drive%zblade2dumps%computername%files %dump_ext% /MIR /R:0

    The /MIR option enables directory mirroring and /R:0 means to skip files that cannot be copied. Robocopy can also do session logging if you want to save a list of all the files it copies. I am already using ROBOCOPY in my custom ZBLADE2 payload, and it works great. I truly believe that this is the best solution by far for file dumping. Please post if you have any suggestions or comments on using Robocopy in a payload - I just remembered this program and would love to see what people think!
  21. A 1GB Sandisk Cruzer with the U3 disabled (who needs that shit anyway)
    Portable firefox + portable putty for SSH tunnelling and internet filter bypass
    my own payload (ZBLADE2 R2)
    and sometimes I throw Backtrack Linux on there...for "special" purposes :twisted: .
  22. http://forums.hak5.org/index.php/topic,6631.0.html This is a thread I started a while ago on using ZIP compression in a payload.
  23. I'm not an iPod user myself, but I know you can set part of the hard drive to act as a computer data partition. Once you figure out how to do that, just put the switchblade files on there and it should show up as a USB removable device.
  24. UPDATE: I've updated my own ZBLADE custom payload to use the ZIP technique. Here's a description:

    ZBLADE

    List of programs
    * pwdump6 1.5.0
    * cachedump 1.2beta
    * NirCmd 1.85
    * MessenPass v1.10
    * IE PassView v1.04
    * Protected Storage PassView v1.63
    * Network Password Recovery v1.10
    * ProduKey v1.06
    * FirePassword 2.0.1
    * InfoZip/Zip 2.32

    Installation
    Input the Windows drive letter of your removable media as prompted below. For example, if your drive was the F drive, type in "F:" without the quotes.

    Program Features
    This ZBLADE package is designed for use on a writable removable media such as a USB flash drive or Zip disk. The silent-run capability is dependent on the Autorun/Autoplay feature of Windows (manual run is required if Autorun/Autoplay is disabled.) The program runs the password dumpers as listed above and gathers basic information about the logged-in user and the computer. Its most special feature is the ability to copy certain filetypes from the user's account to the removable media. All dumped/generated files are compressed using InfoZip into tidy, convenient packages.

    The download is a WinRAR SFX installer for the ZBLADE. Link is in my signature.
  25. Which messenger are you talking about? If it's AOL IM, then (assuming IM Logging is enabled) they are in %homedrive%%homepath%\My Documents\AIMLogger