
~Gozor~ Finished Payload


setzer1411


Status report

-----------------

Windows XP Pro. x64

*****************

- PWDUMP.EXE -> crashes (screenshot)

(http://redzraven.freeweb7.com/crash.jpg)

I tried to start the service PWDUMP (just a final test), the following error was returned:

The system cannot find the path specified. (which is L:\SRC\pwservice.exe).

There is no SRC directory in L: (which is my U3 'disk').

Gonzor, did you use any service installs in this version? If not, can earlier installs be the cause of this problem?

Windows 2000 Pro.

*****************

- Disk error !!! This is really odd...  :(

(http://redzraven.freeweb7.com/nodisk.jpg)

- PWDUMP.EXE -> no errors on this one.

- FGDUMP.EXE -> no crash, but this error was returned:

Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
Starting dump on 127.0.0.1
ERROR GetOSVersion: 53 - The network path was not found.

** Beginning local dump **
Unable to determine OS version, see previous error for details
Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
CRITICAL: Error retrieving remote service information. Remote registry may not be running, simple file sharing may be enabled, or the account may not have 'Log On as Batch Job' permission. Skipping this host.
Error dumping server 127.0.0.1, see previous messages for details

Edit: If you get a 'forbidden' error, click the URL bar and hit return on your keyboard... I'm switching servers after this  :???:

Link to comment

wow i stepped on a lot of toes apparently ...

i meant new people with low post count (that's why i said it's getting waay too crowded), happy now?

no need to take offence ...

ps ...

Wow everyone was being productive in the thread besides you.  If you need to vent please don't spam GonZor's thread.  Most of this is bug reports, feature requests, and productive questions.  If you think you can do better, go work on your own switchblade.

ever check the wiki ?

http://wiki.hak5.org/wiki/USB_Switchblade#...update_.28v2.29

i was the first to add some of the extra features, almost everyone uses now, even gonzor ...

Link to comment

It's funny how, I did in fact check the wiki...  :P

Notice how I said go work on your own switchblade, not to go make your own.

I'm sure everyone appreciates your past contributions, instead of complaining you could be a little more productive, you've proven yourself capable.

Did you ever consider that people with a low post count might actually be more intelligent than yourself?

Just because they only recently joined the community doesn’t prevent them from being an expert in a certain field.  Responses like yours only make the community seem hostile to those who may have something valuable to offer.

At the very least, the comment had no place in the thread, come back when you're ready to contribute.

Link to comment

It's funny how, I did in fact check the wiki...  :P

Notice how I said go work on your own switchblade, not to go make your own.

I'm sure everyone appreciates your past contributions, instead of complaining you could be a little more productive, you've proven yourself capable.

Did you ever consider that people with a low post count might actually be more intelligent than yourself?

Just because they only recently joined the community doesn’t prevent them from being an expert in a certain field.  Responses like yours only make the community seem hostile to those who may have something valuable to offer.

At the very least, the comment had no place in the thread, come back when you're ready to contribute.

i don't think they are less mate, i just made an observation, i've been off the forum for a long time and compared to the last time i was on the boards it has gotten very crowded ...

but i commend the progress everyone made etc,....

sorry if it seemed hostile, ....

and yeah to be honest i wasn't really thinking where i was posting, it's basically the first topic i looked @.

i'll be trying to get back in to this, but i cba to check all new info :(  (the original switchblade and hacksaw went from 7 to 14-17 pages)

but yeah sorry, if it seemed hostile , and is unfit ...

-------------------------------------------------------------------------------------------------------------------------------------------------------

now to get on topic, you guys said something bout having it completely undetected?

i'm interested in how ...

seeing as i've recently noticed the old payloads get massively detected (downside of our success :(  )

Link to comment

As always, an awesome revision to the payload. I can't wait for all our new features and that.

I vote for the dyndns with VNC. As much as our updated reg file works, it's hopeless without someone being in DMZ or no forwarding.

Link to comment

My idea is to first set up a reverse shell, then call via the shell a batch which starts the vnc process with parameters.

-> You only have vnc if you really need it

// With my switchblade i had the issue that every 15 min a vnc window appeared and that was bad

Link to comment

Ok I'd like to hear others' opinions on my idea. After trying to make the U3 launchpad play nice and work the way I want it to work I have found the complete lack of ability to organise my apps (my many apps) really irritating and have turned to PStart. It has many advantages over the U3 Menu system like organisation and it has a much smaller memory footprint (about 1/3).

Should I in future payloads use PStart instead of the current U3 menu?

I can see several benefits for the swap:

  • Better organisation for those of us with many portable apps
  • Smaller memory footprint
  • Reduce the size of the payload by 4MB
  • Apps available increase without having to make your own u3p

The only downfall I can see of this would be if you are targeting an educated user and they expect the standard U3 menu to pop up, it won't. Although is this really a big issue?

Link to comment

Ok I'd like to hear others' opinions on my idea. After trying to make the U3 launchpad play nice and work the way I want it to work I have found the complete lack of ability to organise my apps (my many apps) really irritating and have turned to PStart. It has many advantages over the U3 Menu system like organisation and it has a much smaller memory footprint (about 1/3).

Should I in future payloads use PStart instead of the current U3 menu?

I can see several benefits for the swap:

  • Better organisation for those of us with many portable apps
  • Smaller memory footprint
  • Reduce the size of the payload by 4MB
  • Apps available increase without having to make your own u3p

The only downfall I can see of this would be if you are targeting an educated user and they expect the standard U3 menu to pop up, it won't. Although is this really a big issue?

i personally prefer the portable apps menu, it's easy to mod how it looks, it looks a lot more stylish, adding apps is easier, it's more similar to the u3 menu ...

(ps there's a howto on the wiki how to change the look of portable apps menu ...)

Link to comment

How about a poll....  I know people keep opening polls when they should only start threads, but this would be a good time for one.

I personally don't care (surprise!  :P)

Changing to something else would allow people to make their own launch pic so they stop complaining about mine :(, unless of course the files need to go on the U3 partition... they shouldn't though, but if they do then they're sol  :P. 

Link to comment

Not sure if this has been asked before, but does anyone possibly know how to either code the hacksaw to, instead of dumping and sending files from a usb drive, search the local machine for .txt or any type of file and only send those types of files via e-mail without sending the same file twice?

Or code stunnel or actually any e-mail client to send files stealthily via e-mail?

Sure it's possible, gonna mess around with it, just figured I'd ask in case it hasn't already been asked.

Link to comment

GoZor-- This thing rocks. . . . .  I have not had this much fun playing with something new in quite some time.  Your little tutorial was plenty to get me up and running.  I can think of like a zillion white hat applications for a tool like this but about a zillion more bad ones as well.

I am off to see if I can write a little batch file to call the kill disk.  That would be pretty handy for our help desk guys.  Just stick in a stick and it kills the c:

Anyway thanks for a great tool

DigitalZion4u

Link to comment

I feel like an idiot, simply signing up to post a problem, but oh well I guess. 

I had been using 1.2, and it was working great despite the No Disk errors received on occasion.  Just updated to 2.0, and while it gets rid of the No Disk errors, the U3 pad won't autostart.  I have it turned on in SBConfig, and I've tried on multiple computers to no avail.  I can start it up manually just fine by manually exploring the sys drive and starting it from there, but I'd like if it would autostart.

Link to comment

Have you tried to turn on/off autostart in the actual U3 software itself?

That seems like the most likely option

For those of you interested in the reasons I have been absent from the forums for a while, my main computer recently died and I have been working a lot more lately, I'm still in the process of fixing my computer and my hours at work are increasing. Hopefully within the next week my computer will be back up to normal and I can continue to annoy everyone on the forums  :-P

Link to comment

The long awaited V2.0 is now out of beta, sorry for the delay.

  • Fixed VNC (confirmed working - new password is "easy")

Hrrm.  I've tried both "hacked" and "easy" as VNC passwords with no success.  Did I miss another VNC password, specified elsewhere or later in the topic?

EDIT: Found a reference in the Tutorial topic to "yougothacked", which worked.

Thanks,

-dr. k

Link to comment

While the HakSaw Antidote sufficiently removes HakSaw, VNC is left behind. While I can manually remove VNC, is there any specific guidance for doing so? I.e., are there any files I wouldn't otherwise expect associated with VNC that also need to be removed to eliminate all traces of its installation?

Link to comment

The long awaited V2.0 is now out of beta, sorry for the delay.

  • Fixed VNC (confirmed working - new password is "easy")

Hrrm.  I've tried both "hacked" and "easy" as VNC passwords with no success.  Did I miss another VNC password, specified elsewhere or later in the topic?

EDIT: Found a reference in the Tutorial topic to "yougothacked", which worked.

Thanks,

-dr. k

I was the one with my friend who modified the reg file for the password "easy". The problem was, in the actual VNC Server, the password limit was 8 characters long, and therefore "yougothacked" sometimes screwed up in the registry. We then changed it to something easy to remember, "easy". I am not sure what reg file you are using, but we believe we only changed the entries which changed when we changed the server password. Another reason it may not work is the port forwarding issue.

While the HakSaw Antidote sufficiently removes HakSaw, VNC is left behind. While I can manually remove VNC, is there any specific guidance for doing so? I.e., are there any files I wouldn't otherwise expect associated with VNC that also need to be removed to eliminate all traces of its installation?

I think it's WINVNC.EXE and VNCHOOKS.REG in the %systemroot% folder. I am not by a Windows machine to check for you though, or have the bat files handy.

Link to comment

GonZor, since the last release, I now get the "no disk" error. I believe the options are Try Again, Continue, and something else, or something similar. I did it on a friend's PC, and didn't have enough time to grab a screenshot, just enough time to click continue, and pull the thing out. The machine was running Vista. I will try to get you any other specs that I can, but I believe I get this error on my other friend's laptop too, also with Vista. Here is the screenshot of my SBConfig setup:

http://brapperbrap.tripod.com/sb.png

However, all that was dumped was:

System Info

External IP

VNC

HackSaw

Nothing else was dumped, and there were no other errors.

I hope you can help here.

Link to comment

OK, did some testing today. I worked out that disabling the network dump and the messenger dump prevents the no disk error. There may be other things which cause it, but please see my screenshot above to see which options I am not using anyway, and therefore didn't test.

As far as I know, the "no disk" error is given if the network passwords dump and messenger passwords dump are on. If just one of them is on, one "no disk" error will occur. If both are on, two will occur. If neither is on, it is completely silent, (with my AV disabled to stop an alarm when SBS.exe is called).

Link to comment

@ Everyone who keeps posting questions that aren't about GonZors payload/Haven't read the thread.

You don't... at least not with Gonzors switchblade, it doesn't support the antidote yet.  Search before you ask too, it would probably have turned up an answer, such as the antidote...

Also, please read the entire thread before posting, many of the answers to your problems are inside it.

Link to comment