Self-Extracting Executables for Hackers

Поділитися
Вставка
  • Опубліковано 27 гру 2024

КОМЕНТАРІ • 163

  • @Grifter
    @Grifter 3 місяці тому +23

    Reminds me of doing naughty things with winrar back in the day. You could create a winrar executable that would function like a normal zip file but at the end of extraction you could specify an executable to run. So you could essentially give the downloader what they were looking for but sneak in a little surprise with it.

  • @trens1005
    @trens1005 3 місяці тому +10

    I use to use IExpress back on Windows XP because I didn't know how to write a binder. Wait until you find out WPF applications on web pages to bypass security. Not as easy as it use to be with IE but still there. Also use a MSI file with resilience to re-download when the file is removed. Old as time, but works even today.

  • @neutrino2211_
    @neutrino2211_ 4 місяці тому +18

    With this I think I'm not just "living off the land", your computer is my Dukedom

  • @TheWeakLink101
    @TheWeakLink101 4 місяці тому +12

    "open and run this EXE on your computer, I promise it's not malware!" Hahaha John, one of your last videos showcased people watching UA-cam tutorials and getting compromised by following those instructions! Kidding aside, I love the content, keep up the good work!

  • @CU.SpaceCowboy
    @CU.SpaceCowboy 4 місяці тому +50

    literally never heard of it, great video.

    • @nyandesu9165
      @nyandesu9165 3 місяці тому +6

      wow, you must have had a sad childhood if you never went to play in system32

    • @CU.SpaceCowboy
      @CU.SpaceCowboy 3 місяці тому +2

      @@nyandesu9165lol not really no i had an imac as a kid not a windows. ive just never read about this particular binary. ill usually look at windir for dll sideloading and stuff by checking missing dll’s in procmon or wtv. havent explored a lot of lolbins. :D

  • @jamesion2733
    @jamesion2733 3 місяці тому +8

    How do people even find this stuff! At a addicted learner at this genre of IT, this is gold!

  • @lfcbpro
    @lfcbpro 3 місяці тому +1

    When you were running the .exe files, I assumed you were in Admin role, I am curious what would display on the UAC for a none Admin role?
    Would it have Microsoft on there? I noticed you showed it was unverified, but if it still says Microsoft, I am sure that is enough to fool most people?
    Also, I was not sure were the connection to Internet Explorer came from in the Sigcheck details?

  • @flok.7735
    @flok.7735 3 місяці тому +1

    Finally the 40+min. Videos are back. I missed them. I would love more stuff like the 'Throwback Network' Videos. And no offence, but the 10-15min. Videos with 3min. Advertisements in the middle got kinda boring over the time. Lov ya, take care.❤

  • @qw5pcnvkzghhrybb231
    @qw5pcnvkzghhrybb231 3 місяці тому +2

    What an outro 😂 with the loop of calc

  • @adnan6041
    @adnan6041 3 місяці тому

    This is golden info😊

  • @darkshoxx
    @darkshoxx 4 місяці тому +9

    Okay serious question. I can't test it on my own machine, because it refused to build a cabinet, threw an error. If this was generated on a different PC and downloaded from the internet, it would still have the mark of the web though, right? And windows would at least try to prevent me from running it? Or is the point to generate the file on the infected machine itself? But then why use the malware program to create an executable that runs something, if it's already running malware? I'm not very familiar with LOLBAS or the like, but I'm curious. What exactly is the attack angle that Iexpress provides? (also silly me writing a comment mid-video, might get answered later)

    • @darkshoxx
      @darkshoxx 4 місяці тому +2

      Is it just obfuscation for deeper layers of malware? Or does it allow you to run programs in admin mode? That AdminQuiet mode seemed interesting, can that be used to level up your permissions?

    • @88tx
      @88tx 4 місяці тому

      this thing basically just zip your files and ship it as an exe. literally any antivirus would detect it and see right through it, and only skids would use it.

    • @_JohnHammond
      @_JohnHammond  4 місяці тому +14

      Is the error you are getting referring to being unable to open the Report file? If that's the case, try running iexpress.exe from the same working directory that you are writing the EXE or CAB file to -- I've seen it be finicky with that. You are right that any file downloaded would still have Mark of the Web (unless you wrapped it inside of a container file like an ISO or others, like discussed in the previous MOTW video). As you mentioned, you certainly could generate the file on the same target machine you already have initial access on, and that can still be a valuable angle to either setup other persistence mechanisms, or craft one of those social engineering ploys like a "backdoored" regular and normal application, to trick an end user into willingly running a program as an elevated user, or entering credentials that otherwise weren't on the machine. Think of a tampered program sitting on the desktop that the user usually runs, or something pinned on their taskbar or in their start menu that anyone would just intentionally click on And you are right that it can be extra obfuscation for deeper layers of malware of malware just as well, it can just as easily be used for the next stage of an attack chain, again to obscure code execution. In regards to iexpress being "just an installer to run what you specify, as any installer would", keep in mind that CompressionType QUANTUM doesn't even need to have it invoke as an installer since you are simply running the command regularly and not it's generated EXE... and there is nothing stopping you from providing the file with a remote location by a SMB network share or UNC path (iexpress.exe /n /q \\192.168.111.179\share
      emote.SED), so it doesn't need to be on disk or depend on another file artifact.

    • @darkshoxx
      @darkshoxx 4 місяці тому +2

      @@_JohnHammond Just tried it from the same folder, yeah that works. Thanks for the explanation, yeah that all makes sense. Fascinating

  • @ebbrayezkhanzada7304
    @ebbrayezkhanzada7304 3 місяці тому

    You have my attention for rest of my life

  • @hacking4good
    @hacking4good 4 місяці тому +2

    I ❤ living in QUANTUM time, thanks to Microsoft (and John & the researchers)

  • @HeinrichChristiansen
    @HeinrichChristiansen 3 місяці тому

    Rebuilding Installer.exe from Installer.SED - Can the other way around be done too?
    Just curious

  • @a2bros186
    @a2bros186 4 місяці тому +6

    This is some very good information, mister

  • @akaballechoes
    @akaballechoes 21 день тому

    Is this a way to make an auto executing USB ?

  • @BkSMedia
    @BkSMedia 3 місяці тому +8

    This is mental, I will never trust an exe ever again 🤣 Thank goodness I use Linux as a daily OS

    • @Critical3rror
      @Critical3rror 3 місяці тому

      Why? Because you are only vulnerable to Linux viruses? You aren't safe just because you use Linux. Running things willy nilly is bad no matter the OS. The strongest anti virus is a smart user, but even they aren't infallible.

    • @EpicNoobx
      @EpicNoobx 3 місяці тому +3

      linux isn't immune to viruses also you dont need to mention that you use linux everywhere

  • @Atmatan
    @Atmatan 4 місяці тому

    Yo mate, one of my machines just got hacked.
    Other than Twitter, how can I send you the logs and artifacts?
    It might be worth looking into, since you're into that stuff.

    • @Atmatan
      @Atmatan 4 місяці тому

      Nevermind. This video has what your site doesn't: the full list of links 😂

  • @AltaBross
    @AltaBross 4 місяці тому +10

    can it bypass AV by putting first Exclusion to C:\ drive then executing powershell base64 memory Ransomware

    • @yukiqt
      @yukiqt 4 місяці тому +2

      no

    • @User-kq3od
      @User-kq3od 4 місяці тому +4

      Give up kid

    • @CyphrSec
      @CyphrSec 4 місяці тому +4

      This made me laugh out loud, Ty kid

    • @spongieQC
      @spongieQC 4 місяці тому

      it doesn't really work like that 😅

    • @galsherp6173
      @galsherp6173 4 місяці тому +1

      this fixes a problem which is not there, you understand? there are 1000s ways of bundling your software, but like some other comments said: the avs can see right thru it (which is logic because its not obfuscated...

  • @BLiNKx86
    @BLiNKx86 4 місяці тому +2

    Love the early morning uploads! At least in California

  • @k4m1kazep1lot4
    @k4m1kazep1lot4 4 місяці тому +2

    I wonder if u can prompt a user to run on admin privilege

    • @yukiqt
      @yukiqt 4 місяці тому +1

      you can, just like you can with any exe

    • @k4m1kazep1lot4
      @k4m1kazep1lot4 4 місяці тому +1

      @@yukiqt yeah but the installer doesnt specifically ask for admin privilege

    • @yukiqt
      @yukiqt 4 місяці тому

      @@k4m1kazep1lot4 if you're asking if it can bypass uac, it can't

  • @siomek101
    @siomek101 4 місяці тому

    you can put the command in the gui too, its not stopping you (13:05)

  • @autohmae
    @autohmae 4 місяці тому +2

    After I saw you can automate it, without any windows: definitely should be on the list !

  • @BLKMGK4
    @BLKMGK4 3 місяці тому

    Seems to me the run command could be a nice SMB command to a machine you've got a listener on to grab creds and you're off to the races if you get the right person :)
    BTW John have you seen some of the cute "shortcut" files people are trying to distribute of late that are malicious? Shady!

  • @modzgodzo
    @modzgodzo 3 місяці тому

    wtf John, stop please, you makin' me really anxious of everything connected to internet. :D

  • @AnonymousPhucker
    @AnonymousPhucker 3 місяці тому

    maybe run net user add commands on secondary options ? hefty way to have sneaked in local admin accounts ?

  • @heatherryan9820
    @heatherryan9820 3 місяці тому +2

    Would antivirus catch the iexpress instance though? Like when you first call iexpress, would antivirus throw a warning?

    • @0x4e696b
      @0x4e696b 3 місяці тому +2

      Probably not, as it’s built in on Windows. But if you use it to execute some generic and known malicious payload like from Metasploit, it will most likely block that.

  • @STANSLASGANDA
    @STANSLASGANDA 3 місяці тому +1

    I wonder how to block that as part of Windows PC hardening🤔🤔🤔???

  • @ninjasiren
    @ninjasiren 3 місяці тому

    Gosh this is like that WinRAR or WinZip self-executative zip or rar files. Where it auto-extracts and runs the applications you want to run (either making your own version of an installation of a software or this)
    Or those stuff like NSIS or InstallShield stuff I also used abit

  • @markusTegelane
    @markusTegelane 4 місяці тому +1

    0:13 that's what they want you to think

  • @mbashiry
    @mbashiry 4 місяці тому

    very good information

  • @darshanakhare6676
    @darshanakhare6676 4 місяці тому +2

    I would like to see this with metasploit in action but yt will not allow it right

    • @yukiqt
      @yukiqt 4 місяці тому

      youtube would allow it, it just wouldn't be very interesting

    • @CU.SpaceCowboy
      @CU.SpaceCowboy 3 місяці тому +2

      i mean you cam use whatever you want for cnc lol, id rather use something that wont get flagged in memory or wtv like a dotnet agent, then use a beacon or meterpreter for advanced control after i have persistence

  • @Sristi-Misti
    @Sristi-Misti 4 місяці тому

    Sir, Would you make videos about scammers please 🙏

    • @Sristi-Misti
      @Sristi-Misti 3 місяці тому

      @@romanemul1 Am I requested you? or you are a scammer?

  • @ai-spacedestructor
    @ai-spacedestructor 3 місяці тому +1

    hang on, you sta5rted a bomb on your actual computer instead of a virtual machine?
    your living on the edge here!

  • @darkshoxx
    @darkshoxx 4 місяці тому +5

    28:05 Tags, also known as "greater than less than symbol waka waka alligator faces" 🐊🐊

  • @jonnyfatboy7563
    @jonnyfatboy7563 3 місяці тому

    it seems like a great tool to keep in the windows install... if you are the NSA 😲

    • @boopathin4255
      @boopathin4255 5 днів тому

      Bro help bro i have doubt im kiddo

  • @leahcimnaerc9543
    @leahcimnaerc9543 3 місяці тому

    iexpress as a trojan is like the old comics. where the CIA use old soviet gear to perform surveillance. The old soviet gear being giant satellite dishes with giant head phones and antenna.

  • @Jesseoreilly-ed7ft
    @Jesseoreilly-ed7ft 3 місяці тому

    Not really living off the land when I have to then social engineer someone to install the file or run it from within a service ive already exploited, better ways to get this done, nice way to make an installer though i guess...

  • @HauthyPiyces
    @HauthyPiyces 4 місяці тому +1

    hm,that might be a problem

  • @not_user11
    @not_user11 4 місяці тому

    I can't try it out because my pc doesn't run windows

    • @_Yassir_
      @_Yassir_ 4 місяці тому

      poor little linux user

    • @robotron1236
      @robotron1236 3 місяці тому

      Runs in WINE on linux.

    • @robotron1236
      @robotron1236 3 місяці тому

      @@_Yassir_ in the words of OTW, “if you don’t know Linux, you’re not a hacker.”

    • @robotron1236
      @robotron1236 3 місяці тому

      @@not_user11 I use windows stuff like this all the time. Pretty much anything old, or CLI will run with WINE. Hell, I’d say a good 80% of Windows software, even a lot of newer stuff, runs pretty well with WINE. This will run flawlessly.

  • @DjPsYcOtIc
    @DjPsYcOtIc 3 місяці тому

    Cheers.

  • @CZghost
    @CZghost 4 місяці тому

    Definitely. After watching the video, certainly! :D

  • @GNUGradyn
    @GNUGradyn 4 місяці тому

    honestly this only feels useful for a script kiddy kind of thing because all of this is already trivial for actual developers, e.g. via costura

  • @WylieBayes-q9m
    @WylieBayes-q9m 3 місяці тому +1

    Damn it John. Stop burning my unknown lolbins!

  • @vladimirmisata
    @vladimirmisata 3 місяці тому

    Meow! Now, Everyone Is A Suspect! This Is The Back Door We All Suspected To Exist On A Global Scale, But Backwards! Now, If Each Binary Is A Lock, Then We Have Multiple Locks To Complete A Series. Then Technically Each Series Has A "Master" Key. So We Will Have Different Series Relating To Different Topics, Giving Us A Set Of "Grand Master" Keys. A Set Could Be 10 Master Keys, Which Would Be Considered Too Many! Why Do I SENSE, Somewhere In There, A "GRAND-GRAND MASTER" Key!? In All Things Considered, Human Nature Is Full Of Self Gratification Shortcuts Not To Repeat Insanity! Awesome Report On This One, John! YOU Gave Me Another Next TEN YEARS Of To-Do Fulfillment Duties, Then Be Outdated! LOL!

    • @Cyba_IT
      @Cyba_IT 3 місяці тому

      Go easy on the shift key bud. 😂

  • @Gizmologist_
    @Gizmologist_ 3 місяці тому

    The duke of windows nuking

  • @TangoBravo-z4p
    @TangoBravo-z4p 4 місяці тому +1

    100 percent of kids would do this on every pc in schools back in my day looooool if only we had youtube haha

  • @BangBangBang.
    @BangBangBang. 3 місяці тому

    You can right click on an exe and choose extract.

  • @sreejith_jinachandran
    @sreejith_jinachandran 3 місяці тому

    From below 3 which one is efficient
    AWUS036ACM
    AWUS036ACH
    AWUS036NHA
    According to you?

  • @leahcimnaerc9543
    @leahcimnaerc9543 3 місяці тому

    Using this "SED" technique. lol

  • @logiciananimal
    @logiciananimal 4 місяці тому

    The wikipedia page on this is interesting. But I am trying to figure out - why does it exist? But yes, it belongs in the lolbin category.

  • @1.1-z9d
    @1.1-z9d 4 місяці тому +3

    Sup

  • @antonioveloy9107
    @antonioveloy9107 4 місяці тому

    oh jeez, ofc thats a lolbin

  • @bolter99
    @bolter99 2 місяці тому

    Windows defender instantly detected my test file lol

  • @seancrouch
    @seancrouch 3 місяці тому

    Hey can someone give me a idea of what i should price my mobile app as?? Main purpose/function is to be able to hash files and verify files on mobile already made it and works well just dont know what to price it at was thinking £2? Dont want to open source it got bills to pay, any advice or idea's are welcome

    • @robotron1236
      @robotron1236 3 місяці тому

      @@seancrouch why can’t I do that on my PC? My phone is basically for calling and texting people and sometimes watching UA-cam/surfing the web. If I were going to use my phone like a computer, I’d just install a Linux distro on it and have everything I could ever want for free.

  • @RandomytchannelGD
    @RandomytchannelGD 4 місяці тому

    Hi

  • @cybersecurity-yo9ec
    @cybersecurity-yo9ec 3 місяці тому

    Bypass antivirus whith iexplorer encode payload en opera example

  • @DaRaccoonCrypto
    @DaRaccoonCrypto 3 місяці тому

    Iexpress something the RAT kiddies used to love using to pack up the nasty RAT's. Not seen this in time surprised its not in the LOTL files.

  • @juliussakalys4684
    @juliussakalys4684 3 місяці тому

    yikes

  • @looweegee252
    @looweegee252 3 місяці тому +1

    Bro who you yelling at tho

    • @Cyba_IT
      @Cyba_IT 3 місяці тому

      He's just passionate about the subject. He doesn't yell half as much as some youtubers do.

    • @looweegee252
      @looweegee252 3 місяці тому

      @@Cyba_IT I'm just trying to stay chill and learn about IT not have lunch with Samuel L Jackson 😆😆😆

    • @Cyba_IT
      @Cyba_IT 3 місяці тому

      @@looweegee252 😂😂😂

  • @88tx
    @88tx 4 місяці тому +52

    for "hackers", specifically the skids lmao

    • @inspirationchannel101
      @inspirationchannel101 4 місяці тому +1

      Well said 😂

    • @SecGuy-v9p
      @SecGuy-v9p 4 місяці тому +4

      well, lolbins not really only being used by skiddies, several bigger threats have been using lolbins like certutil or installutils.

    • @inspirationchannel101
      @inspirationchannel101 4 місяці тому +13

      @@88tx well guess any good pen tester would use anything at their disposal even if its easy no reason to work twice the amount with the same outcome🙂

    • @isheamongus811
      @isheamongus811 4 місяці тому

      I have seen sth like that with .bat

    • @Alfred-Neuman
      @Alfred-Neuman 4 місяці тому

      Why would it be used specifically by script kids?
      People like you seems to think real hackers are only using their own zero-days written in assembly and they're connecting to the internet by using a hacked norwegian satellites etc... lol

  • @HyBlock
    @HyBlock 4 місяці тому +144

    41 minutes of yapping just to tell us that an installer can run whatever you tell it to.

    • @MygenteTV
      @MygenteTV 4 місяці тому +54

      You may be right about that but remember, you aren't entitled to anything and he doesn't own us anything.

    • @CU.SpaceCowboy
      @CU.SpaceCowboy 4 місяці тому +21

      domt be a dick bud

    • @CU.SpaceCowboy
      @CU.SpaceCowboy 4 місяці тому +17

      he literally jumped right in explained what the tool was

    • @skillato9000
      @skillato9000 4 місяці тому +5

      ​@@MygenteTV🤓

    • @rohit.vikram
      @rohit.vikram 4 місяці тому +18

      ​@HyBlock spoken like someone who doesn't understand how lolbin attacks work

  • @bob-p7x6j
    @bob-p7x6j 4 місяці тому

    basically first

  • @oxygen02
    @oxygen02 4 місяці тому

    first

  • @gojo99998
    @gojo99998 4 місяці тому

    First 🥇

  • @sweet09876
    @sweet09876 4 місяці тому

    second

  • @Grumpy-Fallboy
    @Grumpy-Fallboy 4 місяці тому +3

    don't worry soon microsoft will get rid all old ~[control-panel] and other vintage [features] and stuff in windows, so u don't mess around :D

    • @seen-bc9eq
      @seen-bc9eq 4 місяці тому +1

      Update: they are not getting rid of it

    • @robotron1236
      @robotron1236 3 місяці тому

      Yup just like those .pif files too.

  • @TangoBravo-z4p
    @TangoBravo-z4p 4 місяці тому

    bro

  • @comosaycomosah
    @comosaycomosah 4 місяці тому

    lol classic

  • @darkshoxx
    @darkshoxx 4 місяці тому

    twf no secret end-of-video keyword 😞

  • @PeterSimon-pk9tb
    @PeterSimon-pk9tb 4 місяці тому

    Bb

  • @OVERKILL_PINBALL
    @OVERKILL_PINBALL 4 місяці тому

    omg

  • @Alaz21
    @Alaz21 4 місяці тому

    First 😂

  • @VaracolacidVesci
    @VaracolacidVesci 4 місяці тому +6

    This is kind of stupid.
    Any installer maker can do this, and there are many easier to use and abuse. It is not in the lust because AN INSTALLER MAKER is known to be able to do this, it is not a design flaw or weakness.

    • @anik2443
      @anik2443 3 місяці тому +2

      This isn't stupid. It comes pre-installed even in the latest version of windows. It can be used for living off the land. Any installer won't be present by default in a windows device that you gained access to but this one is native to windows.

    • @VaracolacidVesci
      @VaracolacidVesci 3 місяці тому

      @@anik2443 it does not matter that comes with windows. Why would it?
      Is not like YOU are making your own malware to infect yourself.
      Any bad actor can use whatever dont have to be pre-installed. That is why it is stupud

    • @anik2443
      @anik2443 3 місяці тому +1

      @@VaracolacidVesci do you know nothing about post exploitation? It's for remaining undetected by using tools available natively in the system. Go Research about it

    • @VaracolacidVesci
      @VaracolacidVesci 3 місяці тому

      @@anik2443 hahahaha ofc not! You are trying to sound fancy but clearly you are just another asshole in the internet.
      it's not like the av engines or any other software would say OH it is made by the system tool, let's allow it!.
      hahaha how stupid can you be

    • @VaracolacidVesci
      @VaracolacidVesci 3 місяці тому

      @@anik2443 hahahaha OFC NOT!
      There is nothing special about it being on the system, is not like the exe would have anything special about it. is not like the AV engines or any other protection would say, OH it is made by the system tool let's allow it regardless, hahahaha HOW STUPID CAN YOU BE?

  • @RyanGForcE-xo9zx
    @RyanGForcE-xo9zx 4 місяці тому +1

    Bring game hacking *🎉❤

  • @mineyoucraftube1768
    @mineyoucraftube1768 3 місяці тому

    i remember pranking my friends with a .bat file (named hello.bat) containing:
    start hello.bat
    call hello.bat
    very funny, unless you have unsaved work
    (unfortunately it won't work if you don't have access to "start" like on school computers, but you can still call other programs using "call", it's just not exponential)

  • @mikeonthecomputer
    @mikeonthecomputer 3 місяці тому

    Instructions unclear. Typing does nothing on my Windows 95 computer's start menu.