28 June 2009

Remote Administration Tool Guide - Sub7

This is a simple guide on how to use a RAT. Do not use it with malicious intent; use it only on consenting individuals, for educational purposes only. I will not be held responsible for any damage incurred either to the user's or to the consenting individual's files or computer. Use completely at your own risk. You agree to this statement prior to following this guide.

Most AntiVirus products will state that these tools are Trojans (Backdoors), which they are, but the RAT tools can only do what the Hacker (you) wants them to do.

Note: Temporarily Disable your AntiVirus Real-Time Protection and Suspend your Firewall so the Backdoor Trojan RAT won't be detected and so the Client can communicate with the Server.

Go to this site: Sub7legends.com, register and get the latest copy of Sub7 (2.2) and other misc files if you want. Get the archive password from the site and extract the archive on your computer. You can use other RAT tools, like BO2K, BOXP, Netbus, Optix, etc., but I will be concentrating on the Sub7 RAT.

Process:

Run EditServer in Normal Mode. Note: Log all settings, like the port number and passwords, in a text file. When done you can also save all settings to a Preset file. Below are some settings to get you started:

--> Server Settings

Port: 27374
You can set any port number, but Ports 1-1000 are well-known ports which are generally used for specific services like SMTP (25), FTP (21) and HTTP (80), so pick a random port over 1000.

Victim Name:
Enter any name you want.

Password:
Enter any Password.

Protection PWD:
Enter any Password.

Melt Server After Installation: Yes
When checked, the Server file, when executed on the remote system, will install and then delete itself.

Server Filename: Random
The Server name will be randomly generated.

--> Startup
Reg Key Name: RunDLL32
Leave the default values.

Startup Types:
RegRun, RegRun Services, new method #3 [marklord]. If the Victim has a 9x OS like Win98, use the *.ini startup methods.

--> Notifications
email Notification to:
You can be notified by the Server when it is activated via ICQ, email, Internet Relay Chat (IRC) and other methods. Below is the format of the email notification:

computer is online on ip: [$ip], port: [$port], password: [$password],
connection: [$connection], server version: [$server_version].

--> Binded Files
Here you can bind the Server to any exe or mp3 file. Depending on your method, the file will either be executed or extracted when the Server is run. What you can do is use an application or setup file like DVDDecrypter.exe.

--> Plugins
Here you can bind all ten Sub7 Plugins, located in the Sub7 2.2\Plugins folder. You should only use the plugins you need. E.g. the s7keys.dll and s7passwords.dll will log all pressed keys and passwords on the remote computer, like a keylogger. You can also instruct the Server to download the needed plugins from a URL when activated.

--> Restrictions
Here you can limit what the Server can do, useful if someone else manages to gain control of your remote server.

--> Email
Here, you can instruct the Server to automatically email you all pressed keys, passwords and recorded passwords without having to connect to the Server using the Client program.

--> Exe Icon/Other
Here you can set a fake error message upon remote execution of the Server, e.g. "Installation Error: CRC Check Failed". You can also instruct the Server to download additional files from the Web, like more backdoors, etc. You can also set a built-in or external icon.

--> Done.
You have now built your server. Save the settings to a preset file like: Sub7v2.2-Server-Preset-Settings.s7p. Save the Server using the 'Save As...' function; if you bound an application, like DVDDecrypter.exe, name your server DVDDecrypter_[Vir].exe so you can easily recognise the Server.

DO NOT under any circumstances execute the 'server.exe', DVDDecrypter_[Vir].exe or any other servers on your own System.

Note: You can also configure the Server to use a Reverse Connection. Effectively this means the Server contacts the Client, so you will not have to know the Victim's IP Address. Also, as long as the Firewall (like the Windows XP Firewall) is blocking inbound and not outbound connections, it will not block the Server, because the Server initiates the outbound connection to the Client (on your computer) and not vice versa.

You will need some way of getting the Server to the Victim. This guide assumes that the Victim and the Hacker know each other and are following this guide for educational purposes. So, let's assume you have their email address.

Some people will bind their Servers to applications uploaded to file sharing sites, like Rapidshare, or to P2P networks using Torrent applications, and post links to those files on forums. When users download the files onto their computers, the Hacker will be able to connect to those computers. Of course, we won't be doing that.

Rename the DVDDecrypter_[Vir].exe file to DVDDecrypter.exe. Your email and your Victim's email may have AV scanners (either locally installed AV or WebMail server AV); if so, compress the Server (DVDDecrypter.exe) to zip and password protect/encrypt it using Explorer or 7zip so email scanners won't detect the Virus. You can open the zip archive in Explorer> File> Add Password...

Then email the DVDDecrypter.zip containing the Server (only) as an attachment and provide the Victim with the Password for the zip Archive.

You could say in the email that you have found a cool Freeware application for decrypting commercial DVDs to your PC HDD for storage or burning, say it's free and that the Victim should definitely check it out. You can familiarise yourself with the original uninfected app too.

Once the Victim executes the Trojan DVDDecrypter Server file, it will run the DVDDecrypter.exe Server. The app (DVDDecrypter.exe) runs normally while the Server bound to it installs invisibly in the background at the same time. Then the Server install file will melt (delete itself). The Server is configured to AutoStart with Windows, so it should survive PC reboots.

The Victim will not know they have been infected. HIPS (Host Intrusion Prevention), up-to-date AntiVirus and correctly configured Firewalls can interfere with this process.
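For the defender's side of the above, here is an added example (not part of the original guide) that walks constructed sample output in the format of 'netstat -ano' and 'reg query ...\Run' and flags the two traces the guide's default EditServer settings leave behind: a listener on the default port 27374, and a Run-key value named RunDLL32 whose target is not the genuine rundll32.exe. The sample PIDs, port list and the server file name hxkqzm.exe are constructed.

```python
"""Added example: flag host traces of the default Sub7 EditServer settings.
Input is constructed sample text in the format of 'netstat -ano' and of
'reg query HKLM\\...\\Run'; nothing here touches the live system."""
import re

# Default listening port named in the guide.
SUB7_DEFAULT_PORT = 27374

# Constructed sample: 'netstat -ano' output from a Windows XP host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       1788
  TCP    192.168.1.10:1039      203.0.113.5:80         ESTABLISHED     2200
"""

# Constructed sample: 'reg query ...\\Run' output. The guide's default startup
# value is named RunDLL32 and points at a randomly named server file; the
# genuine rundll32.exe is never registered as a Run-key entry under that name.
REG_SAMPLE = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    RunDLL32      REG_SZ    C:\\WINDOWS\\system32\\hxkqzm.exe
"""

# One netstat data row: proto, local, foreign, state, pid.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")
# One reg query value row: indented name, type, data.
REG_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_\w+\s+(?P<value>.+?)\s*$")


def suspicious_listeners(netstat_text, flagged_ports=(SUB7_DEFAULT_PORT,)):
    """Return (port, pid) for TCP listeners on ports in flagged_ports."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m.group("state") != "LISTENING":
            continue
        port = int(m.group("local").rsplit(":", 1)[1])
        if port in flagged_ports:
            hits.append((port, int(m.group("pid"))))
    return hits


def suspicious_run_entries(reg_text):
    """Return (name, target) for Run-key values that borrow the rundll32 name
    but launch something other than rundll32.exe: the guide's default entry."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_RE.match(line)
        if not m:
            continue
        name, target = m.group("name"), m.group("value")
        exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == "rundll32" and exe != "rundll32.exe":
            hits.append((name, target))
    return hits


if __name__ == "__main__":
    print("listeners:", suspicious_listeners(NETSTAT_SAMPLE))
    print("run keys: ", suspicious_run_entries(REG_SAMPLE))
```

On a real host the same functions can be fed the output of the two commands; the port list is a parameter because a non-default port only shows up as an unexplained listener, not as a known number.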

The Server will send an automated email to the specified email address including the Victim's Internet IP Address, Port, Password, connection and server version. Wait two days or more for a response.



When you receive this email, you can use the client, Sub7 v2.2\Sub7.exe, to connect to the Victim's PC remotely, using the supplied IP Address (eg. 230.45.95.35), Port (eg. 2737) and PWD obtained from the automated email sent by the Server on the Victim's PC.

Note: See txt file: Sub7 v2.2 Server Settings.txt for Configuration (like passwords) if needed.

You now have complete control of the Victim's computer, Registry and files. Here are some things you can do:

Take screenshots of the computer, log keys, move files to your PC, move files to their PC, delete files, format HDDs, chat in real time, browse files and the Registry, sniff the network, operate the webcam, open files, restart the computer.

When you are done go here: Connection> Server Options... to uninstall the Server from the Victim's remote computer. The Client Sub7.exe also has additional features like IP Tools, Proxy Support and Plugin support.

There are many options in the Client Sub7.exe to control the Victim's remote computer using the emailed Server file. Do NOT draw attention to yourself by doing everything you can; this may lead the Victim to become suspicious and install/update their AV or Firewall.

Suppose you wanted to log their Hotmail/MSN/Other passwords, you would go here:
Sub7 Client> Keys/Messages> Keyboard> Open Keylogger... and Open Logged Keys...

--> Useful applications (Google) >>

ActivePorts, IPScan, Advanced Port Scanner, nPOP, PixaMSN, Remote Shutdown, Remote Desktop Remote Enable, Stealth Tools, UPX Compression, Hex Editor, Sub7 Misc, Tutorials, TCP Ports Info, Gmail SMTP Settings, Sandboxie app.

Disclaimer:

The User ('You') does hereby acknowledge that the author '[mercnet]' of this guide holds NO responsibility as to what the User may do in regards to this guide. The guide is meant for Educational Use ONLY, for consenting users and not for malicious intent. If you do not agree with this statement, then do NOT actively follow this Guide.

Happy hacking!

(c) [mercnet]

31 March 2009

Internet Radio Ripping

Listen to a lot of music? Check out SHOUTcast online radio, presented by Nullsoft, the makers of Winamp and the Reaper Music Production suite. It contains thousands of digital radio stations in every genre. Similar apps are IcyRadio and StationRipper.

Say you're listening to the music online, but want to save the streamed music onto your hard drive? You need either ScreamerRadio, which plays and rips the stream to the mp3 format, or StationRipper (both free), which rips 2 streams at once (free version) and has an integrated browser, but you need an external audio player to listen (Winamp, VLC Player, Windows Media Player).

Please note: I do not condone any illegal practice in regards to the aforementioned applications. Use responsibly and read any Licenses provided with said applications.

(c) [mercnet]

Portable Applications

Have you ever wished you could take your favorite applications with you to work, or anywhere else? You should check out PortableApps.com. Use Firefox? Go to the site, download the Portable version of Firefox, install it on your USB Flash drive and you're good to go!

You can carry a number of essential applications with you on your pendrive, such as a Microsoft Office substitute called OpenOffice, which can open and save Office files such as Word (*.doc). Some others: ClamWin AntiVirus, FileZilla, GIMP, Thunderbird, VLC Player, WinWGet, etc.

Once you run any of these Portable applications made from Open Source software, all your settings and files stay on your USB drive instead of the computer you're working at, which is good from a security/privacy standpoint.

(c) [mercnet]

7 September 2008

VST Instruments on your PC Guide

I use the Reaper and Audacity Music Production Suites (both free) to make various styles of music, including: Drum & Bass, Dance, Chillout, Ambient, Hip-Hop, Dubstep and a mix of these styles.

Want to play high quality Digital Instruments on your computer? You need an application called MiniHost (Freeware); search for it in Google. MiniHost 'hosts' VST Instruments.

Virtual Studio Technology (VST) Instruments and Effects by Steinberg GmbH is an interface for playing instrument files that have a .dll (Dynamic Link Library) extension. There are thousands of Commercial and Freeware VST/i on the net; google 'VST Freeware'.

Extract the MiniHost.zip file, search in Google for ASIO4ALL and install it. ASIO4ALL is an audio interface driver, delivering reduced latency between when a sound is played (on the keyboard or onscreen) and when you actually hear the sound. ASIO, by Steinberg GmbH, is usually better than DirectX or other audio interfaces. You need an ASIO driver like ASIO4ALL to run MiniHost.

So, you have MiniHost running with ASIO4ALL (it will state an error if you do not have an ASIO interface enabled); now you can drag and drop a VST (*.dll) file onto the MiniHost window, or click File- Open and browse to your VST file. That's it! You can now play high quality synthesizers and record the output to WAV files.

Note: Never open two instances of MiniHost; this will crash the system, causing a BSOD, but it is relatively harmless, you just lose unsaved data.

To get the following instruments and effects (all are free), copy the name into Google and add the words 'VST Download', so e.g. 'FreeAlpha 3 VST Download' would take you to the FreeAlpha 3 Synth download page in Google.

Here is a list of professional free VST Instruments (Google): Native Instruments Kore Player Free with free sound bank, Independence Free, EMU Proteus VX, UVI Workstation Sampler with free sound bank, Tascam CVPiano, UVI Universal Player, Plugsound Free, FreeAlpha3, Sonik Synth 2 Free. I will post a blog of my favorite VST FX in the future.

Check out Computer Music Magazine (from most shops inc. WHS); it includes a monthly DVD containing audio samples and some Freeware/Commercial VSTs/Demos. Check out Audacity and Reaper.

(c) [mercnet]

Image: Shows MiniHost with ASIO4ALL running the HG Fortune Freeware VST Instrument- ProtoPlasmTSM.dll.

4 September 2008

Themes for Windows Guide

The default theme in Windows XP, Luna, looks very old and outdated. I use different themes that I have downloaded from various sites. Note: You can use the official 'MS Styles' themes from Microsoft, however, they are very limited in terms of quantity. Note- These steps may work in Vista, however you will need specific Vista Themes and files.

To use different Visual Styles in Windows, you have to patch or hack one of the files in your system called 'Uxtheme.dll'. In order to do this you can download the patched version of the file or download the UXTheme Patcher.exe application. Search Google with this string: 'Patched uxtheme download' and get either the above app or the patched uxtheme.dll file (note: the app says 'Windows Server 2003', but you can use it on Windows XP too). The program automatically patches your file, located in this directory: %systemroot%\System32\Uxtheme.dll, where %systemroot% is your system folder, either WINNT or WINDOWS, located on your system partition, usually C:\.

If you have downloaded the patched Uxtheme.dll file, use Replacer.cmd to replace the original Uxtheme.dll with your new patched version. Download Replacer.cmd from its site. Run it, drag and drop the original unpatched Uxtheme.dll from the directory mentioned above onto the Replacer.cmd window, press ENTER, then drag and drop the patched Uxtheme.dll file you downloaded onto the Replacer window, press ENTER, confirm, ok. Now reboot.

This replaces the Microsoft original file with the patched version. You can't manually replace the file, as Windows System File Protection won't allow you (I will be writing a post about SFP later). The Replacer.cmd script allows you to replace some files on your system that are in use with other files.

My favorite theme, which I have been using for a while now, is called 'Ashen'; with its black Taskbar and Explorer windows, it looks very professional. Search Google: 'Ashen XP Theme'. You can get version 1 or the updated version, Ashen II.

When you have your theme, it should contain, at a minimum, a file with the *.msstyles extension. It might also have a folder called 'Shells' which contains dll files, and a *.theme template file that you can open and edit with Notepad. Double-click on the *.theme file, if there is one, or the *.msstyles file (replace '*' with the name of the file). This should show the Display Properties dialog box; if your Uxtheme.dll file was properly patched (and you rebooted your machine) then it should accept your Visual Style theme. Click Apply- Ok. The Visual Style should now be loaded.

Here are some links to Visual Styles/Themes sites: Wincustomize, ThemeXP, XPThemes, BelchFire, Nevezen (creator of the Ashen Theme Gallery), browse DeviantArt for some of the best themes, and many more; just google 'Themes XP' or 'Themes Vista'. Tip- press Ctrl & click on any link to open it in a new window or tab (IE7).

Note: Please respect any Licences contained within any of the downloads in this post. The Uxtheme.dll, Uxtheme Patcher.exe, Replacer.cmd, Ashen and the Ashen II files and applications are the copyrighted material of their respective owners and authors.

(c) [mercnet]

Image: Shows my desktop: XPSP3 with the Ashen Theme and Styler Toolbar (note- I have modified the image to conceal personal information). I will post a Guide on Styler & BootSkin/LogonScreen later. Enjoy.

3 September 2008

Best Freeware Applications

My type of application is usually small in size, does a specific job very well and leaves a small footprint on my system (i.e. no or few registry entries and files).

Here are some of the best apps out there. To obtain any of these applications, search Google: 'Download Freeware '. You can use an app called Universal Extractor to extract the downloaded Setup file, or install the Setup. Some apps require Registry values, etc., so to be safe, install the application. Most of the single-file executables below run OK without any other files or Registry values.

Note: Most of these are either Freeware or OpenSource while some may be Shareware. There may be some restrictions upon use in a Commercial environment, so always read the included Licenses, if any.

Best single file applications across the whole spectrum of application types: Sysinternals Suite, including Autoruns, Procexp, Procmon and TCPView. CCleaner- cleans your system [to be continued]..

Note: Please respect any Licences contained within any of the Applications listed above in this post. All Applications and Files are the copyrighted material of their respective owners and authors.


(c) [mercnet]


Image: Shows just a few of the best single-file applications I have come across. These and more are included in the above download links.

Elevating Permissions Guide

Applies to: Windows XP Service Pack 3, maybe Vista.

Problem: A user is denied access to certain files and folders on the system, or needs elevated permissions to run an application or modify the registry, when the Administrator Account, with Admin Permissions, is not enough and assigning added permissions via the ACL is not allowed.

Solution: You need to run the app, edit the registry or access the file or folder with the System Account, with System Permissions. There are many ways to do this; however, I find that the fastest and best way is to run Explorer.exe as the System Account. Then anything you run from Explorer (any apps you start, any files or folders you access, including the registry) will run with elevated System Permissions. You can now do/change anything on your system, should the need arise. Caution- make sure you know what you're doing when running as the System Account.

Process: Download Sysrun.zip from its site, or search Google.
Note: This application requires Administrator Account Permissions and Privileges.

Extract Sysrun.exe and place it anywhere you like; no installation is required. Run it and browse to your System32 directory, i.e. %systemroot%\System32, where %systemroot% is your system folder (WINNT or WINDOWS) on your system partition (usually C:\). From that folder, select taskmgr.exe. Press Run in the Sysrun app; Task Manager will now open.

Go to the Processes tab and notice that Task Manager is running as the System Account. Right-click explorer.exe in the Image Name column, click End Process, ok. Now go to the Applications tab in Task Manager, click New Task and type in explorer.exe. The Explorer window should show with a different desktop and profile: you are now running as the System Account. Don't worry, your desktop files are still there and your applications are still running.

You can now access any file/folder and app/registry with full permissions granted to all files. To revert back to your profile (Administrator Account) automatically, simply start Task Manager via Ctrl + Alt + Del (note- don't right-click on the taskbar: Task Manager, as this will run the app as System), terminate explorer.exe as mentioned above, click on the Applications tab- New Task- explorer.exe. You now have your Administrator desktop back (albeit with fewer privileges...).

The System Profile you were just logged onto is located here: %systemroot%\System32\config\systemprofile.


Alternatively: You can also run any app or file and edit the registry with System Privileges without any 3rd party apps, using an Administrator Account. Say you are using an Administrator Account and you want to change any configuration information on your system, or access any application that you do not have permissions to access (i.e. some HKLM- System- Enum keys); instead of assigning permissions via the ACL, you could do the following:

Open a Command Window and type 'AT', the command-line front end to the Task Scheduler Service (note- the Task Scheduler Service must be running), then type in the time in HH:MM format (see the System Tray for the time), leaving a few minutes to spare; so if it's 17:03, type: AT 17:05, then add the '/i' switch followed by the application you want to run with System Privileges, e.g. cmd.exe. Here is the full command:

AT HH:MM /i "cmd.exe"

The Command Prompt should appear at the time you entered with the AT command. This Command Window is running with System Privileges; you can now run any apps in your Path variable and browse via the Cmd window to files and apps. One step further is to enter this command:

TASKKILL /F /IM "explorer.exe"

This terminates the Windows Explorer Process along with your desktop (apps still running). Now enter:

explorer.exe

Enter this command from the Command Window opened by the Scheduler Service AT command; this will start explorer.exe as a System Profile process. You will now be running as the System Account, with a different desktop and user settings. The System Account gives the highest level of control you can have over your system. To revert back to your account, press Ctrl + Alt + Del to bring up Task Manager, which will run from your account, terminate Explorer.exe and restart Explorer.exe.

All this can only be done from an Administrator User Account or an Account with Administrative Privileges, i.e. NOT from a Power User or Limited User Account. Use the 'Run As' feature to run Sysrun or a Cmd window as an Admin user first. Caution is advised; only use this for ethical reasons and NOT to browse other User Profiles or damage the system intentionally.
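Both procedures above (Sysrun and the AT command) end with the interactive shell owned by the System Account, which is also the state an administrator auditing a box would want to notice. The following is an added example, not part of the original post: it parses a constructed sample in the format of 'tasklist /V /FO CSV' (a real switch combination) and reports interactive programs running as NT AUTHORITY\SYSTEM, leaving services that legitimately run as SYSTEM alone. All PIDs, memory figures and the account name PC\Admin are constructed.

```python
"""Added example: find interactive programs running as the System account in
'tasklist /V /FO CSV' output. The sample below is constructed to look like an
XP SP3 host where the desktop has been restarted as System per this post."""
import csv
import io

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Programs a logged-on user, not a service, normally owns.
INTERACTIVE_IMAGES = {"explorer.exe", "cmd.exe", "taskmgr.exe", "regedit.exe"}

# Constructed sample output of 'tasklist /V /FO CSV'.
TASKLIST_CSV = '''\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Console","0","28 K","Running","NT AUTHORITY\\SYSTEM","1:02:11","N/A"
"services.exe","672","Console","0","3,912 K","Running","NT AUTHORITY\\SYSTEM","0:00:03","N/A"
"svchost.exe","1040","Console","0","4,420 K","Running","NT AUTHORITY\\NETWORK SERVICE","0:00:01","N/A"
"cmd.exe","2456","Console","0","2,104 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","C:\\WINDOWS\\system32\\cmd.exe"
"explorer.exe","2480","Console","0","18,220 K","Running","NT AUTHORITY\\SYSTEM","0:00:02","N/A"
"firefox.exe","1988","Console","0","61,000 K","Running","PC\\Admin","0:01:40","Mozilla Firefox"
'''


def parse_tasklist(csv_text):
    """Parse 'tasklist /V /FO CSV' text into one dict per process, keyed by column."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def system_interactive_processes(csv_text):
    """Return (image, pid) for interactive programs owned by the System account.
    Services such as services.exe or svchost.exe are expected there and are skipped."""
    hits = []
    for row in parse_tasklist(csv_text):
        image = row["Image Name"].lower()
        if image in INTERACTIVE_IMAGES and row["User Name"] == SYSTEM_ACCOUNT:
            hits.append((row["Image Name"], int(row["PID"])))
    return hits


def desktop_owner(csv_text):
    """Return the account owning explorer.exe, i.e. whose desktop is displayed,
    or None when no Explorer shell is running (the state right after TASKKILL)."""
    for row in parse_tasklist(csv_text):
        if row["Image Name"].lower() == "explorer.exe":
            return row["User Name"]
    return None


if __name__ == "__main__":
    for image, pid in system_interactive_processes(TASKLIST_CSV):
        print(f"{image} (PID {pid}) is running as {SYSTEM_ACCOUNT}")
    print("desktop owner:", desktop_owner(TASKLIST_CSV))
```

Feeding the real command's output through the same functions shows whether the revert step in the post (restarting Explorer from a Task Manager launched with Ctrl + Alt + Del) actually handed the desktop back to the Administrator account.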

Hope this has helped anyone out there, or is interesting to techies anyway. Note: Please respect any licences contained within any of the downloads in this post. Sysrun.exe is the copyrighted material of its respective owner and author.

(c) [mercnet]


Image: Shows Task Manager and Explorer running as the System Account with System Permissions.