For the Eternally Impatient The quick lowdown: I wrote a DLL capable of logging the credentials entered at logon for Windows Vista, 7 and future versions which you can download at  The credentials are logged to a file located at c:\cplog.txt.  Simply copy the dll to the system32 directory and run the included register.reg […]

Scenario You have an Internet system that you would like to administer remotely without leaving the administrative service open to the entire Internet. However, you’re not always coming from the same source IP address. Although it’s common practice to restrict access to only secure administration services (e.g. SSH), I’d like to avoid having any TCP […]

I just wrote this simple rootkit dropper using the curl library which is extremely easy to customize to fit many needs. Currently there are only three defines to change to specify the file you want to download and run. Right now I’ve tested it grabbing the file via HTTP and executing it, and it works very nicely. […]

Here’s the scenario: You send a target a backdoor through whatever means you want: phishing email, USB stick, whatever. If the network is like most environments today, it is not restricting outbound requests on standard ports like 80 or 443, and thus our backdoor calls home on these ports and we have a connection inside […]

I’m releasing version 0.01 of WOMAN (Who’s On Ma Network). I find myself creating fake access points often for penetration tests and created this very simple tool to fill a need of mine. When clients associate to me I want a quick and dirty (and reliable) way to identify which systems are active and the […]

My good friend Justin and I recently won the Derbycon Capture The Flag competition. A few people mentioned that they’d be interested to see a write up from us. It seemed that more people were interested in our methodology than anything else so I will discuss our strategy and tactics and if anyone is interested […]

The point should be obvious. Deploy a stealthy box/laptop (Linux based toaster?) at a target’s site. Have it call home on a ubiquitous/innocuous port, bypassing any firewall rules, and voilà, you are inside the candy shell. Install Linux (depending on the situation you might want FDE), install security tools (nmap, build-essential, nc, etc.), vi /etc/default/acpi-support, disable […]

As promised, below is a link to the netcat-like callback program. Its sole purpose is to send back cmd.exe to the IP and port of your choosing. The default is port 1025. These can be redefined in main.c. There is no window on the client, so it is relatively stealthy. Just start your […]

Threw this together real quick. Basically it just calls the netcat command every 10 seconds to call back to our server and open a shell. Its use is limited since it doesn’t hide the cmd window that it generates. However, I can see a few cases where this would be acceptable, and it’s a good POC if […]

Someone asked me about a virus on a machine that altered the registry to execute itself every time another executable was opened. I explained that this was relatively trivial to do and thought I should back it up with some source code. The first piece is how we tell Windows to launch an exe before […]