Saturday, 9 June 2012

Changing a file extension (RTLO spoofing)

STEPS:

1- Windows - Start - Run - charmap



2- Find U+202E (RTLO, the right-to-left override) in charmap. The "Go to Unicode" function of the charmap program does this for us: type 202E in the box and the program jumps to the character.



3- Now that we have found the character, we have to copy it. Use the Select and Copy buttons.



4- Now we'll use our favorite "notepad.exe" to test the RTLO spoofing.

Note: We're using "notepad.exe" just for demonstration; in a real scenario the attacker would apply the same technique to the malware binary.

Let's save a copy of notepad.exe to a test directory and open the Windows command prompt (cmd). Then rename the file to something "interesting & intelligent".


So, we've successfully renamed "notepad.exe" to a file that is displayed as "FY12taxannexe.doc", with the command below ([RTLO] stands for the U+202E character pasted from charmap; it is invisible in the prompt):

ren notepad.exe FY12taxann[RTLO]cod.exe

To a novice user it's a "DOC" file, but Windows runs it as an executable. We can make the apparent extension anything of our choice (jpg, png, etc.).

Now let's understand how it worked.

ren notepad.exe FY12taxann[RTLO]cod.exe


We used the RTLO character to reverse the display direction of the rest of the name, so the file appears to be a completely different type (DOC in this case) while its real extension is still .exe.


Examples
[RTLO]cod.stnemucodtnatropmi.exe
[RTLO]cod.yrammusevituc[LTRO]n1c[LTRO].exe
[RTLO]gpj.!nuf_stohsnee[LTRO]n1c[LTRO].scr
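As an added example (not part of the original post), the following Python script does the defender's side of this: it predicts how a name containing the override characters is displayed, compares that with the extension Windows actually uses, and flags names whose displayed extension hides an executable one. The sample names are constructed from the examples above, with [RTLO] taken as U+202E and [LTRO] as U+202D (left-to-right override); the rendering models only those override controls plus U+202C, not the full Unicode bidirectional algorithm.

```python
"""Detect RTLO (U+202E) file-extension spoofing in file names.

Added example, not code from the original post. It models only the explicit
override controls (U+202E RLO, U+202D LRO, U+202C PDF), which is enough to
predict how the spoofed names on the page render; it is not a full
implementation of the Unicode bidirectional algorithm (UAX #9).
"""

RLO, LRO, PDF = "\u202e", "\u202d", "\u202c"
OVERRIDES = {RLO, LRO, PDF}

# Extensions Windows will execute directly; a spoofed name that really ends
# in one of these is the finding worth alerting on.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "hta", "msi"}


def real_extension(name):
    """Extension the OS uses: the text after the last '.' in the raw string."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def displayed_name(name):
    """Approximate what a bidi-aware UI shows for a name containing overrides."""
    chars, levels, stack, level = [], [], [], 0
    # Step 1: give every visible character an embedding level. RLO moves to the
    # next odd level, LRO to the next even level, PDF restores the previous one.
    for ch in name:
        if ch == RLO:
            stack.append(level)
            level += 1 if level % 2 == 0 else 2
        elif ch == LRO:
            stack.append(level)
            level += 2 if level % 2 == 0 else 1
        elif ch == PDF:
            if stack:
                level = stack.pop()
        else:
            chars.append(ch)
            levels.append(level)
    # Step 2 (UAX #9 rule L2): from the highest level down to 1, reverse every
    # maximal run of characters at that level or higher.
    for threshold in range(max(levels, default=0), 0, -1):
        i = 0
        while i < len(chars):
            if levels[i] < threshold:
                i += 1
                continue
            j = i
            while j < len(chars) and levels[j] >= threshold:
                j += 1
            chars[i:j] = chars[i:j][::-1]
            levels[i:j] = levels[i:j][::-1]
            i = j
    return "".join(chars)


def analyse(name):
    """Compare the displayed name with the raw one and flag a hidden executable."""
    shown = displayed_name(name)
    real = real_extension(name)
    has_override = any(ch in OVERRIDES for ch in name)
    return {
        "raw": name,
        "displayed": shown,
        "displayed_extension": real_extension(shown),
        "real_extension": real,
        "has_override": has_override,
        "spoofed_executable": has_override
        and real in EXECUTABLE_EXTENSIONS
        and real_extension(shown) != real,
    }


def scan(names):
    """Return the analysis of every name that hides an executable extension."""
    return [r for r in map(analyse, names) if r["spoofed_executable"]]


# Constructed sample input: the post's examples plus one benign name.
SAMPLE_NAMES = [
    "FY12taxann\u202ecod.exe",
    "\u202ecod.stnemucodtnatropmi.exe",
    "\u202ecod.yrammusevituc\u202dn1c\u202d.exe",
    "\u202egpj.!nuf_stohsnee\u202dn1c\u202d.scr",
    "quarterly_report.docx",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_NAMES):
        print(f"shown as {finding['displayed']!r}, really .{finding['real_extension']}")
```

Run it over the names from a directory listing, a mail-gateway attachment log or a download history; the `spoofed_executable` flag is the one worth alerting on, while `has_override` alone also matches legitimate names written in right-to-left scripts and is noisier. The second and third examples render as "n1c.executivesummary.doc" and "n1c.screenshots_fun!.jpg", which shows why the nested [LTRO] is there: it keeps the "n1c" prefix readable.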
 
 
Alternative method
 
http://www.wildhacker.com/2012/06/extension-changing-tutorial-how-to-run.html
 
 

Friday, 8 June 2012

The best way of hacking victim’s passwords of Facebook, Gmail, Yahoo and other sites, is by installing remote keylogger on his computer.  This is the easiest method for hacking Facebook and other email account passwords. No doubt, it is used by most hackers. Today I will demonstrate how to create a remote keylogger and the ways to send it to them.

Things you Need: -


2. Ftp account - Create a free ftp account from here or here.
                          OR
                         Use any of your email accounts.
3. Crypter and Binder Software - To disable antivirus detection.
    Stealth Crypter v4.0 -  Download

Steps:-
1. Right click Ardamax keylogger icon and select Remote Installation, click next.
2. Now in appearance, select log viewer and click next.
3. Now in invisibility, check all the boxes and click next.
4. Now in security, click “enable” and enter a password so that no one can open the keylogger.
5. In options, you can set a date for self-destruct if you want and then click next.
6. In control, check "sends logs every" and set your time, say 60 minutes. Then select your delivery method (FTP, E-mail or Network) and click next.

If E-mail is set as delivery then, enter your email address along with your password. Then click “test”.


If you have received the mail, it works fine.


If FTP is set as delivery then, enter the ftp host, username, password and the remote folder. Then click “test”.


If you have received the log message, it works fine.

7. Now in control, adjust the settings of each and then click next.
8. In destination, select the directory where you want to save the keylogger. You can change the icon too and click next.

9. Then simply say finish.

Now to bypass anti viruses we need to bind and crypt the file, So to do this open Stealth crypter software.

Now select file 1 as the server file (key logger file which you created) and then select file 2 as any application, select a good application finally click Crypt file, Now you will get a crypted server file ( key logger file ) which is FUD. Or use this inbuilt binder of Windows.

Now just send this file to your friend or victim. You can send this file by email or remotely or with any third party device. Once the victim clicks the application,  Ardamax keylogger will  automatically install and will send logs to your account.

FUD binder how to bind keylogger or virus to any exe with Iexpress

How to use Iexpress Binder?

1. Go to Start, then Run, type "iexpress" and hit OK.


2. Create new SED (Save Self Extraction Directive), Hit on Next twice. In “Package Title”, enter the name of the software with which you are going to bind your server (keylogger or virus).
Example: - I am binding my Ardamax remote keylogger server with Teracopy. So, I’ll enter Teracopy.

3. In Confirmation Prompt, hit on “Prompt User with” and enter something like this:

“Windows will install necessary files. Please disable your Antivirus before further installation proceeds.”
or
“Please disable your Antivirus before further installation proceeds. As this software performs a pre-crack.”

So, whenever the victim will run our binded file, he will get a message alert to disable his antivirus. This step helps us in bypassing antivirus detection. Hit on Next twice.

4. You will come to “Packaged files” interface. Hit on Add and select the two files you want to bind. Hit on Next.

5. Now, this one is important. In Install Program to launch pane, select the files as
Install Program: Select your server (keylogger or virus) file.
Post Install Command: Select your software (.exe file) with which you want to bind the server.

6. Hit on Next and select “Hidden”. Click on Next twice.

7. In Package Name and Options, hit on Browse and select the path where you want to save the binded file. Also, check “Hide File Extracting Animation from User” and hit on Next.

8. In Configure Restart, select “No Restart” and hit on Next. In SED, select “Don’t save” and hit on Next twice. Iexpress will start binding file for you. Finally, hit on Finish to complete the binding process.

Thus, you have now binded your server to .exe file. Now, simply send this binded file to your victim and ask him to run your binded file on his computer. Once he disables his antivirus, your server will get installed and you can easily hack his email password. The best part of Iexpress file joiner binder is that it is going to remain FUD forever because it is a windows utility. Also, Iexpress file joiner does not corrupt your server.

Tuesday, 5 June 2012

Unlocking a locked session

If you have a meterpreter session and the computer is locked:

run screen_unlock disables the password check in memory; then connect with run vnc or via RDP, type any password and press Enter.

The open session is yours.

Monday, 4 June 2012

Extract msu/msp/msi/exe files on the command line

Microsoft Hotfix Installer (.exe)

setup.exe /t:C:\extracted_files\ /c

Microsoft Update Standalone Package (.msu)

expand -F:* update.msu C:\extracted_files
cd extracted_files
expand -F:* update.cab C:\extracted_files

Microsoft Patch File (.msp)

msix patch.msp /out C:\extracted_files


The msix tool is available at https://docs.google.com/open?id=0ByaI-UvVUk6PZ2lfbThUd1hmWjQ.

Windows Installer Package (.msi)

msiexec /a setup.msi /qb TARGETDIR=C:\extracted_files