
USB Pocket-Knife Development


Leapo


tempnode,

Thanks for the file, but what am I supposed to do with it? I have Gonzor's switchblade, but I want to turn my Geek Squad U3 USB back to normal. Do I just run the program you gave me, or what? Also, I want to keep the U3 disk part of it, so I don't want to use the U3 uninstaller!

THANK YOU FOR ALL OF YOUR HELP!!!!!


I don't know if this will help anyone, but I found an app called USB Thumbscrew. It makes your USB drive read-only, so if you have, in this case, a payload, the AV won't nuke it. You can also disable the read-only mode to add more files to your USB drive and then enable it again. A friend of mine tested it out on his non-U3 switchblade and said it worked fine! I hope this will help!


I assume that the thumbdrive is altered, not the PC:

So you say a piece of software makes a hardware device unwritable?

I don't believe it.

Edited after Googling: this program simply changes a value in the registry on the machine.


Oh OK, like I said, a friend of mine tried it out, NOT me, so sorry if I made a false statement. Next time I post something I will try it out first!

So this won't help AT ALL?


  • 2 weeks later...

Hey guys, great tool you have put out. I just had a couple of bugs I was wondering if I could get help with:

1. When I run the menu.bat and choose option 4 to run the USB hack, after a while I get an error saying unable to find c:\windows\$NtUninstallKB931552$\winlogon.exe. Is there any way around that? Because after this error the batch process gets stuck, as in it doesn't progress from there.

2. I did edit the send.bat files and added in my Gmail account info, but I do not get any emails of the keystrokes and the logs.

It would be great if you guys could help me out with these problems. Thanks a lot.

regards

nrahim!


  • 2 weeks later...
Introduction:

Let me start off by saying that this is NOT YET a final payload; this thread's purpose is to serve as a learning experience for me while providing a useful end-all be-all payload to the community. For now I will provide the payload in its current state at the end of this post.

This payload is the result of slowly browsing this forum and saving every bit of code and every full payload I've come across, then stitching it all together into a modular switchblade with just about every feature in existence. I've gone through and fully commented most of the code (still working on that), I've made sure everything is virus free, I've separated out major functions so that they can be turned on and off at will, and I've made sure it runs completely silently on a U3 and non-U3 thumbdrive in the least-obvious way possible.

Current State and Features:

The following is a list of everything included in the payload:

Key:

- Non-U3 Drives Only

- U3 Drives only

- Not yet Implemented

- Everything Else

Features:

- Upon insertion, the first option in the Autorun dialog box starts the payload, while appearing only to open the drive.

- Full silent autorun with no user interaction for U3 drives.

- A "Menu.bat" is included to manage all special functions, modules, and features of the switchblade.

- Payload checks the root of the C: drive and prevents the payload from running if the file "Safety.txt" is found.

- Includes TightVNC viewer so you always have it with you.

- Includes Notepad++ for easy batch editing.

- Includes antidote batch files for Nmap, the Hacksaw, and VNC.

- Fully commented code and fully featured ReadMe with instructions on setting up the payload for your needs.

- A custom backup and restore script, which automatically restores the switchblade (to the last time it was backed up) before every run. This ensures the payload is always put back to a normal state, even after it's been nuked by an antivirus.

- A custom auto-update script that goes out and downloads the most recent versions of many of the tools used on the switchblade (pwdump, nircmd, etc). Simply run it from Menu.bat, and the tools will be downloaded, extracted, and installed into the payload. The backup archive for the entire payload will also be updated to keep the latest versions of the files from being overwritten by an old backup. *working on a way to get this working for U3 drives.

- Auto Compress logs as they are generated to save space

- Email logs Back to yourself

- Optional auto-repack of executable to circumvent AV detection

Payload Components:

- Runs AVKill (csrss.exe)

- Restores the payload to the last backup point

- Disables the Windows Firewall Silently

- Hides Hidden and System Files

- Enables the Remote Desktop service

- Dumps general System Info

- Dumps the SAM

- Dumps LSA secrets

- Dumps LSA secrets via an alternate method (less detectable, not as pretty)

- Dumps Network Passwords

- Dump messenger passwords

- Dump IE passwords.

- Dump saved wireless keys

- Dump URL history

- Dump Firefox passwords

- Dump Cache Passwords

- Dump Current Network Services

- Generic Port Scanning

- Dumps current external IP

- Dumps email, messenger, and general website passwords

- Dumps currently installed hot fixes and IE history

- Installs Hacksaw the usual way

- Installs WinVNC client.

- Installs Nmap as a service (emails you results like the Hacksaw)

- Installs a keylogger which emails its logs off to you daily [New!]

- File slurping for logs, chat-logs, downloads, bookmarks, etc. (smaller files)

- File slurping for various Documents and Media folders. (larger files)

- Opens an explorer window to the Documents folder when finished

- Automatic update script to keep various executables up to date.

- Compress logs as they are generated to save space.

- Optionally email logs in addition to storing them on the switchblade.

- Management interface to manage the various functions of the pocket Knife. [updated!]

A Look Inside the Payload:

Updating information for new payload version
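Two things in this thread are really host-side defensive settings in disguise: the autorun dialog that launches the payload on insertion, and the registry value the "USB Thumbscrew" tool flips to make removable drives read-only. The script below is an added example (not code from the thread or from the Pocket-Knife payload) that audits those two documented Windows policy values and, with a -Harden switch of its own invention, enforces them; it also reports whether C:\Safety.txt, the marker file this payload honours, is present. It assumes an elevated PowerShell prompt and the standard policy paths.

```powershell
<#
  Added example, not part of the thread. Audits (and with -Harden enforces)
  host settings that blunt autorun-launched USB payloads:
    NoDriveTypeAutoRun = 0xFF : autorun.inf is ignored for every drive type, so the
                                "first option in the Autorun dialog" trick is never offered.
    WriteProtect = 1          : USB mass-storage devices mount read-only on this host
                                (the same value the "thumbscrew" tool toggles, as policy).
  Assumptions: run elevated; the registry paths are the documented policy locations;
  the -Harden switch is this script's own name, not a Windows feature.
#>
param(
    [switch]$Harden   # without it the script only reports
)

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$storagePolicy  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$safetyFile     = 'C:\Safety.txt'   # marker file named in the payload's feature list

$desired = @(
    @{ Path = $explorerPolicy; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
    @{ Path = $storagePolicy;  Name = 'WriteProtect';        Value = 1    }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force overwrites an existing value (of any type) with a DWORD
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

foreach ($s in $desired) {
    $current = Get-RegistryDword -Path $s.Path -Name $s.Name
    if ($null -eq $current) { $state = 'MISSING' }
    elseif ($current -eq $s.Value) { $state = 'OK' }
    else { $state = 'WEAK' }

    if ($null -eq $current) { $shown = '<none>' } else { $shown = '0x{0:X}' -f $current }
    Write-Output ('{0,-20} current={1,-8} want=0x{2:X}  {3}' -f $s.Name, $shown, $s.Value, $state)

    if ($Harden -and $state -ne 'OK') {
        Set-RegistryDword -Path $s.Path -Name $s.Name -Value $s.Value
        Write-Output ('    -> {0} set to 0x{1:X}' -f $s.Name, $s.Value)
    }
}

# This particular payload refuses to run when the marker file exists; report it.
if (Test-Path -Path $safetyFile) {
    Write-Output "$safetyFile present  OK (payload's own safeguard)"
} else {
    Write-Output "$safetyFile absent"
    if ($Harden) {
        New-Item -Path $safetyFile -ItemType File -Force | Out-Null
        Write-Output "    -> created $safetyFile"
    }
}
```

Run it without arguments to see the current state, then with -Harden to apply. WriteProtect only applies to devices plugged in after the value is set, and on Windows XP and Vista the NoDriveTypeAutoRun policy is only honoured once Microsoft's Autorun fix (KB967715) is installed. Note that Safety.txt is a courtesy this one payload extends; the two registry policies are what stop the class of attack.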

Hello,

I am trying to install this, but I have no idea how to make the U3 partition with this .bat. Actually, I have no idea what to do for this. For Gonzor's payload there was an exe that partitioned the flash drive and also added everything correctly to the flash drive.

I just want to know how I install this on my 16G flash drive. I have U3, but I also have Gonzor's payload installed. Should I reformat the drive? Remove Gonzor's? Install yours with Gonzor's? Sorry, I just have no idea; I haven't seen an install readme or anything. The one that yours provides is Initial Setup, and if you don't have U3, there are no directions on how to install this application properly on the flash drive, or how to partition it. Would it be possible to get some help on this? Sorry if the grammar is off, I'm a little 420'd =)


@Leapo

This is the best payload I have used so far, no offense to others.

It works the fastest, has the most options, and is super easy to set up!

It worked in 21 seconds, and installed VNC and Hacksaw, keylogger and NMAP.

I just have one question for you, sir, or for anybody here: in the log it says "access denied" for the messenger PWs and LSA secrets, but for the IE PWs it doesn't say anything... but none of them revealed the passwords. Could that be because of the Norton firewall there? (I know they use Norton for AV, and I would assume that they use it for the firewall.)

Thanks again Leapo

Thanks in advance to anyone that answers me


  • 2 weeks later...

Leapo,

Menu bug.

I ran menu.bat >

Manage Settings And Modules >

Enable or Disable Modules >

At this point, any selection I make results in:

"The system cannot find the file specified."

Dump System Information IS enabled upon arrival at this screen.

I'm sure this has to be an error in my setup

and not in your script.

My installation went like this:

1. Contents of Leapos_Payload_U3\U3 ISO Source\ converted to U3CUSTOM.ISO.

2. Replaced Universal_Customizer\BIN\U3CUSTOM.ISO with newly created ^.

3. Ran Universal_Customizer.exe.

4. Placed contents of Leapos_Payload_U3\Flash Partition\ into H:\ (non-emulated partition of thumbdrive).

If you could help me with my problem, I could stop typing so mundanely.

Thanks,

Patch

p.s. You got skills.


The non-U3 version of the payload works fine.

Menu works like a charm.

Dump System Information is still enabled by default.

That is, the emulated drive has a blank U3CUSTOM.ISO installed

and all payload is installed on the non-read-only partition.

I would really like to use the U3 Payload,

so please let me know if there is anything I can do to help.


I got the same errors again, but I'm not sure if what I did wiped the U3 portion of the drive. I used Universal Customizer to make an ISO with only a blank text document (it wouldn't allow a blank ISO).

Also, I don't know much about programming, but would holding shift/not holding shift when you insert the drive have any effect on all of this? Is it okay to completely rely on safety.txt?


I used powerISO to make my U3CUSTOM.ISO.

I didn't know the Universal_Customizer would make .ISO files.

lopacity, probably best not to hold shift if you are trying to have it enabled.

I don't know what effect it would have for certain (I haven't read the code),

but I do know holding shift is a feature for disabling some payloads.

Also, I would say it is safe to rely on safety.txt, but again, I don't know that for sure.


Well, Universal Customizer itself doesn't create them, but it comes with a little isocreate.cmd (or something similarly named) that works.

Does shift disable this payload? Because I saw in my menu.bat that there was an option to use the safety.txt feature, but it was disabled, and since I can't seem to edit that, it is still disabled.


  • 3 weeks later...
Leapo,

Menu bug.

I ran menu.bat >

Manage Settings And Modules >

Enable or Disable Modules >

At this point, any selection I make results in:

"The system cannot find the file specified."

I was getting the same problem whenever I checked the log file after using the drive on my computer. I looked through the START.BAT file that goes on the U3 partition and it looks like there's a slight bug:

Where it sets the target path to the program folder, it points at the flash drive and not the U3 ISO. I just changed this line:

SET progdir="%flshdrv%\SYSTEM\PROGS\"

to this:

SET progdir=".\SYSTEM\PROGS\"

do the same with:

SET scriptdir="%flshdrv%\SYSTEM\PROGS\SCRIPT\"

SET installdir="%flshdrv%\SYSTEM\INSTALL\"

so that you have:

SET scriptdir=".\SYSTEM\PROGS\SCRIPT\"

SET installdir=".\SYSTEM\INSTALL\"

that seems to fix the bug for me.

also, @ Leapo or anyone who might know:

Is there any way to get the gathered data from MessenPass, Protected Storage PassView, etc. and get it to show up in the log file instead of opening new windows? It would just make it that much more stealthy.


Hi all,

With great interest and respect I followed this very interesting conversation. So, if I understood it correctly, the main problem is that virus scanners could detect the payload as viruses.

So my idea (and it is just an idea, so apologies): instead of using TrueCrypt or RAR with a key, you can put all the payload on a Linux filesystem (I suggest ext2).

Why that? Well, Windows never sees an ext2 or ext3 filesystem (you can create one on every USB stick), and whenever you might need it, start a little program which lets Windows access this filesystem, mount it, and, when you do not need it any more, just unmount it and kill the ext2 access program = partition disappeared again.

No virus scanner would find it, as the filesystem (as it is no hidden FAT or NTFS) could never be recognized or seen without the helper program.

Just a little idea, what do you think ?

Cheers

vanguard


I was getting the same problem whenever I checked the log file after using the drive on my computer. I looked through the START.BAT file that goes on the U3 partition and it looks like there's a slight bug:

Where it sets the target path to the program folder, it points at the flash drive and not the U3 ISO. I just changed this line:

SET progdir="%flshdrv%\SYSTEM\PROGS\"

to this:

SET progdir=".\SYSTEM\PROGS\"

do the same with:

SET scriptdir="%flshdrv%\SYSTEM\PROGS\SCRIPT\"

SET installdir="%flshdrv%\SYSTEM\INSTALL\"

so that you have:

SET scriptdir=".\SYSTEM\PROGS\SCRIPT\"

SET installdir=".\SYSTEM\INSTALL\"

that seems to fix the bug for me.

also, @ Leapo or anyone who might know:

Is there any way to get the gathered data from MessenPass, Protected Storage PassView, etc. and get it to show up in the log file instead of opening new windows? It would just make it that much more stealthy.

Wow, that's some excellent bug hunting! Looks like I missed a bit when I was making the U3 version of the payload. I'll go ahead and fix the drive detection so it'll set the correct variable on U3 drives.

Edit: Here's a bugfix release for you guys, also added it to my first post:

Current Version: USB Pocket Knife 0.8.1.0 Pre-Release by Leapo

Download Mirrors: RapidShare Megaupload

Changelog:

Change 0: Now fully U3 compatible (fixed from v0.8.0.0)

Change 1: Menu.bat has been greatly reduced in size.


How to install Leapo's version? Just make an ISO from the content of the wanted directory (i.e. "U3"), and then use Gonzor's ISO installer?

Yes, that's what I did; however, the Windows "no disc" error persists.

Using a U3 SanDisk Cruzer Micro.

Neat little app, but a decent wiki would be useful. Also, when I plug in the device, the folder the log files are stored in automatically opens. Am I wrong in thinking that this should be silent?

thanks!


Ah, yes, somewhere I read something like that. Thanks! At the moment I am using Gonzor's switchblade, just as you, on a SanDisk Cruzer 4GB version. But I miss the option to start the exploit manually. My purposes are not to hack someone; I use it for education purposes. It is a little bit long-winded to start the graphical interface for every activation.

My purposes would be:

1. Hide every executable on the CD part.

2. Use Gonzor's nice GUI to adjust the parts you need.

3. Leave the single parts visible and touchable (when wanted), so that they may be started manually and directly when needed. So I can start only special things.

4. Very important: a good protection against accidentally using the exploits! I like the idea with the (was it?) "safeguard.txt" file. But when using this, everything should be able to start manually, but under the full control of the owner of the USB drive (so that no one I am giving the stick to for a short moment accidentally hacks his computer. You know what I mean).

Last but not least: I like the idea, Gonzor and Leapo working together. This will improve things, like we saw in the past at "Backtrack" (was: SLAX + WHOPPIX).


4. Very important: a good protection against accidentally using the exploits! I like the idea with the (was it?) "safeguard.txt" file. But when using this, everything should be able to start manually, but under the full control of the owner of the USB drive (so that no one I am giving the stick to for a short moment accidentally hacks his computer. You know what I mean).
I can add an option to menu.bat to keep the payload from autorunning, if that's what you're looking for.

Edit: I just added the option to "disarm" the payload. If the payload is disarmed, it won't be able to run on any computer (not just ones that have a safety.txt file safeguarding them). I also slipped in the option to "ignore safety.txt check" back in 8.0.0 if that interests you.

Yes, that's what I did; however, the Windows "no disc" error persists.
I'm working on fixing that, I believe it's a problem with the VBScript used to launch the payload in the U3 version.

Neat little app, but a decent wiki would be useful. Also, when I plug in the device, the folder the log files are stored in automatically opens. Am I wrong in thinking that this should be silent?
Read the readme. You can use menu.bat to turn on and off different features (including opening of the log files folder upon completion).

Hi !

Just flashed the latest version (U3). But sorry, I got an error (my CD-ROM part is D:\):

D:\SYSTEM\go.vbs not found

I checked the self-made U3CUSTOM.ISO, and it is in the ISO. I tried making the ISO with "mkisofs" under Windows and under Linux with no success. As far as I know, Windows does not distinguish between capital and non-capital letters, although I tried using capital and non-capital letters for go.vbs. No success! Seems like a bug to me, so this is the way it works. If you like, you may use this in a README or in your instructions. Please feel free to improve my bad English or other errors.

-------------------------------

1. Tested with SanDisk Cruzer Micro 4GB

Instructions for U3 Installation

Step 1: It is recommended to move all your data from the normal partition to a safe place. Flashing will be much faster in this case, and you can restart when something goes wrong.

Step 2: You need Leapo's fine payload in the latest version. You can get it here [please enter the URL here] and Gonzor's "Universal_Customizer" you can get here [please enter URL here]

Step 3: Unpack both. You get 2 main folders, one named "Universal_Customizer" and one "Leapos_Payload".

Step 4: Copy the content of the folder "U3 ISO Source" into the folder "U3CUSTOM" below "Universal_Customizer". If you would like to keep the nice launchpad which was made by Gonzor, you have to unpack the U3CUSTOM.ISO and look for the files "Launchpack.zip", "Launchu3.exe" and "Autorun.inf". Put them into the "U3CUSTOM" folder too, so that they will be in the root directory of the ISO later. Do not forget to edit "Autorun.inf" so it points to the file "go.vbs" below "SYSTEM". (Look at Leapo's file!)

Step 5: Execute "ISOCreate.cmd" by clicking on it. This creates the new file "U3CUSTOM.ISO" in the folder "Universal_Customizer\Bin\"

Step 6: Now execute "Universal_Customizer.exe" in the folder "Universal_Customizer". Follow the steps in the GUI.

Step 7: Remove and reinsert the USB stick. It should give no errors.

Step 8: If everything works fine, copy the contents of "Leapos_Payload\Flash_Partition" to the normal partition. You will now want to execute "Menu.bat" on it to tune your drive.

Step 9: Put back your data. Have fun!

------------------------------------------

Some things I did not add yet, as I do not know if they work. Maybe someone can confirm or deny this:

Step 10: Hide all folders and executables, so they are (hopefully) not seen by the user. [Does this have an effect on the use?]

The other thing: I suggest putting all folders of the flash partition into a subfolder (so that there is only one folder in the root of the drive; I suggest the name "System". I know all given paths must be adjusted then). But then you need to hide just this one folder!

@Leapo: great work! And yes, this was the thing I needed. Thanks!

@Gonzor: Thanks much, too!

@ALL: May I suggest you put your work under a free license? GPL v3 would be fine (if you agree). I am always a little bit concerned when there is no clear license defined. Just a suggestion.....


Just another thing. U3 is now working fine, so I looked at the Non-U3 version.

There is one thing I tried to change but did not manage: getting Explorer started in the root of the USB drive when clicking on the USB stick icon. I had the same problem with Siliveron's switchblade, but got it solved by adding a batch file to which the Autorun.inf pointed. Accidentally I deleted this batch file (shame on me), and have no copy of it.

The batchfile did the following:

1. Suppress the commands in the DOS window (@echo off, this is easy).

2. Get the current path, then cd to the root of the drive.

3. Start explorer.exe in the root of the USB drive.

4. Execute the payload in the background.

But you can kill me: I do not remember how I managed it. I know it was a little bit tricky, and I know the DOS window shortly flickered (which did not matter much). I hope someone can help!


Hey, I don't know if this has been mentioned, but how about a program that will verify whether the malicious program is detectable? Like, it loads a list that it downloads from the internet and feeds the program into Kaspersky's online verifier; if it's undetectable, then download to the victim's PC, if not, go on to the next program.

Just an idea.
