
USB Pocket-Knife Development


Leapo


@mencargo Yes I can.

edit:

@Verye check in your settings, there is a setting to turn off its checking for it.

edit2: Here is a snippet of code.

Process.Start("cmd.exe", " /K cd c:\")

This opens command prompt, and changes its directory to C:\

You can change cmd.exe to like /folder/folder2/program.bat and enter the parameters in the next section of code.

If you guys could do that because I don't fully understand how payloads work I'll be sure to use it and accredit you for it.

Edit3: Before you do all of them post 1 or 2 so I can make sure it properly works.

Trust me, that setting is the first thing I checked. The option to bypass safety.txt is not enabled.

Plus, on one of my computers, if safety.txt is on C:, then it doesn't infect, and if it isn't there, then it does, like it should. It's just on this Vista computer that it infects even though safety.txt is on there.

I guess I can't use this payload, seeing as I'll infect myself every time I ever want to check logs...

Oh well. :(


You can hold something like shift or alt or shift alt for it to do nothing.

edit:

If somebody can post a line of code from a batch file that enables the option when that .bat is run we could also do it that way.

ex.

Shell (vncoptions.bat)

It runs the .bat with the commands in it to change the options.

edit2: Separate batch files could be a bit messy.


Before I can work on it I need to know: Names of all programs and what has to be done to enable and disable them.

How are the files enabled?

shell config.bat -enable vnc

or

config.ini type thing with

e meaning enabled

d disabled

program1.exe = e

program2.exe = d

You can see how the files are enabled by looking at the batch, but I'll try to show you (mencargo does). The script looks for the existence of some files (IF EXIST %config%\Slurp3.cfg GOTO SetSlurpVars ELSE GOTO SkipSlurpVars). The actual on/off option is a check of existing files in the %config% directory, being on with files as: "Slurp3.cfg" or off with files as "_Slurp3.cfg". Actually, the batch renames the files using this on/off checking.

Other files, such as those used for emailing, are used to set up some variables, as Haksaw.cfg does, setting up these variables:

SET emailfrom=YOUR_EMAIL_HERE@gmail.com

SET emailto=YOUR_EMAIL_HERE@gmail.com

SET password=YOUR_PASSWORD_HERE

I mean you can use all the config files you want, one for each script, profiles, etc... But when you have your attack planned, you should be able to save it and create a config file for it.
In last version of Leapo's you can do it by saving up to 3 profiles... :blink:

I thought the script looked into each .cfg file and read parameters from it, but it only does this with 8 of them (of 40 cfg files approx.), so I think it's not a big deal. With the other cfg files, it just checks if it exists. So in order to try out my approach I'll have to recode all B) Like pocket-knife alternate version, haha, I'll think about that.
You can do so, but I have one question on it. Isn't it better to contribute to one project than for each one of us to develop our own project? I think teamwork would be the best, despite it being difficult to do...

If you have some new adds planned, you can share them by editing the wiki unless you don't want to (I'm sure that is not the case), then everybody can use them in their own payloads.

Well, when I open the log files the passwords appear in clear text, no hashes. This won't consume a lot of time as it's proportional to the weakness of the passwords, and well, we know most of them are, but still it's time.
Those passwords you see in clear text are some of them stored in RegKeys and uses some yet developed Nirsoft utilities.

Anyway, there are a LOT of errors in the code and I'm seriously considering developing it.
The errors in the code mainly responds in allocating variables for paths that in English would work but in other installation languages or non-standard path installations may not work. If this is your case (didn't you tell us you're not English? ;) ), you can help in reformatting the code by using Reliable Paths Method for fixing all the unstable variables (or other method you think better)... :rolleyes:

Do we have access to the Universal Customizer code? Backing up and restoring the whole drive it's just a waste of time when developing.
I don't know but you can develop the non-usb payload and when finished, updating the U3 payload...

Hmmm, not sure why everyone is ignoring me, but I guess I can repeat my problem for a 4th time:

Why is PocketKnife capturing passwords and taking info from my computer, which has safety.txt on the main HDD, C:?

Sorry, no one is ignoring you, but I don't know why with Safety.txt on the main HDD, the payload runs for you... If you have enabled in the payload the checking of Safety.txt, it would work...

Try this with the menu.bat

1 Manage Settings and Modules

3 Other Options

3 Perfom Safety.txt check (it must be enabled)

The payload looks if "_Safety_Check.cfg" is in the CONFIG directory of your drive, if found then there will not be a safety check.

Instead if the payload finds "Safety_check.cfg" in the CONFIG directory, will perform the checking of the Safety.txt in your C:\ and will work for you.

Check this for yourself in your CONFIG directory of your USB and tell us what you found there, the "_Safety_Check.cfg" or "Safety_check.cfg" file... :huh:


Trust me, that setting is the first thing I checked. The option to bypass safety.txt is not enabled.

Plus, on one of my computers, if safety.txt is on C:, then it doesn't infect, and if it isn't there, then it does, like it should. It's just on this Vista computer that it infects even though safety.txt is on there.

I guess I can't use this payload, seeing as I'll infect myself every time I ever want to check logs...

Oh well. :(

You can press SHIFT when you insert your USB drive, then autorun will not work for you.

Also you can add this to the beginning of the payload to keep the payload from running on your computer or computers...

Edit the \SYSTEM\Start.bat from your USB pocketknife.

@ECHO off

CD SYSTEM >NUL

:: Finds the location of the flash partition and sets master variable.
IF EXIST z:\CONFIG\Drive_Location.cfg SET flshdrv=z:

Add this simple code:

@ECHO off
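:: Skip the payload on your own machines. Batch treats single quotes as literal text,
:: so compare with double quotes on both sides; /I makes the match case-insensitive.
if /I "%computername%"=="YOURCOMPUTERNAME" goto End
if /I "%computername%"=="YOUR2NDCOMPUTERNAME" goto End
if /I "%computername%"=="YOUR3RDCOMPUTERNAME" goto End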

CD SYSTEM >NUL

:: Finds the location of the flash partition and sets master variable.
IF EXIST z:\CONFIG\Drive_Location.cfg SET flshdrv=z:

Do it by adding as many computer names as you own. Obviously, substitute 'YOURCOMPUTERNAME' with your REAL computer name. You can know it by opening a cmd session and typing ECHO %COMPUTERNAME% :lol:

One more question... Is safety.txt as you spell it in lowercase? The payload checks for this: Safety.txt, and I don't know if VISTA considers safety.txt and Safety.txt as different filenames (Win 2000 and XP don't)... Check it too. :unsure:

I sort of understand it should be done sometime within the next 5 days (Prob sooner).

Let's see it! If you need some other help... (And I can help you)... :lol:


There is a file named "Safety_Check.cfg" in the CONFIG folder.

Then you have your Safety test checking enabled...

I tried changing safety.txt to Safety.txt, and that didn't work.

I expected this, but... ;)

When I try to edit start.bat and add those lines of code, then save it, an error comes up saying:

This happens if I try to save it. So, not sure how I'm supposed to edit the file. =/

Thanks for the help.

Sorry, you are using U3 version... in the U3 version, the start.bat is in the CD partition. Then you have to update the CD partition with the new start.bat, modifying the U3.iso file (by actualizing the start.bat) and using the customizer again.

But I still don't know why it doesn't work for you... Sorry...


Haha, disregard all that, I'm an idiot.

I accidentally named the file safety.txt, not safety. Thus, the file was called safety.txt.txt, and that was the problem. I got kind of confused and didn't notice the file extension was already part of it.

Problem solved in that regard.

The only other problem left is the fact that the payload is not doing anything to one of my other target computers. It's got no safety.txt on it, and the anti-virus has been disabled.

I have 2 computers. They're both laptops, and both have XP 32-bit. They both have McAfee as an anti-virus. When I put the USB drive in one of them, it captures all of its passwords and such fine. In the other, it does nothing and does not create a log for it in the LOGS folder. As in, the computer name doesn't even appear there.


Haha, disregard all that, I'm an idiot.

I accidentally named the file safety.txt, not safety. Thus, the file was called safety.txt.txt, and that was the problem. I got kind of confused and didn't notice the file extension was already part of it.

:lol: I had a headache with this...

The only other problem left is the fact that the payload is not doing anything to one of my other target computers. It's got no safety.txt on it, and the anti-virus has been disabled.

I have 2 computers. They're both laptops, and both have XP 32-bit. They both have McAfee as an anti-virus. When I put the USB drive in one of them, it captures all of its passwords and such fine. In the other, it does nothing and does not create a log for it in the LOGS folder. As in, the computer name doesn't even appear there.

1.- Check if autorun is enabled in this other PC that doesn't go.

2.- Try to auto-execute go.vbs by double clicking it from your \SYSTEM dir. It'll surely create the logs correctly if they're enabled.

EDIT: For checking state of auto-play you can run... gpedit.msc, go to "Computer Configuration", "Administrative Templates", "System", double click on "Turn off Autoplay" and check the state of autoplaying... If you change this value, you must run... gpupdate


:lol: I had a headache with this...

1.- Check if autorun is enabled in this other PC that doesn't go.

2.- Try to auto-execute go.vbs by double clicking it from your \SYSTEM dir. It'll surely create the logs correctly if they're enabled.

EDIT: For checking state of auto-play you can run... gpedit.msc, go to "Computer Configuration", "Administrative Templates", "System", double click on "Turn off Autoplay" and check the state of autoplaying... If you change this value, you must run... gpupdate

Thanks, the auto-play thing did the trick.

The thing is though, it appears that auto-play was disabled by default. Isn't this kind of a big flaw, if it's supposed to run automatically and silently on computers?

Also, when I tried to run it manually either by clicking GO.vbs, it gave an error saying something was wrong with GO.vbs. This is the full error:

Script: F:\SYSTEM\GO.VBS

Line: 16

Char: 9

Error: The system cannot find the file specified.

Code: 80070002

Source: (null)

It does this if I click GO.vbs on any of my 3 computers. I'm assuming there's a known error in GO.vbs that is causing this to happen if you try to run PocketKnife manually. If this isn't a known error, then...why is it happening to me?


Thanks, the auto-play thing did the trick.

The thing is though, it appears that auto-play was disabled by default. Isn't this kind of a big flaw, if it's supposed to run automatically and silently on computers?

It's not a flaw, if you read about how to prevent this kind of attack, you'll notice that one of the first actions to do is disabling the auto-run... It can ever be run with a simple double-click...

Issue resolved. :P
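
Added example, not part of the original posts: a defender-side check of the "Turn off Autoplay" policy mentioned in this thread, decoding the NoDriveTypeAutoRun bitmask that stores it and reporting whether AutoRun is still on for the two drive types a USB stick can present (plain removable storage, or the CD partition of a U3 drive). The function names and the sample values are constructed for illustration.

```python
"""Audit the Windows AutoRun policy bitmask (NoDriveTypeAutoRun)."""
import sys

# Per Microsoft's documentation, a set bit DISABLES AutoRun for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cdrom", 0x40: "ramdisk", 0x80: "unknown (reserved)"}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Drive types a USB stick can show up as: removable disk, or (U3) an emulated CD.
USB_RELEVANT = {"removable": 0x04, "cdrom": 0x20}


def decode(mask):
    """Return the drive types for which AutoRun is disabled by this mask."""
    return [name for bit, name in DRIVE_BITS.items() if mask & bit]


def usb_exposure(mask):
    """Return the USB-relevant drive types that still have AutoRun enabled."""
    return sorted(name for name, bit in USB_RELEVANT.items() if not mask & bit)


def read_policy():
    """Read the value on a live Windows host; HKLM takes precedence over HKCU."""
    import winreg  # Windows-only, so imported lazily
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0]
        except OSError:
            continue
        # REG_BINARY values come back as little-endian bytes.
        return int.from_bytes(value, "little") if isinstance(value, bytes) else value
    return None  # value not set: the OS default applies


if __name__ == "__main__":
    if sys.platform == "win32":
        samples = {"this host": read_policy()}
    else:
        # Constructed sample masks so the check can be run offline.
        samples = {"sample A": 0x91, "sample B": 0x95, "sample C": 0xFF}
    for label, mask in samples.items():
        if mask is None:
            print(f"{label}: NoDriveTypeAutoRun not set (OS default applies)")
            continue
        exposed = usb_exposure(mask) or ["none"]
        print(f"{label}: 0x{mask:02X} disables {decode(mask)}; still on for {exposed}")
```

A mask such as 0x95 turns AutoRun off for removable disks but leaves it on for CD-ROM drives, which is the case that matters for a U3 stick; 0xFF turns it off for every drive type.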


It's not a flaw, if you read about how to prevent this kind of attack, you'll notice that one of the first actions to do is disabling the auto-run... It can ever be run with a simple double-click...

Issue resolved. :P

Well, I'm saying the flaw is that auto-play was disabled by default. Meaning, the person would be immune from attacks without even knowing what auto-play WAS.

Also, what's with that GO.vbs error I kept getting?


Well, I'm saying the flaw is that auto-play was disabled by default. Meaning, the person would be immune from attacks without even knowing what auto-play WAS.

Also, what's with that GO.vbs error I kept getting?

With the GO.vbs file, don't worry, it's a known error probably caused by a non well assigned variable in the vbs file (fixed a few posts before), problems are not persecuting you...

mencargo posted a solution for it here. Probably it will be fixed by Leapo on next release.


Anyone wanna give me an update on what happened last 3 days? Too much stuff to read please

Some of the readers have decided to create a GUI for Windows, non MS-DOS GUI (Elmer, alexthedrifter and mencargo). :lol: Some others we are interested in it, helping with what we can.

In fact, alexthedrifter has released an ALPHA-BETA :P version GUI (Look for new posts).

Some new implementations for the Payload (Slurp3 proof of concept).

Some issues with the Payload Verye had with the auto-run and how Windows manages file extensions were solved.

That's all :blink:


Guys, I don't know if anyone else did this, but I solved the no disk error on all my test machines by simply removing A: and B: from the drive testing part of the script. You're getting that error when it tries to scan a floppy drive for the config file. A: and B: tend to be the floppies on most systems. I have no more issues with it.


Well, I'm saying the flaw is that auto-play was disabled by default. Meaning, the person would be immune from attacks without even knowing what auto-play WAS.

Also, what's with that GO.vbs error I kept getting?

Even if auto-run is disabled, simply double clicking the U3 drive from my computer will launch it.

Still can use the old method too, if you're so inclined, and trick people into launching by using the folder icon and dialog for the Open Folder to View Files popup.


Even if auto-run is disabled, simply double clicking the U3 drive from my computer will launch it.

Still can use the old method too, if you're so inclined, and trick people into launching by using the folder icon and dialog for the Open Folder to View Files popup.

I'm not familiar with the "old method," sorry. What folder icon??

Also, I have another question, though this one isn't support-related:

How do I get someone's Windows login password? I got a bunch of hashes, and I'm presuming these are what I need...but how do I decrypt them?

And finally, I'd just like to speak up about the method of payload development that's been going on in this thread. It is very, very confusing that multiple people are making multiple updates to Leapo's payload. A GUI, bug fixes, etc. It's impossible for anyone to keep up.

In fact, I personally believe having independent payloads in general is bad. Leapo had the right idea; a payload with just about everything. People have been working with Leapo on this payload to make it a fusion of the best ideas and features, and that's been working, but I understand that he's been inactive for a while and people are taking it upon themselves to edit it and add/edit things to make it better. I know that he hasn't been on in a while, but I feel that things would be simpler and better for everyone if they simply collaborated with Leapo and worked on it with him, so there's only one version of Leapo's payload. Unless he does not plan on updating it any time in the next 2 months, or has quit, then people should just be working with him.


Ah, I see.

And sorry with all the questions, but oooone last thing:

When I put the flash drive in computers, a little window named AutoPlay pops up. Here's a picture of it:

oigk.png

For my Vista computer, it does this whether or not safety.txt is on the C: drive. This kind of defeats the purpose of running silently... Thankfully, it doesn't do that on most computers.

However, it doesn't really say how to change the settings of removable disks (USB flash drives) in the Control Panel.

So, first off, how do I make it so it doesn't come up with that window when I put it in my Vista computer?

Second...is there a way to make it so it doesn't pop up like that on any computer?

Thanks.


Ok, here's the problem.

If I put the flash drive in and just X out the little AutoPlay Window that pops up, the log writing gets messed up really, really badly. Here's a picture:

2dgmjoh.png

If I click "Open folder to view files," then it does everything normally. However, this means that I have to open the folder in order for it to run and write the logs properly, which is obviously bad.

How do I fix this? How do I get it to just autorun automatically, without that stupid window popping up? (For those who are confused, I explained the window that popped up in my previous post.) The worst part is that if I exit out of the window, the logs do not write correctly. If I click "open folder," it writes correctly, but this is a hassle for me, and also, if it's on someone else's computer, quite suspicious, as they see all the PocketKnife folders.
