USB Pocket-Knife Development

[sablefoxx]

Thats what the safty.txt is for!

[excid3]

Seems like the newest version isnt emailing the IP address correctly.  I'm getting the emails, but the ip is just dashes.  Just a side effect of the new version being experimental?

Also, have you had any experience in NSIS? I may try cloning your payload into an NSIS script. Things should be much cleaner and simpler using that. I would be better at coding the app than figuring out the commands for the actual payload. Let me know what you think.

[HarshReality]

Suggested addition (as I normally overhaul XP based systems) add to the autorun so that it backs up the windows activation files and attaches to an email *when used). Then before I overhaul one I could just jack in the USB and kill the system and have the logs and whatnot all there for my reinstall.

Ex: Go to your _:WINDOWSSystem32 and find a file called "wpa.dbl" and "wpa.bak" back those files up to a floppy, CD or whatever you want to put it on.

When you want to restore these files go into safe mode and put them into your windowssystem32 directory. When you reboot you should be activated without actually going through MS :)

[Leapo]

Seems like the newest version isnt emailing the IP address correctly.  I'm getting the emails, but the ip is just dashes.  Just a side effect of the new version being experimental?

Hmm, yeah, looks like there are some problems cropping with not using NIRCMD in the experimental release. I'll try and figure out how to solve that, but for now you can use the latest stable release (I've added it to the downloads section on page #1 of this forum post) which should be 100% working.

By the way, thanks for testing and reporting back on the experimental release!

Suggested addition (as I normally overhaul XP based systems) add to the autorun so that it backs up the windows activation files and attaches to an email *when used). Then before I overhaul one I could just jack in the USB and kill the system and have the logs and whatnot all there for my reinstall.

Ex: Go to your _:WINDOWSSystem32 and find a file called "wpa.dbl" and "wpa.bak" back those files up to a floppy, CD or whatever you want to put it on.

When you want to restore these files go into safe mode and put them into your windowssystem32 directory. When you reboot you should be activated without actually going through MS :)

Now THAT is a very good idea...I'll be adding that to the next release for sure, would solve a lot of activation headaches as long as the hardware was exactly the same.

[HarshReality]

Here is your little Addition... course I added it to the switchblade so feel free to recode...

1.We're first validating that it is XP (no point in running it if it isnt)

2. We're validating the exitance of the wpa file and if its there creating a folder within the logging folder to copy the file to. I rather liked Gonzor's idea of date/time for the log and on the odd chance you run it on 2 machines that have the same computer name it wont overwrite.

Ver | find "5.1." > nul
IF %ERRORLEVEL% == 0 (
IF EXIST %systemroot%system32wpa.dbl (
    ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
    ECHO +----------------------------------+ >> %log% 2>&1
    ECHO +      [XP Activation Located]     + >> %log% 2>&1
    ECHO +----------------------------------+ >> %log% 2>&1
    ECHO This file is an activation backup and will only function when installed on the original machine that has had no hardware >> %log% 2>&1
        ECHO modifications. Boot the unit to safemode and copy the file to the System32 folder and restart. >> %log% 2>&1

        MD "%logdir%"XP-Activation-[%Year%%Month%%Day%-%Hour%%Minute%%Second%]
        COPY /Y %systemroot%system32wpa.dbl "%logdir%"XP-Activation-[%Year%%Month%%Day%-%Hour%%Minute%%Second%]
    )
)

[Jigsaw]

Hey, great job putting this together, very nice.  I personally like Gonzor for my U3, but I'm running this on another flash drive and my ipod.  I was looking through your slurp batches, and I noticed that it only takes logs for certain programs and things of that sort.  Why not just throw in some commands to take all of the . doc, . txt, and . html? i through them in there at the end and it works like a charm.  Yes, it is more files, but they tend to be quite small, and this way you can get ALL of there documents and a lot of the time there is a passwords. doc file where they have listed all of the passwords  :lol:.  But overall, very nice.  I'm looking forward to any new releases!

-Jigsaw

[suicidemayhem]

why wont this email the 'computername.log' file to the email specified?

[HarshReality]

read the ini.. vnc and hacksaw are not in the payload

[suicidemayhem]

I found that if the newest pocket knife is stripped to just SBS and Go.cmd (with edit to email logs), it runs undetected (tested on 3 pcs) and the log file shows up in my inbox in less than 20 secs each time. i have another drive for full exploit, but this way i can leave/give them away and still have the info received.

[HarshReality]

Link to DL? If I get it to fly I'll add it back to my own.

[suicidemayhem]

there isn't anything special to it, its just the pocket knife that only runs the Go.cmd command and emails it to me. very efficient if you are leaving these in places or giving them away. here is the link.

www.rivalgraphix.com/email_pocketknife.rar

it still has all the functionality of the pocket knife, just needs to be uncommented out.

[TuxedoKMax]

This is my first post so please excuse me if I do it wrong :). 

THANK YOU SO MUCH!!!!

I've been reading through the forums for quite some time now and I don't see these words often enough.  You guys are amazing and the work that you do is incredible.  Then, you're generous enough to share it with the rest of the world free of charge?  I wish I could buy you all drinks.

That being said I do have one question about switchblades in general.  Is it possible to manipulate webcams of target computers (I. E.  turning one on to snap a picture or video and sending the file online.  Possibly streaming?) through the use of a switchblade?  I've searched the forums and have not seen this discussed.  It could be that I have missed it entirely, or maybe it can't be done for reasons that are obvious to everyone besides myself.  And maybe I have somehow missed the proper thread.  Anyways, just thought I'd open up the possibility for discussion.  Thanks again everybody!

[Skunkfoot]

If you don't mind me asking, what would you want to do that for? It sounds kind of creepy to me, but maybe I'm missing the point...

[TuxedoKMax]

Yeah, I guess you're right about that after all.  I had read the earlier posts about trying to prove who was stealing usb drives and that's what got me thinking about this.  It would be a perfect way to obtain proof about stolen items or unauthorized computer use.  Now that I have read up on the topic more there do seem to be several webcam viruses floating around the net, giving this a very black hat connotation.  I guess this isn't really something that I necessarily want coded, just seemed like a possible solution and an interesting problem.

[Skunkfoot]

Yeah, I can understand that...just as long as you're not planning on using it as like a hidden camera for some weirdo voyeur shit, ya know?

And to answer your original question, as far as I know, it's not possible. But! That's just because I've never heard about it being done and I don't know how webcams work really. I think if it is possible, it would probably be different for each webcam...

I know you can do annoying stuff with hardware from a script (like opening the cd tray or something like that), but I don't know if the webcam thing is possible or not. Someone please correct me if I'm wrong, I'd love to learn something new. ^^

[trustme]

And to answer your original question, as far as I know, it's not possible. But! That's just because I've never heard about it being done and I don't know how webcams work really. I think if it is possible, it would probably be different for each webcam...

And therein lies the problem...

I know you can do annoying stuff with hardware from a script (like opening the cd tray or something like that), but I don't know if the webcam thing is possible or not. Someone please correct me if I'm wrong, I'd love to learn something new. ^^

Those only work because its calling a built in function thats universal to all cd drives.  With a webcam, each installs its own set of drivers and commands.  It'd be nearly impossible to include instructions for each, and since most are closed source finding the correct method to control it would be extremely difficult.

[G-Stress]

I had an idea for webcams using dorgem. Not exactly sure how I'd implement it just yet and haven't gotten to it yet, just an idea  ;)

[sc0rpi0]

Yeah that should be enough, you dont really need to host the update file on your server (although it could make things simpler) but even if you decide to you will have plenty of room. If you want I can help you with this, its been something I have thought about but never implemented into my payload because you would need to re flash every time you update.

EDIT - Just checked out 50megs.com and I think your better off going with 110mb.com

This looks good...but not quite as good as:

http://www.esmartstart.com/

You get 250 mg. instead of only 110.

Really fast/easy setup and usage too.

Of course, if it's just a couple of text files, it won't really matter as much.

[GonZor]

Yeah that should be enough, you dont really need to host the update file on your server (although it could make things simpler) but even if you decide to you will have plenty of room. If you want I can help you with this, its been something I have thought about but never implemented into my payload because you would need to re flash every time you update.

EDIT - Just checked out 50megs.com and I think your better off going with 110mb.com

This looks good...but not quite as good as:

http://www.esmartstart.com/

You get 250 mg. instead of only 110.

Really fast/easy setup and usage too.

Of course, if it's just a couple of text files, it won't really matter as much.

Reading the FAQ at esmartstart.com I noticed that it doesn't support server side scripting, which doesn't leave many options for expansion. 110mb on the other hand does offer this and actually allows 5GB of space.

Q. Do you offer or allow server-side scripting such as php, cgi, asp, etc.?

A. We do not offer or permit any server-side scripting such as php, perl, cgi, asp, shtml, cfm, etc. This service is for basic websites written in html. Javascript, which is client-side scripting, is permitted.

[sc0rpi0]

Yeah that should be enough, you dont really need to host the update file on your server (although it could make things simpler) but even if you decide to you will have plenty of room. If you want I can help you with this, its been something I have thought about but never implemented into my payload because you would need to re flash every time you update.

EDIT - Just checked out 50megs.com and I think your better off going with 110mb.com

This looks good...but not quite as good as:

http://www.esmartstart.com/

You get 250 mg. instead of only 110.

Really fast/easy setup and usage too.

Of course, if it's just a couple of text files, it won't really matter as much.

Reading the FAQ at esmartstart.com I noticed that it doesn't support server side scripting, which doesn't leave many options for expansion. 110mb on the other hand does offer this and actually allows 5GB of space.

Q. Do you offer or allow server-side scripting such as php, cgi, asp, etc.?

A. We do not offer or permit any server-side scripting such as php, perl, cgi, asp, shtml, cfm, etc. This service is for basic websites written in html. Javascript, which is client-side scripting, is permitted.

I see...I *should* check out 110mb.

I assumed wrongly from the title that one only gets 110 megabytes of storage.

[ki]

I've got a question, has the development of the pocket-knife changed since the a couple of releases since the initial release, im using an old version but it works fine, but except when I plug it into my own computer and it still logs me after I have safety. txt in my C: drive

Any reason why this would be happening?

Also if you need file storage, my server has a couple hundred gigs to spare if you don't mind using an ftp.

[edman2478411]

hmm so ive taken a liking to this little pocketknife very neat. Im not sure if its just me but i cant seem to get the nmap and other logs only the ip log and thats still just dashes, maybe Google server values are wrong?? Also using the remote desktop feature on a computer behind a router does not work or at least not in my trials without port forwarding. My suggestion would be to use remote port forwarding capability of SSH uhmm im not 100 % sure this would work but its an idea. For the most part my trials have been so so for the fact being that for some reason the stunnel on two of the pc's i tested on would not initiate or would just fail. Not sure. im looking into it these are computers that are severely locked down but everything seems to work BUT the stunnel. Thanks and good luck there is a huge amount of potential in this.

[oxoloxo]

Tested latest version and two virus scanners found this; csrss.exe after that it found pwdump and I can't remember the last one..

AVG

Mcafee

[assault]

er. . . . I ran this on my own machine to try and test it. . . . how do I remove it from my computer?

(ie, I want to remove VNC, nmap, etc. . . )

[Thaorius]

Hi, I'm new to Hak5.  :-P

Your payload works like a charm, It's actually the one I enjoyed most(I've tried a few that were posted on this forum).  Anyway, I have a hosting account with a LOT of space and bandwith, if you are interested I have no problem on giving you some space.  If you are interested let me now.

Bye