
DingleBerries Tantō Payload


DingleBerries


The Tantō Payload

Tantō: The tantō was designed primarily as a stabbing weapon, but the edge can be used for slashing as well. LINK

I want to keep this as light and fast as possible, no Nirsoft or Oxidt software. The goal of this payload is not to steal documents, infect the computer with an emailing keylogger, or install a VNC client, but to be able to use the machine remotely via a command line interface. Once we own the computer with this payload we should be able to sit and wait, like a Samurai, for the mark to leave (that is when the "exploitation" should begin).

COMPLETED:

KeyLogger

Remote Shell

Refresh Group Policies

Start telnet server on bootup

Add user, "Tanto" to localgroup

Dump Users to %computername%_Users.txt

Hide Tanto with registry entry, without touching hard disk

Dump IP of all currently attached NICS to %computername%_IP.txt

Punch hole in Windows Firewall, opening port 23 and 81, labeling it WindowsUpdate and System

TO DO:

Activate WOL

Windows Recovery Partition poisoning - As soon as I get some directory dumps from the community I can start on this

Assigns Drive letter "T" to thumbdrive

Program to send IP to email periodically

Use Russell Butturini's method of locating the USB drive and writing to it

Releases

Tantō Payload v. 1

Release: Friday November 28, 2008

NOTE THIS IS NOT A U3 PAYLOAD

Run "1.vbs"

Adds user Tanto

Opens telnet

Opens port 81 for back door

Auto start keylogger and backdoor

Tantō Payload RC v.0.1

Release: Friday November 21, 2008

I already have most of this planned out. I will release the source, if you don't decompile the .exe first, when Version 1 is out. Right now the .txt files are written to the same directory as the .exe; once it comes closer to time I will make the .ISO. I want to be sure I am doing it differently than the ones that have come before, so as not to set off any alarms.

TantōPayload RC v.0.2

Release: Friday November 21, 2008

Same as RC v.0.1 also:

Copies keylogger to %windir% and sets hidden attribute

Adds registry entries for auto start

The payload.bat needs to have PAUSE commented out and changed back to END, etc., so that processes are closed

The antidote is working a little better, still needs work

TantōAntidote RC v.0.1

Release: Friday November 21, 2008

Disable Telnet server

Reset FireWall to Defaults

Removes traces of Tanto user account

Refreshes local and Active Directory based Group Policy settings

DOWNLOADS:

Tantō Payload RC v.0.1

Tantō Antidote RC v.0.1

Tantō Payload RC v.0.2

Tantō Payload v. 1


In the completed area, the tasks are not run in that order. I just liked having them go smallest to largest for aesthetic purposes. I think I will go to bed now and probably wake up around 12, do some school shit, and maybe go to the gym.. then I'll get back on this lol.. I am also contemplating a remote webcam viewer, but I'm not sure how ethical that would be. Remember SUGGESTIONS ARE ENCOURAGED!


If you want, we can code an aspirin for you, man! :lol:

You did it fast and easy, good job, I feel the idea is very good! I'll be testing it during the next few days.

The name of the tool is cool.

Sleep a bit for now!

Edit:

By the way, I don't know if the antidote is working, because it doesn't delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Tanto user.

It doesn't generate the .txt files unless I execute it from the system drive root.

When I execute it, it leaves three exe files running in Task Manager: beta2.exe, cmd.exe and reg.exe.

Antidote doesn't terminate those tasks at all and leaves another reg.exe instance running in background.

I think it could be caused by some problem with path names?

If you want, PM me the source, I'll take a look at it.


Some issues and fixing them...

net user Tanto password /add && net localgroup administrators Tanto /add

When adding the Tanto administrator account, the payload will only create it if the administrators group is named "administrators" (it's not in my case). It will cause an error and will not work on systems where the Administrators group has been renamed, or which are installed in another language.

A solution would be to get the correct administrators group name so the Tanto user is created reliably.

This is the approach I was developing in this post. The idea is to get the name of the Administrators group by asking for the S-1-5-32-544 SID and passing it to the payload in a variable.

::Hide Tanto's folder from prying eyes
attrib +r +a +s +h %SystemDrive%\docume~1\Tanto

Before you attrib anything, you must create the folder, and the batch code doesn't.

The correct code would be:

::Create and hide Tanto's folder from prying eyes
mkdir %SystemDrive%\docume~1\Tanto
attrib +r +a +s +h %SystemDrive%\docume~1\Tanto

::Change file attributes to Read-only, Hidden, Archive, and System attributes to the file
ATTRIB +H %windir%\svchost.exe

In the attribution of Read-only, Hidden, Archive and System to the keylogger you omitted the +r +a +s

Correct line would be:

::Change file attributes to Read-only, Hidden, Archive, and System attributes to the file
ATTRIB +r +a +s +h %windir%\svchost.exe

::Delete Keylogger
(
cd %windir%
del svchost.exe
)

In the deletion task of the svchost.exe file, this code will fail because the payload is running from the USB and not from %SystemDrive%.

The correct code would be:

::Delete Keylogger
del %windir%\svchost.exe

SUGGESTIONS

I prefer to add the name of the account and the password by putting them in a variable at the beginning of the batch, or in an .ini file if it's exe-compiled and can't be edited, so we can add the user we want and not only the Tanto user.

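As an added defensive example (not code from the thread, the payload or its antidote), the following PowerShell audit checks a host for the artifacts this thread describes: accounts hidden through the Winlogon SpecialAccounts\UserList key, local Administrators membership resolved through the well-known SID S-1-5-32-544 (the language-independent lookup suggested in the fix post above), the Telnet service start type, inbound firewall rules opening TCP 23 or 81, and a stray svchost.exe in %windir% instead of System32. The account name, ports and rule names come from the thread; the cmdlets assume Windows 10 / Server 2016 or later with the LocalAccounts and NetSecurity modules.

```powershell
# Added defensive audit for the indicators discussed in this thread.
# Assumes Windows 10/Server 2016+ with the LocalAccounts and NetSecurity modules.
function Get-TantoIndicators {
    $findings = @()
    # 1. Accounts hidden from the logon screen via SpecialAccounts\UserList
    #    (a value of 0 hides the account; the antidote reportedly leaves this behind).
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path $userList) {
        $props = Get-ItemProperty -Path $userList
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
                $findings += "Hidden account in UserList: $($p.Name)"
            }
        }
    }
    # 2. Local Administrators membership looked up by well-known SID, so the
    #    check still works when the group is renamed or localized.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    foreach ($m in $admins) {
        if ($m.Name -match '\\Tanto$') {   # default account name used in this thread
            $findings += "Thread's default account is a local admin: $($m.Name)"
        }
    }
    # 3. Telnet server configured to start at boot.
    $telnet = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
    if ($telnet -and $telnet.StartType -eq 'Automatic') {
        $findings += 'Telnet service (TlntSvr) set to start automatically'
    }
    # 4. Enabled inbound rules opening TCP 23 or 81; the payload labels its
    #    rules 'WindowsUpdate' and 'System' to blend in.
    $rules = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
        Where-Object { @($_.LocalPort) -contains '23' -or @($_.LocalPort) -contains '81' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    foreach ($r in $rules) {
        $suspicious = $r.DisplayName -in @('WindowsUpdate', 'System')
        $findings += "Inbound rule '$($r.DisplayName)' opens TCP 23/81 (decoy name: $suspicious)"
    }
    # 5. svchost.exe outside System32: the genuine binary lives in %windir%\System32.
    $stray = Join-Path $env:windir 'svchost.exe'
    if (Test-Path -LiteralPath $stray) {
        $attr = (Get-Item -LiteralPath $stray -Force).Attributes   # -Force shows hidden files
        $findings += "Unexpected file $stray (attributes: $attr)"
    }
    return $findings
}
Get-TantoIndicators | ForEach-Object { Write-Warning $_ }
```

Run it from an elevated prompt; an empty result means none of the thread's artifacts were found, not that the host is clean.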

In the attribution of Read-only, Hidden, Archive and System to the keylogger you omitted the +r +a +s

Correct line would be:

I had a problem with that part: when I changed that attrib to +sar the keylogger's log file wouldn't show up either. I guess we can create that first and just give it a hidden attribute.

Also looking at THIS for emailing logs if that is implemented along the way.

On the subject of remote shells I was also looking into adding OpenSSH as well, because it's less likely to get picked up by AV.


I had a problem with that part: when I changed that attrib to +sar the keylogger's log file wouldn't show up either. I guess we can create that first and just give it a hidden attribute.

Also looking at THIS for emailing logs if that is implemented along the way.

On the subject of remote shells I was also looking into adding OpenSSH as well, because it's less likely to get picked up by AV.

I have some AutoIT code that will send mail which is even compatible with Gmail. I have some Python code I've been working on to send log files via Google Talk too... and I've been working on trying to make a custom reverse shell in Python using XML-RPC.


I have some AutoIT code that will send mail which is even compatible with Gmail. I have some Python code I've been working on to send log files via Google Talk too... and I've been working on trying to make a custom reverse shell in Python using XML-RPC.

I have to admit I know very little about Python; I can read it and modify some of it, but I am in no way fluent. However, it is my assumption that you would have to have the framework installed in order to run the script.

Also, sending the log file is somewhat of a good idea, but now it is adding more. I guess it's a good idea because the mark's IP would be in the header, removing the need to have another program call home. Also I was looking at scheduling a delete of the log file once it was sent, or should that be done by the attacker?


http://www.irongeek.com/i.php?page=videos/...with-metasploit

Check that stuff out, it might be helpful in this project.

That's the only problem I see with a payload. I can do most of what I want with Metasploit. I think opening ports in the firewall, enabling telnet and installing wget is more than enough; then all I have to do is get on an unsecured wireless network and host a fileserver to download the keylogger and edit reg settings from cmd. I have used the Hacksaw in the past and thought it would be nice to try and add something since I have taken something.


I mean, right now do we just run the cmd?

Yeah, but it's not U3 ready; if you add it to the ISO all it will do is open firewall ports and turn on telnet. There is some heavy coding still needed. After this semester I should have a break to work on it. Also Ubuntu is starting to support autorun.inf, so if the UFS partition starts getting recognized that may be good news.


I have to admit I know very little about Python; I can read it and modify some of it, but I am in no way fluent. However, it is my assumption that you would have to have the framework installed in order to run the script.

Also, sending the log file is somewhat of a good idea, but now it is adding more. I guess it's a good idea because the mark's IP would be in the header, removing the need to have another program call home. Also I was looking at scheduling a delete of the log file once it was sent, or should that be done by the attacker?

The Python script can be compiled into an exe after it's developed; also the AutoIT is compilable into an exe. Also, depending on how you wrote the code, the log could be stored as a variable or hidden temp file to be sent out after it completes, in order to avoid needing to clean up afterwards...


The Python script can be compiled into an exe after it's developed; also the AutoIT is compilable into an exe. Also, depending on how you wrote the code, the log could be stored as a variable or hidden temp file to be sent out after it completes, in order to avoid needing to clean up afterwards...

I didn't know that about Python; I've seen sooo many tools that can steal creds and whatnot. Hmm, if that is true I may be switching to that. Thank you.


I didn't know that about Python; I've seen sooo many tools that can steal creds and whatnot. Hmm, if that is true I may be switching to that. Thank you.

Yeah, there's a script called py2exe that does it... I haven't successfully done it yet because I haven't gotten that far with the development, but that shouldn't be too far off.


That's the only problem I see with a payload. I can do most of what I want with Metasploit. I think opening ports in the firewall, enabling telnet and installing wget is more than enough; then all I have to do is get on an unsecured wireless network and host a fileserver to download the keylogger and edit reg settings from cmd. I have used the Hacksaw in the past and thought it would be nice to try and add something since I have taken something.

I just think it would be awesome to have your reverse shell you're throwing back be Meterpreter! Plus being able to do the encoding to trick the AV isn't bad either.


Tanto Payload v. 1 HERE

Note this is not a U3 payload; that part still needs work. I think this works, but it still needs beta testers. I only tried it in a VM (the only Windows machine I have).

The .exe is linked to the VBS, so do not change the name unless you change it in the VBS as well. The source is included, as well as the backdoor and keylogger. There are dumped log files and whatnot. I will do a virus scan here in a minute.

System.exe is picked up as a virus by pretty much every virus protection, except:

Avast
CAT-QuickHeal
eSafe
eTrust-Vet
Fortinet
PCTools
Prevx1
Sophos
Symantec
TheHacker
TrendMicro
ViRobot
VirusBuster

I will try to pack that later.

The payload is flagged by eSafe and Panda. Ikarus says it's adware, and F-Secure says "Tibs.DBVL".

The keylogger isn't picked up.


Take a look at the source of it all.

You're not going to learn much from the marketing words of Dingle.

