Jump to content

USB Pocket-Knife Development


Leapo

Recommended Posts

Elmer: Absolutely correct! I don't think I could have explained it any better myself :grin:

Megaman: That's odd, my payload runs an app that should out-right kill Avast, AVG, and a few other AV's. I use Avast myself, and I can confirm that my payload kills it when left in a default configuration. If you've tweaked your AV's settings, it might be catching the batch scripts themselves and stopping them in their tracks.

Link to comment
Share on other sites

  • Replies 818
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

  • 2 weeks later...

Just a little update, I'm not dead!

My U3 drive is here and I'm working on converting my code over to be completely U3 compatible (files in danger of being deleted on the U3 partition). You can expect a non-U3 variation using TrueCrypt very shortly after the U3 version is done.

Every body just hang on, I'll get this sorted eventually  8)

Link to comment
Share on other sites

Good to see that you are not dead! I am looking forward to the TrueCrypt version. It will be the first non-u3 payload to not get deleted by anti-virus programs, and that is an achievement that is nothing to sneeze at. Is there anything we (the people who are waiting) can do to help you?

Link to comment
Share on other sites

The current Winrar script works well enough, but yeah, TrueCrypt will provide the be-all end-all solution.

As for community help...there are still those code snippets I posted up that are royally b0rked, if somebody could sort those out I would immediately throw up a new version of my payload (still based on the old code branch you've all been using, it will take a while yet to sort out all the bugs with the U3 version).

Link to comment
Share on other sites

The current Winrar script works well enough, but yeah, TrueCrypt will provide the be-all end-all solution.

True crypt isnt the be-all end-all solution, For the reasons specified below...

The problem with true crypt is, that you need the driver installed on the system if you're not an admin to work with it.

A lot of the tools used in the payload (specifically the ones that get detected by AV) need an admin account to work, I would create a combination of true crypt and rar.

Link to comment
Share on other sites

  • 1 month later...

dammit,

I have my own usb development ready to be released(completely different from the hacksaw,switchblade,& other payloads),

but before i was going to release it i wanted to give it a name and i thought up of "usb pocketknife" & just today i made a pic

just like the pics created on the hak5wiki of the switchblade & hacksaw, but as i see it was already taken, should of checked

the all the forms to see if the name was taken. . .

so unless Leapo wouldn't mind another USB pocketknife development thread.  i would be in the clear.

but until i get a reply ill be thinking of a new name along with editing my pic.  :???:

& nice work Leapo.

Link to comment
Share on other sites

Leapo's payload is dead, or at least appears to be based on the last post being over a month ago.  Strangely enough he seems to be online every now and then, but didn't answer my pm...

Oh and no offense but I hope GonZor's payload eats yours  :P.  (You don't happen to go by the name Santa... do you?)

Good luck thinking of another name.

Link to comment
Share on other sites

Leapo's payload is dead, or at least appears to be based on the last post being over a month ago.  Strangely enough he seems to be online every now and then, but didn't answer my pm...

Oh and no offense but I hope GonZor's payload eats yours  :P.  (You don't happen to go by the name Santa... do you?)

Good luck thinking of another name.

my payload  as i stated before is completely different from that the hacksaw, switchblade and other payloads

(which is why i was going to start a new development).

my name ive had it for a while, the 666 i just picked out of the air, other wise i can have just empire(like the paintball company)

& did u mean Satan? not Santa?

Link to comment
Share on other sites

(Sorry Leapo if you ever planned to continue this thread)

/Thread Jacked/

but until i get a reply ill be thinking of a new name along with editing my pic.  :???:

my name ive had it for a while, the 666 i just picked out of the air, other wise i can have just empire(like the paintball company)

& did u mean Satan? not Santa?

Thats what I meant by the name, a new name for your payload.

I did mean Santa, someone tried to pretend GonZor's payload was their own work, here

http://www.hellboundhackers.org/forum/view...&rowstart=0

Its since been edited to make it clear that GonZor is the creator.  The guy who did it was going on about he was going to make his own payload thats far better.

And integration between the different types of payloads has been the goal for a while now eg:. Leapo wanted to make an all encompassing payload for the non U3 folks, GonZor created a Gui and moved all the files onto the cd partition for the u3 folks (his payload is also non U3 compatable as well now).

Link to comment
Share on other sites

yes, yes, I know my payload appears dead, but I am still playing with it.

A fully U3 version is being worked on, and I have a small update to the non-U3 payload that I could probabbly release this weekend (a GUI to change settings). The U3 version will have everything moved over to the CD partition, and I've improved the RAR script on the non-U3 version so the backups are smaller and take less time to extract.

Don't count me out yet, I'm also cannibalizing GonZor's payload and adding everything I don't have from it to both versions of my payload....sure my code isn't as clean, but meh, now that it has  GUI, that isn't a huge issue. I might go ahead and release "streamlined" variations of my payload, with all the human-friendly formatting and comments removed so that the files are smaller, run faster, and backup/restore faster.

Yeah, I'll release the updated non-U3 version tomorrow morning, so watch out for that  :)

Link to comment
Share on other sites

  • 2 months later...

UPDATE: VERSION 0.6.2.1 IS OUT!

Ok guys, you've waiting a LONG time, but here it is, my lazy ass is finally releasing a new version of my payload. I've made some insanely cool new features that, as far as I can know, are brand new and never-before-seen :lol:

Quick update list (I'll be revising the first post in this thread shortly and making a wiki page):

VNC install method - OVERHAULED

I had heard some were having issues with the way I was installing VNC, so I went ahead and plugged in a new variant of the VNC installer. Password is still "yougothacked", and it's open on port 80 as well as 5900. Once configured properly with your gmail account, ti will also email you the external IP of the infected system.

Backup and Restore script - OVERHAULED

Narrowed down the amount of items being backed up and restored, optimized the restore process, and used a lower compression value on the archive to make restoring from it quicker.

Automatic Updates - NEW FEATURE

Yes, you read that right. I've created a single simple script that will download the latest versions of many of the tools used on the switchblade, extract them, and install them into the payload automatically. After the update process has finished, the extra files are cleaned up and the backup archive is rebuilt.

Automatically Compress Logs - NEW FEATURE

I've added a switch in Start.bat that, when enabled, will automatically compress log files as they are generated to save space on your flash drive. Not all that useful if log files is all you're collecting, but if you're slurping files, this should let you store a bit more data.

Centralized Management Interface - NEW FEATURE

Most that have used my payload know about the slew of batch files that were appearing on the root of the drive to run various functions, and how messy it was beginning to look; fear not, for that little problem has been rectified once and for all! There's now just one batch file called Menu.bat which will assist you in all of your management needs.

This simple GUI allows you to do any of the following:

- Open Start.bat with Notepad++ (included with my payload, can be found in X:DocumentsNotepad)

- Force a manual backup of the flash drive .

- Force a manual restore of the flash drive.

- Run the Auto-Update script described above.

- Run the payload.

- Drop back to the normal command line.

DOWNLOAD THE USB POCKET KNIFE V0.6.2.1

Yes, I know the version number took a jump, I've been working on this for a while, just go with it  :P

Download Mirrors:

RapidShare

Megaupload

Note: this new version is NOT compatable with the U3 ISO in my first post as of yet, that will be fixed shortly.

Link to comment
Share on other sites

There's a little more to it than just wget commands, as the files come down zipped, and there's extra garbage in the zip files we don't want. This is the general breakdown:

- Wget goes out and downloads all the files

- The CLI version of 7zip extracts everything into a temp folder.

- Files are copied to the proper locations.

- Attributes flags are set for the new files (read only, hidden, system).

Works pretty darn well, except in situations where the download link changes with version number. There's no good way to feed Wget a wildcard, so I have to manually tell it to poll the website for versions that might not exist yet (as is the case with pwdump). It works fantastically for programs where the download link stays the same, though.

Link to comment
Share on other sites

ok, yeah I figured thats what it would be like. Another way you could do it is post the version numbers of the updated progs to a server somewhere, then compare versions of current (on the stick) and newest (from the version number file) and update  anything if necessary. To make the system completely automated you could create a script that gets the latest file version number of each app and upload the list to your server.

Link to comment
Share on other sites

Yeah, i want to give that a shot, I just need to get a server set up that I can let everybody who uses my payload access for updates. I was thinking of setting up a free site at 50megs.com since all I need is FTP access to a few text files...think that'll be enough?

Link to comment
Share on other sites

Yeah that should be enough, you dont really need to host the update file on your server (although it could make things simpler) but even if you decide to you will have plenty of room. If you want I can help you with this, its been something I have thought about but never implemented into my payload because you would need to re flash every time you update.

EDIT - Just checked out 50megs.com and I think your better off going with 110mb.com

Link to comment
Share on other sites

Yeah, that's one of the few down sides to running the payload off of the U3 partition. You could make an app that updates the image and automatically re flashes it, but that's kinda a pain in the ass.

And yeah, lets get that server set up, it'll be a great resource for all the payloads in development here. How should we go about this, you want me to just go ahead and register with them now?

Link to comment
Share on other sites

Slight problem with 110mb.com, they aren't accepting registrations until the 14th due to a server move.

EDIT:

ok, there registration is up, but what we want to do boarders on violating their TOS (which means perma-ban and if the deem necessary, being reported to the authorities). Got a loser hosting service we can use?

Link to comment
Share on other sites

UPDATE: VERSION 0.6.2.3 IS OUT!

This is a quick experimental release for you all to try out. I've made some major changes that, by all accounts, should work just fine. I haven't actually had a chance to try this, so if you're looking for a release that's sure to work refer to my previous post  with the last stable release (Version 0.6.2.1).

I won't be appending this version to the front page until I'm sure I have all the kinks worked out. Like I said, it should work just fine, but for all I know I broke the whole works :lol:

Keyloger - NEW FEATURE

I've heavily modified the USB wiretap and added a few new features to it. When activated in Start.bat, it installs in the same manner as the USB hacksaw and begins logging keystrokes as soon as the current user logs off and logs back on (I'm working on a way to make it start without a relog). You may either run the payload again to collect logs, or give it your email address and it will email you the logs daily (just like the hacksaw).

Silent Operation - OVERHAULED

I found a nifty little app on MSFN forums created for the sole purpose of hiding command prompts. I realize that nircmd has quite a few more features over this new app, but there's a major upside. This new app isn't detected by ANY antivirus as a hacktool, which means more of the payload will now run on systems that kill Nircmd.

I also fixed a small bug where the start.bat command prompt would pop up when starting the payload from the autorun dialog box.

DOWNLOAD THE USB POCKET KNIFE V0.6.2.3

Keep in mind, this release is experimental! if you want the latest stable release, go back a page and grab 0.6.2.1!

Download Mirrors:

RapidShare

Megaupload

Note: this new version is NOT compatible with the U3 ISO in my first post as of yet, I'm putting together a few different versions of the launcher ISO, so watch out for that.

Link to comment
Share on other sites

UPDATE: FIXED U3 ISO!

I went ahead and fixed the U3 ISO to auto-launch my payload silently; this works with the latest stable AND the latest experimental release of my payload. I would really like some input on how the experimental version of the payload works, I wanna make sure nothing broke when I exchanged that new app for NIRCMD.

DOWNLOAD FIXED U3 ISO

Added these links to the first post as well...

Download Mirrors:

RapidShare, MegaUpload

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...